Adoption of security as a service
© Senk; licensee Springer. 2013
Received: 6 February 2013
Accepted: 6 February 2013
Published: 4 April 2013
Security as a Service systems enable new opportunities to compose security infrastructures for information systems. However, to date there are no holistic insights about their adoption and relevant predictors. Based on existing technology acceptance models we developed an extended application-specific research model including formative and reflective measures. The model was estimated applying the Partial Least Squares technique to address the prediction-oriented nature of the study. A subsequent online survey revealed that a large number of industries shows significant and steadily growing interest in Security as a Service. Adoption drivers were investigated systematically.
Companies face an increasing threat regarding the security and safety of their information systems due to the opening of security domains for web-based access in the course of current technological developments such as Federated Identity Management and Cloud Computing[2, 3]. In this regard, Cloud Computing is a model “for enabling convenient, on-demand network access to a shared pool of configurable computing resources […]” . These resources are referred to as Cloud services and can logically be assigned to the infrastructure, (Infrastructure as a Service, IaaS), middleware (Platform as a Service, PaaS) or application software layer (Software as a Service, SaaS) [5, 6]. The Cloud Computing model itself not only induces certain security-related risks, it also opens up new opportunities to obtain innovative security solutions in a technically and economically flexible way in order to cope with rising security demands . The outsourcing of security according to SaaS principles is referred to as Security as a Service (SECaaS) [3, 8]. Such systems are considered to be the next step in the evolution of Managed Security Services (MSS) and differ clearly from traditional outsourcing models or on-premises deployments [3, 8, 9]. According to GARTNER RESEARCH, the demand for SECaaS will grow significantly and might substantially change existing IT security infrastructure landscapes . However, no deep insights about the current adoption and future developments exist. In this regard, based on an expert-group discussiona we defined that the answers to the following research questions (RQ) are important to predict the future of SECaaS:
RQ1: Is there a market for SECaaS enterprise applications in general and for specific application types in particular?
RQ2: Which are the key drivers and inhibitors for the adoption of SECaaS?
RQ3: Which benefits are perceived to be relevant by potential adopters of SECaaS?
RQ4: Which risks are perceived to be relevant by potential adopters of SECaaS?
RQ5: Which organization-specific factors (e.g. company size) affect the acceptance of SECaaS?
The main objective of this paper is to answer these research questions through empirical research in order to gain insights valuable for both potential consumers and providers of SECaaS. The remainder of this paper is structured as follows: Section 2 defines SECaaS and overviews related work regarding the adoption of similar technologies. In Section 3 the research concept is specified and justified. Section 4 gives an overview of the results of the estimation of the research model and the related hypotheses. Afterward, the findings are discussed respecting the specified research questions. Section 5 concludes the paper.
2 Theoretical background
This chapter provides the theoretical background for the context of the study. This includes the object of adoption (SECaaS), which is defined in Subsection 2.1. Subsequently, an overview of related work regarding the adoption of similar technological innovations is provided in Subsection 2.2 in order to identify adequate research approaches.
2.1 Security as a service
SECaaS is a service-oriented approach to IT security architecture and thus a consequent evolution of traditional security landscapes [8, 9]. It is defined as a model for the delivery of standardized and comprehensive security functionality in accordance with the SaaS model [8, 11]. It thus follows the Cloud Computing model. Hence, SECaaS systems are delivered in form of Cloud services complying with related principles. This excludes built-in security controls of existing Cloud services . Key attributes of Cloud services contain the following [5, 6, 12]:
Application and underlying infrastructure are abstracted and offered through service interfaces;
Standardized network access by any device;
Scalability and flexibility of the underlying infrastructure;
Shared and multi-tenant resources;
On-demand self-service provisioning and near real-time deployment;
Flexible and fine grained pricing without up-front commitments.
Classification of SECaaS applications
Secure operation of software applications
(e.g. application firewalls, code analyzers)
Compliance & IT
Support of the client organization’s compliance and IT security management
Security management (ITSM)
(e.g. automatic compliance checks, benchmarking)
Protection of content data from intended attacks and undesired events
(e.g. e-mail encryption, filtering of network traffic)
Protection of servers or client computers in networks
(e.g. malware protection, host-based intrusion detection)
Identity & access management
Identification of users, provisioning of user identity attributes and assign-
ment of necessary privileges (e.g. single sign-on, multi-factor authentication)
Remote management of client-sided security systems
(e.g. intrusion detection and prevention systems)
Security information &
Specific security-related functions for monitoring complex IT systems
event management (SIEM)
(e.g. archiving and analysis of log-data, forensic analysis)
Vulnerability & threat
Detection of threats apart of eminent internal security incidents
(e.g. patch management, notifications on current attacks)
2.2 Adoption of related technologies
The term Adoption can be traced back to ROGERS’ (1962) diffusion of innovations theory and is defined as a consumer’s positive decision to accept and use an innovation, which ultimately leads to a positive investment decision and actual use . Adopters can be individuals or organizations .
There are only a few current insights regarding the adoption of the outsourcing of IT security. GARTNER and FORRESTER RESEARCH conducted analyses of the MSS market and forecasted a steady and significant growth [7, 13]. Moreover, FORRESTER RESEARCH surveyed IT security decision makers and identified major benefits of MSS : Quality improvements, 24 ×7 support, cost reduction, and decrease of the complexity of security infrastructures. However, the study is not suitable regarding the research questions identified in this paper since the adoption was not investigated holistically and not focused on Cloud systems.
Benlian et al. conducted a meta-survey of the adoption of SaaS systems and applied different research theories . They concluded that behavioral theories reveal more consistent results regarding the adoption of SaaS systems than economic or strategic research theories . Behavioral theories include the Technology Acceptance Model (TAM) , the Theory of the Diffusion of Innovation, and the Unified Theory of Acceptance and Use of Technology (UTAUT) . The results indicate that the adoption of SaaS technologies is mainly influenced by :
Attitude toward the technology,
Uncertainty of adoption,
Strategic value of respective resources.
However, due to the underlying research design, these results do not provide for causality . BENLIAN ET AL. also concluded that both the adoption and adoption drivers differ across application types, which should be considered in future research . Previous research indicates a higher susceptibility to SaaS adoption for smaller and medium-sized companies  and a different perception of risks and potential benefits by large-scale organizations , although no correlation was discovered between company size and adoption . Udoh applied a combined model including elements of UTAUT and TAM and observed that the adoption of grid, Cloud and related technologies can be causally explained by four predictors :
Effort expectations (Perceived ease of use),
Risk expectations (Trust),
Performance expectations (Perceived usefulness),
Udoh’s model provides a very high level of explanation which indicates a high aptitude for its application in similar technology acceptance studies . Furthermore, its generic constructs can be itemized according to the specifics of subsequent research.
3 Research design
Based on related studies [23, 26], this paper applies the Structural Equations Modeling methodology. For the model estimation involved, the Partial Least Squares technique is used. The methodology is introduced and justified in Subsection 3.1. Subsequently, in Subsection 3.2, a system of hypotheses -the research model- is developed. In Subsection 3.3, the measurement model is derived from this research model.
Common technology acceptance theories like TAM or UTAUT are based on the development and testing of hypotheses regarding the influences of theoretical constructs on each other . A system of hypotheses can be modeled as a system of equations . A common approach to solving such systems is Structural Equations Modeling (SEM) . SEM is defined as “a comprehensive statistical approach to testing hypotheses about relations among observed and latent variables” . Besides the structural model, which primarily prescribes hypothetical relations between latent variables, a measurement model is required to quantize thes variables .
The measurement model prescribes not directly observed (latent) variables of the structural model by a set of measurable indicators . Measurement models can be reflective or formative. Reflective measurement models assume empirically measurable variables. In this regard, the latent variable causes a set of reflective measurement indicators which correlate highly among each other . In contrast, formative measurement models estimate a latent variable, applying a set of indicators, which are assumed to cause the construct . This facilitates the differentiated analysis of the relevance and strength of certain influences on a theoretical construct . Formative measures are mainly intended to explain the composition of a construct, whereas reflective measures only indicate a construct’s outcome . Therefore, on the one hand, formative measures lead to deeper practical insights than reflective ones and are more suitable for practical research applications . On the other hand, such measurement models are restricted regarding the application of quality indicators . To avoid this disadvantage, formative and reflective measures can be combined to form Multiple Indicators, Multiple Causes (MIMIC) models .
To estimate the comprehensive model either co-variance-based approaches (CB-SEM) or the variance-based Partial Least Squares (PLS-SEM) technique can be applied . Both approaches provide different benefits and drawbacks that imply their qualification for specific applications in research [28, 30]. The PLS-SEM technique is more suitable for the research for this study due to four reasons: (1) the prediction-oriented research goal to explain the adoption of SECaaS (dependent variable) as comprehensively as possible; (2) the formative measurement of perceived overall risks and benefits which is required to get a deep and differentiated understanding of the composition of relevant adoption drivers; (3) the small sample size expected relative to the high complexity of the research model implied by the high number of hypothesized influences; (4) the possibility of applying fewer than four indicators for latent variables which is necessary to keep the study’s questionnaire as purposive as possible .
The model estimation was performed using the software SmartPLS developed by Ringle et al. . The tool facilitates the building of both structural and measurement models and was successfully applied in similar studies . Further quality metrics were calculated using the statistics software SPSS PASW Statisticsb.
3.2 Research model
In SEM, hypotheses are relationships between latent variables which are represented by the structural model [27, 28]. The system of hypotheses must be theoretically well-grounded . This was assured since its development was based on related literature in the fields of Cloud Computing, SaaS and MSS, and continuously validated by an expert groupc (Below, this expert group is referred to as the Expert Panel) using a dedicated online discussion platform (PBworksd). The labels used for the study’s constructs represent the essence of the construct and are assumed to be independent regarding their theorized content. Constructs and hypothesized influences are described and justified below.
3.2.2 Perceived ease of use
This variable is defined as the degree to which the adopter believes that applying SECaaS is effortless [22, 26, 34, 35]. From a client organization’s point of view this involves the integration in the IT security infrastructure [11, 15] as well as the actual use of the system . Cloud-based security systems promise high ease of use since service interfaces are based on standardized internet technologies and can be accessed ubiquitously via thin clients (e.g. web browsers) . It is questionable whether this fact affects the adoption and whether it is reflected by the perception of the adopters.
3.2.3 Perceived usefulness
Perceived Usefulness is defined as the degree to which an organizational adopter believes that the application of SECaaS increases the performance of the organization [22, 26, 34, 35]. Performance expectation is a key driver for adoption [22, 34]. Based on related literature Benlian et al. identified five specific benefit dimensions for SaaS service consumers which are hypothesized for SECaaS according to RQ3 :
Perceived Flexibility Benefits: The SaaS model implies a low organizational dependence of service consumers on service providers. Therefore, switching barriers are low and strategic flexibility regarding IT and IT security architectures is increased [11, 25]. Furthermore, service use can be adapted flexibly to actual quantitative and qualitative needs .
Improved Resource Access: Low entry barriers enable easy access to specific resources, skills and technologies of the external service providers [15, 25]. Particularly mid-sized or smaller organizations might derive advantages from that when they cannot afford the time and effort involved in roviding sophisticated IT security resources on their own .
Perceived Cost & Liquidity Benefits: Multi-tenancy architectures leverage economies of scale at the service providers’ site. At the same time, service consumers’ assumed low switching barriers induce a pricing pressure, forcing service providers to share respective savings. This ultimately leads to lower costs of operation and maintenance for service consumers [13, 15, 25]. Hence, on-demand pricing models enable decreased capital commitment [11, 25]. Furthermore, the outsourcing model facilitates the transfer of financial risks of security incidents and thus the reduction of recovery costs .
Perceived Quality Benefits: Security service providers use to be highly specialized, which implies their ability to provide a higher quality of service [11, 13, 15, 16]. In addition, due to low switching barriers, service providers are forced to provide permanent high service quality . Moreover, multi-tenancy architectures enable cross-client data aggregation and the application of business intelligence techniques . Identified patterns can be used to improve quality of service, such as the performance of anti-virus applications, for instance. Lastly, SECaaS services are permanently up-to-date without the necessity of time-delayed updates at the client’s site .
Improved Focus on Core Business: The outsourcing of certain systems according to SaaS (or SECaaS) de-allocates internal resources [11, 25]. These resources can be (re-)allocated to an organization’s core business, which might increase overall performance [15, 25] - assuming that IT security is not the core competency. Hence, this is also one of the major drivers for IT security outsourcing in general .
Many IT outsourcing programs do not yield expected performance outcomes [39, 40]. Reasons include exaggerated expectations, poorly developed business cases, deficient change management, non-transparency of vendor performance, and lock-in effects . This so-called “IT outsourcing paradox”  might affect the expected usefulness of SECaaS and its influence on the adoption.
The adoption of grid and Cloud systems is highly influenced by perceived risks [18, 23, 26, 41, 42]. This influence is represented by the variable Trust, which is interpreted as a semantic inversion of perceived risk. BENLIAN ET AL. identified SaaS-specific risk dimensions which are hypothesized in analogy to Perceived Usefulness addressing RQ4 :
Perceived Security Risks: The outsourcing of systems according to SaaS implies the loss of control over the processed data and requires the client organization to interface with the external service. This causes risks regarding the enterprise data and affected processes [11, 15, 25, 42]. In this regard, Cloud-specific security risks focus on resource protection, communication and storage security, and authentication and authorization .
Perceived Social Risks: The outsourcing of applications induces social risks including internal resistance or negative influences on the organization’s image .
Perceived Strategy & Compliance Risks: The outsourcing of certain systems might involve the loss of critical capabilities  and, in turn, the risk of an increased dependency on the service provider [15, 37]. Furthermore, the service consumers might lose the control to ensure the compliance with legal and regulative requirements .
Perceived Operational Risks: Since service operation is fully controlled externally there is the risk of the service provider not complying with existing SLAs. This might affect service quality, performance, and availability [15, 25, 42].
The Attitude construct represents an adopter’s individual positive or negative behavior toward an innovation and is considered to be independent from the othervariables [22, 26, 43]. It can be prescribed by individual preferences or perceived relative advantage to related technologies [22, 26]. Its relevance for SaaS adoption is indicated by previous research .
3.2.6 Moderator variables
The validity of PLS-SEM results can be compromised by heterogeneous and conflicting data . Potential sources for heterogeneity can be modeled and tested by means of moderator analyses . Venkatesh et al. propose the use of moderators in addition to key determinants to account for dynamic influences and thus to improve the quality of adoption research models . Moderators are variables that influence the relation between two constructs positively or negatively [22, 28]. Moderators at the individual level include demographic characteristics and organizational context (e.g. gender, age) . Since our research focuses on adoption by organizational entities, we hypothesized new moderators to address RQ5. As part of the aforementioned expert workshop in the course of a session of the “IT security solutions” working group of the German Federal Association for Information Technology, Telecommunications and New Media, and based on related literature, we identified four relevant factors: Company size, industrial sector, a company’s role in the Cloud ecosystem, and the strategic value of IT security. Moreover, we considered the respondent’s job function and the division in which he or she works as potential sources for heterogeneity and modeled respective moderator variables.
Based on the constructs of the specified structural model a measurement model was developed. Therefore, an initial literature review was conducted in order to identify and classify the major related indicators which semantically describe the structural model’s constructs. These indicators were presented to the Expert Panel via the aforementioned collaboration system PBworks. The experts actively discussed and supplemented the indicator set which was subsequently revised by the authors of this paper and transformed to the study’s online questionnaire. Finally, the Expert Panel approvede the measurement model (including the online questionnaire).
Metrically measured indicators
Use intent short-term (next 3 years)
Use intent mid-term (4–7 years)
Use intent long-term (≥ 7 years)
Actual use/intent of Endpoint Security applications
Actual use/intent of content security applications (appl.)
Actual use/intent of application security applications
Actual use/intent of compliance & IT security management appl.
Actual use/intent identity & access management appl.
Actual use/intent of managed devices applications
Actual use/intent of security information & event management appl.
Actual use/intent of threat & vulnerability management appl.
Perceived ease of use (refl.)
General ease of use
Ease of learning
Ease of target achievement
Perceived ease of use (form.)
Ease of initial integration/deployment of the service
Usability of the service
Ease of customizing the service
Comprehensive support by service provider
Perceived usefulness (refl.)
Increase in performance
Increase in effectiveness
Perceived cost & liquidity benefits (form.)
Reduction in costs of operation and maintenance
Variabilization of IT security costs
Reduction in recovery costs
Perceived quality benefits (form.)
Transparency & control of security department
Increase in organizational level of security
Improvement of legal and regulative compliance
Perceived flexibility benefits (form.)
Flexibility of IT and security processes
Flexibility of business processes
Reactivity regarding security-related problems
Increased focus on core business (form.)
Decrease in employee errors
Time savings in security management
Improved resource access (form.)
Enablement of access to new technologies
Access to external know-how
Independence from dedicated systems
Overall trust in adoption
Trust in certified service providers
Hesitation due to uncertainty
Perceived security risks (form.)
Vulnerability to unauthorized service access
Deficient data mitigation and security
Vulnerability regarding network-based attacks
Deficient service continuity
Perceived strategy & compliance risks (form.)
Dependence on service providers
Inability to comply with obligations to produce supporting documents
Non-compliance with data protection regulations
Perceived social risks (form.)
Loss of image
Perceived financial & operational risks (form.)
Unexpected costs of integration
Deficient provider’s compliance with SLAs
General attitude toward cloud technologies
Relative advantage over managed security
Relative advantage over on-premises systems
Strategic value of IT security (refl.)
Criticality of IT security for business
All indicators were transformed into questionnaire items in German following general construction guidelines [28, 46]. As mentioned in the beginning of this section, the supporting expert group validated the wording and soundness of all items as well as the structure of the entire questionnaire from a semantic point of view as suggested by CHURCHILL. SEM requires metrically-scaled data for further analysis . Thus, we applied a systematically constructed seven-point Likert scale, which produces data that can be interpreted metrically for SEM model estimations [28, 46].
This section presents the empirical investigation of the research model. In Subsection 4.1, the sample and the process of data collection are described. In Subsection 4.2, implications regarding the market for SECaaS applications are deduced from descriptive data analysis. In Subsection 4.3, the model estimation including quality and hypotheses testing is laid out. Finally, in Subsection 4.4, the results are discussed respecting the research questions of the study.
4.1 Data collection and sample
The survey yielded 202 returns. The data was processed and cleaned as suggested by WEIBER AND MüHLHAUS. Accordingly, incomplete records were excluded. For the remaining records the squared Mahalanobis distances were calculated in order to identify those deviating markedly from the centroid; three outliers were identified and excluded. This left 160 records for further analysis.
Participants by industrial sector
Participants by company size f
Small & micro organization
Participants by role in cloud ecosystem
Cloud service provider
Participants by job function
IT security officer
Participants by division
Management and support
Research & development
Sales & marketing
4.2 Market implications
Development of Adoption f
Percentage with strong positiveindication foradoptiona
Vuln. & threat management
Identity & access mgmt.
Security info. & event mgmt.
Compliance & ITSM
4.3 Model estimation
4.3.1 Evaluation of the measurement model
Perceived ease of use
Formative measurement model for P. usefulness
Indicator significances (t-Values)
Significance of construct (t-Value)
Cost & liquidity
Formative measurement model for trust
Indicator significances (t-Values)
Significance of construct (t-Value)
Since the measurement model meets existing requirements entirely, valid estimations of the study’s latent variables can be assumed. This is requisite for the subsequent evaluation of the structural model [28, 30].
4.3.2 Evaluation of the Structural Model
The evaluation of the structural model includes the degree of determination of the model’s latent variables and the evaluation of the hypothesized relations between them . All independent latent variables meet the required minimal coefficient of determination (R2) value of 0.3 and are thus sufficiently explained  (see Table 10). Due to the study’s predictive research goal the R2 of the dependent variable is of special importance . CHIN suggests a critical value of 0.67 for substantial predictions . This requirement is met for the study’s dependent variable Adoption (R2 = 0.71). We additionally proved the model’s capacity to predict the dependent variable by means of the Stone-Geisser test (cross-validated redundancy Q2 = 0.489 > 0) . Thus, we consider the adoption of SECaaS to be explained comprehensively by this study’s proposed model. To test the significances of the model’s hypothesized relations, the bootstrap method (df = 1,000) was applied and t-values were calculated [31, 52]. In regard to the study’s non-directional hypotheses, the influence of one variable on another is considered to be significant when α = 10%[28, 30]. Thus, a hypothesis is supported when the corresponding t-value ≥1.646 and the respective null hypothesis is falsified . To get a deeper understanding of the relations we tested three levels of significance: α = 10% (*, t-value = 1.646); α = 5% (**, t-value = 1.962); α=1% (***, t-value = 2.581). Moreover, corresponding path coefficients were calculated indicating both strength and direction of a variable’s influence . According to Lohmoeller path coefficients ≥ 0.1 indicate relevance .
Estimation of hypothesized key drivers
Perceived usefulness ⇒ adoption
Perceived ease of use ⇒ adoption
Trust ⇒ adoption
Attitude ⇒ adoption
Below, the findings are discussed in regard to the research questions considering related findings.
4.4.1 RQ1: Is there a market for SECaaS enterprise applications in general and for specific application types in particular?
The market for SECaaS applications is still emerging. The study indicates an already significant and steadily growing acceptance by enterprise consumers. The adoption varies across different security service application types, which supports previous findings about SaaS . The market’s focus is on applications for Content Security, Endpoint Security, and Vulnerability & Threat Management.
4.4.2 RQ2: Which are the key drivers and inhibitors for the adoption of SECaaS?
Key drivers for the adoption of SECaaS are effort expectancies, perceived usefulness, and trust regarding the adoption of respective applications. These results basically confirm UDOH’s findings regarding the adoption of grid and Cloud technologies . Only the influence of the adopter’s individual attitude toward the technology [23, 26] was not supported for this research context. Hence, the influence of perceived risks and thus the uncertainty of SECaaS adoption is more significant than the influence of the other drivers, including perceived usefulness. This supports the findings of BENLIAN ET AL. regarding SaaS adoption .
4.4.3 RQ3: Which benefits are perceived to be relevant by potential adopters of SECaaS?
The perceived usefulness of SECaaS is forged by quality as well as cost and liquidity benefits. Quality benefits mainly reflect the expected return in terms of an increased level of security and regulative compliance. Cost and liquidity benefits include the reduction of direct security expenditures and recovery costs. Thus, according to the adopter’s perception, SECaaS potentially increases return on security investments . Hence, the expected performance of SECaaS systems is positively correlated with effort expectancies and trust, which supports previous empirical findings [22, 55, 56].
4.4.4 RQ4: Which risks are perceived to be relevant by potential adopters of SECaaS?
Major barriers to SECaaS adoption are perceived security, social, strategy and compliance risks. Perceived social risks are mainly driven by expected internal resistance. In this context, an inherent problem is the possible fear of the direct loss of competencies in the course of outsourcing certain security systems. The significance of social influences regarding SaaS adoption was already identified by BENLIAN ET AL.. To increase trust and thus future adoption the effectiveness of technical and organizational controls securing Cloud-based security services must be conveyed transparently to potential SECaaS consumers. Specific certification programs for service providers might support this, for example.
4.4.5 RQ5: Which organization-specific factors affect the acceptance of SECaaS?
The individual strategic value of IT security for an organization’s business directly influences the perceived usefulness of SECaaS. The expected performance is thus higher for organizations with higher demands on IT security from a business point of view. This coherence was already laid out by BENLIAN ET AL. regarding SaaS . Moreover, for the organization’s role in the Cloud ecosystem a moderating effect on the relation between the variables Perceived Usefulness and Adoption was identified. This means that perceived benefits matter less for the actual adoption of SECaaS technologies when the organization itself provides Cloud services for external customers, acting in the role of a Value Added Reseller. On the contrary, general organization-specific factors like company size or industrial sector do not have any significant effects on the adoption. This, on the one hand, conflicts with the general rationale that SECaaS is particularly relevant for companies with limited capacities regarding IT security; on the other hand, however, it confirms previous findings regarding the adoption of SaaS .
The applied methodology (PLS-SEM) is often criticized because calculations tend to be less precise compared to alternative CB-SEM techniques. However, PLS-SEM is more qualified for the application in this study as already laid out in Subsection 3.1. Considering the complexity of this study’s research model and the achievable sample size, the application of CB-SEM would not have revealed valid results (compare e.g. [27, 28, 30]), which supports the authors’ research design decision. The sample was selected among organizations with an existing affinity toward IT. Therefore we assume the sample to be representative for potential SECaaS adopters but not for all organizations. The survey explicitly addressed companies in the German-speaking area. Even though it is assumed to provide general insights about the adoption of SECaaS, observations might vary among different markets, for instance due to location-specific data protection regulations. Furthermore, the adoption of SECaaS by private consumers has not been considered and thus remains open for future research.
This paper systematically investigates the adoption of SECaaS. An application-specific research model was developed based on existing technology acceptance models. The model was estimated applying the Partial Least Squares technique to address the prediction-oriented nature of the study. Based on 160 valid responses from companies in the German-speaking area, we investigated the market potential for SECaaS, key adoption drivers, the relevance of certain risks and benefits, and the influence of organization-specific factors like company size or industrial sector.
The results make valuable contributions for both practice and research. They provide a benchmark for potential adopters of SECaaS. Moreover, the findings support the understanding of the adoption behavior of enterprise consumers. Service providers can use this understanding to direct research, development and marketing programs by considering the significance of perceived security-related risks, for instance. Therefore, this study contributes to driving the future adoption of SECaaS, addressing existing threats to the security of enterprise information systems. Moreover, the developed research model including its measures was validated and can be applied for related future studies.
Future research should reflect the adoption of Cloud-based security services in other markets, survey specific security application types, investigate most relevant application fields and success drivers.
aSession of the “IT security solutions” working group of the German Federal Association for Information Technology, Telecommunications and New Media (BITKOM e.V., see: http://www.bitkom.de last access: 01 August 2012).
bhttp://www.spss.com.hk/statistics/ (last access: 29 September 2012).
c16 selected IT and IT security professionals of the German Federal Association for Information Technology, Telecommunications and New Media (BITKOM e.V.).
dhttp://pbworks.com (last access: 01 August 2012).
eTherefore, a simple online poll with the options “I do not approve”, “I am ok” and “I fully approve” was conducted. Four experts responded “I am ok” and eight fully approved.
fAccording to the European Commission, the number of a company’s employees and its turnover (alternatively: balance sheet total) indicate its size. Companies are categorized as follows: “micro”, when number of employees < 10 and turnover ≤ € 2,000,000; “small”, when number of employees < 50 and turnover ≤ € 10,000,000; “medium-sized”, when number of employees < 250 and turnover ≤ € 50,000,000. Larger organizations are labelled as “large-scale”. See: http://ec.europa.eu/enterprise/policies/sme/facts-figures-analysis/sme-definition(last access: 01 August 2012).
gDiscriminant validity is provided for when an indicator’s loading with the assigned construct is higher than with remaining constructs. An indicator’s loading with non-assigned constructs is referred to as cross loading.
hConvergent validity expresses the degree to which a latent variable explains the variance of assigned indicators.
- Hommel W: Architektur- und Werkzeugkonzepte für föderiertes Identitäts-Management. Dr. Hut, München 2007.Google Scholar
- Brock M, Goscinski A: Toward a framework for cloud security. In Algorithms and architectures for parallel processing, Lecture Notes in Computer Science, vol. 6082. Edited by: Yeo SS, Park J, Yang L, Hsu CH, Hsu CH, Yang L, Park J, Yeo SS. Springer, Berlin/Heidelberg; 2010:254–263.Google Scholar
- Rittinghouse J, Ransome J: Cloud computing: implementation, management, and security. CRC, Boca Raton; 2010.Google Scholar
- Mell P, Grance T: The nist definition of cloud computing. Natl Ins Stand Technol 53 (6) 2009, 50. [http://csrc.nist.gov/publications/nistpubs/800–145/SP800–145.pdf] Google Scholar
- Furth B: Cloud computing fundamentals. In Handbook of Cloud Computing. Edited by: Escalante A, Furth B, Furth B, Escalante A. Springer, US, Boston; 2010:3–20.Google Scholar
- Höfer C, Karagiannis G: Cloud computing services: taxonomy and comparison. J Internet Serv Appl 2011, 2(2):1–14.View ArticleGoogle Scholar
- Gartner: Gartner says security delivered as a cloud-based service will more than triple in many segments by 2013 (2008). [http://www.gartner.com/it/page.jsp?id=722307] 
- Hafner M, Mukhtiar M: Seaas - a reference architecture for security services in soa. JUCS 2009, 15(15):2916–2936.Google Scholar
- Peterson G: Service-oriented security indications for use. Comput Sci Eng 2009, 7: 91–93.Google Scholar
- Smith DM: Hype cycle for cloud computing 2010. 2010.http://www.gartner.com/DisplayDocument?doc_cd=201557 Google Scholar
- Staudenrauss P: Untersuchung und Bewertung von Security-as-a-Service-Diensten. In Seminar IT-Sicherheit - Sicherheit und Vertrauen in Cloud Computing. Edited by: Helmbrecht U, Kretzschmar M, Eiseler V. Institut füur Technische Informatik, München; 2011:49–74.Google Scholar
- Mather T, Kumaraswamy S, Latif S: Cloud security and privacy: an enterprise perspective on risks and compliance. O’Reilly Media Inc, Sebastopol; 2009.Google Scholar
- Kark K, Penn J, Whiteley R, Coit L: Market overview: Managed security services. 2010. http://www.forrester.com/Market+Overview+Managed+Security+Services/fulltext/-/E-RES56068?objectid=RES56068Google Scholar
- Senk C, Holzapfel A: Market overview of security as a service systems. In ISSE 2011 Securing Electronic Business Processes Edited by: Schneider W, Reimer H, Pohlmann N, Pohlmann N, Reimer H, Schneider W. 2011.Google Scholar
- Allen J, Gabbard D, May C: Outsourcing Managed Security Services. Carnegie Mellon University Software Engineering Institute; 2003. [http://books.google.de/books?id=CFGnNwAACAAJ] Google Scholar
- Deshpande D: Managed security services: an emerging solution to security. In Proceedings of the 2nd annual conference on Information security curriculum development, InfoSecCD ’05. ACM, New York; 2005:107–111.View ArticleGoogle Scholar
- Keuper F, Wagner B, Wysuwa H: Managed services: IT-Sourcing der nächsten Generation. Gabler; 2009. [http://books.google.de/books?id=5J7Qbx2GIYIC] View ArticleGoogle Scholar
- Martens B, Teuteberg F: Decision-making in cloud computing environments: A cost and risk based approach. Inf Syst Front 2011, 14(4):1–23.Google Scholar
- Huber M: IT-security in global corporate networks. Center for Digital Technology and Management, München; 2002.Google Scholar
- Karyda M, Mitrou E: A framework for outsourcing is/it security services. Inf Manag Comput Secur 2006, 14(5):402–415. 10.1108/09685220610707421Google Scholar
- Rogers E: Diffusion of Innovations. Simon & Schuster, New York; 2003.Google Scholar
- Venkatesh V, Morris MG, Davis GB, Davis FD: User acceptance of information technology: Toward a unified view. MIS Q 2003, 27(3):425–478.Google Scholar
- Benlian A, Hess T: Drivers of saas-adoption – an empirical study of different application types. Business Inf Syst Eng 2009, 1: 357–369. 10.1007/s12599-009-0068-xView ArticleGoogle Scholar
- Davis FD, Bagozzi RP, Warshaw PR: User acceptance of computer technology: A comparison of two theoretical models. Manage Sci 1989, 35(8):982–1003. 10.1287/mnsc.35.8.982View ArticleGoogle Scholar
- Benlian A, Hess T, Buxmann P: Software-as-a-Service: Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen. Gabler, Betriebswirt.-Vlg; 2010.View ArticleGoogle Scholar
- Udoh E VDM Verlag Dr. Müller e.K., Saarbrücken; 2010.Google Scholar
- Hoyle R: Structural equation modeling: concepts, issues and applications. Sage Publications, New York; 1995.Google Scholar
- Weiber R, Mühlhaus D: Strukturgleichungsmodellierung: Eine anwendungsorientierte Einführung in die Kausalanalyse mit Hilfe von AMOS, SmartPLS und SPSS. Springer, Berlin, Heidelberg; 2010.Google Scholar
- Edwards JR: On the nature and direction of relationships between constructs and measures. Psychol Methods 2000, 5(2):155–174.Google Scholar
- Hair J, Ringle CM: PLS-SEM: Indeed a silver bullet. J Mark Theory Pract 2011, 19(2):139–151. 10.2753/MTP1069-6679190202View ArticleGoogle Scholar
- Ringle CM, Wende S, Will A: Smartpls 2.0. 2005.http://www.smartpls.deGoogle Scholar
- Bliemel F: Handbuch PLS-Pfadmodellierung: Methoden, Anwendung, Praxisbeispiele. Schäffer-Poeschel, Stuttgart, Germany; 2005.Google Scholar
- Hamre LJ: Exploring the use of social capital to support technology adoption and implementation. Ph.D. thesis, University of Bath; 2008.Google Scholar
- Davis FD: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 1989, 13(3):319–340. 10.2307/249008View ArticleGoogle Scholar
- Thompson RL, Higgins CA, Howell JM: Personal computing: Toward a conceptual model of utilization. MIS Q 1991, 15(1):125–143. 10.2307/249443View ArticleGoogle Scholar
- Cranor L, Garfinkel S: Security and Usability. O’Reilly Media, Inc, Sebastopol; 2005.Google Scholar
- Böhme R: Security metrics and security investment models. In Echizen I, Kunihiro N, Sasaki R(eds) Advances in Information and Computer Security, Lecture Notes in Computer Science, vol. 6434. Springer, Berlin /Heidelberg; 2010:10–24.Google Scholar
- Schwarze L, Müller: IT-outsourcing - Erfahrungen, status und zukünftige herausforderungen. HMD-Praxis der Wirtschaftsinformatik; 2005. http://ephorie.de/pdfs/Schwarze_IT-Outsourcing-Erfahrungen_Status_und_zukuenftige_Herausforderungen.pdfGoogle Scholar
- Aubert BA, Patry M, Rivard S: Assessing the risk of IT outsourcing. In Proceedings of the Thirty-First Hawaii International Conference on System Sciences, Volume VI. Organizational Systems and Technology. IEEE Computer Society, Washington, U.S.A.; 1998:685–693.View ArticleGoogle Scholar
- Rouse AC: Is there an “Information technology outsourcing Paradox”? In Hirschheim R, Heinzl A, Dibbern J (eds) Information systems outsourcing. Springer, Berlin Heidelberg; 2009:129–146.View ArticleGoogle Scholar
- Duisberg A: Gelöste und ungelöste Rechtsfragen im IT-Outsourcing und Cloud Computing. In Picot A, Götz T, Hertz U (eds) Trust in IT. Springer, Berlin Heidelberg; 2011:49–70.Google Scholar
- Subashini S, Kavitha V: A survey on security issues in service delivery models of cloud computing. J Netw Comput Appl 2011, 34(1):1–11. 10.1016/j.jnca.2010.07.006View ArticleGoogle Scholar
- Fishbein M, Ajzen I: Belief, attitude. Addison-Wesley, Reading; 1975.Google Scholar
- Diamantopoulos A, Winklhofer HM: Index construction with formative indicators: An alternative to scale development. J Mark Res 2001, 38(2):269–277. 10.1509/jmkr.38.2.269.18845View ArticleGoogle Scholar
- Senk C: Securing inter-organizational workflows in highly flexible environments through biometrics. Proc. of E C I S Pretoria 2010.Google Scholar
- Bortz J: Forschungsmethoden und Evaluation für Human- und Sozialwissenschaftler Springer-Lehrbuch. Springer; 2006.Google Scholar
- Churchill GA: A paradigm for developing better measures of marketing constructs. J Mark Res 1979, 16(1):64–73. 10.2307/3150876MathSciNetView ArticleGoogle Scholar
- Hulland J: Use of partial least squares (pls) in strategic management research: a review of four recent studies. Strateg Manage J 1999, 20(2):195–204. 10.1002/(SICI)1097-0266(199902)20:2<195::AID-SMJ13>3.0.CO;2-7View ArticleGoogle Scholar
- Chin WW: The partial least squares approach to structural equation modeling. Modern Methods Business Res 1998, 295: 336.Google Scholar
- Johnson MD, Herrmann A, Huber F: The evolution of loyalty intentions. J Mark 2006, 70(2):122–132. 10.1509/jmkg.70.2.122View ArticleGoogle Scholar
- Fornell C, Bookstein FL: Two structural equation models: Lisrel and pls applied to consumer exit-voice theory. J Mark Res 1982, 19(4):440–452. 10.2307/3151718View ArticleGoogle Scholar
- Nevitt J, Hancock GR: Performance of bootstrapping approaches to model test statistics and parameter standard error estimation in structural equation modeling. Struct Equation Model Multidisciplinary J 2001, 8(3):353–377. 10.1207/S15328007SEM0803_2MathSciNetView ArticleGoogle Scholar
- Lohmoeller JB: Latent variable path modeling with partial least squares. Physica, Heidelberg; 1989.MATHView ArticleGoogle Scholar
- Sonnenreich W, Albanese J, Stout B: Return On Security Investment (ROSI). In A practical quantitative model Journal of research and practice in information technology. INSTICC Press, Setubal; 2005:239–252.Google Scholar
- Lee D, Park J, Ahn J: Proceedings of the International Conference of Information Systems 2001. On the explanation of factors affecting E-commerce adoption 2001, 109–120.Google Scholar
- Venkatesh V, Bala H: Technology acceptance model 3 and a research agenda on interventions. Decis Sci 2008, 2: 273–315. 39 39View ArticleGoogle Scholar
- Baun C, Kunze M, Nimis J: Cloud computing Web-basierte dynamische IT-services. Springer-Verlag, Berlin and Heidelberg; 2010.Google Scholar
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.