- Open Access
Adoption of security as a service
Journal of Internet Services and Applications volume 4, Article number: 11 (2013)
Security as a Service systems enable new opportunities to compose security infrastructures for information systems. However, to date there are no holistic insights about their adoption and relevant predictors. Based on existing technology acceptance models we developed an extended application-specific research model including formative and reflective measures. The model was estimated applying the Partial Least Squares technique to address the prediction-oriented nature of the study. A subsequent online survey revealed that a large number of industries shows significant and steadily growing interest in Security as a Service. Adoption drivers were investigated systematically.
Companies face an increasing threat regarding the security and safety of their information systems due to the opening of security domains for web-based access in the course of current technological developments such as Federated Identity Management and Cloud Computing[2, 3]. In this regard, Cloud Computing is a model “for enabling convenient, on-demand network access to a shared pool of configurable computing resources […]” . These resources are referred to as Cloud services and can logically be assigned to the infrastructure, (Infrastructure as a Service, IaaS), middleware (Platform as a Service, PaaS) or application software layer (Software as a Service, SaaS) [5, 6]. The Cloud Computing model itself not only induces certain security-related risks, it also opens up new opportunities to obtain innovative security solutions in a technically and economically flexible way in order to cope with rising security demands . The outsourcing of security according to SaaS principles is referred to as Security as a Service (SECaaS) [3, 8]. Such systems are considered to be the next step in the evolution of Managed Security Services (MSS) and differ clearly from traditional outsourcing models or on-premises deployments [3, 8, 9]. According to GARTNER RESEARCH, the demand for SECaaS will grow significantly and might substantially change existing IT security infrastructure landscapes . However, no deep insights about the current adoption and future developments exist. In this regard, based on an expert-group discussiona we defined that the answers to the following research questions (RQ) are important to predict the future of SECaaS:
RQ1: Is there a market for SECaaS enterprise applications in general and for specific application types in particular?
RQ2: Which are the key drivers and inhibitors for the adoption of SECaaS?
RQ3: Which benefits are perceived to be relevant by potential adopters of SECaaS?
RQ4: Which risks are perceived to be relevant by potential adopters of SECaaS?
RQ5: Which organization-specific factors (e.g. company size) affect the acceptance of SECaaS?
The main objective of this paper is to answer these research questions through empirical research in order to gain insights valuable for both potential consumers and providers of SECaaS. The remainder of this paper is structured as follows: Section 2 defines SECaaS and overviews related work regarding the adoption of similar technologies. In Section 3 the research concept is specified and justified. Section 4 gives an overview of the results of the estimation of the research model and the related hypotheses. Afterward, the findings are discussed respecting the specified research questions. Section 5 concludes the paper.
2 Theoretical background
This chapter provides the theoretical background for the context of the study. This includes the object of adoption (SECaaS), which is defined in Subsection 2.1. Subsequently, an overview of related work regarding the adoption of similar technological innovations is provided in Subsection 2.2 in order to identify adequate research approaches.
2.1 Security as a service
SECaaS is a service-oriented approach to IT security architecture and thus a consequent evolution of traditional security landscapes [8, 9]. It is defined as a model for the delivery of standardized and comprehensive security functionality in accordance with the SaaS model [8, 11]. It thus follows the Cloud Computing model. Hence, SECaaS systems are delivered in form of Cloud services complying with related principles. This excludes built-in security controls of existing Cloud services . Key attributes of Cloud services contain the following [5, 6, 12]:
Application and underlying infrastructure are abstracted and offered through service interfaces;
Standardized network access by any device;
Scalability and flexibility of the underlying infrastructure;
Shared and multi-tenant resources;
On-demand self-service provisioning and near real-time deployment;
Flexible and fine grained pricing without up-front commitments.
Based on the market-oriented taxonomy of KARK for outsourced security services  and the adaption of SENK AND HOLZAPFEL we classify SECaaS systems as depicted in Table 1. This classification scheme was recently validated by a survey of existing SECaaS offerings . According to that survey, the majority of existing SECaaS products cover Endpoint Security or Content Security applications . The authors further outline existing systems’ deficient compliance with Cloud and SaaS design principles. Especially inflexible pricing models often restrict the potential value of existent SECaaS systems . It has to be noted that the granularity of SECaaS offerings can vary from fine-grained basic services addressing highly specific security needs (e.g. biometric user authentication) to coarse-grained solutions covering a broad set of security functionalities.
The delivery of security services according to the SECaaS model differs clearly from traditional MSS provisioning and on-premises deployments (see Figure 1). On-premises security systems are deployed, operated, and maintained on the client’s side . This requires the allocation of dedicated IT and human resource capacities. Service costs do not scale up or down with the actual degree of capacity utilization. None of the identified Cloud principles apply . Managed Security Services are characterized in that a dedicated security service instance is set up for a client organization by an external service provider. This involves the prior negotiation of individual Service Level Agreements (SLA) . In this regard, the provider is responsible for the operation and maintenance of the system [15–17]. Such security services do not provide for native multi-tenancy. Hence, the instant service use is not feasible and economies of scale are not exhausted . Additionally, service usage may involve the deployment of dedicated software and hardware components and due to the initial effort required clients are often bound to providers by fixed-term licenses and up-front commitments . Traditional managed service provisioning thus follows the Application Service Providing (ASP) model [12, 14, 20]. In contrast, Security as a Service solutions are fully operated and maintained by the service provider with no dedicated client-sided hardware or software necessary [11, 14]. Full virtualization of the security service ensures the highest degree of capacity utilization. This makes the service usage highly cost-effective to the customer and enables fine-grained pay-per-use models. A virtualized multi-tenancy architecture not only enables the instant start of service use but also leverages inherent data aggregation benefits for service providers . Moreover, operational and organizational flexibility is improved .
2.2 Adoption of related technologies
The term Adoption can be traced back to ROGERS’ (1962) diffusion of innovations theory and is defined as a consumer’s positive decision to accept and use an innovation, which ultimately leads to a positive investment decision and actual use . Adopters can be individuals or organizations .
There are only a few current insights regarding the adoption of the outsourcing of IT security. GARTNER and FORRESTER RESEARCH conducted analyses of the MSS market and forecasted a steady and significant growth [7, 13]. Moreover, FORRESTER RESEARCH surveyed IT security decision makers and identified major benefits of MSS : Quality improvements, 24 ×7 support, cost reduction, and decrease of the complexity of security infrastructures. However, the study is not suitable regarding the research questions identified in this paper since the adoption was not investigated holistically and not focused on Cloud systems.
Benlian et al. conducted a meta-survey of the adoption of SaaS systems and applied different research theories . They concluded that behavioral theories reveal more consistent results regarding the adoption of SaaS systems than economic or strategic research theories . Behavioral theories include the Technology Acceptance Model (TAM) , the Theory of the Diffusion of Innovation, and the Unified Theory of Acceptance and Use of Technology (UTAUT) . The results indicate that the adoption of SaaS technologies is mainly influenced by :
Attitude toward the technology,
Uncertainty of adoption,
Strategic value of respective resources.
However, due to the underlying research design, these results do not provide for causality . BENLIAN ET AL. also concluded that both the adoption and adoption drivers differ across application types, which should be considered in future research . Previous research indicates a higher susceptibility to SaaS adoption for smaller and medium-sized companies  and a different perception of risks and potential benefits by large-scale organizations , although no correlation was discovered between company size and adoption . Udoh applied a combined model including elements of UTAUT and TAM and observed that the adoption of grid, Cloud and related technologies can be causally explained by four predictors :
Effort expectations (Perceived ease of use),
Risk expectations (Trust),
Performance expectations (Perceived usefulness),
Udoh’s model provides a very high level of explanation which indicates a high aptitude for its application in similar technology acceptance studies . Furthermore, its generic constructs can be itemized according to the specifics of subsequent research.
3 Research design
Based on related studies [23, 26], this paper applies the Structural Equations Modeling methodology. For the model estimation involved, the Partial Least Squares technique is used. The methodology is introduced and justified in Subsection 3.1. Subsequently, in Subsection 3.2, a system of hypotheses -the research model- is developed. In Subsection 3.3, the measurement model is derived from this research model.
Common technology acceptance theories like TAM or UTAUT are based on the development and testing of hypotheses regarding the influences of theoretical constructs on each other . A system of hypotheses can be modeled as a system of equations . A common approach to solving such systems is Structural Equations Modeling (SEM) . SEM is defined as “a comprehensive statistical approach to testing hypotheses about relations among observed and latent variables” . Besides the structural model, which primarily prescribes hypothetical relations between latent variables, a measurement model is required to quantize thes variables .
The measurement model prescribes not directly observed (latent) variables of the structural model by a set of measurable indicators . Measurement models can be reflective or formative. Reflective measurement models assume empirically measurable variables. In this regard, the latent variable causes a set of reflective measurement indicators which correlate highly among each other . In contrast, formative measurement models estimate a latent variable, applying a set of indicators, which are assumed to cause the construct . This facilitates the differentiated analysis of the relevance and strength of certain influences on a theoretical construct . Formative measures are mainly intended to explain the composition of a construct, whereas reflective measures only indicate a construct’s outcome . Therefore, on the one hand, formative measures lead to deeper practical insights than reflective ones and are more suitable for practical research applications . On the other hand, such measurement models are restricted regarding the application of quality indicators . To avoid this disadvantage, formative and reflective measures can be combined to form Multiple Indicators, Multiple Causes (MIMIC) models .
To estimate the comprehensive model either co-variance-based approaches (CB-SEM) or the variance-based Partial Least Squares (PLS-SEM) technique can be applied . Both approaches provide different benefits and drawbacks that imply their qualification for specific applications in research [28, 30]. The PLS-SEM technique is more suitable for the research for this study due to four reasons: (1) the prediction-oriented research goal to explain the adoption of SECaaS (dependent variable) as comprehensively as possible; (2) the formative measurement of perceived overall risks and benefits which is required to get a deep and differentiated understanding of the composition of relevant adoption drivers; (3) the small sample size expected relative to the high complexity of the research model implied by the high number of hypothesized influences; (4) the possibility of applying fewer than four indicators for latent variables which is necessary to keep the study’s questionnaire as purposive as possible .
The model estimation was performed using the software SmartPLS developed by Ringle et al. . The tool facilitates the building of both structural and measurement models and was successfully applied in similar studies . Further quality metrics were calculated using the statistics software SPSS PASW Statisticsb.
3.2 Research model
In SEM, hypotheses are relationships between latent variables which are represented by the structural model [27, 28]. The system of hypotheses must be theoretically well-grounded . This was assured since its development was based on related literature in the fields of Cloud Computing, SaaS and MSS, and continuously validated by an expert groupc (Below, this expert group is referred to as the Expert Panel) using a dedicated online discussion platform (PBworksd). The labels used for the study’s constructs represent the essence of the construct and are assumed to be independent regarding their theorized content. Constructs and hypothesized influences are described and justified below.
The endogenous variable Adoption depicts the degree to which a certain entity intends to use SECaaS. This includes both the plan for future deployment [22, 26] and the present adoption by an organization . In this regard, the behavioral intention to use a system and actual use can be modeled either separately or using a single construct . We chose the second option to keep the model purposive. The measurement of this variable allows implications about the current state and future development of the SECaaS market. Thus, we utilize Adoption to cope with RQ1. The variable was hypothesized to be driven by the general determinants for grid and Cloud adoption identified . These address RQ2 and represent the first four hypotheses (H) of this study as depicted in Figure 2: Adoption is significantly influenced by Perceived Ease of Use (H1), Perceived Usefulness (H2), Trust (H3), and Attitude (H4).
3.2.2 Perceived ease of use
This variable is defined as the degree to which the adopter believes that applying SECaaS is effortless [22, 26, 34, 35]. From a client organization’s point of view this involves the integration in the IT security infrastructure [11, 15] as well as the actual use of the system . Cloud-based security systems promise high ease of use since service interfaces are based on standardized internet technologies and can be accessed ubiquitously via thin clients (e.g. web browsers) . It is questionable whether this fact affects the adoption and whether it is reflected by the perception of the adopters.
3.2.3 Perceived usefulness
Perceived Usefulness is defined as the degree to which an organizational adopter believes that the application of SECaaS increases the performance of the organization [22, 26, 34, 35]. Performance expectation is a key driver for adoption [22, 34]. Based on related literature Benlian et al. identified five specific benefit dimensions for SaaS service consumers which are hypothesized for SECaaS according to RQ3 :
Perceived Flexibility Benefits: The SaaS model implies a low organizational dependence of service consumers on service providers. Therefore, switching barriers are low and strategic flexibility regarding IT and IT security architectures is increased [11, 25]. Furthermore, service use can be adapted flexibly to actual quantitative and qualitative needs .
Improved Resource Access: Low entry barriers enable easy access to specific resources, skills and technologies of the external service providers [15, 25]. Particularly mid-sized or smaller organizations might derive advantages from that when they cannot afford the time and effort involved in roviding sophisticated IT security resources on their own .
Perceived Cost & Liquidity Benefits: Multi-tenancy architectures leverage economies of scale at the service providers’ site. At the same time, service consumers’ assumed low switching barriers induce a pricing pressure, forcing service providers to share respective savings. This ultimately leads to lower costs of operation and maintenance for service consumers [13, 15, 25]. Hence, on-demand pricing models enable decreased capital commitment [11, 25]. Furthermore, the outsourcing model facilitates the transfer of financial risks of security incidents and thus the reduction of recovery costs .
Perceived Quality Benefits: Security service providers use to be highly specialized, which implies their ability to provide a higher quality of service [11, 13, 15, 16]. In addition, due to low switching barriers, service providers are forced to provide permanent high service quality . Moreover, multi-tenancy architectures enable cross-client data aggregation and the application of business intelligence techniques . Identified patterns can be used to improve quality of service, such as the performance of anti-virus applications, for instance. Lastly, SECaaS services are permanently up-to-date without the necessity of time-delayed updates at the client’s site .
Improved Focus on Core Business: The outsourcing of certain systems according to SaaS (or SECaaS) de-allocates internal resources [11, 25]. These resources can be (re-)allocated to an organization’s core business, which might increase overall performance [15, 25] - assuming that IT security is not the core competency. Hence, this is also one of the major drivers for IT security outsourcing in general .
Many IT outsourcing programs do not yield expected performance outcomes [39, 40]. Reasons include exaggerated expectations, poorly developed business cases, deficient change management, non-transparency of vendor performance, and lock-in effects . This so-called “IT outsourcing paradox”  might affect the expected usefulness of SECaaS and its influence on the adoption.
The adoption of grid and Cloud systems is highly influenced by perceived risks [18, 23, 26, 41, 42]. This influence is represented by the variable Trust, which is interpreted as a semantic inversion of perceived risk. BENLIAN ET AL. identified SaaS-specific risk dimensions which are hypothesized in analogy to Perceived Usefulness addressing RQ4 :
Perceived Security Risks: The outsourcing of systems according to SaaS implies the loss of control over the processed data and requires the client organization to interface with the external service. This causes risks regarding the enterprise data and affected processes [11, 15, 25, 42]. In this regard, Cloud-specific security risks focus on resource protection, communication and storage security, and authentication and authorization .
Perceived Social Risks: The outsourcing of applications induces social risks including internal resistance or negative influences on the organization’s image .
Perceived Strategy & Compliance Risks: The outsourcing of certain systems might involve the loss of critical capabilities  and, in turn, the risk of an increased dependency on the service provider [15, 37]. Furthermore, the service consumers might lose the control to ensure the compliance with legal and regulative requirements .
Perceived Operational Risks: Since service operation is fully controlled externally there is the risk of the service provider not complying with existing SLAs. This might affect service quality, performance, and availability [15, 25, 42].
The Attitude construct represents an adopter’s individual positive or negative behavior toward an innovation and is considered to be independent from the othervariables [22, 26, 43]. It can be prescribed by individual preferences or perceived relative advantage to related technologies [22, 26]. Its relevance for SaaS adoption is indicated by previous research .
3.2.6 Moderator variables
The validity of PLS-SEM results can be compromised by heterogeneous and conflicting data . Potential sources for heterogeneity can be modeled and tested by means of moderator analyses . Venkatesh et al. propose the use of moderators in addition to key determinants to account for dynamic influences and thus to improve the quality of adoption research models . Moderators are variables that influence the relation between two constructs positively or negatively [22, 28]. Moderators at the individual level include demographic characteristics and organizational context (e.g. gender, age) . Since our research focuses on adoption by organizational entities, we hypothesized new moderators to address RQ5. As part of the aforementioned expert workshop in the course of a session of the “IT security solutions” working group of the German Federal Association for Information Technology, Telecommunications and New Media, and based on related literature, we identified four relevant factors: Company size, industrial sector, a company’s role in the Cloud ecosystem, and the strategic value of IT security. Moreover, we considered the respondent’s job function and the division in which he or she works as potential sources for heterogeneity and modeled respective moderator variables.
Based on the constructs of the specified structural model a measurement model was developed. Therefore, an initial literature review was conducted in order to identify and classify the major related indicators which semantically describe the structural model’s constructs. These indicators were presented to the Expert Panel via the aforementioned collaboration system PBworks. The experts actively discussed and supplemented the indicator set which was subsequently revised by the authors of this paper and transformed to the study’s online questionnaire. Finally, the Expert Panel approvede the measurement model (including the online questionnaire).
The measurement model includes both formative and reflective elements to account for the methodological problems mentioned in Subsection 3.1. We developed two-construct MIMIC models separating formative and reflective indicators for the major latent variables Perceived Ease of Use, Perceived Usefulness, Trust, and Adoption. Within the structural equations model the latent variable is represented by a reflective construct; one or more formative constructs model the composition of the variable . For the reflective (refl.) constructs, existing published measures were applied. Formative (form.) constructs and indicators were based on related work and both specified and validated by the Expert Panel. The MIMIC models for Perceived Usefulness and Trust each consist of one reflective and several formative elements representing the respective benefit and risk dimensions as depicted in Figure 2. In this regard, operational and financial risks were merged to one variable. The remaining two variables were measured linking only one formative element. Table 2 provides an overview of all indicators of the study’s primary variables and the variable Strategic Value of IT Security. The Company Size was determined by means of the company turnover and headcount. The remaining organization-specific factors were each measured by one global indicator with nominal scale.
All indicators were transformed into questionnaire items in German following general construction guidelines [28, 46]. As mentioned in the beginning of this section, the supporting expert group validated the wording and soundness of all items as well as the structure of the entire questionnaire from a semantic point of view as suggested by CHURCHILL. SEM requires metrically-scaled data for further analysis . Thus, we applied a systematically constructed seven-point Likert scale, which produces data that can be interpreted metrically for SEM model estimations [28, 46].
This section presents the empirical investigation of the research model. In Subsection 4.1, the sample and the process of data collection are described. In Subsection 4.2, implications regarding the market for SECaaS applications are deduced from descriptive data analysis. In Subsection 4.3, the model estimation including quality and hypotheses testing is laid out. Finally, in Subsection 4.4, the results are discussed respecting the research questions of the study.
4.1 Data collection and sample
The survey yielded 202 returns. The data was processed and cleaned as suggested by WEIBER AND MüHLHAUS. Accordingly, incomplete records were excluded. For the remaining records the squared Mahalanobis distances were calculated in order to identify those deviating markedly from the centroid; three outliers were identified and excluded. This left 160 records for further analysis.
The composition of the sample is depicted in Tables 3, 4, 5, 6 and 7 by means of the measured non-metrically scaled organization-specific factors. Of the participating companies, 44.4% originate from the IT sector, which indicates its relatively higher affinity toward SECaaS compared to other industrial sectors (see Table 3). Almost half of the sample (48.1%) consists of large-scale organizations. Medium-sized and smaller organizations each represent about a quarter (see Table 4). Regarding a company’s primary role in the Cloud ecosystem, most respondents (53.8%) evaluate their organization to act as exclusive potential consumer of SECaaS. Further 23.1% see their organization in a hybrid role, potentially doing both consuming and providing SECaaS. Only 23.1% do not consider to consume SECaaS at all (see Table 5). Table 6 shows the composition of the sample grouped by the respondents’ job function. The majority (37.5%) has an executive position. Also in this regard, most respondents originate from their organization’s IT department. Other divisions are under-represented (see Table 7). The variable Strategic Value of IT Security was measured by one reflective item on a seven-point Likert scale (Mean: 6.244, standard deviation: 1.080). We assume the sample to be compliant with the study’s target population and thus representative for the adoption of SECaaS.
4.2 Market implications
The measurement of the study’s dependent variable Adoption reveals several implications about the market for SECaaS (RQ1). It was measured by two constructs: a reflective element covering the actual use and use intent of SECaaS in regard to the planning horizon, and a formative one containing different security application types. 18.1% of the respondents indicate that their organization is currently using SECaaS. The data further indicates a steadily rising adoption rate. In the long term, over 30% of the surveyed organizations clearly intend to use SECaaS. Only 16% exclude the possibility of its use entirely. The positive development of the adoption of SECaaS in regard to the organizations’ planning horizon is shown in Table 8.
Respondents were asked whether their organization uses or intends to use certain SECaaS application types. Content Security, Endpoint Security, and Vulnerability & Threat Management solutions exhibit especially high adoption rates. Whereas the market is already dominated by the first two application types, the diffusion of Cloud-based Vulnerability & Threat Management services is relatively low . This indicates a high level of future adoption, especially for this type of application. Hence, the data indicate a very weak current and future interest in Compliance & IT Security Management products. Other types of application are middle-ranking. The overall results and detailed findings specific to industrial sector and company size are summarized in Table 9.
4.3 Model estimation
4.3.1 Evaluation of the measurement model
The assessment of reflective measurement models includes their reliability and validity [28, 30]. An indicator’s reliability can be assumed for a minimal factor loading of 0.7 [30, 50]. For values between 0.4 and 0.7 indicators should only be eliminated if this increases the construct’s Average Variance Extracted (AVE) value . Indicators with lower factor loadings indicate deficient reliability and should be removed . According to these requirements, all reflective indicators featured reliability. The reliability of a construct is routinely estimated by means of its Composite Reliability (CR) indicating its internal consistency . CR values should be 0.7 or higher [30, 49]. This requirement is met for all latent variables. The assessment of the validity of the measurement model includes discriminant validityg and convergent validityh. Discriminant validity was verified by calculating cross loadings . All indicators have a higher correlation with the appertaining latent variable than with others and thus provide for discriminant validity. Furthermore, for each variable the AVE exceeds the minimal value of 0.5, which indicates the convergent validity of the entire measurement model [30, 51]. Table 10 summarizes key metrics of the study’s major latent variables including CR and AVE values. For Attitude no AVE value was calculated since no formative measures were applied.
The evaluation of formative indicators aims to support their relevance for the measured construct . This includes the strength and the significance of its influence . The significance can be determined by means of the bootstrap procedure calculating t-values . A formative indicator’s influence is assumed to be significant for a t-value = 1.646 (level of significance α = 10%, degrees of freedom df = 1,000). Weights should be 0.1 or higher. Though the results quantitatively indicate the minor relevance of four formative indicators they did not have to be excluded since the Expert Panel strongly supported their inclusion from a qualitative point of view [28, 30]. Table 11 summarizes weights and significances of the formative indicators for Perceived Usefulness grouped by the corresponding benefit dimension. Additionally, the significance of the influence of the respective dimension on the core construct Perceived Usefulness (refl.) is shown. In analogy, Table 12 describes the MIMIC measurement model for Trust. The measurement model does not contain any redundant formative indicators: the Variance Inflation Factor (VIF) indicating multi-colinearity was calculated for all indices. All values (range [1.3; 4.2]) are smaller than the critical value of 5.0; thus, no indicators had to be reconsidered [30, 44].
Since the measurement model meets existing requirements entirely, valid estimations of the study’s latent variables can be assumed. This is requisite for the subsequent evaluation of the structural model [28, 30].
4.3.2 Evaluation of the Structural Model
The evaluation of the structural model includes the degree of determination of the model’s latent variables and the evaluation of the hypothesized relations between them . All independent latent variables meet the required minimal coefficient of determination (R2) value of 0.3 and are thus sufficiently explained  (see Table 10). Due to the study’s predictive research goal the R2 of the dependent variable is of special importance . CHIN suggests a critical value of 0.67 for substantial predictions . This requirement is met for the study’s dependent variable Adoption (R2 = 0.71). We additionally proved the model’s capacity to predict the dependent variable by means of the Stone-Geisser test (cross-validated redundancy Q2 = 0.489 > 0) . Thus, we consider the adoption of SECaaS to be explained comprehensively by this study’s proposed model. To test the significances of the model’s hypothesized relations, the bootstrap method (df = 1,000) was applied and t-values were calculated [31, 52]. In regard to the study’s non-directional hypotheses, the influence of one variable on another is considered to be significant when α = 10%[28, 30]. Thus, a hypothesis is supported when the corresponding t-value ≥1.646 and the respective null hypothesis is falsified . To get a deeper understanding of the relations we tested three levels of significance: α = 10% (*, t-value = 1.646); α = 5% (**, t-value = 1.962); α=1% (***, t-value = 2.581). Moreover, corresponding path coefficients were calculated indicating both strength and direction of a variable’s influence . According to Lohmoeller path coefficients ≥ 0.1 indicate relevance .
All in all 10 of the original 50 hypotheses were supported. Of the hypothesized key determinants only Attitude does not have a significant influence on Adoption. This might be caused by the consideration of the individual organization-specific factors; however, we did not find any relations between these variables and Attitude. The investigation of the MIMIC measurement models of Perceived Usefulness and Trust revealed that the respective constructs are determined by very few factors. Only quality, and cost and liquidity benefits matter significantly for Perceived Usefulness. Ex post we identified the significant influence of Trust and Perceived Ease of Use on the variable Perceived Usefulness. Trust is negatively correlated with security risks, social risks, and strategy and compliance risks. Financial and operational risks do not matter. Investigating the organization-specific factors we identified a moderating effect of Role in Cloud Ecosystem on the relationship between Perceived Usefulness and Adoption, and a direct (positive) influence of the Strategic Value of IT Security on Perceived Usefulness. Company Size and Industrial Sector do have neither a direct nor indirect influence on the adoption of SECaaS. However, in the course of a more detailed analysis we found that financial risks matter more for bigger organizations, while social, operational, and strategy and compliance risks are more important to smaller organizations. Figure 3 depicts the reduced model including supported hypotheses. The path coefficients and significances of the hypothesized key drivers are summarized in Table 13.
Below, the findings are discussed in regard to the research questions considering related findings.
4.4.1 RQ1: Is there a market for SECaaS enterprise applications in general and for specific application types in particular?
The market for SECaaS applications is still emerging. The study indicates an already significant and steadily growing acceptance by enterprise consumers. The adoption varies across different security service application types, which supports previous findings about SaaS . The market’s focus is on applications for Content Security, Endpoint Security, and Vulnerability & Threat Management.
4.4.2 RQ2: Which are the key drivers and inhibitors for the adoption of SECaaS?
Key drivers for the adoption of SECaaS are effort expectancies, perceived usefulness, and trust regarding the adoption of respective applications. These results basically confirm UDOH’s findings regarding the adoption of grid and Cloud technologies . Only the influence of the adopter’s individual attitude toward the technology [23, 26] was not supported for this research context. Hence, the influence of perceived risks and thus the uncertainty of SECaaS adoption is more significant than the influence of the other drivers, including perceived usefulness. This supports the findings of BENLIAN ET AL. regarding SaaS adoption .
4.4.3 RQ3: Which benefits are perceived to be relevant by potential adopters of SECaaS?
The perceived usefulness of SECaaS is forged by quality as well as cost and liquidity benefits. Quality benefits mainly reflect the expected return in terms of an increased level of security and regulative compliance. Cost and liquidity benefits include the reduction of direct security expenditures and recovery costs. Thus, according to the adopter’s perception, SECaaS potentially increases return on security investments . Hence, the expected performance of SECaaS systems is positively correlated with effort expectancies and trust, which supports previous empirical findings [22, 55, 56].
4.4.4 RQ4: Which risks are perceived to be relevant by potential adopters of SECaaS?
Major barriers to SECaaS adoption are perceived security, social, strategy and compliance risks. Perceived social risks are mainly driven by expected internal resistance. In this context, an inherent problem is the possible fear of the direct loss of competencies in the course of outsourcing certain security systems. The significance of social influences regarding SaaS adoption was already identified by BENLIAN ET AL.. To increase trust and thus future adoption the effectiveness of technical and organizational controls securing Cloud-based security services must be conveyed transparently to potential SECaaS consumers. Specific certification programs for service providers might support this, for example.
4.4.5 RQ5: Which organization-specific factors affect the acceptance of SECaaS?
The individual strategic value of IT security for an organization’s business directly influences the perceived usefulness of SECaaS. The expected performance is thus higher for organizations with higher demands on IT security from a business point of view. This coherence was already laid out by BENLIAN ET AL. regarding SaaS . Moreover, for the organization’s role in the Cloud ecosystem a moderating effect on the relation between the variables Perceived Usefulness and Adoption was identified. This means that perceived benefits matter less for the actual adoption of SECaaS technologies when the organization itself provides Cloud services for external customers, acting in the role of a Value Added Reseller. On the contrary, general organization-specific factors like company size or industrial sector do not have any significant effects on the adoption. This, on the one hand, conflicts with the general rationale that SECaaS is particularly relevant for companies with limited capacities regarding IT security; on the other hand, however, it confirms previous findings regarding the adoption of SaaS .
The applied methodology (PLS-SEM) is often criticized because calculations tend to be less precise compared to alternative CB-SEM techniques. However, PLS-SEM is more qualified for the application in this study as already laid out in Subsection 3.1. Considering the complexity of this study’s research model and the achievable sample size, the application of CB-SEM would not have revealed valid results (compare e.g. [27, 28, 30]), which supports the authors’ research design decision. The sample was selected among organizations with an existing affinity toward IT. Therefore we assume the sample to be representative for potential SECaaS adopters but not for all organizations. The survey explicitly addressed companies in the German-speaking area. Even though it is assumed to provide general insights about the adoption of SECaaS, observations might vary among different markets, for instance due to location-specific data protection regulations. Furthermore, the adoption of SECaaS by private consumers has not been considered and thus remains open for future research.
This paper systematically investigates the adoption of SECaaS. An application-specific research model was developed based on existing technology acceptance models. The model was estimated applying the Partial Least Squares technique to address the prediction-oriented nature of the study. Based on 160 valid responses from companies in the German-speaking area, we investigated the market potential for SECaaS, key adoption drivers, the relevance of certain risks and benefits, and the influence of organization-specific factors like company size or industrial sector.
The results make valuable contributions for both practice and research. They provide a benchmark for potential adopters of SECaaS. Moreover, the findings support the understanding of the adoption behavior of enterprise consumers. Service providers can use this understanding to direct research, development and marketing programs by considering the significance of perceived security-related risks, for instance. Therefore, this study contributes to driving the future adoption of SECaaS, addressing existing threats to the security of enterprise information systems. Moreover, the developed research model including its measures was validated and can be applied for related future studies.
Future research should reflect the adoption of Cloud-based security services in other markets, survey specific security application types, investigate most relevant application fields and success drivers.
aSession of the “IT security solutions” working group of the German Federal Association for Information Technology, Telecommunications and New Media (BITKOM e.V., see: http://www.bitkom.de last access: 01 August 2012).
bhttp://www.spss.com.hk/statistics/ (last access: 29 September 2012).
c16 selected IT and IT security professionals of the German Federal Association for Information Technology, Telecommunications and New Media (BITKOM e.V.).
dhttp://pbworks.com (last access: 01 August 2012).
eTherefore, a simple online poll with the options “I do not approve”, “I am ok” and “I fully approve” was conducted. Four experts responded “I am ok” and eight fully approved.
fAccording to the European Commission, the number of a company’s employees and its turnover (alternatively: balance sheet total) indicate its size. Companies are categorized as follows: “micro”, when number of employees < 10 and turnover ≤ € 2,000,000; “small”, when number of employees < 50 and turnover ≤ € 10,000,000; “medium-sized”, when number of employees < 250 and turnover ≤ € 50,000,000. Larger organizations are labelled as “large-scale”. See: http://ec.europa.eu/enterprise/policies/sme/facts-figures-analysis/sme-definition(last access: 01 August 2012).
gDiscriminant validity is provided for when an indicator’s loading with the assigned construct is higher than with remaining constructs. An indicator’s loading with non-assigned constructs is referred to as cross loading.
hConvergent validity expresses the degree to which a latent variable explains the variance of assigned indicators.
Hommel W: Architektur- und Werkzeugkonzepte für föderiertes Identitäts-Management. Dr. Hut, München 2007.
Brock M, Goscinski A: Toward a framework for cloud security. In Algorithms and architectures for parallel processing, Lecture Notes in Computer Science, vol. 6082. Edited by: Yeo SS, Park J, Yang L, Hsu CH, Hsu CH, Yang L, Park J, Yeo SS. Springer, Berlin/Heidelberg; 2010:254–263.
Rittinghouse J, Ransome J: Cloud computing: implementation, management, and security. CRC, Boca Raton; 2010.
Mell P, Grance T: The nist definition of cloud computing. Natl Ins Stand Technol 53 (6) 2009, 50. [http://csrc.nist.gov/publications/nistpubs/800–145/SP800–145.pdf] 
Furth B: Cloud computing fundamentals. In Handbook of Cloud Computing. Edited by: Escalante A, Furth B, Furth B, Escalante A. Springer, US, Boston; 2010:3–20.
Höfer C, Karagiannis G: Cloud computing services: taxonomy and comparison. J Internet Serv Appl 2011, 2(2):1–14.
Gartner: Gartner says security delivered as a cloud-based service will more than triple in many segments by 2013 (2008). [http://www.gartner.com/it/page.jsp?id=722307] 
Hafner M, Mukhtiar M: Seaas - a reference architecture for security services in soa. JUCS 2009, 15(15):2916–2936.
Peterson G: Service-oriented security indications for use. Comput Sci Eng 2009, 7: 91–93.
Smith DM: Hype cycle for cloud computing 2010. 2010.http://www.gartner.com/DisplayDocument?doc_cd=201557 
Staudenrauss P: Untersuchung und Bewertung von Security-as-a-Service-Diensten. In Seminar IT-Sicherheit - Sicherheit und Vertrauen in Cloud Computing. Edited by: Helmbrecht U, Kretzschmar M, Eiseler V. Institut füur Technische Informatik, München; 2011:49–74.
Mather T, Kumaraswamy S, Latif S: Cloud security and privacy: an enterprise perspective on risks and compliance. O’Reilly Media Inc, Sebastopol; 2009.
Kark K, Penn J, Whiteley R, Coit L: Market overview: Managed security services. 2010. http://www.forrester.com/Market+Overview+Managed+Security+Services/fulltext/-/E-RES56068?objectid=RES56068
Senk C, Holzapfel A: Market overview of security as a service systems. In ISSE 2011 Securing Electronic Business Processes Edited by: Schneider W, Reimer H, Pohlmann N, Pohlmann N, Reimer H, Schneider W. 2011.
Allen J, Gabbard D, May C: Outsourcing Managed Security Services. Carnegie Mellon University Software Engineering Institute; 2003. [http://books.google.de/books?id=CFGnNwAACAAJ] 
Deshpande D: Managed security services: an emerging solution to security. In Proceedings of the 2nd annual conference on Information security curriculum development, InfoSecCD ’05. ACM, New York; 2005:107–111.
Keuper F, Wagner B, Wysuwa H: Managed services: IT-Sourcing der nächsten Generation. Gabler; 2009. [http://books.google.de/books?id=5J7Qbx2GIYIC] 
Martens B, Teuteberg F: Decision-making in cloud computing environments: A cost and risk based approach. Inf Syst Front 2011, 14(4):1–23.
Huber M: IT-security in global corporate networks. Center for Digital Technology and Management, München; 2002.
Karyda M, Mitrou E: A framework for outsourcing is/it security services. Inf Manag Comput Secur 2006, 14(5):402–415. 10.1108/09685220610707421
Rogers E: Diffusion of Innovations. Simon & Schuster, New York; 2003.
Venkatesh V, Morris MG, Davis GB, Davis FD: User acceptance of information technology: Toward a unified view. MIS Q 2003, 27(3):425–478.
Benlian A, Hess T: Drivers of saas-adoption – an empirical study of different application types. Business Inf Syst Eng 2009, 1: 357–369. 10.1007/s12599-009-0068-x
Davis FD, Bagozzi RP, Warshaw PR: User acceptance of computer technology: A comparison of two theoretical models. Manage Sci 1989, 35(8):982–1003. 10.1287/mnsc.35.8.982
Benlian A, Hess T, Buxmann P: Software-as-a-Service: Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen. Gabler, Betriebswirt.-Vlg; 2010.
Udoh E VDM Verlag Dr. Müller e.K., Saarbrücken; 2010.
Hoyle R: Structural equation modeling: concepts, issues and applications. Sage Publications, New York; 1995.
Weiber R, Mühlhaus D: Strukturgleichungsmodellierung: Eine anwendungsorientierte Einführung in die Kausalanalyse mit Hilfe von AMOS, SmartPLS und SPSS. Springer, Berlin, Heidelberg; 2010.
Edwards JR: On the nature and direction of relationships between constructs and measures. Psychol Methods 2000, 5(2):155–174.
Hair J, Ringle CM: PLS-SEM: Indeed a silver bullet. J Mark Theory Pract 2011, 19(2):139–151. 10.2753/MTP1069-6679190202
Ringle CM, Wende S, Will A: Smartpls 2.0. 2005.http://www.smartpls.de
Bliemel F: Handbuch PLS-Pfadmodellierung: Methoden, Anwendung, Praxisbeispiele. Schäffer-Poeschel, Stuttgart, Germany; 2005.
Hamre LJ: Exploring the use of social capital to support technology adoption and implementation. Ph.D. thesis, University of Bath; 2008.
Davis FD: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 1989, 13(3):319–340. 10.2307/249008
Thompson RL, Higgins CA, Howell JM: Personal computing: Toward a conceptual model of utilization. MIS Q 1991, 15(1):125–143. 10.2307/249443
Cranor L, Garfinkel S: Security and Usability. O’Reilly Media, Inc, Sebastopol; 2005.
Böhme R: Security metrics and security investment models. In Echizen I, Kunihiro N, Sasaki R(eds) Advances in Information and Computer Security, Lecture Notes in Computer Science, vol. 6434. Springer, Berlin /Heidelberg; 2010:10–24.
Schwarze L, Müller: IT-outsourcing - Erfahrungen, status und zukünftige herausforderungen. HMD-Praxis der Wirtschaftsinformatik; 2005. http://ephorie.de/pdfs/Schwarze_IT-Outsourcing-Erfahrungen_Status_und_zukuenftige_Herausforderungen.pdf
Aubert BA, Patry M, Rivard S: Assessing the risk of IT outsourcing. In Proceedings of the Thirty-First Hawaii International Conference on System Sciences, Volume VI. Organizational Systems and Technology. IEEE Computer Society, Washington, U.S.A.; 1998:685–693.
Rouse AC: Is there an “Information technology outsourcing Paradox”? In Hirschheim R, Heinzl A, Dibbern J (eds) Information systems outsourcing. Springer, Berlin Heidelberg; 2009:129–146.
Duisberg A: Gelöste und ungelöste Rechtsfragen im IT-Outsourcing und Cloud Computing. In Picot A, Götz T, Hertz U (eds) Trust in IT. Springer, Berlin Heidelberg; 2011:49–70.
Subashini S, Kavitha V: A survey on security issues in service delivery models of cloud computing. J Netw Comput Appl 2011, 34(1):1–11. 10.1016/j.jnca.2010.07.006
Fishbein M, Ajzen I: Belief, attitude. Addison-Wesley, Reading; 1975.
Diamantopoulos A, Winklhofer HM: Index construction with formative indicators: An alternative to scale development. J Mark Res 2001, 38(2):269–277. 10.1509/jmkr.38.2.269.18845
Senk C: Securing inter-organizational workflows in highly flexible environments through biometrics. Proc. of E C I S Pretoria 2010.
Bortz J: Forschungsmethoden und Evaluation für Human- und Sozialwissenschaftler Springer-Lehrbuch. Springer; 2006.
Churchill GA: A paradigm for developing better measures of marketing constructs. J Mark Res 1979, 16(1):64–73. 10.2307/3150876
Hulland J: Use of partial least squares (pls) in strategic management research: a review of four recent studies. Strateg Manage J 1999, 20(2):195–204. 10.1002/(SICI)1097-0266(199902)20:2<195::AID-SMJ13>3.0.CO;2-7
Chin WW: The partial least squares approach to structural equation modeling. Modern Methods Business Res 1998, 295: 336.
Johnson MD, Herrmann A, Huber F: The evolution of loyalty intentions. J Mark 2006, 70(2):122–132. 10.1509/jmkg.70.2.122
Fornell C, Bookstein FL: Two structural equation models: Lisrel and pls applied to consumer exit-voice theory. J Mark Res 1982, 19(4):440–452. 10.2307/3151718
Nevitt J, Hancock GR: Performance of bootstrapping approaches to model test statistics and parameter standard error estimation in structural equation modeling. Struct Equation Model Multidisciplinary J 2001, 8(3):353–377. 10.1207/S15328007SEM0803_2
Lohmoeller JB: Latent variable path modeling with partial least squares. Physica, Heidelberg; 1989.
Sonnenreich W, Albanese J, Stout B: Return On Security Investment (ROSI). In A practical quantitative model Journal of research and practice in information technology. INSTICC Press, Setubal; 2005:239–252.
Lee D, Park J, Ahn J: Proceedings of the International Conference of Information Systems 2001. On the explanation of factors affecting E-commerce adoption 2001, 109–120.
Venkatesh V, Bala H: Technology acceptance model 3 and a research agenda on interventions. Decis Sci 2008, 2: 273–315. 39 39
Baun C, Kunze M, Nimis J: Cloud computing Web-basierte dynamische IT-services. Springer-Verlag, Berlin and Heidelberg; 2010.
The author declare that they have no competing interests.
Electronic supplementary material
About this article
Cite this article
Senk, C. Adoption of security as a service. J Internet Serv Appl 4, 11 (2013). https://doi.org/10.1186/1869-0238-4-11
- Cloud computing
- Partial least squares
- Security as a service