https://orcid.org/0000-0002-9882-3341
![Sample our Information Science journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5940/TOC-Subject-Sample-2021-Communication-Studies.jpg"})
ABSTRACT
This research examines how a firm’s cloud storage implementation affects different types of security breaches in both the short- and long-term. Building on the attention-based view, we find that cloud storage implementation positively relates to a firm’s external breaches and accidental internal breaches in the short-term. However, the positive relationship between cloud storage implementation and external breaches diminishes over time and becomes insignificant long-term. Our results demonstrate a long-term security advantage of cloud storage in reducing accidental internal breaches. We did not find a significant association between cloud storage and malicious internal breaches. Findings highlight the need for firms to direct limited resources to different security risks in the short- and long-term of cloud storage implementation over time. This research contributes to our understanding of cloud storage’s security implications and explicitly theorizes the role of attention in firm IT security management. We contribute to the attention-based view by contextualizing the theory to IT security. We highlight temporal dynamics through distinct attentional mechanisms, including selective attention, attentional flexibility, and attentional vigilance.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Supplementary material
Supplemental data for this article can be accessed online at https://doi.org/10.1080/07421222.2023.2301177
Notes
1. Tilley, A. “SolarWinds Hack Pits Microsoft Against Dell, IBM over How Companies Store Data,” The Wall Street Journal, February 27, 2021.
2. Source: https://enterprise.verizon.com/resources/reports/2021/2021-data-breach-investigations-report.pdf
5. Ocasio [Citation42] calls this “executive attention,” but we refer to this as attentional flexibility for clarity and simplicity.
6. We collected all available transcripts retrieved from a Google search using the keywords: (“CIO” OR “CISO”) AND “interview” AND “cloud.” We conducted a content analysis of the collected transcripts in the following procedure. First, the authors read through the collected transcripts and identified what the executive highlighted in each transcript. Second, we grouped each transcript’s highlighted topics (e.g., functionality, security) to synthesize common attention allocation patterns. When a transcript is not explicit about the attention tradeoff, we assume that the highlighted topics attract the executive’s attention. Third, we organized the transcripts into short-term and long-term groups based on the interview’s time relative to the company’s cloud storage implementation time. Finally, we fitted the transcripts to each theorized attentional mechanism as anecdotal evidence.
7. Refer to https://www.crowdstrike.com/cybersecurity-101/cloud-security/shared-responsibility-model/ for more details about the shared responsibility model of cloud storage.
8. It is notable that although some firms may be aware of the cloud technology’s security risks, the strength of their attention to the security issues is likely to be lower than functionality issues in the shorter-term of cloud usage.
9. Source: https://thisweekhealth.com/captivate-podcast/today-is-the-cloud-more-secure-than-on-prem/
11. Source: https://www.greenpages.com/blog/it-management/cio-focus-interview-kevin-hall-greenpages-logicsone
16. Source: https://cioinfluence.com/security/cio-influence-interview-with-darren-williams-ceo-and-founder-at-blackfog/
17. Source: https://cioinfluence.com/data-management/cio-influence-interview-with-dave-grant-president-at-nasuni/
18. Source: https://thisweekhealth.com/captivate-podcast/today-is-the-cloud-more-secure-than-on-prem/
22. Source: https://cioinfluence.com/data-management/cio-influence-interview-with-dave-grant-president-at-nasuni/
23. In addition to the covariates in our final PSM model, we have initially included: (1) hospitals’ number of data storage types and the number of applications that physicians can access via a dashboard to approximate their data storage demand; (2) number of IT employees and number of laptops and computers as additional proxy of IT resources; (3) hospital age, number of employees, and status (i.e., academic or not, owned properties or leased) as institutional characteristics; and (4) number of security breaches in the past three years as additional proxy of security concerns. Then, we ran models sequentially by dropping the variable with the highest p-value of estimated coefficient each time. We end the model selection process when all covariates have significant coefficients.
24. We used the “cloud-based storage” category reported in the HIMSS database’s “LongTermStorage” table when measuring hospitals’ cloud storage usage. The HIMSS database did not explicitly define the cloud-based storage and clarify whether it refers to public or private cloud. However, based on our examination of the data, we believe it focuses more on the public cloud. Specifically, we examined the product descriptions of the cloud storage vendors reported in the HIMSS database. Several vendors are typical public cloud storage providers, such as Amazon Web Services (AWS), Box Inc., Citrix Systems Inc., and Microsoft. Other vendors have commonly developed cloud-based healthcare IT solutions built on AWS or Google Cloud Platform, for example, Cloudwave Healthcare IT Solutions, Ambra Health, and GE Healthcare.
We also acknowledge that some hospitals may purchase private cloud from the cloud service providers. However, regardless of private or public cloud, the major tradeoffs in attention allocation and main players in the cloud usage context (i.e., client firms, cloud user employees, and cloud service providers) exist. Hospitals’ public cloud usage may observe stronger impacts on security breaches than private cloud use. Thus, the possible existence of both public and private cloud will make our empirical test more conservative. Therefore, not explicitly clarifying private versus public cloud storage in the HIMSS database should not be a concern of validating our theoretical development.
25. We are not estimating panel data Logit, Probit, or ordered Logit models as the main analysis due to their disadvantages of controlling for time-invariant heterogeneity. Specifically, using unconditional fixed effects in these models will cause the incidental parameters problem that produces inconsistent estimates, while conditional fixed effects will drop all panels with no variation in the dependent variable (i.e., firms without any data breaches in the sample). To ensure the stability of our results, we also ran Logit and ordered Logit models as robustness checks and obtained consistent results.
26. We also ran robustness checks using the ratio of hospitals in the local area with cloud storage to measure the instrumental variables HSACloud and HRRCloud and found consistent results. The results are not reported due to space limits but are available upon request.
Additional information
Funding
Notes on contributors
He Li
He Li ([email protected]) is an Assistant Professor of Information Systems at Wilbur O. and Ann Powers College of Business, Clemson University. His research focuses on organizational competitive strategies in IT-enabled emerging contexts such as digital platform ecosystems, IT security management, and transportation information systems. Dr. Li’s research has been published in such journals as MIS Quarterly, Journal of Management Information Systems, Journal of the Association for Information Systems, and Journal of Operations Management.
William J. Kettinger
William J. Kettinger ([email protected]) is the W.S. Lee Distinguished Professor of Information Systems at Clemson University. He previously served as the FedEx Chair of Excellence in MIS at the University of Memphis. Dr. Kettinger’s research interests include strategic information management, platforms and digital business strategy, cybersecurity, IS service quality, and supply chain, and process management. He publishes in the Journal of Management Information Systems, MIS Quarterly, Information Systems Research, Journal of the Association for Information Systems, Journal of Operations Management, and Sloan Management Review. He serves as a senior editor of MIS Quarterly Executive, senior editor emeritus of MIS Quarterly, and has served as an associate editor of MIS Quarterly, Information Systems Research, and Journal of the Association for Information Systems, and has three times served as a special issue editor for Journal of Management Information Systems.
Sungjin Yoo
Sungjin Yoo ([email protected]) is an Assistant Professor of Information Systems in the School of Business Administration at Soongsil University, Korea. He holds a Ph.D. in Business Information & Technology from the University of Memphis. Dr. Yoo’s research is focused on IT security, sharing economy platforms, and IT strategy, among other areas. His work has been published in such journals as the Journal of Management Information Systems, Journal of Operations Management, Journal of Strategic Information Systems, and MIS Quarterly Executive.