This is a repository copy of Risks in enterprise cloud computing: the perspective of IT
experts.
White Rose Research Online URL for this paper:
http://eprints.whiterose.ac.uk/79144/
Version: Accepted Version
Article:
Dutta, A., Peng, G.C. and Choudhary, A. (2013) Risks in enterprise cloud computing: the
perspective of IT experts. Journal of Computer Information Systems, 53 (4). pp. 39-48.
eprints@whiterose.ac.uk
https://eprints.whiterose.ac.uk/
Reuse
Unless indicated otherwise, fulltext items are protected by copyright with all rights reserved. The copyright
exception in section 29 of the Copyright, Designs and Patents Act 1988 allows the making of a single copy
solely for the purpose of non-commercial research or private study within the limits of fair dealing. The
publisher or other rights-holder may allow further reproduction and re-use of this version - refer to the White
Rose Research Online record for this item. Where records identify the publisher as the copyright holder,
users can verify any specific terms of use on the publisher’s website.
Takedown
If you consider content in White Rose Research Online to be in breach of UK law, please notify us by
emailing eprints@whiterose.ac.uk including the URL of the record and the reason for the withdrawal request.
promoting access to White Rose research papers
White Rose Research Online
eprints@whiterose.ac.uk
Universities of Leeds, Sheffield and York
http://eprints.whiterose.ac.uk/
This is an author produced version of a paper published in Journal of Computer
Information Systems.
White Rose Research Online URL for this paper:
http://eprints.whiterose.ac.uk/79144
Published paper
Dutta, A., Peng, G.C. and Choudhary, A. (2013) Risks in enterprise cloud
computing: the perspective of IT experts. Journal of Computer Information
Systems, 53 (4). pp. 39-48.
http://www.iacis.org/jcis/jcis_toc.php?volume=53&issue=4
Dutta, A., Peng, G.C. and Choudhary, A. (2013). “Risks in enterprise cloud computing: the
perspective of IT experts”. Journal of Computer Information Systems, 53 (4), pp. 39-48
Risks in Enterprise Cloud Computing: the
Perspective of IT Experts
Arnab Dutta
Information School, University of Sheffield,
Regent Court, 211 Portobello Street, Sheffield, S1 4DP, United Kingdom
Guo Chao Alex Peng*
Information School, University of Sheffield,
Regent Court, 211 Portobello Street, Sheffield, S1 4DP, United Kingdom
Telephone: 0044 114 2222658. Email:
g.c.peng@shef.ac.uk
* Corresponding author
Alok Choudhary
Management School, University of Sheffield,
IWP Building, Mushroom Lane, Sheffield, S10 2TN, United Kingdom
ABSTRACT
Cloud computing has become an increasingly prevalent topic in recent years. However, migrating
hitherto internal IT data and applications to the cloud is associated with a wide range of risks and
challenges. The study reported in this paper aims to explore potential risks that organisations may
encounter during cloud computing adoption, as well as to assess and prioritise these risks, from the
perspective of IT practitioners and consultants. A questionnaire was designed and distributed to a
group of 295 highly experienced IT professionals involved in developing and implementing cloud
based solutions, of which 39 (13.2%) responses were collected and analysed. The findings identified
a set of 39 cloud computing risks, which concentrated around diverse operational, organisational,
technical, and legal areas. The most critical top 10 risks perceived by IT experts were found to be
caused by current legal and technical complexity and deficiencies associated with cloud computing,
as well as by a lack of preparation and planning of user companies.
Keywords
Enterprise cloud computing, risks, risk management, legal, technical, data security
1. INTRODUCTION
In the contemporary digital age, Information Technologies (IT) have become an integral part
of the organisational infrastructure of most knowledge-intensive organisations in any sectors
(e.g. manufacturing firms, banks, universities, hospitals, and even governments) and
countries. Traditionally, IT resources (including data, software, CPUs, memory cards, and
servers) are internally hosted and maintained by user organisations. However, accompanied
with continuous business and technology evolution, modern organisations are supported by
an increasing number of IT applications and an ever sophisticated IT infrastructure. This
increasing amount of internal IT facilities and resources has now become very costly and
time-consuming for companies to maintain. Consequently, and also owing to the global
economic crisis started in 2008, organisations nowadays are often facing the dilemma to
remain high usage of advanced IT applications to sustain competitiveness on the one hand,
and to substantially reduce their IT operation and maintenance costs on the other hand. With
the development of new IT and web technologies, cloud computing emerges in recent years
as a solution to this IT dilemma.
2
Cloud computing is an advanced IT model to host and share both software and hardware
resources over the Internet. It allows organisations to use a pool of IT resources and
applications as services virtually through the web, without physically holding these
computing resources internally [1]. This innovative cloud model also enables the on-demand
provision of computing resources on a pay-as-you-go basis. This makes the use of IT
resources similar to the consumption of other daily utilities, such as water and gas [1, 2]. The
emergence of cloud computing also facilitates the progression of IT standardization and
commoditization, which refers to the phenomenon that IT resources (especially infrastructure
resources, e.g. servers, storage, and networks) can be used by user companies as standardized
commodities without the need for being uniquely designed, installed and maintained [3, 4].
However, and despite these attractive features and benefits, migrating the hitherto internal
IT resources and sensitive business data to a third-party cloud vendor is never an easy
decision to be made by CEOs, CIOs and IT managers. In fact, the adoption of cloud
computing is associated with a wide range of potential risks and challenges, which have not
been sufficiently explored and studied by previous researchers. Therefore, the study reported
in this paper aimed to contribute to this research gap by exploring a comprehensive list of
potential risks associated with cloud computing. A systematic literature review was carried
out at the early stage of the research. As a result of this extensive review, the researchers
established a theoretical risk ontology that contains 39 potential risks that organisations may
encounter during cloud computing adoption and usage. A questionnaire was constructed
based on this theoretical risk ontology and it was used to seek IT professionals’ perceptions
of the established cloud risks. This paper is organized in the following manner. The next
section of the paper presents a further introduction and overview of cloud computing.
Subsequently, the research methodology, including the theoretical risk ontology and the
research questionnaire design, is discussed. Section 4 presents the analysis and results
derived from the questionnaire survey and discussed the overall risk findings including top 10
cloud computing risks. Finally, the theoretical and practical implications of the study are
discussed, with conclusions drawn.
2. AN OVERVIEW OF CLOUD COMPUTING
From a historical perspective, computer and IT architecture has evolved rapidly and
significantly over the last half-century, from the originally centric ones to the increasingly
distributed ones. Specifically, terminals and mainframes were used prevalently in the market
during the 1970s and 1980s. In that period of time, people used terminals (i.e. equipments
that were just little more than keyboards and monitors) to connect to local mainframes (i.e.
large computer machines to process and store data) that were shared by many users [5]. Such
traditional terminal/mainframe model resulted in a very centralized computing architecture,
and was shortly replaced by stand-alone personal computers (PCs) – users no longer need to
share a mainframe with other people, in the late 1980s [5]. With the emergence of network
and internet technologies in the 1990s, users can connect their PCs with other computers and
servers to exchange information and documents as well as to use remote applications (e.g.
through the client/server model). In the early 2000s, with the support of new technologies
like Web 2.0 and distributed (e.g. grid and cluster) computing, users can get accessed to a set
of external and shared computer resources through an electronic grid over an Ethernet or the
Internet [5]. It is widely recognised that distributed/grid computing forms the basis of
today’s cloud architecture [6].
Cloud computing can be defined as an IT service model, which delivers a set of
convenient, on-demand, and configurable computing services and resources [2], to clients
3
“over a network in a self-service fashion, independent of device and location [and with
minimal internal IT effort and…] service provider interaction” [7]. These cloud applications
and services can be accessed by not only PCs but also mobile devices, such as smartphones
and tablets. Since the emergence of the concept, a wide range of cloud computing services
have been developed by IT providers. These cloud services can be divided into three main
categories/models [1]:
• Software as a Service (SaaS). In the SaaS model, software applications (e.g.
organisational email systems, office applications, sales/accounting systems, and even
Enterprise Resource Planning or ERP systems) are run on a vendor-managed and
controlled infrastructure, and are made available to clients through web browsers.
• Platform as a Service (PaaS). In the PaaS model, computing platforms are provided
as a service to deploy and run user applications. It offers a programmable
environment and middleware to support IT application development and deployment
in user companies.
• Infrastructure as a Service (IaaS). In the IaaS model, hardware and IT infrastructure
resources (e.g. CPUs, hard discs, databases, and servers) are provided as a service to
companies through the virtualised cloud environment.
Nowadays organizations are increasingly looking for adopting the various cloud services
for supply-chain integration and access to real-time data. Cloud computing also promises to
deliver high-quality and advanced IT services to organisations with substantially reduced
costs [7], such as reduced hardware investments, less maintenance fees, and lower electricity
consumption associated with IT usage. As a result of these features and potential benefits,
cloud computing has been widely perceived as one of the most important development in the
IT industry in the late 2000s. In particular, from 2008 to 2010 Gartner (a well-known global
IT consulting firm) had constantly rated cloud computing as one of the top 10 strategic
technologies, which has the potential to change traditional IT usage in organisations and even
transform the global IT industry [8]. Furthermore, it was expected in a recent report (entitled
“Sizing the Cloud”) published by Forrester Research that, the global market size of cloud
computing will grow rapidly from US$40.7 billion in the early 2010s to US$241 billion in
2020.
However, and despite these very attractive facts, a wide range of risks can actually occur
when adopting cloud computing. A risk can be defined as “the occurrence of an event that
has consequences for, or impacts on a particular project” [9]. This definition implies a
fundamental characteristic of a risk, namely uncertainty. Specifically, there is a probability
that the risk event may occur and can result in an impact on the business processes that may
imply substantial losses. Bearing these principles in mind, for the purpose of this study the
researchers defined a cloud computing risk as:
“the occurrence of an event, which is associated with the adoption and use of cloud
computing, and can have undesirable consequences or impacts on user companies”
For instance, the inherent features of cloud computing determine that IT operation within a
third-party cloud provider will be by no means transparent to user companies, who also have
limited control on the subscribed cloud services [10]. Such lack of transparency and control
may raise potential risk events related to the security and privacy of business and customer
data stored in the cloud [1]. Moreover, user companies need to make a range of internal
changes (e.g. designing new business processes, refining IT roles, and downsizing IT
department) to prepare themselves to the new cloud environment [11]. This however may
