It hasn’t often appeared as a topic in this blog, but I have an interest in information security. Recently, I’ve been looking at some data on how a group of businesses have decided to (not) move to the cloud – security emerged as a key consideration (not surprisingly). This blog post explores one theory (TOE) which claims to explain how these decisions are made, focusing on how well it copes with the importance of security. Apologies in advance for the somewhat dry academic style.
I’m still getting my thoughts together, so feedback and corrections are very welcome.
Some background: The TOE framework
Like individuals, organisations and businesses are constrained by circumstances when making decisions. One important choice a business can make is whether to implement a technology that is new to it (such as cloud computing). Researchers have long been exploring frameworks to explain what factors affect management choices. Without an explanation, we are left with gut feelings or statistical correlations, and not much in the way of understanding of why some factors are more important.
This blog post looks at one model of innovation adoption, called Technology, Organisation and Environment (TOE). TOE is an extension of a well-known, frequently used theory called Diffusion of Innovation, which has been developed by Everett Rogers since the 1950s. It claims to provide a mechanism for explaining an organisation’s response to a new technology by assessing internal and external factors that influence adoption of new technological innovations.
Figure 1 A typical TOE model
The diagram above gives a quick overview of how TOE approaches the factors behind the decision. Over the last 20 years, a body of research has expanded the three top-level contexts by developing a number of different variables which have been used to explain their impact in different business environments: the eight bulleted items above reflect the most commonly used variables.
From my perspective, what is interesting is that there is nothing in TOE that has a clear link to information security – but security is a major (and growing) factor in technology adoption decisions. This raises the question of what is the most appropriate way to deal with security: as a new variable (or factor?) – or as something that pervasively influences all (or most) of the variables.
Note: There are other established theories for explaining organisational behaviour, including institutional theory, which provides a strong model of the impact of social and cultural factors. Other theories attempt to explain or predict individual choice: for instance the theory of planned behaviour or the various Technology Acceptance Models (TAM).
A good place to start is to be clear that security here means information security. Information security is generally agreed (by ISO27000 for instance) to include achieving the Confidentiality, Integrity and Availability of information that an organisation is responsible for. (Other factors including Privacy have also been proposed but I want to keep the story simple.)
Security is broader than a mere consideration of technology – though unfortunately security is still often seen as (simply) a technical challenge. The non-technical nature of information security can be demonstrated by the activities of an organisation as it maximises its information security, including:
- installing, configuring, running & monitoring technologies
- carrying out risk management to prioritise security prevention, detection and recovery activities
- putting management controls in place
- supporting a positive organisational security culture
- ensuring compliance with laws and government regulations such as the Sarbanes-Oxley Act or Data Protection law in Europe.
These elements are all important to the choice of technology and would seem to relate to all three TOE factors: technology used, organisational context and the business environment. But when reviewing TOE research relating to the adoption of cloud services, I have noticed that there’s a lack of sophistication in the consideration of what is meant by ‘security’: when it is considered at all, it is generally as a part of the technological factor or bolted on top of the TOE framework. The lack of research into factors behind security-related decisions is also noted by other researchers in this area, eg , which uses institutional theory as its theoretical lens.
Even when security has been considered within TOE research, findings have been mixed. For instance, security considerations were not found to be a factor for the manufacturing or service sector SMEs in Portugal. This is counter-intuitive and it is acknowledged that context (such as country and business sector) could be important, and that there is a need to formulate an adoption model for each industry: the legal sector for instance is likely to have a very different attitude to security, particularly around client confidentiality and regulatory compliance.
The story so far…
So, TOE may have the potential to provide a framework for understanding the security factors involved in a technology adoption decision (for instance, whether to move to cloud services), but it would help if it could incorporate a richer account of security.
The next challenge is to see whether/how the extensive information security literature can be married to the TOE models of innovation decisions to provide a richer understanding.
Here are the main sources I used when putting this post together. Unfortunately, most of these sources will cost you if you are accessing them from outside a university.
- Baker, J. (2012). The Technology–Organization–Environment Framework. In Y. K. Dwivedi, M. R. Wade, & S. L. Schneberger (Eds.), Information Systems Theory (Vol. 28, pp. 231–245). New York, NY: Springer New York. doi:10.1007/978-1-4419-6108-2
- Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013). Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework. In 2013 46th Hawaii International Conference on System Sciences (pp. 4425–4435). IEEE. doi:10.1109/HICSS.2013.132
- Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2013). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information and Management, 52(4), 385–400. doi:10.1016/j.im.2014.12.004
- Chang, V., Kuo, Y.-H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24–41. doi:10.1016/j.future.2015.09.031
- Oliveira, T., & Martins, M. (2011). Literature review of Information Technology Adoption Models at Firm Level. European Conference on Information Management and Evaluation. E-Journal of IS Evaluation, 14(1).
- Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497–510. doi:10.1016/j.im.2014.03.006
- von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. doi:10.1016/j.cose.2013.04.004
- Whitman, M. E., & Mattord, H. J. (2010). Management of Information Technology (International Edition). Thomson Course Technology.
- Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592. doi:10.1016/j.future.2010.12.006