The Export Compliance Impact of Adopting Cloud Computing

Chapter 1: Introduction to the Study

Introduction

According to the National Institute of Standards and Technology (NIST) (2011), cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. According to Mell and Grance (2011), the NIST is a federal agency that is part of the United States Department of Commerce, and some of its responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This cloud computing model is composed of five essential characteristics, three service models, and four deployment models. The essential architectural characteristics of cloud computing include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured services, while the service models include software as a service and platform as a service. AbuOliem (2013) observed that there are gaps in the existing literature relating to cloud computing regulations and that uncertainty remains when it comes to the legal implications of storing and moving personal data between countries. Therefore, research is needed to identify best standards and practices to enhance business operations. According to Narayanan (2012), international regulations on cloud computing can be achieved by the creation of an international organization dedicated to regulating cloud computing activities.

According to Salisbury (2013), “in the US, exporters can receive criminal penalties of up to $1,000,000 for violation of the Export Administration Regulations (EAR). Examples of such high penalties do not seem to be common; however, fines of up to $250,000 are seen quite frequently” (p. 540). Jaeger (2015) stated that one of the reasons why export control reform is taking place is to facilitate compliance and reduce the unnecessary burden on United States companies. However, the risk of having controlled data such as technology or software in the cloud remains as long as the controlled information is not encrypted all the way until it reaches its intended recipient. Palmeri (2015) noted that the main export challenge in the cloud is determining where the servers that are storing the data will be located. However, the main goal of protecting data in the cloud is controlling access to this export-controlled data by unauthorized foreign persons.

Therefore, private companies evaluating cloud computing opportunities must consider the export compliance implications, specifically when the company's products or services are controlled under the United States export control rules and regulations (Mell and Grance, 2011). Cloud computing is deployed as a private cloud, community cloud, public cloud, or hybrid cloud (NIST, 2011). There have been studies of cloud computing with a focus on how it will affect the efficiency and ease of doing business. The study by Oliveira, Thomas, and Espadanal (2014), for example, stands out as a breakdown of the ways in which the use of cloud computing allows for better capital application to the key competency of an organization. However, the study lacks sufficient data on the perception of the targeted users of the technology. This study will explore how information technology and export compliance managers perceive the export compliance impact of adopting cloud computing technology; therefore, it will examine reasons why companies and leaders within them adopt cloud technology as opposed to continuing to use their current forms of technology. The export compliance impact is relevant in this study since there are no other studies that highlight the lack of clear guidance from the United States Government as to who is responsible for export compliance in the cloud. There are only a few advisory opinions from the various export compliance agencies, and these cannot be considered law; therefore, providers and users of the cloud cannot rely on such advisory opinions (BIS, 2009, 2011) because the export control laws are vague when it comes to cloud computing for users and providers. Furthermore, the discussion section at the end of the study will help to determine why leaders adopt the cloud and cloud-based technologies while dealing with the impact of export compliance.

Forecasters in the information technology (IT) field state that the approach and significance of cloud computing are an inevitability and a foregone conclusion (Weinman, 2011). The adoption of the cloud can offer businesses several cost-saving advantages where corporations and individuals can pay for access to virtual space, which will store and process data on servers located in large computer farms all over the world (Schoorl, 2012). While companies and enterprises in various industries understand the demand to deploy cloud computing to reduce cost and increase efficiency, future research is required to understand when organizations should adopt cloud computing and ways to manage the risks involved (Egbert, 2015). Modeling should be used as the primary predictor of implementation, as cloud computing may in fact not be the advantageous solution for all companies to embark upon and adopt (Garrison, 2012).

The research study will be conducted as a qualitative inductive study using data collected from users of cloud computing. Sampling will be done through a convenience model, and the data will be analyzed in a grounded theory style. The aim is to add to the body of knowledge by trying to fill the identified gap in research. This will be done by exploring the awareness of the users and providers of cloud computing on export compliance issues through a research study with the aim to create awareness about unidentified issues. The assumption is that awareness is lacking, given the lack of studies and literature. Insufficiency here is a relative term that represents the availability of scholarly literature on export compliance versus other areas of cloud computing, like data security, where there are plenty of literature reviews and studies about the subject matter (Villasenor, 2011). The research is different from related studies in the area in that it does not focus on narrowing down the information to fit a pre-set hypothesis but rather seeks to infer from primary qualitative data.

Background of the Study

Cloud computing has created a set of new export compliance challenges. For example, one critical issue that has received little attention regarding cloud computing is export control (Villasenor, 2011). Corporations can face legal challenges when adopting cloud computing; notably, complying with export compliance laws and regulations. Businesses and corporations can simply violate the export control laws by storing export-controlled technical data and information or by conducting transactions with denied parties on the United States Government sanctioned lists such as the United States Department of Treasury, Specially Designated Nationals List (SDN) (Tauwahre, 2015). Companies are required to be highly attentive to the ways they use cloud computing. What is less obvious is that businesses that do not sell export-controlled products or services should also consider export control regulations as they consider cloud computing (Villasenor, 2011). In addition, the preferred way to advance the adoption of cloud computing technology is not clear, as compliance professionals differ in opinion. The purpose of the study is to explore how information technology and export compliance managers perceive the compliance impact of adopting cloud computing technology. Export compliance managers are tasked with complying with various domestic and international compliance rules and regulations while safeguarding the corporation from unintended risks, such as the release of controlled technical data or information to the public or foreign nationals. The tradeoffs of adopting cloud computing include the challenge of maintaining compliance with a profuseness of data privacy and export control laws and regulations (Xiao & Xiao, 2013). Businesses should focus on complying with various data security laws that keep shifting as the law attempts to keep pace with innovation (Salow, Meier, & Goodwin, 2011). Compliance managers sound the alarm that the industry is moving more quickly than the litigation regulating it is. However, the perception, as noted by Xiao and Xiao (2013), remains that the unmitigated risk of utilizing and adopting the cloud is what companies must manage across multiple departments in the enterprise if they are to remain competitive.

A range of theories and concepts exists to guide this study. Two theories are relevant to the subject matter of the proposed study: change theory and technology adoption theory. Force field analysis has been identified as a method rather than a theory, meaning that it is a process that guides decision making in each environment instead of a theory that identifies a constant number of factors that affect decision making (Lewin, 1943). Because of this research, it is important to view the attitudes of organizations regarding the forces they believe relevant, such as the regulatory environment and predictions about its future.

Lewin’s concept of force field analysis suggests that cultural differences drive organizational behavior, with forces that work to encourage change or the adoption of a policy and forces that work against it. The force field analysis theory within an organization works in the stages outlined by Lewin's change model. Cultural differences have to be overcome for the unfreezing and change to occur before a new organizational culture emerges at the refreezing stage. Also, Harmon (2014) refers to technology adoption theory as relevant to cloud computing when organizations consider whether to integrate or improve an existing system with cloud system technology.

Previous research, however, has not addressed gaps in the literature. The following section will outline the main conclusions of previous research in this area.

Previous research. Cloud computing technology adoption provides significant benefits to small and large corporations (Oliveira, Thomas, and Espadanal, 2014). However, the challenges of adoption may complicate the selection decisions and subsequent adoption process (Hailu, 2012). The studies that exist in the cloud computing space are mostly about the technological challenges, opportunities, and the resistance to adoption of new ways of doing things. There are extensive studies on security and privacy of data, which is a sensitive topic especially because of alleged government surveillance. The information that seems to be lacking is that pertaining to compliance with laws on the movement of data. Murphy (2013) writes that the US does have laws on the movement of IT data. Murphy (2013) further notes that the problem is deeper than mere regulatory and legal compliance because many companies are not even aware that laws govern the movement of data.

Previous research notes that cloud computing offers several advantages, such as flexibility and cost efficiency, relative to traditional centralized computing schemes (Oliveira, Thomas, and Espadanal, 2014). However, the benefits come with compliance risks such as security, privacy, and export control risks that might affect providers’ access to such information (Xiao and Xiao, 2013). For example, a provider transmitting or storing export-controlled information or technology in the cloud might give access to foreign nationals working on servers outside the United States for the purpose of maintenance and technical support (Mayberry, Dombek, & Palmeri, 2015). Existing research does point out that the export compliance risks could lead to national security breaches or patent infringement.

Future research is required to focus on the type of organization for which cloud computing is best suited, and it should be conducted first and foremost (Oelrich, 2015). There is an obligation that exists regarding why cloud computing technology should be adopted broadly and that the adoption success is dependent on the type of organization and employees implementing the adoption (Oelrich, 2015). Therefore, the strategic effect of cloud computing has not been fully addressed and studied, since such adoption will have a profound impact on the transformation of any organization (Qian & Palvia, 2013).

Evidence suggests that the challenge of adoption will be the United States laws surrounding how organizations and individuals will address export violations (Tauwahre, 2015). How to mitigate export compliance factors while utilizing cloud computing to store and share export-controlled data and information is still unclear. Software companies adopting cloud computing services should be aware of the looming compliance dangers of storing and processing data.

These United States export control laws and regulations are an example of the challenges faced while adopting and utilizing cloud computing services. For clarification purposes, the primary United States federal agencies responsible for implementing export control laws and regulations are the following. The Department of State acts through its International Traffic in Arms Regulations (ITAR); the ITAR primarily address the exportation and importation of defense articles, defense services, and technical data. The Department of Commerce, through its Export Administration Regulations (EAR), addresses the exportation of dual-use items that have a commercial and military use. The Department of Treasury, through its Office of Foreign Assets Control (OFAC), is the agency that manages and implements sanctions on countries, entities, and persons (Burke, 2012).

The mere provision of cloud computing would not constitute an “export”; however, there are no guidelines to address whether a user putting controlled data into the cloud is considered an “exporter” (Mayberry et al., 2015). Providers and users of cloud computing technology have to adhere to the complicated United States export control laws and regulations that prevent the export of software, technology, and data without an export authorization from the United States Government. These export compliance regulations also have to be addressed to ensure that American national security and foreign policy interests are adequately protected (Villasenor, 2011).

Problem Statement

The problem for this study is a lack of knowledge regarding how information technology and export compliance managers perceive the influence of adopting cloud computing technology on export compliance. It is imperative to learn the reasons why export compliance and information technology leaders adopt the cloud as a new technology. In addition, this study will seek to provide business leaders and decision makers insight into how to make the transfer of data and accessing export-controlled information safer for United States companies using the cloud to store and share data.

Previous research shows that cloud computing technology allows for significant benefits for corporations, but adopting this new type of technology may create complications (Xiao and Xiao, 2013). This study will provide an understanding as to the reasons why export compliance and information technology leaders adopt the cloud as a new technology and evaluate their perceptions of how to mitigate the export compliance challenges associated with such adoption.

The problem targeted in this planned research is multidimensional. Analysts and organizational managers alike experience the problem of inadequate knowledge in the literature, having a demand for more empirical information regarding the advantages and disadvantages of system implementations under different circumstantial variables (Egbert, 2015; Schoorl, 2012). Meanwhile, a range of perspectives and recommendations for applying and maintaining cloud systems impedes the establishment of best practices, standards, and harmonization in this area. Not addressing these areas can lead to a lack of awareness and challenges in adopting and using cloud systems, which can, in turn, affect the business and the business bottom line.

How information technology and export compliance managers perceive the compliance aspect of adopting cloud computing technology in their software companies is unknown, which can influence the efficiency and effectiveness of related organizational processes. Failing to conduct research focusing on the types of organizations for which cloud computing is best suited also fails to optimize adoptions and outcomes, which is problematic as well (Oelrich, 2015). Considering these issues, future research clarifying when to adopt cloud computing, considering the range of dynamics and systems observed, is vital (Egbert, 2015). Egbert (2015) further notes that cloud computing adoption problems are predominantly organizational, but failing to take action to facilitate improvements or optimize operations can also be an industrial problem. The technology adoption problems can be argued to be technological as well, since failure to understand the details of demands and potential at the organizational level can inhibit the optimization of technical aspects. The factors above support the identified problem of inadequate knowledge in the field being available to manage risk in export compliance matters.

Purpose of the Study

The purpose of the qualitative case study is to explore how information technology and export compliance managers perceive the influence of cloud computing technology on export compliance in software companies and technology companies in Southern California. The phenomenon to be explored is the export compliance impact of adopting cloud computing. The tradeoffs of adopting cloud computing include the challenge of maintaining compliance with United States export control laws and regulations that are not up to date with current technology advancements. Software companies adopting cloud computing services should be aware of the looming export compliance dangers of storing and processing data. Corporations can face legal challenges when adopting cloud computing; notably, complying with export compliance laws and regulations. Businesses will have to focus on complying with various data security laws that keep shifting as the law attempts to keep pace with innovation (Salow, Meier, & Goodwin, 2011).

This study will provide an understanding as to the reasons why export compliance and information technology leaders adopt the cloud as a new technology and evaluate the perception of professionals and practitioners in the field of how to mitigate the export compliance challenges associated with such adoption. This study is different from previous studies and current research available in that it examines specific reasons why companies and leaders adopt cloud technology as opposed to continuing to use their current forms of technology and how those leaders handle export compliance issues that are associated with adopting cloud computing. Furthermore, the main purpose of this study is to evaluate front line employee perceptions of how to mitigate export compliance issues and how to overcome the export compliance challenges that are inherent in switching technology systems. This study will highlight the current export compliance exposure of companies utilizing cloud computing and study the perception of employees (IT and export compliance professionals) mitigating the risk of export compliance challenges in the absence of clear guidelines from the United States Government on what constitutes an export in the cloud and who is responsible for the export: the cloud user, the provider, or both.

A sample of 20 export compliance and IT professionals will be interviewed to explore their perception of the compliance issues facing cloud computing adoption. The professionals will be drawn from the software and high technology industries. Employee perception of the export compliance concerns when adopting cloud computing will be explored through a questionnaire and in-person interviews to understand the organizational impact of adopting cloud computing.

This study will explore why businesses adopt cloud-based technologies and the relevance of that to export compliance with intangible exports. It also explores leader perceptions of how to mitigate compliance issues. This study will provide recommendations that can help minimize the export compliance risks to organizations of adopting cloud computing. These findings will add to the current field of study and will have practical implications in that the findings will be analyzed to provide business leaders and decision makers insight into how to make the transfer of export-controlled data and information safer when it is used and provided in the cloud.

Research Questions

The purpose of the study is to explore how information technology and export compliance managers perceive the compliance impact of adopting cloud computing technology. Each research question has been created to relate to a different aspect of the problem statement. This study will be guided by three research questions:

R1: How do IT and export compliance managers perceive software companies’ compliance with United States regulations that are in conflict with other international laws pertaining to cloud computing technology?

R2: How do IT and export compliance managers perceive the compliance impact of adopting cloud-computing technology in their software companies in Southern California?

R3: How is cloud computing considered an effective cost saving technology when faced with compliance challenges?

Regarding question number one, export compliance and information technology managers should understand how the United States and other export regimes are guiding cloud providers and users, and how this can affect the integration, adoption, and availability of the cloud in the enterprise (Murphy, 2013). Regarding question number two, understanding the jurisdiction of cloud computing technical data and services provided and how to classify what users are responsible for is crucial in understanding how to minimize what providers and company users can and cannot upload to the cloud. Regarding question number three, long-term cloud integration strategy is a crucial element in successful cloud computing adoption; however, legal risks are still among the issues most often treated as an afterthought during and after the integration of cloud computing in any organization (Qian & Palvia, 2013).

Advancing Theoretical Knowledge

A range of theoretical frameworks is relevant to the subject matter of the proposed study, particularly technology adoption theory (Harmon, 2014) and change theory (Lewin, 1946). The two theories are relevant when considered within the context of risk management and government compliance. Therefore, concepts that will be researched include technology adoption theory (Harmon, 2014) and change theory (Lewin, 1946), risk management (Morin, Aubert, & Gateau, 2012), and government compliance (Doelitzscher, Reich, & Sulistio, 2010). These concepts directly affect the researcher’s understanding of cloud-based technologies and how companies and individuals react to change in technology.

The technology adoption theory (Harmon, 2014) and change theory (Lewin, 1946) have been selected due to their efficacy in addressing this study’s problem statement. Particularly, Lewin’s concept of force field analysis suggests that cultural differences drive organizational behavior, with forces that work to encourage change or the adoption of a policy and forces that work against it. The cultural differences form part of the restraining forces that have to be overcome in the unfreezing stage of the change model when adopting a new technology such as cloud computing. This force field theory can be applied to the issue of cloud data management, since social factors on a large scale, such as the political climate, appear to drive legislation regarding the use of data and attitudes toward privacy. Furthermore, according to Harmon (2014), anything innovative can give an organization a competitive advantage, and therefore it is beneficial for them to adopt technology that can help them to achieve this, potentially even when it is considered ‘early’ or risky amid minimal information.

According to Lewin (1946), the great variety of organizations, institutions, and individuals who came to him for help in the field of group relations exhibited a high amount of goodwill to face the problem, but these eager people found themselves with some unanswered questions: (1) What is the present situation? (2) What are the dangers? (3) Moreover, what shall they do? (Lewin, 1946, p. 201). Driving forces in cloud computing include a strategic emphasis, economies of scale, a simplified IT structure, and miscellaneous cost savings (Aljawarneh, 2015). Meanwhile, restrictive forces include reliability, data security and access, and resistance to change. These technological driving forces can be considered for optimal implementation, which may include work in business process change (i.e. project management or restructuring IT operations), vendor and product-related decisions (i.e. vendor lock-ins), or information assurance and governance processes (i.e. shared service governance) (Aljawarneh, 2015). A Political, Economic, Social and Technological (PEST) analysis may also be comparably beneficial for facilitating change (Aljawarneh, 2015).

Risk management is another significant consideration of cloud computing. There is a range of situations potentially integral in a cloud computing system that may be difficult for an organization’s existing risk management protocol to handle, including a wide scope of control, service level agreements, memos of understanding, and verification and trust provisions to contracts (Halpert, 2011). Exploring this is important because export compliance needs to consider the legal risks for data loss or interception.

Harmon (2014) refers to technology adoption theory as relevant to cloud computing when organizations consider whether to integrate or improve an existing system with cloud system technology. Anything innovative can give an organization a competitive advantage, and therefore it is beneficial for them to adopt technology that can help them to achieve this, potentially even when it is considered ‘early’ or risky amid minimal information. Harmon (2014) explained “early adopters take technologies that are a little further along and try to develop applications before their competitors do, and thus gain an advantage. Like innovators, early adopters have strong technology groups” (p. 473). Early adopters work to establish standards of the technology, and their successes and failures can serve as the guidelines or model for further development in the industry (Harmon, 2014). Early adoption may be considered too risky in some cases, and companies should, therefore, conduct a thorough strategic assessment to determine what is the most efficient and most productive for them (Harmon, 2014).

Cloud computing implementation and maintenance require compliance with government regulations. Samani, Reavis, & Honan (2014) explained: “one of the challenges faced by organizations with cloud computing is ensuring they are compliant with various legal, industry, customer, and regulatory requirements” (p. 98). Compliance requirements may be specific to the industry (such as in healthcare) in addition to region and customer types, and there may be requirements unique to payment types (such as payment cards) as well. Organizations subject to such requirements are therefore obligated to ensure their service provider is compliant with all relevant policy. Organizational managers are further challenged by the difficulties of assessing how their system might affect the compliance aspects of their internal security regulations (Pearson & Yee, 2012). Service providers are obligated to external audits as well as controls for internal monitoring.

Some of the recommendations for cloud technology pre-adoption perception may assess how organizations can successfully prepare employees to address technology adoption challenges in compliance and security, and these pre-adoption attitudes in a company are affected by the limited experience of compliance managers and professionals in the field (Furner, 2015). Two fundamental questions in this area should be answered: what individual level factors affect pre-adoption attitudes, and how do pre-adoption attitudes affect use (Furner, 2015).

The purpose of this study is to assist business enterprises to select the appropriate cloud computing technology for their organizations by identifying the compliance challenges associated with adopting cloud computing enterprise-wide. Compliance and information technology decision makers and their perception of adopting cloud computing will be evaluated to address export control and other compliance challenges in software and technology companies in Southern California. Companies that need compliance managers can encourage cooperation in the development of cloud computing by incentivizing collaboration with compliance managers outside the organization. While it is important to recognize how employees perceive the adoption of cloud computing in their organization, it is crucial to understand the implications after the adoption has occurred and to prepare the organization for some human resource challenges companywide. Cloud computing provides several advantages, including reduced costs, increased responsiveness to business exigency, easier administration, and global access (Yeh, 2013). Relatively few studies exist on the topic of cloud computing adoption and the perception of export compliance and IT professionals who enter the process and then maintain its functions operationally. Shared services through the cloud require organizations to dedicate a group of employees to be the centralized point of service to focus on the business functions, and that will require support from various business units other than IT and the legal departments (Mohan, 2014).

Significance of the Study

There is a need to explore and research the challenges of adopting new technology such as cloud computing and to recommend best adoption practices. The study seeks to explore how to overcome the export compliance challenges that are inherent in switching technology systems. This study will highlight the current export compliance exposure of companies utilizing cloud computing and study the perception of employees (IT and export compliance professionals) mitigating the risk of export compliance challenges in the absence of clear guidelines from the United States Government on what constitutes an export in the cloud and who is responsible for the export: the cloud user, the provider, or both. Not addressing the standards and harmonization can lead to challenges in adopting and using the cloud system and therefore affect the whole organization (Harmon, 2014).

Many organizations do not follow a systematic approach to adopting the cloud computing technology (Bidgoli, 2011). Checklists that organizations could use before introduction should include an understanding of grid computing, application service providers, understanding utility, understanding security and preparing a cloud computing plan (Bidgoli, 2011). One of the most significant and most overlooked aspects of cloud computing adoption is the compliance aspect (Egbert, 2015). Many companies sometimes overlook or misunderstand the laws that accompany the uploading, sharing, and storing of certain information and data in the cloud (Murphy, 2013). United States companies still should be careful to avoid any potential liability when it comes to the treatment of indirect or direct export to the cloud and what is an “export” under cloud computing (Mayberry et al., 2015).

Methodology

A qualitative methodology will be used to explore employees’ perspectives about adopting cloud computing technology. There are two main reasons why a qualitative approach has been selected. First, qualitative analysis will allow for the collection of data in depth. In addition, qualitative methods enable exploration of issues, subjects, and phenomena in greater breadth and depth than quantitative methods. Second, qualitative methods are not limited to specific questions. As such, they give a clearer view of the subject matter than quantitative methods in this situation, where the number of respondents is small. This could be the reason why Borgman, Bahli, Heier and Schewski (2013) used qualitative research for their study on cloud computing adoption. Brender and Markov (2013) used qualitative methods in their study on risk management in cloud computing, as well. This qualitative study will explore a deeper understanding of the export compliance challenges of cloud computing adoption by aggregating data gathered from interviews, observations, and questionnaires. A qualitative study was selected as the approach of choice for exploring employees’ perspectives, motives, reasons, and patterns in adopting cloud computing technology while complying with export control laws and regulations in the absence of clear United States Government guidance regarding compliance in the cloud for this research. The choice was informed by the suitability of the approach based on the knowledge that the research aims at creating a deep understanding of a specific issue and that it used a small number of respondents and that the qualitative approach. Further, this research did not wish to form a generalized conclusion but rather aimed at the creation of specific knowledge in the cloud computing ecosystem. Current research on cloud computing risks has been very limited and focused only on security and privacy (Dutta, Peng, & Choudhary, 2013).

Current research on cloud computing risks has been very limited and focused only on security and privacy. Case studies pointed to various issues such as business and legal matters (Dutta et al., 2013). Security and confidentiality could be a particular concern when using a cloud computing platform, and users play a major role in its success. Experts in the field are sharing their concern about adopting cloud computing by the enterprise; however, the dissertation will rely on employee perception of cloud computing from a compliance perspective. This perspective includes export compliance and security issues surrounding the adoption of cloud computing.

Research Design

The research design is a qualitative case study and is focused on exploring the perspectives of employees adopting cloud computing technology and the IT and export compliance challenges associated with such adoption. This research design was selected to grasp perspectives, motives, reasons, and patterns of employees and businesses in adopting cloud computing technology and how they handle complying with export compliance laws and regulations in the cloud. Therefore, the proposed research method will focus on direct observations of current technologies used in daily business operations, and the perceptions of leaders, managers, and other administrative personnel that understand cloud-based technologies, which will be collected and analyzed through interviews. Interviews are the main data collection method for this study (Yin, 2003). Also, questionnaires will be utilized to complete the data collection to compare the data. Interviews and questionnaires are used because each study participant will respond to the same set of questions phrased the same way. Therefore, questionnaires may yield data that is more comparable than the data that is collected through the interview process. The interview process will serve as a two-part method in which the researcher will collect data from verbal answers provided as well as observations of their body language.

Since cloud computing is considered a new concept, business managers and users might not have sufficient insights into cloud computing risks (Dutta et al., 2013). The interviews will also focus on how businesses adopt cloud computing and the challenges that are facing software companies before and after the adoption. The adoption of new information and communication technologies can affect other departments within the enterprise such as business operations, style of management and center of power in the company (Cudanov, Krivakapic, & Krunic, 2011).

Definition of Terms

            With any research study, there are technical terms, independent and dependent variables, and certain words and verbiage that are uniquely and consistently used in the study. Therefore, a definition of terms is necessary to make clear what each term refers to. The following terms will be used extensively in this study:

Cloud Computing. A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Mell & Grance, 2011).

Export Administration Regulations (EAR).  The main export control regulation regime in the United States administered through the United States Department of Commerce, and it imposes restrictions on the sale of commercial products on any items listed on the Commerce Control List (CCL) (Bureau of Industry and Security, 2016)

International Traffic in Arms Regulations (ITAR): The ITAR, which is administered by the United States Department of State, controls the sale of and access to Defense Articles, Defense Services and Technical Data listed on the United States Munitions List (USML) (United States Directorate of Defense Trade Controls, 2016)

Office of Foreign Assets Control (OFAC): OFAC is part of the United States Department of Treasury and is responsible for the administration of economic sanctions laws and country-specific restrictions. It provides a list of restricted parties and entities and embargoed countries with which a United States person or company is prohibited from conducting business or to which it is prohibited from exporting (United States Department of Treasury-Office of Foreign Asset Control)

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider (Mell & Grance, 2011)

Broad network access: Capabilities available over the network and accessed through standard mechanisms that promote use by heterogeneous client platforms (e.g., mobile phones, tablets, laptops, and workstations) (Mell & Grance, 2011)

Resource pooling: The cloud computing provider’s computing resources are pooled to serve multiple consumers with different physical and virtual resources assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, and network bandwidth (Mell & Grance, 2011)

Rapid elasticity: Elastic capabilities provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time (Mell & Grance, 2011).

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering service. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service (Mell & Grance, 2011).

Software as a Service (SaaS): The capability provided to the consumer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface (Mell & Grance, 2011).

Commerce Control List (CCL): A list of items under the export control jurisdiction of the Bureau of Industry and Security, United States Department of Commerce. Note that certain additional items described in part 732 of the EAR are also subject to the EAR (Bureau of Industry and Security, 2016).

Exporter: The person in the United States who has the authority of a principal party in interest to determine and control the sending of items out of the United States (Bureau of Industry and Security, 2016)

Software: A collection of one or more “programs” or “microprograms” fixed in any tangible medium of expression (Bureau of Industry and Security, 2016)

Technical data: Data taking the form of blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices, such as disk, tape, read-only memories (Bureau of Industry and Security, 2016)

Technical Assistance: May take forms such as instruction, skills, training, working knowledge, consulting services. ‘Technical assistance’ may involve the transfer of ‘technical data.’ (Bureau of Industry and Security, 2016)

Technology: Specific information necessary for the “development,” “production,” or “use” of a product. The information takes the form of ‘technical data’ or ‘technical assistance’ (Bureau of Industry and Security, 2016)

Assumptions, Limitations, Delimitations

Every study has some form of assumptions, limitations, and delimitations. According to Pepperdine (2016), “assumptions are factors potentially influential to your study for which you have no hard data, might not ever know, and can’t or don’t intend to control for” (p. 1).  The following assumptions are present in this study:

  1.

A limitation can be any characteristic of the design or methodology that impacts the interpretation of the research study’s findings (Pepperdine, 2016). Limitations may be the constraints on generalizability, applications to practice, and the utility of findings that are the result of the ways the researcher initially chose to design the study (Pepperdine, 2016). In this case, the following limitations are present in this study:

  1. The choice of location. The results garnered from selecting this specific location may generate different findings than what may have resulted elsewhere. In other words, the results found at this location may be unique to this location and may not be reflected elsewhere.
  2. Sample size. Only 10-20 participants will be used due to the number of participants available for research at this location. The results found and analyzed from these participants may be different from results garnered from a larger number of study participants.

A delimitation can be defined as choices made by the researcher which should be mentioned. They describe the boundaries that have been set for the study (bps, 2010). The following delimitations were present in this study:

  1. The participants include only professionals outside the export compliance and information technology managers since they are the ones who are most impacted by the adoption of cloud computing and enforcing internal and external export compliance. The sample used for this study is limited to 10-20 interviews and surveys since the industry targeted is the software industry which does not make up many companies in the targeted geographical location.

Summary and Organization of the Remainder of the Study

Chapter 1 discusses the problem, its history, the purpose of the study, how this study will differ from others in the current body of research, the methodology and research design, and the terms that will be used in this study. Cloud computing offers several advantages, such as flexibility and cost efficiency, relative to traditional centralized computing schemes. However, cloud computing has created a set of new challenges. For example, the issues of privacy and security in the cloud are well recognized and have been extensively discussed in the business and popular press. However, one critical issue that has received little attention with respect to cloud computing is export control (Villasenor, 2011). Corporations can face legal challenges when adopting cloud computing, notably complying with export compliance laws and regulations. Businesses and corporations can violate the export control laws simply by storing export controlled technical data and information or by transacting with a denied party on the United States Government sanctioned list (Tauwahre, 2015).

            This study will provide an understanding as to the reasons why export compliance and information technology leaders adopt the cloud as a new technology and evaluate their perceptions of how to mitigate the export compliance challenges associated with such adoption. Furthermore, a discussion at the end of the study will help to determine why leaders adopt the cloud and cloud-based technologies. This study is created to evaluate leader perceptions of how to mitigate compliance issues and will provide recommendations that can assist to minimize the export compliance risks to organizations of adopting cloud computing.

Previous research shows that cloud computing technology allows for great benefits for corporations, but adopting this new type of technology may create complications. It is not known how information technology and export compliance managers perceive the export compliance impact of adopting cloud computing technology in their software companies.

Various theoretical frameworks apply to the subject matter of the proposed study, particularly Lewin’s change theory, early technology adoption, risk management issues, and government compliance. The purpose of the qualitative case study is to explore how information technology and export compliance managers perceive the export compliance impact on the organization when adopting cloud computing technology in software companies and technology companies in Southern California. A sample of 20 export compliance and IT professionals will be interviewed to seek their perception on the compliance issues facing cloud computing adoption. Data will be collected through observations and interviews and will then be analyzed.

The study in the next chapters will focus on the export compliance impact of adopting cloud computing technology in software and technology companies. Therefore, there is a need to study and research the challenges of adopting new technology such as cloud computing and to recommend best adoption practices. Not addressing the standards and harmonization can lead to challenges if organizations do not follow a systematic approach to adopting such technology (Bidgoli, 2011).

Chapter 2 will offer an overview of the current literature on this topic and address areas where literature does not cover the gap in knowledge. Chapter 3 will cover the methodology used and will go into detail of what methods were used to acquire the data. Chapter 4 will discuss findings in detail, and Chapter 5 will offer a discussion of main findings and their implications and purpose for future use, as well as recommendations for moving forward with this information.

Chapter 2: Literature Review

Introduction and Background to the Study

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This study will explore how information technology and export compliance managers perceive the compliance impact of adopting cloud computing technology. Furthermore, the discussion section at the end of the study will help to determine how to handle the impact of export compliance imposed on users and providers of cloud computing technologies. Despite the relative scarcity of scholarly studies in the area of export compliance, there are materials that have been written on the subject matter. This literature review samples and presents what that material contains.

The adoption of cloud computing in many organizations provides great benefits as well as challenges associated with the need by the provider and the user to comply with many laws and regulations such as export compliance regulations. For example, Pearson and Yee (2013) noted that international regulations regarding data and privacy differ among countries, which makes compliance difficult. Certain industries that handle sensitive data, such as the medical industry, may also face legal restrictions in some countries, which limits the ability of corporations to store and retrieve data (Schweitzer, 2012). 

The export compliance challenges are mainly associated with the transmission of data and information across country borders. The United States Government laws and regulations do not offer any guidelines on how to comply with export laws in the cloud. There are only minimal references and advisory opinions (BIS, 2016) as to whom the export laws define as responsible for exporting: the user of the cloud computing services or the provider of the cloud infrastructure, such as Microsoft, Amazon, Google, etc. The cloud, for example, allows customers to access their company data or data provided by third parties, including export controlled technical data and any other type of information that might be controlled for exporting, from any location around the world and from any device connected to the internet without installing special computer programs on their own devices. This process, therefore, allows the user to access any financial records or other types of data upon request by going through the standard account authentication and access protocols. However, the United States government compliance regulations are starting to address the security risk that these types of electronic transactions pose (Marston, Subhajyoti, Zhang & Ghalsasi, 2011).

The History of Cloud Computing.

Cloud computing has been a goal of the technology industry for some time because it allows data processing to be handled by a third party, which means companies can outsource IT knowledge. Cloud computing can also provide faster data retrieval and better data management than organizations could provide themselves (Leavitt, 2009). Traditionally, data would be stored on hardware that is owned by a company and managed by its employees or contractors, which means employing an IT staff that understands the organization’s data needs and can keep the data secure and accessible. Cloud computing changes this model by placing the storage and management of data into the hands of a third party (Source). This means that the party stores and manages the data, which may not be physically located in the same country and must be transmitted to the organization that is paying for cloud computing services (Zissis & Lekkas, 2012).

According to the NIST, there are five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service (Source). This indicates that the physical resources that contain data are shared among many users and that cloud data should be available at all times, able to be expanded to meet the needs of users, and monitored for its ability to meet these needs (Berry & Reisman, 2012). Additionally, NIST describes the three building layers of cloud computing as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) (Choudhary & Vithayathil, 2013). When the regulatory compliance environment and technological risks of cloud computing are understood, adopting cloud computing technology offers many advantages and cost savings to many organizations. However, communicating and handling the compliance risk are crucial for successful adoption of cloud computing technology (Pearson & Yee, 2013). Cloud computing became possible around the beginning of the new century, with customer relationship management software (CRM), such as Salesforce, being used to handle data for specific business areas (Source). In this model, a company that also provides the software for this service, which could include data reports, written communications with clients, and order and shipping information, stores data that is used for placing orders and interacting with clients remotely. The next major cloud computing development was the Amazon Web Services in 2002 where applications were developed and shared over the internet (Mohamed, 2015). At this stage, cloud computing did not create a regulatory problem because data was created and transferred between two organizations who agreed to the process and because regulation had not yet addressed the issue.

Later developments allowed more types of data, such as that which is created by private individuals who purchase from a company, to be stored and managed by third parties (Mohamed, 2015). These developments created regulatory issues because the data of these private individuals might be transferred across legal jurisdictions and national borders and the agreement of these individuals might not be received before this took place. At the same time, regulators in many countries were noticing the growth of the internet and computing technology with various legislations on the use of data (Source). In the United States, data regulations were originally interpreted using older privacy laws. However, after the year 2001, more focus was placed on the role of data in preventing criminal behavior (source). Therefore, a set of conflicting policies that depended on the nature of the data and the interests of the government was created (Pearson & Yee, 2013). In contrast, the European Union has stricter standards for protection in some areas, and international law from organizations such as the World Trade Organization further complicated the issue, with different states conflicting over what standard is best for facilitating business while maintaining privacy and security (Pearson & Yee, 2013).

Some national governments have cooperated to create matching regulations. An example of this is the General Data Protection Regulation, which protects the use and transfer of individuals’ data and is required to be followed by all members of the European Union (Wilhelm, 2016). However, data transfer still occurs across continents, and the legal environment and the export compliance laws and regulations are difficult for organizations to interpret, while the consequences of a poor technical data protection policy can be significant. For this reason, the issue of cloud storage regulation is of significant concern (Marston, Subhajyoti, Zhang & Ghalsasi, 2011). There are many resources and scholarly works that explore the issue of data security as it is exported to the cloud. What remains conspicuously lacking, however, are studies on the awareness of the people in charge of IT systems and management of firms of the laws governing exporting data to the cloud. The main gap is that when firms contemplate laws they are mostly thinking within the frame of legal jurisdiction, which more often than not extends only as far as national borders, while data exportation is thought of in the realm of the Internet, which knows no geographical borders. The challenge, therefore, is that export compliance struggles with intangible exports. Therein lies the complication which can be said to be a cause of the export compliance issues. This study will explore the export compliance challenges from the perspective of the stakeholders by not only considering the United States law but other laws and jurisdictions and internal company processes.

This study will highlight the main compliance challenges of adopting cloud computing and how to mitigate and handle the use of cloud computing in organizations in the technology and software field. As cloud computing technology adoption takes place and evolves into a standard norm and required technology, laws and regulations in the United States and elsewhere around the world struggle to keep pace to address the new challenges of cross-border utilization and access to data and technology (Berry & Reisman, 2012).

Theoretical Foundations and/or Conceptual Framework

The technology adoption theory (Harmon, 2014) and change theory (Lewin, 1946) make up the theoretical framework for this study. This study will investigate the export compliance issues of adopting cloud computing from a behavioral, organizational framework that considers how organizations respond to the regulation of data in terms of the forces that motivate them.

This framework will relate to issues relevant to the export compliance challenges of adopting cloud computing by organizations in the software field. Kurt Lewin’s study of human behavior and change and the political, economic, social and technological (PEST) analysis of optimal implementation and business process changes outlined in the study by Aljawarneh (2015) will guide this analysis.

Lewin’s work was originally applied to social situations, although it has also reached into the field of organizational theory. His concept of force field analysis suggests that cultural differences drive organizational behavior, with forces that work to encourage change or the adoption of a policy and forces that work against it. This can be applied to the issue of cloud data management, since social factors on a large scale, such as the political climate, appear to drive legislation regarding the use of data and attitudes toward privacy. Lewin’s work on organizational culture can be related to these differences in legal environments that drive the decisions of organizations because legislation is a result of culture. As Pearson and Yee (2013) pointed out, a cultural contest has occurred between the United States and the European Union over data policy, in which both attempt to influence the data policies of the other, based on their cultural and legal perspectives toward privacy and security. The European Union is more focused on the security of the individual and privacy as a human right, while the United States emphasizes security, crime prevention, and the capability of law enforcement. Other organizations may also be influenced by the culture of their members, their customers, or the methods they use to store data, which will, in turn, affect their legal compliance and attitude toward data policy.

Force field analysis has been identified as a method rather than a theory, meaning that it is a process that guides decision making in a given environment instead of a theory that identifies a constant number of factors that affect decision making (Lewin, 1943). For this reason, it is important to view the attitudes of organizations in terms of the forces they believe are relevant, such as the regulatory environment and predictions about its future. However, it is also important to base this analysis on a theoretical decision-making model that can identify relevant factors that influence a decision and explain why that decision is made. Other researchers have built on Lewin’s work to address this problem (Swanson & Creed, 2013).

The main research question focuses on how IT and export compliance managers perceive software companies’ compliance with United States regulations. Additionally, it asks what understanding is required of how the United States and other export regimes are guiding cloud providers and users, and how this affects the integration and adoption of the cloud in the enterprise. According to Huxford (2012), 28% of financial advisers have most of their software in the cloud, and another 34% of financial advisers are moving towards the utilization of the cloud. Huxford (2012) outlined the cloud pre-adoption attitude and considerations in any organization by highlighting the following questions: why the move to the cloud, important features now and in the future, working with a knowledgeable cloud computing professional, vendor due diligence, and the performance of cost analysis. Therefore, understanding the pros and cons will eliminate the additional burden on the organization when it comes to complying with the United States export control laws and regulations.

Cloud computing adoption will have many consequences on the internal units in the enterprise such as the export compliance/legal and the IT departments. The basic illustration below from Choudhary and Vithayathil (2013) showed a cloud computing model that can be referred to when adopting cloud computing and what to look for when IT departments realize what their role is in post adoption. As more services are procured and utilized through the cloud, more cost and compliance issues will arise. Choudhary and Vithayathil (2013) assumed that future research is needed to show the effects of cloud computing on IT departments and how IT departments can ensure the current and future needs of the various consuming units within the organization. Additionally, future research is needed to consider the other factors besides the efficiency arguments for adopting the cloud such as access control, security and proprietary features of the cloud. It can be argued that under the security factors, export compliance is one of the main security issues facing organizations adopting cloud computing.

United States companies are faced with a wide range of export compliance challenges. Noncompliance with United States export control laws can be very costly and damaging to organizations that are not following and updating their compliance procedures and providing training to their employees.   

Shane and Sheetz (2014) referred to the challenges posed by the United States Export Administration Regulations (EAR) as potential pitfalls for companies engaged in the exporting and re-exporting of software and hardware, specifically with encryption functionality. Most software and hardware falls under one of the two Export Control Classification Numbers (ECCNs) 5D992 or 5D002, while hardware falls under ECCN 5A992 or 5D002. Therefore, it is important for software companies to classify their products and know exactly what software will be placed in the cloud or allowed to be downloaded from a cloud service provider. Any violation of such export laws will subject the organization to United States Government penalties of at least $250,000 per export violation, as well as criminal sanctions for a willful export violation, which can carry a penalty of up to $1 million and imprisonment of up to 20 years (Shane & Sheetz, 2014).

Review of the Literature

The purpose of this qualitative study is to provide empirical information regarding compliance with the United States export control laws before and after the adoption of cloud computing technology by an organization in the technology and software field. The export compliance challenges that lie ahead are still unknown to organizations providing and using the cloud, which therefore fail to optimize adoptions and outcomes (Oelrich, 2015). How technology and export compliance managers perceive the main compliance impact of adopting cloud computing will be discussed and addressed, and information will be collected through interviews and surveys.

Cloud Computing Adoption Compliance challenges. Overall strategies exist that guide the decisions of organizations when they are faced with the question of whether to adopt cloud computing. These can include external factors such as economic conditions and the regulatory environment, which can be described through PEST analysis. The regulatory environment is intended to balance the interests of commerce, privacy rights and security needs (Pearson & Yee, 2013), which in turn is driven by the political and social landscape of the bodies creating those regulations. However, there are also internal factors affecting these decisions, such as the strategy the company has set to adopt the cloud and the perception of how to satisfy internal and external enterprise requirements (Werfs et al., 2013). These strategies require frequent compromise and careful planning. For example, the decision to adopt cloud computing might be driven by a desire to reach a larger customer base in a different region (Werfs et al., 2013), but this would need to be balanced by the ability to comply with a complicated regulatory environment (Pearson & Yee, 2013). This interaction between export compliance challenges and business needs shapes the strategy of adopting cloud computing.

Within these needs, there are a wide range of strategies that can take place. One is to adapt the function of the business to be compatible with cloud computing technology. In a longitudinal study of the company Telco, Khanagha, Volberda, Sidhu, & Oshri (2014) detailed how the company made very deliberate and small experimental changes that over time led to the entire business model being renovated.  Werfs et al. (2013) suggested that this is a common theme because there is usually not a single cause or trigger for adopting a cloud strategy. Lin and Chen (2012) shed some light on the decision when they found that IT managers are most concerned with the ability of a company to comply with provider policies and the advantages compared to other technologies, instead of the absolute benefits that are usually promoted.

Although these strategies can be categorized based on their interests, environmental forces, and the type of change they accept, there does not appear to be a single approach, set of guidelines, or specific set of circumstances that is used to guide adoption. Chang, Walters and Willis (2013) noted that the Cloud Computing Business Framework (CCBF) lacks the necessary discussion about the regulatory and environmental factors, which are known to influence technology adoption. Lin and Chen (2012) referred to the four necessary factors that influence cloud adoption: classification, organizational sustainability, modeling and service portability and linkage. However, IT managers are not necessarily concerned about the factors mentioned above.

United States Export Control Laws and the Cloud. Research question 1 – discuss how IT and export compliance managers perceive software companies’ compliance with United States export control and how export compliance and information technology managers should understand how the United States and other export regimes are guiding the cloud providers and users and how this can affect the integration and adoption and the availability of the cloud in the enterprise.

The United States export control regulations have been in existence to ensure that the exports of technology, software, commodities, and services are consistent with United States government national security and foreign policy objectives and goals. Maberry, Dombek, Palmeri and Whitten (2015) referred to United States export compliance laws as complicated and mostly governed by various agencies that produce many repetitive laws and regulations that in most instances can overlap, leaving private industry with many unanswered compliance questions. When companies and organizations adopt cloud computing technology, whether they are a user or provider of cloud computing services, they fail to recognize that United States export control laws and regulations apply to the downloaded and uploaded software and technology. Additionally, export control laws apply to foreign persons having access to United States technology and source code in the United States or abroad; this rule is called “deemed export.” As an example, employment of Chinese nationals by United States persons or companies might require an export license if there is a release of controlled technology or source code to a Chinese national (Gao & Hardin, 2012). The previous example presents additional challenges when adopting cloud computing in an organization that specifically has items controlled for export. Therefore, it is crucial for companies to self-classify their items and know which items are controlled, under what United States export control regime, and what export laws apply, in addition to working with the United States companies’ human resources to determine how to restrict the release of technology and source code to foreign nationals (Gao & Hardin, 2012).

Hasty et al. (2012) discussed that, in some surveys and reports, cloud computing adoption has saved some organizations close to 40%, but the challenges of adoption should be investigated. Some of these challenges revolve around regulatory and compliance concerns. An example of the United States export laws that refer to cloud computing is the International Traffic in Arms Regulations (ITAR). The ITAR, which is administered by the United States Department of State, controls the export and temporary import of defense articles, technical data and defense services related to a defense article on the United States Munitions List (USML). The ITAR was not equipped to handle cloud computing as an electronic transaction, since the ITAR was mainly designed and created for the transmission of technical information in a physical form. According to the ITAR, cloud computing does constitute an export when ITAR controlled technical data is placed in a cloud computing server that is accessible by foreign persons or located in a foreign country (DTAG, 2013).

Another example of overlapping export compliance by the government in reference to cloud computing is the advisory opinion from the Bureau of Industry and Security (BIS), beginning in 2009 and occurring as recently as 2014. This advisory opinion from BIS refers to the applicability of the Export Administration Regulations (EAR) to the provision of cloud computing and has several complications. The EAR does not consider the service provider of cloud computing to be the exporter of services in many cases. For example, the original BIS guidance stated that cloud providers are not subject to the EAR as long as they are not exporting software that is controlled or regulated (DeButts, 2014). However, the United States service provider might need to apply for an export license if the provider knows that the data or information will assist in the development, production, or use of chemical or biological weapons (DeButts, 2014). This means that providers still face some amount of risk from their users, which a provider may have legal and technical problems keeping track of.

To add to the export challenges for cloud computing, BIS in the same advisory opinion refers to the user as the primary principal party of interest; the user is therefore considered the main beneficiary of the export, and the export rules apply to the user in the cloud computing case (DeButts, 2014). While this is somewhat beneficial because it removes risk from the service provider, it can also make things complicated for users, and those in the industry have argued for exceptions to the export compliance rules (Nagel, 2014). The relevance of this advisory opinion by BIS in 2009 lies in how private industry has been determining how to adopt and use the cloud as a user and as a provider. Private companies in the United States are relying on how the EAR is applied to their products and services since there is no formal guidance from the United States government. The main export issue is determining what a United States origin item is. According to Maberry et al. (2015), “an item that is of United States origin must meet the following conditions and they are: items located physically in the United States regardless of where it was manufactured, United States software and technology, foreign origin items with more than required United States content and all other United States origin items wherever located” (p. 75). Thus, according to Maberry et al. (2015), any user storing export-controlled technical data or information in the cloud must ensure that the data or information is not accessible by foreign persons, and the storage should not be outside the United States unless there is an explicit export license, exception or authorization from the United States government.

The United States Treasury Department, through its Office of Foreign Assets Control (OFAC), is another export control agency that administers and controls economic sanctions programs against specific countries, entities, and individuals, as well as monitoring and penalizing individuals and companies who conduct prohibited financial or trade transactions. For example, OFAC has determined that electronic transactions conducted by a United States entity should follow specific guidelines that do not include (A) any transactions that violate OFAC's country sanction programs and (B) any transactions that involve individuals or entities on the Specially Designated Nationals list (Treasury.gov, 2016). The understanding of the OFAC cloud computing guidance and rules by private industry can vary, and is dependent on the United States person's method of delivery of the prescribed cloud services and on whether the service is considered a United States origin product or not. It also depends on whether the materials, services or content are considered informational materials when accessed by foreign persons in the United States or abroad.

Export control regimes in Europe have the same political and economic aim as the export control regimes in the United States. Micara (2012) stated that the European export control laws have to make sure that dual-use items are not used in any proliferation of weapons of mass destruction. Dual-use items, which can be used for military as well as commercial purposes, are still governed by international treaties such as the Wassenaar Arrangement, among many other treaties, which is focused on the stability of international security by promoting transparency in the transfer of conventional arms and dual-use goods and technology. Since the EU export laws have gone through a tremendous evolution since the 1990s to respond to the rapid changes in today’s political and military environment, the EU introduced a new regulation in 2009 called Regulation 482/2009. This regulation was initially created to tackle Weapons of Mass Destruction (WMD), to replace the older Regulation 1334/2000, and to make it easier for enterprises and private businesses in Europe to comply with export control laws (Micara, 2012).

While there are many export control laws that can impede business transactions between nations, the two main economic blocs in the world, the United States and the EU, have still not provided clear guidance on processing electronic transactions through the cloud (Pearson & Yee, 2013). United States businesses that are interested in cross-border business transactions have to comply with. There are additional export control laws and regulations that the cloud provider or user has to comply with. The European Union (EU), for example, currently has strict data privacy regulations as well as laws that affect compliance in the cloud. According to the European Commission (2016), there are new rules that will go into effect by 2018 to protect EU citizens’ personal data. Under this new rule, personal data will only be collected and stored under strict conditions and only for legitimate reasons. The European Commission stated that under Directive 95/46/EC, data systems and processing should protect the fundamental rights of all individuals to privacy. This right is not restricted to a specific nationality or residence (European Law, 2016).

United States companies conducting business in the European Union. There are additional export compliance challenges for United States businesses conducting business in European countries inside the EU. Under the EU directive 25, member EU states should not transfer personal data to a third country (non-EU member state) unless the third country ensures “adequate” levels of protection; the “adequacy” requirement therefore has extraterritorial legal reach beyond the EU. United States businesses, in this case, will not be afforded the same level of protection “adequacy” because there is no national independent data protection authority and the United States does not have a specific data protection regime that covers both private and public sectors (Colona, 2014).

There are a number of ways United States companies can comply with the new data privacy measures according to Colona (2014). One of these measures is having the United States company join the Safe Harbor program, where the company has to develop a privacy policy that consists of seven principles that the company should make public: notice, choice, onward transfer, security, data integrity, access and enforcement (p. 204). The Safe Harbor (personal communication, legal counsel, June 17, 2016) is in the process of being eliminated and replaced by what the legal community calls Safe Harbor 2.0, which will provide one set of legal protections for data transfer from the EU to the United States. Currently, United States companies have limited options when it comes to complying with EU personal data transfer rules. Colona (2014) referred to some of these options, which include the end user providing consent in advance for his/her data to be transferred to the United States, and United States companies obtaining special permission from a member state's data protection agency.

Another option that was discussed by Colona (2016) was having United States companies with international subsidiaries rely on Binding Corporate Rules (BCRs) that are approved by the European data protection authorities (p. 204). The European Commission provides some guidance regarding how United States companies comply with the Safe Harbor program, mentioning that United States companies have the right to self-certify that they conform to the “safe harbor” principles and register with the United States Department of Commerce, with oversight from the United States Federal Trade Commission (FTC) (European Commission, 2016). With the introduction of new data privacy compliance regulations and current EU laws, it seems that the usage of cloud computing in Europe will have significant limits and will add an additional burden on United States companies, including the risk of cyber attacks and country sanctions imposed by the United States and the EU (Maberry et al., 2014).

Privacy and Security in the Cloud

Ritchey et al. (2013) referred to the ongoing debate regarding privacy in the cloud. As various privacy laws, specifically from the United States and European Union (EU), come into play, the main issue that becomes prevalent is jurisdiction and access to data. The relationship between privacy and security in the cloud is highlighted in another European legal compliance regulation. The UK Data Protection Act defines additional controls on the movement of data. According to the Information Commissioner’s Office (2013), the data controller is an enterprise that is processing the data about data subjects. The focus of this directive is to ensure that there are enough technical and internal business measures to protect against the unauthorized transfer of personal data to a country that does not offer adequate security measures. To add to the maze of compliance challenges to United States businesses doing business in Europe, Whitley et al. (2013) argued that the cloud provider might be considered a data controller and therefore be responsible for the movement of the data outside of the EU.

The business restrictions and limitations on the transfer of data in the cloud will only restrict cloud providers in what they can offer businesses outside of the United States. For example, a cloud provider might limit the company data center to a specific location in the EU, even though this data center has infrastructure limitations such as the lack of proper relocation of resources if one data center suffers a particular outage or disaster (Esayas, 2012).

Export Compliance in the Cloud

Additional export compliance costs should be accounted for when organizations adopt cloud computing technology. To reduce such compliance costs and maintain full compliance, Bilzi et al. (2011) explained that the first step in identifying US export control issues in outsourcing situations is to determine whether the item falls under the EAR or the ITAR jurisdiction and whether any technology or software will be exported. Another factor to consider is whether the technology or source code is being accessed by or provided to foreign nationals in the United States or abroad, which might require an export license from the United States government. Bilzi et al. (2011) went on to explain that another step needed to identify export compliance issues when outsourcing is determining where the item is going and who will be using the item. The United States sanctions against denied parties, entities and countries should also be taken into consideration when exporting physical or intangible products and items.

Export compliance in the cloud, and having subsidiaries, affiliates and distributors of United States companies abide by United States export laws, is a major undertaking. However, United States companies should impose certain restrictions and flow-downs to minimize violations of United States government export controls. Bilzi et al. (2011) noted that United States companies should include an export clause that covers the products that are subject to the United States export control laws, and that the subcontractors and the users should have an internal compliance program and apply for the necessary export licenses, including creating and activating a technology control plan if necessary. Bilzi et al. (2011) further noted that the subcontractor agrees not to sell to individuals, countries or entities prohibited by the United States government.

According to Khanagha et al. (2013), “The link between management innovation and the incumbents’ success in the adoption of an emerging technology has been the subject of less frequent inquiry” (p. 6). Therefore, pre-adoption and post-adoption attitudes and perceptions in any organization are dependent on how innovative and knowledgeable management is. This information is valuable since the adoption of new technology can cost additional resources that might outweigh the benefits in the short term. For example, Khanagha et al. referred to the general unwillingness to allocate financial resources to create or adopt alternative technology, or the lack of incentives for employees to move to the new technology platform or system. In retrospect, the Khanagha et al. (2013) case study was still limited in scope and deliverable to the principle of management innovation, without taking into consideration other important factors such as the legal and technical aspects of adopting cloud computing as a new technology. While this study observed many important phenomena such as the gradual adoption of cloud computing, it still lacks the clear legal implications of adopting cloud computing and the specific dilemma of handling multiple jurisdictions, starting with the United States export control laws and regulations.

The International Trade Authority of the United States Department of Commerce (“ITA”) had downplayed these concerns. Currently, United States privacy protection does not meet EU “adequacy” requirements, so moving data to the United States is not permitted. The only option for a United States importer to meet the adequacy requirement is to be certified to Safe Harbor Principles or enter into an approved EU standard contract clause with the EU data exporter. The ITA stated that it “does not believe that ‘cloud computing’ represents an entirely new business model or presents any unique issues for Safe Harbor.” This type of debate will continue as regulators struggle to address the cloud and other new technology (Ritchey et al., 2013). The UK Data Protection Act is another legal hurdle for cloud providers that are utilizing or selling cloud services to multiple customers around the world and especially in the U.K. The main principle of this act is that measures should be taken against unauthorized processing of personal data and that personal data should not be transferred out of the European Economic Area to a country that does not have an appropriate or adequate level of personal data protection (Whitley et al., 2013, p. 79).

Gaps in the Literature

AbuOliem (2013) observed in his study that there are current gaps in the existing literature relating to cloud computing regulations and pointed out that uncertainty remains when it comes to the legal implications of storing and moving personal data between countries. Therefore, research is needed to identify best standards and practices to enhance business operations.

The understanding of the jurisdiction of cloud computing technical data and services provided and how to classify what users are responsible for is crucial in understanding how to minimize what providers and company users can be granted or denied access to upload technical data in the cloud. According to Narayanan (2012), international regulations on cloud computing can be achieved by the creation of an international organization dedicated only to regulating cloud computing activities. The main issue here is the willingness of all the states to give up jurisdictional powers in favor of an international supervising agency. Another option discussed by Narayanan (2012) is for all the states to develop an internal data protection method with extraterritorial jurisdiction to employ when handling cloud computing activities. Either option would likely keep up with the technological advances that are taking place and reduce the dependence on laws and regulations that are lagging behind the technological curve.

According to Salisbury (2013), “In the US, exporters can receive criminal penalties of up to $1,000,000 for violation of the Export Administration Regulations (EAR). Examples of such high penalties do not seem to be common; however, fines of up to $250,000 are seen quite frequently” (p. 540). Jaeger (2015) stated that one of the reasons why export control reform is taking place is to facilitate compliance and reduce the unnecessary burden on United States companies. However, the risk of having controlled data such as technology or software in the cloud remains as long as the controlled information is not encrypted all the way until it reaches its intended recipient. Palmeri (2015) noted that the main export challenge in the cloud is determining where the servers that are storing the data will be located. However, the main goal of protecting data in the cloud is controlling access to this export controlled data by unauthorized foreign person(s).

Methodology in Practice

This qualitative study will provide a deeper understanding of the compliance challenges of cloud computing adoption by aggregating data gathered from interviews and questionnaires. The main theme is to show what makes the organization adopt cloud computing technology as a provider or as a user and then assess the compliance requirements to be successful in utilizing the cloud computing technology. For example, the IT department can now view itself as the main guardian of the provisioning of cloud computing while the new cloud computing environment might not need additional resources and other departments might fight for these resources. Werfs et al. (2013) explained that cloud computing as a disruptive technology provides benefits and risks and organizations should anticipate potential problems and react to them as they occur. The risk of adopting cloud computing can also increase the tension between internal departments within the organization.

Gonzalez and Smith (2014) identified the main driver for using cloud technology as the reduction of costs, and firms of all sizes are becoming cloud computing customers. However, security and access control still keep many organizations from using the cloud. Mangiuc (2011) observed during his study that 81% of survey respondents mentioned that security related services, such as security measures related to the protection of data and access restrictions, among other concerns, are the main concerns for cloud computing customers.

Frameworks Used

The research of this qualitative study will be performed based on interviews with management practitioners and experts in the field of cloud computing and the field of export compliance, and the questions will revolve around the pre and post adoption attitudes and perceptions of the compliance challenges of adopting this new technology. The members of the target groups will be able to add their observations and input from their own professional experiences. However, biases and company culture as well the industry they represent will be taken into consideration when the interview and feedback take place.

Conclusion

Cloud computing has been developed and implemented for many years. However, reactive responses have been observed from the business side to the legal and technical issues. Many businesses that are offering cloud computing services are becoming more familiar with how their customers bring them technical and legal concerns. One of the business responses discussed by Whitley et al. (2013) was the use of private cloud versus the public cloud due to concerns by the customers for the handling and access of controlled and confidential data. Another business response involves the creation and monitoring of a Service Level Agreement (SLA) to ensure that the cloud provider is closely being monitored by the customer.

Cloud computing in most cases presents itself as a business challenge as well as a compliance challenge. The illustration below shows an example of how a cloud provider might structure a business agreement with a cloud user as well as with a data center and in some cases with a cloud subcontractor to handle the upload issues of user data issues (Whitley et al., 2013).


The export compliance legal implication of cloud computing is the main focus of this study. However, it is prudent to touch on other legal aspects of cloud adoption since all the laws and jurisdictions are interconnected. In a survey conducted by Mangiuc (2011), compliance risks were considered a major concern when adopting or using cloud computing; cloud providers should be able to provide their own compliance certifications to the customer and allow the customer's own auditors to audit the cloud provider.

Summary

The complexity of cloud computing does not stem only from the legal, business, security and data risk, but cloud computing as a concept can be easily misunderstood since cloud computing means different deliverables to different users and providers.  Madhavaiah, Bashir, and Shafi (2012) have studied about 36 definitions of what cloud computing means and out of the 16 concepts discussed in their study, they found that there are some constant and common concepts such as service delivery, delivery on demand and virtualization. However, the main theme of the cloud computing definition is the offering of software services over the internet.

Adopting cloud computing and successfully implementing this new technology in any organization requires sustaining complete business, legal and IT compliance in a cohesive manner. Mangiuc (2012) stated that the architecture and the setup of practices associated with access and identity management in the cloud are an essential part of managing compliance in the cloud. Moreover, since the cloud is fully automated, access controls and preventing unauthorized access should be given greater priority in order to be fully compliant with the various compliance rules and regulations.

For now, United States cloud providers and users should follow a special script to avoid violating United States export laws and regulations. According to DTAG (2013) guidance, cloud users and providers should implement various types of clouds and service models and refer to the NIST publication 800-144 for specific recommendations on the Service Level Agreement (SLA). The SLA should also include how ITAR data will be stored and managed in the cloud by the provider, and users should understand all other export compliance agencies involved in regulating the cloud.

Chapter 2 has outlined the main key points found and analyzed in the literature review. Some of the themes and topics discussed included an overview of cloud-based computing, the lack of clarity of United States cloud computing export law references in the Export Administration Regulation (EAR) and the International Traffic in Arms Regulations (ITAR) and other compliance issues that United States companies have to abide by when exporting to the European Union (EU). Chapter 3 will discuss the methodology used to acquire and analyze data obtained from participant interviews.

Chapter 3: Methodology

Introduction

            The purpose of the qualitative phenomenological study is to explore how information technology and export compliance managers perceive the compliance impact of adopting cloud computing technology in software companies in Southern California. Employee perception of the compliance concerns when adopting cloud computing will be discussed and addressed through a questionnaire and in-person interviews to understand the organizational impact of adopting cloud computing.

Legal questions arise from time to time when organizations are adopting, using or providing cloud computing technology. Moreover, while cloud computing challenges traditional legal concepts because of the multiple laws and jurisdictions that attach to a specific cloud computing transaction, it is still considered an attractive option for organizations to adopt and utilize. The concern of how to prevent the accidental export of technical data in the cloud while preventing cyber attacks has companies scrambling to locate guidance from any United States Government agency. According to Feigelson, Pastore, Serrato and Metallo (2016), the National Institute of Standards and Technology (NIST) addressed mobile device and cloud security guidance in 2014 and will publish additional guidance to the public sometime in 2016. In the original guidance of 2014, the NIST cybersecurity framework or guidance offers many recommendations for private industry to adopt to mitigate cyber security risk and possibly compliance issues. For example, Bring Your Own Device (BYOD) is considered a risk when employees are downloading personal information and accessing company files remotely. Feigelson et al. (2016) recommend that private industry use the NIST cybersecurity practice guidance and have legal and IT departments work together to reduce the risk of noncompliance. Some of the steps and recommendations lie in knowing the type of data on the mobile devices and separating the employee’s personal data from the business data while encouraging the implementation of secured cloud-based solutions.

Howell (2015) assumes that the move by organizations and businesses to the cloud is not limited to leading-edge and innovative businesses. The cloud offers business solutions to all types and sizes of businesses, including key business functions such as accounting and compliance. However, Howell (2015) sees people as the greatest weakness in adopting and using the cloud. For example, compliance teams usually utilize the cloud to streamline and ease the burdens of reporting and accessing data. Companies might elect to implement Enterprise Resource Planning (ERP) systems to reduce cost and ease access to global innovations and scalability (Seethamraju, 2014). This cloud-based solution can reduce the organization’s dependence on software licenses that it needs to purchase and can control access to reduce IT personnel and maintenance costs.

Statement of the Problem

            It is not known how information technology and export compliance managers perceive the compliance impact of adopting cloud computing technology in their software companies. Cloud computing adoption is predominantly an organizational problem, but failing to take action to facilitate improvements or optimize operations can also become a legal problem from a compliance perspective. Not addressing all aspects of cloud adoption can lead to a lack of awareness and compliance challenges in adopting and using cloud systems, which can, in turn, affect the business and the business bottom line. 

This study will provide an understanding of the reasons why export compliance and information technology leaders adopt the cloud as a new technology and evaluate their perceptions of how to mitigate the compliance challenges associated with such adoption. Hailu (2012) assumes that cloud computing technology adoption provides significant benefits to small and large corporations; however, the challenges of adoption may complicate the selection decisions and subsequent adoption process.

In a recent Forrester Research and ARMA International RM survey of records management professionals in 2015, 29% of the respondents cited the lack of legal, compliance and business stakeholder alignment as one of the top challenges in their organizations (McKinnon, 2015). Big data, and the challenge of identifying which data should be categorized, shared or accessed, is the big challenge when adopting cloud computing. Who will take on the task of identifying and categorizing the data is a question that needs to be answered before and during cloud computing adoption.

Research Questions

The purpose of the study is to explore how information technology and export compliance managers perceive the compliance impact of adopting cloud computing technology. This study will be guided by three research questions:

R1: How do IT and export compliance managers perceive software companies’ compliance with United States regulations that are in conflict with other international laws pertaining to cloud computing technology?

R2: How do IT and export compliance managers perceive the compliance impact of adopting cloud-computing technology in their software companies in Southern California?

R3: How is cloud computing considered an effective cost saving technology when faced with compliance challenges? 

The study will make use of qualitative research methods since they will be the best means of gathering insights into the problems that present when considering cloud computing compliance (Creswell, 2012). Brinkmann (2014) assumes that social contact between the interviewer and interviewee or informants can be beneficial in enhancing the interview experience and sharing of information.

A qualitative methodology will be used to explore employees’ perspectives about adopting cloud computing technology. Current research on cloud computing risks has been very limited and focused only on security and privacy (Dutta, Peng, & Choudhary, 2013). The research design is a qualitative case study and is focused on exploring the perspectives of employees adopting cloud computing technology and the IT and export compliance challenges associated with such adoption. Therefore, the proposed research method will focus on direct observations and interviews as the main data collection method (Yin, 2003).

Research Methodology

The primary focus of this qualitative study is to gain an understanding of the perspectives of IT and export compliance managers on the compliance impact of adopting cloud computing technology. This study will also focus on the legal and technological challenges that arise when United States laws and regulations are in conflict with other international laws and jurisdictions. Thus, the study will utilize qualitative research methods since they will be the most effective means of gathering insights into the problems that are present when considering compliance in the cloud (Creswell, 2012). Interviews and observations will be used as the preferred data gathering method. Green (2014) argues that the literature review, purpose and research question all complement each other when it comes to the design of the theoretical framework. Brinkmann (2014), on the other hand, assumes that semi-structured interview questions are often posed by the researcher to seek answers in qualitative studies. Interviewing will be adopted as the primary data collection method, with observation and archival data to augment the research. One of the issues that emerges when adopting semi-structured interviews relates to the excessive amount of time they take to conduct, as well as their being difficult to manage or participate in since they lack preconceived questions and provide little to no guidance on what needs to be covered (Brinkmann, 2014). Structured interviews are akin to verbally administered questionnaires in that they contain a series of predetermined questions, with little to no variation, and no allowance for follow-up questions even for issues that call for further elaboration. While the interviews, whether structured or semi-structured, may be relatively quick and easy to administer, they are without the benefit of comprehensive answers owing to the rigidity that prevents them from sampling more in-depth explanations.
Consequently, the interviews conducted for this research will be semi-structured, as this will afford the interviewers the advantages of both structured and unstructured interview techniques while mitigating their disadvantages (Creswell, 2012). Semi-structured interviews offer some benefits that the other forms simply cannot. One key benefit is that they follow a consistent structure. The interview questions will follow some general guidelines that focus on the respondents’ background and experience of IT, cloud computing and other specialties such as legal and compliance (Dutta, Peng, & Choudhary, 2013). Since the study already has some predetermined research questions, the research method can use these issues as the fundamental structure of the interview (Brinkmann, 2014). In addition, the three research questions identified above will provide a framework that not only serves as a guideline to define the areas for exploration but also allows the interviewer or interviewee room to deviate to pursue an idea or response in more detail. Irwin (2013) offers confirmation that the use of secondary data can enhance primary research data and therefore assist in discovering new questions and understanding the generalization of findings.

Marshall and Rossman (2011) advocate the use of semi-structured interviews since the flexibility of the approach over structured interviews may help to identify additional areas for further research that may not be highlighted enough in the study. According to Yilmaz (2013), “The credibility of a qualitative study is affected by the context to which systematic data collection procedures, multiple data sources and other techniques for producing trustworthy data are used” (p. 321). Green (2014) argues that research outcomes can be dependent on the development of theoretical or conceptual frameworks. When discussing the interview process, Marshall and Rossman (2011) imply that the interview is considered a fact while observations are considered descriptions. Additionally, phenomenological interviewing that includes past and present experience requires the respondents to draw from their vast professional experiences and perspectives. Another reason for the support of interviews as the preferred method for carrying out the research stems from the number of respondents. As stated earlier, the research process will sample from a relatively small population, focusing on a limited geographical area and a specific private industry, which is the software industry. Interviews are not preferred for carrying out research that covers scores of people since they tend to be expensive as compared to other methods like questionnaires (Brinkmann, 2014). The interview sessions can also serve as a precursor and fundamental basis for the development of additional research and to gain more knowledge and insight.

Research Design

Interviews and questionnaires, including observations, will be utilized to gain knowledge about the perspectives of IT and export compliance professionals regarding the adoption of cloud computing technology and the compliance challenges associated with such adoption. Research designs are important factors in the overall strategy for building a study that is coherent and logical to ensure that the research problem has been addressed adequately (Creswell, 2012). As such, the research design is crucial in the development process for any research. Yilmaz (2013) points out that a qualitative study is one that tries to understand how social experiences are created and how the known and knower are connected in the qualitative paradigm. To confirm his previous point, Yilmaz (2013) concluded that naturalistic methods for data collection based on people’s experience are the main aim of the qualitative research approach.

Adhering to the objective of collecting as much pertinent data as possible, the interviewer will rely on their observations of the test subjects, composed of the IT and export compliance professionals, while they are answering the questions, keeping the organization’s culture in mind. The aim of this qualitative study is to study the phenomena by capturing participants’ own experiences and communicating those experiences through interviews and observations (Yilmaz, 2013). Interpretation and analysis of the collected data after the interview process is over will take into account both the researcher’s perspective and the interview data collected (Schweitzer, 2012). At the same time, since the interview process needs to gather in-depth insights, the interview will be formulated to allow for either party to seek clarification or expand on their questions or answers. Additionally, secondary data analysis will be collected to confirm the primary researcher’s generated data analysis from the interviews and the questionnaires offered to the IT and export compliance professionals (Irwin, 2013).

For the interviews, the questioner will require data on the primary research questions and the gap being investigated. Ratten (2015) assumes that the process approach focuses on individual behavior while the factor approach focuses on innovations and industries. Consequently, the interview questions will focus not only on the innovation part of cloud computing but also on human behavior before, during and after the adoption of the cloud computing technology. The discussion is meant to generate perspectives, perceptions, and professional experiences relating to cloud compliance from the compliance managers. According to Brinkmann (2014), any interview effort will involve interaction between the participants in the process, and such social contact is bound to affect the ease of the information.

Population Size and Sampling

Sampling is essential to the qualitative research methods that will be employed in this study since it has direct implications on the quality of the data that will be obtained. For this reason, the sampling method should be effective and likely to result in the most accurate data. Similar considerations regarding the sampling procedure relate to the chosen research method, interviews. Rucks and Bierbaum (2015) argue that spatial analysis has been neglected by qualitative sociologists in their studies. In this qualitative study, maps and a limited amount of statistics will be provided to enhance the primary research and confirm the secondary research data analysis.

In professional settings, interviews can be time-consuming, and therefore the need to identify participants with compliance and IT experience is crucial to the validity and reliability of this study. Interviews by their very nature tend to be time-consuming, and as such, careful consideration has gone into identifying informants who will have the knowledge or experiences necessary to answer the research question. According to Marshall and Rossman (2011), interviews should include four essential elements: participation, direct observation, depth of the interview, and document analysis. Based on the above, the research will focus on the export compliance and IT managers of software companies since these are the individuals who are considered to be at the forefront of the pre and post adoption of cloud computing in their organizations. As a result of these restrictions, the pool of potential subjects who can be called upon to give feedback is relatively small. Creswell (2012) suggests that a population sample of at least 20 to 30 persons in qualitative research is sufficient to extract data. However, in this qualitative study, a sample of 10-20 participants will be utilized since the focus of this study is to explore the perception of export compliance and IT professionals of a newly adopted technology.

This study will focus on a limited number of companies that have implemented cloud computing as part of their information system architecture. Therefore, a limited number of IT and export compliance managers will be interviewed, and those managers have to be qualified as managers and professionals that have direct interaction with the pre and post adoption of cloud computing. After the subset has been identified, stratified sampling could also be used to ensure that the views are representative of both small and large companies as well as those in the Information Technology subsector and those that are not. Uprichard (2011) noted that initial knowledge of the population is required from the beginning to achieve statistical significance. Additionally, Mishra (2015) assumes that successful research is dependent on the engagement of multiple methods such as observations, interviews, and recordings.

Sources of Data

Uprichard (2011) believes that sampling is a core issue in research and effective sampling remains a challenge to be resolved. One of the pre-identified requirements of qualitative research is that as much valid data as is required to be representative of all views is collected. At this point, interviews, observation, and archival-type secondary data such as readily available maps and statistics will be applied in the research process (Rucks & Bierbaum, 2015). From the data collected in the interviews, additional research questions may be proposed for future quantitative research.

Interviews will act as the main source of data since they will provide better insights into the experiences and perceptions of the chosen test subjects while allowing them to elaborate on their opinions (Marshall & Rossman, 2014). At the same time, since the sample size is comparatively small, the costs of administering an interview are not prohibitive. However, Mishra (2015) believes that interviewing ten people is sufficient due to the time it takes to interview each individual. Interviews will be used for the collection of information regarding the primary areas of the research, particularly with a view towards providing satisfactory answers to the research questions posed in this study. As an example, the interview questions will cover the areas of cloud computing risks from IT and export compliance perspectives and how cloud computing adoption will and can affect the employees’ perspective regarding the new technology.

Validity

According to the Association for Qualitative Research (2013), validity refers to the scientific test that measures how well the research reflects the reality or the purpose of the research. Validity can also be thought of as simply a way through which a determination can be made on whether the study measures what it purports to (Kvale & Brinkmann, 2014). In essence, it examines how truthful the research is. For this specific instance, validity will serve as a measure of how well suited the tools, processes, and data used in the interview were. Further, Hampshire, Iqbal, Blell and Simpson (2014) point out that interviews based on guided conversations will provide all kinds of connections in the qualitative research. The interview basis will allow for the participant’s experiences and interpretations to guide the interview process, which will be a more efficient method to validate the outcome (Hampshire et al., 2014). Camfield and Jones (2013) noted that secondary research would add value to the research due to the wider access to data. However, relying on secondary research can pose many challenges, and it is less reliable than semi-structured interviews. The validation of this qualitative research study will be based on the intrinsic qualitative research context to enhance the credibility of the qualitative research (Sousa, 2014).

Reliability

According to the Association for Qualitative Research (2013), reliability is the repeatability of a particular set of research findings that can be replicated in a second identical piece of research. Reliability was also defined as the extent to which the results of research are consistent over time. A quick test for the reliability of a study is whether the results of the study can be replicated under a similar methodology (Brinkmann, 2014). For this research study, the interview design will be conducted in a geographically heterogeneous sample of southern California in the technology and software industry. Reliability is further assured through comparing the relevant data from the different respondents in the interview. Finally, the researcher will be aware of the inherent challenges in using heterogeneous industry sampling. For example, Robinson (2014) argues that the diversity of the data may decrease cross-case themes located during the analysis.

Data Collection Procedures

            The data will be collected by providing IT and export compliance professionals a questionnaire that will be followed by an interview that is semi-structured while observing some case studies in cloud computing adoption. This qualitative research will follow on the strong tendencies by researchers to conduct qualitative and quantitative studies separately (Archibald, Radil, Xiaozhou & Hanson, 2015).

A questionnaire will be developed using questions based on the literature contained in the studies in cloud computing and an interview protocol guide. The interview will be designed to allow IT and export compliance professionals to identify major compliance and security risk issues they face since the adoption of cloud computing. The target respondents will have at least three years of professional in-house experience in their field and show a willingness to participate fully in interviews and answer specific questions listed in the questionnaire.

This qualitative study will focus on the four-point approach to qualitative sampling recommended by Robinson (2014). Robinson recommends that efficient sampling should follow a defined sample, sample size, strategy, and sourcing of the sample. Each one of the sample points will be followed and highlighted during the interview process and the development of the targeted questionnaire. Following the Robinson (2014) guide, the sampling will be set at a maximum of 20 individuals. The limited sampling population is intended to allow in-depth analysis from employees and decision makers as well as experts in the field. Another reason is the constraints associated with time and finances. The exact strategy for identification of the 20 individuals is that they have to come from the software and high technology industries, and there are limited companies in that particular field. Therefore, the study will explore clarity, which will be created by considering the software and technology industries that have adopted cloud computing technology. The initial sample will be 100 emails. Of these, only 20 will be selected for the sampling. The curating of the respondents will be done by choosing those who are willing to answer a questionnaire and later answer follow-up questions in a call (phone or Skype). The overall sampling technique is convenience sampling, which Bryman (2015) defines as a selection of samples that are easy to reach, with prominence given to the samples of least resistance.

Data Analysis

Thematic analysis will utilize similarity, frequency and sequence coding of the interviews and questionnaires of employees working for software companies and how they perceive the compliance impact of adopting cloud computing technology. Collected data will be gathered and offered in a descriptive phenomenological method (Sousa, 2014).

Interviews, surveys, observations and questionnaires will provide descriptive data, and the researcher or interviewer will strive to demonstrate that the interviews and research are free from bias. Relying on archived data to save time and reanalyzing this data will also provide additional confidence in the conclusions of the research (Camfield & Jones, 2013). An additional precaution during the data collection phase of this study will focus on how much reliance is placed on expert judgment and perspectives to build a sound case and make an argument to conclude findings (Kremljak, 2011).

The data analysis will follow a structure dictated by the research questions. As such, the researcher will start analyzing the data collected by categorizing it under the relevant question. The underlying mechanism for the analysis is guided by the Timmermans and Tavory (2012) definition of qualitative data analysis as the process by which data that has been collected is changed into information, interpretation or understanding within the context of the subject matter. With that in mind, the clear path for the data analysis is inductive analysis. Inductive analysis allows the researcher to start from a single point and expand, thereby exploring new aspects of the subject matter. In addition, an inductive approach does not need to prove a pre-conceived point of view in the way that deductive approaches do. There are three major steps that the inductive process applied will follow. These are observation/examination of collected data, identification of patterns and the formation of a possible theory. It is this theory or body of new information that this research aims at arriving at. If need be, the theory can be investigated in a different undertaking through a quantitative analysis process. With the aim of the research being exploration with the intention of building new perspectives, the data that will be of most use is inferential data. This means that the researcher will collect the data, code it, then take the time to scour it for inferential value. The inferential data will then be used to try to form new perspectives that the researcher finds to be missing in the body of literature as it stands at the conception and writing of this research. The scouring for inferential data will be done through a coding process.

The first step in the process is the organization of the data. In this research, the data will be organized under the research questions. The second step will be the creation of an analysis framework. The analysis framework, or the coding plan, will determine where the labeling and definitions are attached to the data. Since this is a grounded theory type of research, the coding framework will only focus on exploratory and not explanatory data. Timmermans and Tavory (2012) explain this by pointing out that explanatory data leads to descriptive and consequently deductive ends. The focus of this research is inferential and, therefore, inductive results. The third step will be entering the data into the structure, followed by the last step, which is the second order analysis of the data with the aim of finding workable inferences.

Ethical Considerations

Until the receipt of the Institutional Review Board (IRB) permission, no data, interviews or questionnaire forms will be collected. All the data in the study will be identified in a way that any researcher and the future reader will not be able to identify the individuals in the study. The data and all related documentation collected from interviews and respondents will be stored on a password-protected computer for the required minimum of three years after the research has concluded, in accordance with the University Institutional Review Board (IRB) policy.

Kremljak (2011) argues that data precision and reliability are considered one of the risks of qualitative projects and research. This will lead the researcher during the data collection process to identify and handle all the risks involved when interviews take place.

Limitations

The study will suffer limitations in some areas. For instance, there is a concern that the sample size, given the number of the entire population, may be too small to enable the finding of a significant relationship based on the data. Most of the underlying concerns about the sample size stem from how representative it will be, given that most software companies within the study area fall within the same region in the distribution. Another major limitation might be the biases of the researcher and the researcher’s previous knowledge as a user and a professional in the field of export compliance.

Considerations into how the problem has been stated, the data to be studied have been selected, and what does not make it into the final report. Similar consideration will also go into ensuring that questions for the interview will be phrased without any positive or negative connotation that is likely to influence the decision in any way.

Summary

Chapter 3 has explored the concept of cloud computing and how the legal issues associated with adopting the technology will be studied and analyzed. The research questions that pose the research gap in this qualitative study will be the focus of the data collection and analysis method in the next chapters of the study. Moreover, several data collection methods such as interviews, questionnaires and observations will be conducted during the research process. Immediate consideration will be given in this study to ensuring valid and reliable population sampling of IT and export compliance managers who are at the forefront of cloud computing adoption in their organizations. The first set of data that will be collected will focus, first, on the adoption process and how management and professionals decide its usefulness and, secondly, on the implementation phase of the cloud computing technology. Another focus will be on the regular employee and how this new innovative technology affects their daily use of data. Further, the study will examine how data categorization is applied and whether employees understand what data should be segregated or can be shared or uploaded to the cloud. Additionally, there will be an emphasis on how export control regulations in the United States affect cloud users and providers. For example, Silverman (2012) believes that the United States BIS and OFAC agencies place the burden of export compliance on the users of the cloud and not the cloud providers. Therefore, the interviews and other data collection methods in this research study will focus on how pre and post adoption of cloud computing affects the organization from a cloud user and provider perspective.

Chapter 4 will start the research process per the school template. This will involve collecting and analyzing the data and offering conclusions, limitations, and further research questions.

References

AbuOliem, A. (2013). Cloud computing regulation: An attempt to protect personal data transmission to cross-border cloud computing storage services. International Journal of Computer and Communication Engineering, 2, 521-525. doi:10.7763/IJCCE.2013.V2.240

Aljawarneh, S. (2015). Advanced research on cloud computing design and applications. Jordan University of Science and Technology, Jordan.

Archibald, M. M., Radil, A. I., Xiaozhou, Z., & Hanson, W. E. (2015). Current mixed methods practices in qualitative research: A content analysis of leading journals. International Journal of Qualitative Methods, 14(2), 5-33.

Baltimore County Public Schools (2010). BCPS research process steps. Retrieved from http://www.bcps.org/offices/lis/researchcourse/develop_writing_methodology_limitations.html

Berry, R., & Resiman, M. (2012). Policy challenges of cross-border cloud computing. Journal of International Commerce and Economics, Web Version, 1-38.

Bidgoli, H. (2011). Successful introduction of cloud computing into your organization. Journal of International Information Management Association, 20(1).

Bilzi, C. J., Eisner, R. S., Aronchik, M. G., & Balsanek, K. L. (2011). Identifying and resolving US export control issues in outsourcing deals. Intellectual Property & Technology Law Journal, 23(10), 3-7.

Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013, January). Cloudrise: exploring cloud computing adoption and governance with the TOE framework. In System Sciences (HICSS), 2013 46th Hawaii International Conference on (pp. 4425-4435). IEEE.

Brender, N., & Markov, I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International Journal of Information Management, 33(5), 726-733.

Brinkmann, S. (2014). Interview (pp. 1008-1010). Springer New York.

Brinkman, S., & Kvale, S. (2014). Interviews: Learning the craft of qualitative research interviewing. Thousand Oaks, CA: Sage Publications.

Bryman, A. (2015). Social research methods. City, State: Oxford University Press.

Burke, D. D. (2012). Export control policy initiatives under the Obama administration. Journal of Legal, Ethical & Regulatory Issues, 15(1), 47-66.

Camfield, L., & Palmer-Jones, R. (2013). Improving the quality of development research: What could archiving qualitative data for reanalysis and revisiting research sites contribute? Progress in Development Studies, 13(4), 323-338. doi:10.1177/1464993413490481

Casalicchio, E., & Palmirani, M. (2015). A Cloud Service Broker with Legal-Rule Compliance Checking and Quality Assurance Capabilities. Procedia Computer Science, 68, 136-150.

Chang, V., Walters, R., & Wills, G. (2013). The development that leads to the Cloud Computing Business Framework. International Journal of Information Management, 33(3), 524-538. http://dx.doi.org/10.1016/j.ijinfomgt.2013.01.005

Choudhary, V., & Vithayathil, J. (2013). The Impact of cloud computing: Should the IT Department be organized as a cost center or a profit center? Journal of Management Information Systems, 30(2), 67-100.

Cohen, R. (2012). The past, the present and the future of cloud computing. Technology Journal, 16(4).

Colona, L. (2014). Article 4 of the EU Data Protection Directive and the irrelevance of the EU-US Safe Harbor Program. International Data Privacy Law, 4(3), 203-221. doi:10.1093/idpl/ipu005

Crestin, F., Judde, M. (2011). Strategic and economic issues of ownership rights and private life compliance. Journal of Internal Security, 3(1), 63-65.

Creswell, J. (2012). Qualitative Inquiry and Research Design: Choosing Among Five Approaches (3rd ed.). Washington D.C: Sage Publications.

Cudanov, M., Krivokapic, J., Krunic, J. (2011). The influence of cloud computing concept on organizational performance and structure. Management Journal, (1820-0222): 18-24.

DeButts, T. (2014). What happens in the cloud stays in the cloud: BIS reinforces export control insulation for cloud-based computing and processing | Insights | DLA Piper Global Law Firm. DLA Piper. Retrieved from https://www.dlapiper.com/en/us/insights/publications/2014/12/what-happens-in-the-cloud/

Doelitzscher, F., Reich, C., & Sulistio, A. (2010). Designing cloud services adhering to government privacy laws. Computer and Information Technology. doi: 10.1109/CIT.2010.172

DTAG Cloud Computing Working Group (May, 2013). Retrieved from http://www.pmddtc.state.gov/dtag/documents/plenary_May2013_Cloud Computing.pdf

Dutta, A., Peng, A., & Choudhary, A. (2013). Risks in enterprise cloud computing: the perspective of IT experts. Journal of Computer Information Systems, 53(4), 39-46.

Egbert, M. (2015). Driving public cloud adoption through qualitative and quantitative modeling. Available from ProQuest Dissertations & Theses Full Text: The Humanities and Social Sciences Collection. Retrieved from http://search.proquest.com/docview/1712400561

European Commission Website. Retrieved from http://ec.europa.eu/justice/data-protection/index_en.htm (2016)

European Union Law (2016). Access to European Union Law. Retrieved from http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046, 2016

Feigelson, J., Jim, P., Serrato, J. K., & Jonathan, M. (2016). New Federal Guidance on Cybersecurity for Mobile Devices. Intellectual Property & Technology Law Journal, 28(3), 25-26.

Furner, C. (2013). Getting heads into the cloud. International Information Management Association, 22(3), 1-19.

Gao, J. & Hardin, D. (2012). The export control risks of US-China technology collaboration. China Business Review, 39(4), 35-39.

Gonzalez, M. D., & Smith Jr., M. L. (2014). Are cloud computing services adoption trends changing? Franklin Business & Law Journal, 2014(3), 120-144.

Green, H. E. (2014). Use of theoretical and conceptual frameworks in qualitative research. Nurse Researcher, 21(6), 34-38.

Haibach, G. (2015). Cloud computing and European Union private international law. Journal of Private International Law, 11(2), 252-266.

Hailu, A. (2012). Factors affecting cloud-computing technology adoption in developing countries. Available from ProQuest Dissertations & Theses Full Text: The ABI/Inform

Hale, C., Barbee, G., Lewis, M., Major, A. (2015). Cloud computing legal desktop. Thomson Reuters. Sheppard Mullin. Westlegalcenter.com.

Halpert, B. (2011). Auditing Cloud Computing: A Security and Privacy Guide. New York, NY: John Wiley & Sons.

Hampshire, K., Iqbal, N., Blell, M., & Simpson, B. (2014). The interview as narrative ethnography: seeking and shaping connections in qualitative research. International Journal Of Social Research Methodology, 17(3), 215-231. doi:10.1080/13645579.2012.729405

Harmon, P. (2014). Business Process Change. Burlington, MA: Morgan Kaufmann.

Hasty, B. K., Schechtman, G. M., & Killaly, M. (2012). Cloud computing: differences in public and private sectors. International Journal of The Academic Business World, 6(1), 51-62

Howel, J. (2015). Moving to the cloud. Institute of Management Accountants, 96 (12), 30-37

Huxford Jr., D. C. (2012). 6 Steps for Transitioning to the Cloud. Journal of Financial Planning, 25(3), 30-32.

Information Commissioner’s Office. (2013). Key definitions for the Data Protection Act. Archived at http://www.ico.org.uk/for_organisations/data_protection/the_guide/key_definitions

Irwin, S. (2013). Qualitative secondary data analysis: Ethics, epistemology and context. Progress In Development Studies, 13(4), 295-306. doi:10.1177/1464993413490479

Jaeger, J. (2015, September). Rule change to ease export controls in the cloud. Compliance Week, 22+. Retrieved June 29, 2016, from Academic OneFile.

Johnson, H. (2013). Cloud enable your workforce management. Workforce Solutions Review.

Khanagha, S., Volberda, H., Sidhu, J., & Oshri, I. (2013). Management innovation and adoption of emerging technologies: The case of cloud computing. European Management Review, 10(1), 51-67.

Katz, M.L. & Shapiro, C. (1986). Technology adoption in the presence of network externalities. Journal of Political Economy, 94(4), 822-841. Retrieved from http://www.jstor.org/stable/1833204

Kremljak, Z. (2011). Qualitative analysis of project risk. Annals of DAAAM & Proceedings, 191-192.

Leavitt, N. (2009). Is Cloud Computing Really Ready for Prime Time? Computer, 42(1), 15-20. http://dx.doi.org/10.1109/mc.2009.20

LeBeau, A.J., Holzer, J. (2014). International trade and business: United States export controls. The Complete Compliance and Ethics Manual. Minneapolis, MN, 5.345-5.359.

Lin, A. & Chen, N. (2012). Cloud computing as an innovation: Perception, attitude, and adoption. International Journal of Information Management, 32(6), 533-540. http://dx.doi.org/10.1016/j.ijinfomgt.2012.04.001

Lewin, K. (1943). Defining the ‘field at a given time’. Psychological Review, 50(3), 292-310. http://dx.doi.org/10.1037/h0062738

Lewis, S. (2015). Qualitative inquiry and research design: Choosing among five approaches. Health promotion practice, 1524839915580941.

Madhavaiah, C., Bashir, I., & Shafi, S. I. (2012). Defining Cloud Computing in Business Perspective: A Review of Research. Vision (09722629), 16(3), 163-173. doi:10.1177/0972262912460153

Manguic, D. M. (2012). Cloud Identity and Access Management – A Model Proposal. Accounting & Management Information Systems / Contabilitate Si Informatica De Gestiune, 11(3), 484-500.

Marshall, C., & Rossman, G. B. (2011). Designing qualitative research. Newbury Park, CA: Sage publications.

Marston, S., Li, Z., Subhajyoti, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing-The business perspective. Decision Support Systems, 51(1), 176-189.

Maberry, S. J., Dombek, M. C., Palmeri, C., & Whitten, R. (2015). Cloud Computing Legal Desktop. Eagan, MN: Thomson Reuters.

McKendrick, J. (2014). NIST puts a sharper point on cloud computing | ZDNet. ZDNet. Retrieved from http://www.zdnet.com/article/nist-puts-a-sharper-point-on-cloud-computing/

McKinnon, C. (2015). Embrace the cloud, big data to take control of the digital deluge. Information Management, 49 (5), 18-23

Mell, P., & Grance, T. (2011). The NIST definition of cloud computing. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Mishra, A. (2015). Disguised depth interviews as games: Methodological extension to design perception. Journal of Ethnographic & Qualitative Research, 9(4), 286-302.

Mohamed, A. (2015). A history of cloud computing. Computer Weekly. Retrieved June 16, 2016, from http://www.computerweekly.com/feature/A-history-of-cloud-computing

Mohan, B. (2014). Simplifying shared services and HR transformations initiatives through innovation. Workforce Solutions Review, January, 12-16.

Moran, J.H., Aubert, J., & Gateau, B. (2012). Towards cloud computing SLA risk management: Issues and challenges. System Science. doi: 10.1109/HICSS.2012.602

Murphy, R. M. (2013). US Export Controls Over Cloud Computing: The Forecast Calls for Change. Syracuse Sci. & Tech. L. Rep., 28, 65-121.

Nagel, T. (2014). Cloud Services and Export Control: What You Don’t Know Can Hurt You | White & Case LLP International Law Firm, Global Law Practice. Whitecase.com. Retrieved from http://www.whitecase.com/publications/alert/cloud-services-and-export-control-what-you-dont-know-can-hurt-you

Narayanan, V. (2012). Harnessing the Cloud: International Law Implications of Cloud-Computing. Chicago Journal of International Law, 12(2), 793-808.

National Institute of Standards and Technology (2011). Final version of NIST cloud computing definition published. Retrieved from http://www.nist.gov/itl/csd/cloud-102511.cfm

Oelrich, P. A. (2015). Role and effect of social determinants on moral judgment: A study of employee behavior when communicating using social technology. Available from ProQuest Dissertations & Theses Full Text: The Humanities and Social Sciences Collection.

Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497-510.

O’Reilly, M., & Parker, N. (2012). ‘Unsatisfactory Saturation’: a critical exploration of the notion of saturated sample sizes in qualitative research. Qualitative Research, 1468794112446106.

Pearson, S., & Yee, G. (2012). Privacy and security for cloud computing Computer Communications and Networks. New York, NY: Springer Science & Business Media.

Pepperdine University (2016). Pepperdine University Graduate School of Education & Psychology. Retrieved from http://community.pepperdine.edu/gsep/writing-support/content/dissertation-assumptions-limitations-delimitations.pdf

Qian, R., & Palvia, P. (2013). Towards an understanding of cloud computing’s impact on organizational IT strategy. Journal of Informational Technology Case & Application Research, 15(4), 34-54.

Ratten, V. (2015). International consumer attitudes toward cloud computing: A social cognitive theory and technology acceptance model perspective. Thunderbird International Business Review, 57(3), 217-228. doi:10.1002/tie.21692

Ritchey, K., Paez, M., McGregor, V., & Sendra, M. (2013). Global privacy and data security developments–2013. Business Lawyer, 69(1), 245-254.

Robinson, O. C. (2014). Sampling in Interview-Based Qualitative Research: A Theoretical and Practical Guide. Qualitative Research In Psychology, 11(1), 25-41. doi:10.1080/14780887.2013.801543

Rucks-Ahidiana, Z., & Bierbaum, A. H. (2015). Qualitative spaces: Integrating spatial analysis for a mixed methods approach. International Journal of Qualitative Methods, 14(2), 92-103.

Salisbury, D. (2013). Trade controls and non-proliferation: compliance costs, drivers and challenges. Business & Politics, 15(4), 529-551. doi:10.1515/bap-2013-0006

Salow, H., Meier, J., Goodwin, D. (2011). Cloud computing trend sparks compliance concerns. National Defense, 43.

Samani, R., Reavis, J., & Honan, B. (2014). CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security. Rockland, MA: Syngress.

Schoorl, J. (2012). Clicking the “Export” button: Cloud data storage and UNITED STATES dual-use export controls. The George Washington Law Review, 80(2), 632-667.

Schweitzer, E. J. (2012). Reconciliation of the cloud computing model with US federal electronic health record regulations. Journal of the American Medical Informatics Association, 19(2), 161-165.

Shaffer, G. (2000). Globalization and social protection: the impact of EU and international rules in the ratcheting up of US data privacy standards. Yale Journal of International Law, 25, 1-88.

Shane, J. R., & Scheetz, L. E. (2014). Export controls for tech companies: The basics and the pitfalls of UNITED STATES encryption controls. Journal of Internet Law, 18(3), 1-12.

Sobragi, C., Macada, A., Oliveira, M. (2014). Cloud computing adoption: A multiple case study. BASE, 11(1).

Silverman, J. S. (2012). US trade controls and cloud computing. IP Litigator, 24-30.

Sousa, D. (2014). Validation in Qualitative Research: General Aspects and Specificities of the Descriptive Phenomenological Method. Qualitative Research In Psychology, 11(2), 211-227. doi:10.1080/14780887.2013.853855

Sugumaran. (2016). Advances in Systems Analysis, Software Engineering, and High Performance Computing. Hershey, PA: IGI Global.

Swanson, D. & Creed, A. (2013). Sharpening the Focus of Force Field Analysis. Journal of Change Management, 14(1), 28-47. http://dx.doi.org/10.1080/14697017.2013.788052

Tauwhare, R. (2015). Cloud computing, export controls and sanctions. Internet Law, 19(2), 632-667

The Association of Qualitative Research (2013). AQR The hub of qualitative thinking. Retrieved from https://www.aqr.org.uk/glossary/reliability

Timmermans, S., & Tavory, I. (2012). Theory construction in qualitative research from grounded theory to abductive analysis. Sociological Theory, 30(3), 167-186.

Togan, M. (2014). Considerations on cloud computing security. MTA Review, XXIV (4), 201-218.

United States Department of Treasury (2016). Retrieved from https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_general.aspx#basic (last visited June 17, 2016)

Uprichard, E. (2011). Sampling: bridging probability and non-probability designs. International Journal of Social Research Methodology, 16(1), 1-11.

Villasenor, J. (2011, July 25). Addressing export control in the age of the cloud computing. Center for Technology Innovation, Brookings Institute, 1-15. Retrieved from http://www.brokings.edu

Werfs, M., Baxter, G., Allison, I. K., & Sommerville, I. (2013). Migrating software products to the cloud: An adaptive STS perspective. Journal of International Technology & Information Management, 22(3), 37-54.

Whitley, E. A., Willcocks, L. P., & Venters, W. (2013). Privacy and security in the cloud: A review of guidance and responses. Journal of International Technology & Information Management, 22(3), 75-92.

Wilhelm, E. (2016). A brief history of the General Data Protection Regulation. Iapp.org. Retrieved June 16, 2016, from https://iapp.org/resources/article/a-brief-history-of-the-general-data-protection-regulation/

Xiao, Z., & Xiao, Y. (2013). Security and privacy in cloud computing. IEEE Communications Surveys & Tutorials, 15(2), 843-859.

Yin, R. K. (2003). Case study research, design and methods (3rd ed.). Thousand Oaks, CA: Sage.

Yeh, C. (2012). Cloud computing and human resources in the knowledge era. Human Systems Management, 31 3(4)165-175.

Yilmaz, K. (2013). Comparison of Quantitative and Qualitative Research Traditions: epistemological, theoretical, and methodological differences. European Journal of Education, 48(2), 311-325. doi:10.1111/ejed.12014

Zissis, D. & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583-592. http://dx.doi.org/10.1016/j.future.2010.12.006