Computer Standards & Interfaces 38 (2015) 72–77

Contents lists available at ScienceDirect

Computer Standards & Interfaces

journal homepage: www.elsevier.com/locate/csi

Cloud computing: A value creation model

David C. Chou ⁎
Department of Computer Information Systems, Eastern Michigan University, Ypsilanti, MI 48197, USA

a r t i c l e i n f o a b s t r a c t

Article history: Cloud computing has gained vast attention due to its technological advancement and availability. Possible
Received 12 April 2014 benefits of adopting cloud computing in organizations are ease-of-use, convenience, on-demand access,
Received in revised form 18 July 2014 flexibility, and least management from the users. This paper analyzes the risk and value components inside
Accepted 1 October 2014
cloud computing practice through a value creation model.
Available online 13 October 2014
© 2014 Elsevier B.V. All rights reserved.
Keywords:
Cloud computing
Value creation model
Risk analysis
IT auditing standards

1. Introduction process and technology may also be examined before it to be adopted

Cloud computing is a newly developed computing area that has
been adopted by a large number of organizations in the world for
information technology practices. Organizations move to cloud comput-
ing practice may gain benefits such as cost saving, efficiency improving,
agility enhancing, flexibility and scalability of services, and environmen-
tal sustainability. Cloud computing gained its popularity because it
changed the physiognomies of the IT industry through the exercise of
virtualization. In the meantime, some major concerns to cloud
computing practice, such as security and privacy breaches are originat-
ed from its virtualized setting. The cloud computing operation is similar
to the practice of information technology (IT) outsourcing. The
complexity of outsourcing makes cloud computing's quality control a
challengeable job.
This paper intends to discover the value creation and challenges
confronted by cloud computing's practice. Since cloud computing may
become the next wave of IT innovation, many more organizations may
adopt this technology into their business processes. Therefore, a clear
examination to the value realization of cloud computing may contribute
to the IT field dramatically.
The discovery of value creation is an essential and challengeable task
in every business process. In order to pursue sustainable business conti-
nuity in organizations, they must maintain and strengthen the outcome
of value creation activities. For example, Michael Porter [21] proposed
“value chain analysis”, in which every step in business process has
been investigated to manage its value. However, individual business
in organizations. For this vibrant thought, cloud computing's practice
may also be examined through the value creation analysis.
This study aims to identify a set of components that assist organi-
zations to assess the value creation of cloud computing. We
introduce a value creation model to describe the content of each
component and the relationship among components in the value
creation model. Various effects of implementing cloud computing
in organizations will be discussed. This value creation model
provides guidance to the IT industry for their future development
in cloud computing. Since cloud computing heavily depends on
Internet infrastructure and technology, security will be a major
concern to cloud computing operation. These risk factors are identi-
fied in the value model. The auditing practice is stipulated by law. In
order to comply with legal requirement, auditing must be exercised
in cloud computing operation. All of these concerns and require-
ments are included and discussed in the value creation model.
The paper is structured as follows. The next section provides a
background analysis to cloud computing technology, including its
benefits and inherent risks. After that, the concept and the theoretical
foundation of IT value are explained. The cloud computing value
creation model is introduced and illustrated in the next section. A
conclusion is provided in the last section of the paper.
2. Moving to the cloud
2.1. Cloud computing implications

⁎ Tel.: +1 734 487 0054. More and more companies adopted cloud computing services
E-mail address: dchou@emich.edu. recently. Gartner Inc. forecasted that the sale for cloud services will

http://dx.doi.org/10.1016/j.csi.2014.10.001
0920-5489/© 2014 Elsevier B.V. All rights reserved.
 D.C. Chou / Computer Standards & Interfaces 38 (2015) 72–77
increase from US $46.4 billion in 2008 to US $150.1 billion in 2013 [14].
Cloud computing is a recently developed information technology (IT)
that utilizes resources virtualization approach to deliver IT services
through Internet technology and on-demand mode. National Institute
of Standards and Technology (NIST) defined cloud computing, on its
web page, as “a model for enabling convenient, on-demand network ac-
cess to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service
provider interaction” [18]. NIST classified the cloud deployment into the
following four categories: private cloud, community cloud, public cloud,
and hybrid cloud [18].
Private cloud is operated solely for an organization, on which hard-
ware, networking, storage, applications, interfaces, and infrastructure
do not share with other companies. Private cloud provides internal
services to the organization and employees through corporate intranet
or data center. This cloud service can offer desired fault tolerance and
security capabilities (such as firewall) to guard the safety of internal IT
operations and processes. Therefore, private cloud can be implemented
in a highly secured and manageable environment. The main disadvan-
tage of running private cloud computing is its high cost for hiring staff
and maintaining infrastructure and data center.
Community cloud is “shared by several organizations and supports a
specific community that has shared concerns (e.g., mission, security
requirements, policy, and compliance considerations).” [15, p. 5].
Community cloud can be created inside or outside the organization.
Since its shared characteristics, cloud security control becomes a
major concern. For example, a school district in a city may create a
community cloud for regional schools' access and usage. These schools
must agree to and follow a common policy of cloud computing practice.
Public cloud is the most common type of cloud computing. Within
this model, the service provider (such as Google or Amazon.com) offers
its cloud infrastructure for general public use on a self-service,
on-demand, and pay-per-use basis. Public cloud service providers
must create an extremely scalable data center and flexible infrastruc-
ture for clients' needs. Since client's computing and storage needs are
unpredictable, cloud service providers must be well prepared for
these uncertain demands. Public cloud may serve a large amount of
customers in the market; its security functionality must be well
protected.
Hybrid cloud is the cloud service that syndicates public cloud,
private cloud, and community cloud options. Based on corporate
needs (such as strategic, security and/or confidentiality concerns),
company can allocate workloads into separate cloud infrastructures.
For example, a company may use a public platform to send data to a
private cloud would be a hybrid cloud environment. A new way of
conducting corporate computing process is to combine public ser-
vices with private clouds and data center together. This is a typical
hybrid cloud implementation.
Based on the package offered by the vendors, cloud computing
contains three different types of service models: software-as-a-
service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-
a-service (IaaS). SaaS allows clients to use providers' applications
that run on a cloud infrastructure, which can be accessed through a
web browser. All needed cloud infrastructure (such as network,
servers, operating systems, and application software) is hosted in
vendor's house. PaaS accommodates to developers' need by offering
the entire computing platform and solutions set for an application
needed at client's house. PaaS allows the client to control the appli-
cation software (analysis and design), however, the developer
must know how to work with vendors' programming languages,
interfaces and database systems. IaaS offers clients the capabilities
of processing, storage, networks, and other computing resources so
they can run selective software (operating systems and applications)
in house. Its only tradeoff is that cloud providers manage the
infrastructure in use.
73
2.2. Benefits of moving to the cloud
Cloud computing providers offer active and convenient accessibility
to clients, such as on-demand and pay-per-use services. Cloud comput-
ing users save IT cost since they only pay for what they used; they do not
need to invest in hardware, software, networking, and hiring IT staff in-
side organizations. Security service is handled by cloud computing pro-
viders, however, the user organizations are the major concern of
security breach. Another important benefit of moving to the cloud is
the scalability and flexibility of IT that are offered by cloud computing
vendors. Cloud computing users can enjoy the suppleness of workload
changes, especially handling growing business transactions during the
hot season. Users moving to cloud computing just are like outsourcing
their IT operations to the vendors. For this reason, users do not need
to handle IT management tasks in the organization. Another benefit of
moving to the cloud is the enhancement of mobility, that is, clients
can have access to the software at any place they go to, as long as the
Internet access is feasible.
2.3. Risks of moving to the cloud
The main risks on cloud computing technology are related to the
following areas: authentication, data security and privacy, interfacing
with internal systems, system availability, business continuity, and
ownership of content and other legal requirements [22]. Among these
risk factors, security and privacy are the most concerned area since
cloud computing data are stored outside corporate premises [19].
In cloud computing practices, the clients (or user companies) out-
source servers, server applications, data storage, and software programs
to a cloud service provider (or vendor) for receiving on-demand and
pay-per-use service [20]. Most of cloud providers offer metered
service— it means they charge customers for the processing capacity
that customers have actually used. This special arrangement makes
cloud computing's audit work different from that of traditional IT audit.
We recognize the fact that information technology delivers value to
user organizations and businesses. Any new breed of information
technology should add new and supplementary value to the existing
IT capability or functionality to survive. Cloud computing has been in-
troduced to the IT field and gained sufficient acceptance from the
users in the business community. It is likely that cloud computing has
created substantial value in many user organizations. We would discuss
the implication of IT value creation and its relevance to cloud computing
in the next section.
3. Theoretical foundation
3.1. Cloud computing and outsourcing model
Cloud computing, just like SaaS, is an operation of outsourcing
internal IT services into external vendors for meeting company's
needs. Chou [4] indicated that SaaS practice should be fitted into an
outsourcing model, its main advantages are cost saving, better resources
utilization, more application access scalability, and global outsourcing
possibility. The theoretical foundation behind outsourcing practice is
ample, for example, production cost economics [28], transaction cost
theory [7], resource-based theory [8], competitive advantage and
value chain [21], and economies of scale [4]. The production cost
economics theory supports the argument that outsourcing decision of
the firm is to pursue a low-cost production process [4,5]. The transac-
tion cost theory reflected that organizations intend to consider
outsourcing while transaction cost is low for business activities, includ-
ing time and cost for negotiation, and writing and enforcing contract be-
tween two sites [4,5]. The resource-based theory indicates that firms
center on deployment and combination of specific input rather than
avoidance of opportunities [8]. For this reason, an outsourcing decision
is based on seeking external resources or capability for meeting
74 D.C. Chou / Computer Standards & Interfaces 38 (2015) 72–77
company's purposes such as saving expenses or improving capability [4,
5]. Cloud computing practice, similarly, allows user companies to con-
sume a subset of resources from a pool of IT hardware and software
that are managed within the company (i.e., for private cloud operation)
or by external providers (i.e., for public cloud operation).
Porter [21] proposed a competitive forces model to show the princi-
ple of competitive advantage. The value chain is based on the process
view of organizations, that is, it sees an organization as a series of pro-
cesses and each process adds value to the product or service for their
customers. A main strategy in competitive advantage is to target high
value-adding process within an organization for enhancing their final
value [21]. Mohammed et al. [17] applied Porter's value chain theory
into a reference model for the cloud value chains.
Economies of scale and division of labor are also theoretical founda-
tion of creating outsourcing practice [4]. The outsourcing vendor ex-
poses economies of scale since their average cost declines through the
provision of a mass amount of IT services in the marketplace [4,5].
Cloud computing vendors perform the similar capability for gaining
the advantage of economies of scale.
In summary, theoretical foundation of outsourcing and cloud com-
puting is similar to each other, they are cost economy, resource sharing,
competitive advantage, value chain, and economies of scale. Their main
principle of cloud computing is to have individual vendors who can offer
high quality, mass capability, and low cost service to enter the market-
place. The final objective of cloud computing process is to create value to
the society. We will discuss the value of cloud computing next.
3.2. Value of cloud computing
Valuation is an economic process that identifies the value of actions
in an organization. Value plays an important role while organizations
are determining an action-taking arrangement. While business
executives intend to invest in a vital project, they must measure the pos-
sible outcome of satisfaction in that venture. Value is therefore a foun-
dation of decision-making. Cronk and Fitzgerald [9] indicated that
value is the worth or desirability of a thing. Porter [21] proposed a
well-known “value chain analysis”. This value chain analysis conducts
‘a systematic way of examining all the activities a firm performs and
how they interact is necessary for analyzing the sources of competitive
advantage.’ (Porter, p. 33).
Without a doubt, IT delivers value to organizations. IT generates
value by utilizing computing power in the work place, in there time sav-
ing, cost deduction, and decision-support function can be achieved is a
vivid indication of IT value realization. Whereas applying value analysis
into IT practice, Smith and McKeen [25] constituted three components
of developing an IT value in business processes, including identification,
conversion, and realization. Identification component implies that those
potential opportunities for adding value should be identified at the be-
ginning of the process. Conversion component is the step to show that
those opportunities must be converted into effective applications of
technology for the process. Realization component is the final step
that states applications must be realized by organizations for generating
IT value [25].
One example of value realization process model was done by Chou
and Chou [3]. They utilized a value model to illustrate the process of
realizing green IT. Their green IT value model consists of four compo-
nents/stages, including awareness, translation, comprehension, and
green IT value realization. In order to achieve the goal of adopting
green IT, the awareness stage indicates that organizations must identify
and recognize the value of green IT. The translation stage specifies that
organizations must convert the idea of green IT into actions. The
comprehension stage demands organizations to fully support the prac-
tice of green IT by developing metrics and methods for evaluating and
monitoring the implementation outcomes of green IT. The final stage,
green IT value, reveals the performance result and the value of realizing
green IT. As indicated by Chou and Chou [3], the value of green IT is
achieved through the satisfactions of enterprises and society.
Thethi [26, p. 2] made a cloud value proposition as “reduction of total
cost of ownership, translation of fixed to variable cost, and improve-
ment of business agility and ability to build systems of a global class.”
Based on his cloud value proposition, Thethi [26] proposed a four-step
cloud adoption strategy, which includes assess, validate, prepare, and
execute.
Another cloud computing value study was delivered by Mohammed
et al. [17]. They proposed a cloud computing value chain model that is
based on Porter's value chain theory. This model incorporated three in-
dividual segments, they are primary services, business-oriented support
services, and cloud-oriented support services. Cloud computing value is
to be delivered based on constant process implementation within above
mentioned services [17].
Since cloud computing is an emergent technology in the IT industry,
it is worth of discovering its process of value realization. This paper
proposes a cloud computing value creation model that is based on the
theoretical foundation of cost economies, resource-based theory,
competitive advantage, value chain theory, and economies of scale.
These theories support the innovative application of cloud computing
in the IT industry. The IT industry observed the needs and opportunities
of cost reduction, resourcing sharing, value creation and economies of
scale that exist in the marketplace; therefore, cloud computing has
been formed and developed. However, cloud computing technology
needs to go through a few steps to create its value. Based on the above
discussion, a cloud computing value creation model may possess a
four-step process, including awareness, translation, comprehension,
and cloud computing value creation. The final objective of implementing
cloud computing is to reach a sustainable cloud computing technology.
The details of this model are discussed in the next section.
4. Cloud computing value creation model
Cloud computing value realization process can be identified and
illustrated through a value creation model. As illustrated in Fig. 1,
cloud computing value creation model consists of four components:
awareness, translation, comprehension, and cloud computing value cre-
ation. The combined outcomes of the framework, including awareness,
translation, comprehension, and cloud computing value creation can
reach to the status of cloud computing sustainability. The individual
components of the framework are discussed below.
4.1. Awareness component
The expected benefits of adopting cloud computing service can be
anticipated by prospective organizations. Logically, organizations may
create their own wish list or expectations for the cloud computing ser-
vice. An ideal cloud computing service should offer a client organization
needed IT capability through on-demand and pay-per-use service from
provider's provisioning of application software, platform, infrastructure,
and data center, so the client company could focus on its core business
strategies, such as innovation, economic of scale, competitiveness, and
efficiency and effectiveness, just to name a few of them.
The prospective cloud computing adopters should understand the
types of cloud computing (public, private, community, and hybrid)
and then determine the one that may fit into their business environ-
ment. They should also understand the cloud computing service
models, including software-as-a-service (SaaS), infrastructure-as-a-
service (IaaS), and platform-as-a-service (PaaS). Picking a suitable ser-
vice model is essential since such cloud computing practice must meet
organizational need and IT setting.
Another important decision factor now is cost determination. The
client company must figure out the cost and benefits of moving to the
cloud environment. Moving to the cloud is similar to pursuing IT
outsourcing practice. SaaS, for example, can be characterized as an
 D.C. Chou / Computer Standards & Interfaces 38 (2015) 72–77
Awareness Translaon Comprehension
1. Understanding 1. Risk idenficaon
of cloud compung
2. Security protecon
2. Need
idenficaon 3. Contracng issue
3. Cost analysis
Fig. 1. Cloud computing value creation model.
outsourcing model [5]. The benefit of moving to the cloud is to save a
large portion of current IT expenses such as hardware, software,
networking, data storage, technical support, and staff management
and training. The cost of receiving cloud computing service is based on
the amount of IT services received from the vendors. To most organiza-
tions, the result of cost/benefit analysis must be positive. Gartner Inc.
reported its investigation to the economics, or cost/benefit analysis, of
cloud computing and found that economic advantage of cloud comput-
ing is higher than on-site computing practice [12]. In the meantime,
organizations must recognize possible risks of moving to the cloud.
Risk factors such as security breach and system unavailability may
cause a vital damage to the organization.
4.2. Translation component
After awareness, the value creation model moves to the translation
component. A vital objective of the translation component is to convert
cloud computing desire and interest into a series of tactics. During this
phase, organizations must perform profound studies before adopting
cloud computing practice, especially to the area of risk identification.
Risk identification can be done through a detailed examination to
possible security breach during data transmission in cloud computing
practice. Also, moving to the cloud implies the existence of uncertain sit-
uations such as loss of control to IT operation and data management.
Many cases have been reported about service interruption from cloud
computing providers. On April 21, 2011, Amazon's cloud computing
platform stopped working, which brought down a number of websites
such as Reddit and Quora [27]. Essers [11] reported the cloud failures
as “A total of 568 h of downtime at 13 well-known cloud services
since 2007 had an economic impact of more than $71.7 million dollars,
said the International Working Group on Cloud Computing Resiliency
(IWGCR) …. Their research is based on press reports of cloud outages
at services like Twitter, Facebook, Amazon, Microsoft, Google, Yahoo,
and Paypal, among others.”
Cloud computing is based on virtualization scheme and it processes
information through the Internet. There are many risk areas inside
cloud computing practice. Armbrust et al. [2] indicated “top 10 obstacles
and opportunities” for cloud computing: business continuity and ser-
vice availability, data lock-in, data confidentiality and auditability, data
transfer bottlenecks, performance unpredictability, scalable storage,
bugs in large-scale distributed systems, scaling quickly, reputation fate
sharing, and software licensing. Within these risk factors, data security
is a growing concern in cloud computing operation. As indicated earlier,
client's data are stored in cloud computing vendor's data center and also
shared with other client's data (i.e., memory virtualization) without
controlling capability, which could create ‘trust’ concern. However,
most of security breaches exist in end-users' systems or storage practice.
75
Cloud Compung Sustainable
Value Creaon cloud computing
1. Audit standards 1. Sasfacon
2. Risk measurement 2. Social value
3. Knowledge 3. Green IT
management system
The user organizations should pay close attention to these areas since
any security breach may cause damage to companies.
Another important risk is regarding contracting issue. Cloud com-
puting vendors and clients must agree upon their service items and
guaranteed quality levels. These details must be included as the service
level agreements (SLAs) in the service contract.
The cloud computing practitioners must fully understand the issues
discussed above, and then the translation stage can be completed. The
next component in the cloud computing value creation model is
comprehension.
4.3. Comprehension component
The third component in the value creation model is comprehension.
During this stage, organizations must fully understand the characteris-
tics of cloud computing, cost function of subscribing cloud computing
service, risk factors and legal compliance (such as cloud computing
auditing). It is then moving to the cloud comprehension phase.
During cloud comprehension, organizations must create measure-
ment to assess the outcome of cloud computing operations. The current
IT assessment method is commonly handled by the auditing process.
Cloud computing should also apply IT auditing process to monitor its
operations.
Organizations that adopt cloud computing service imply the action
of outsourcing its IT functions to external vendors. Under SOX regula-
tion, the client company cannot surrender its management responsibil-
ities of IT internal control to vendor organizations. The Auditing
Standard No. 2 (stipulated by Public Company Accounting Oversight
Board) states that:
“The use of a service organization does not reduce management's
responsibility to maintain effective internal control over financial
reporting. Rather, user management should evaluate controls at the ser-
vice organization, as well as related controls at the user company, when
making its assessment about internal control over financial reporting.”
The above standard stipulates that cloud computing adopters must
conduct an evaluation of vendor organization's control over IT environ-
ment. The SAS 70 (Statement on Auditing Standard No. 70) states that
auditor's report from vendor's site will meet the goal of this stipulation,
although this auditor's report is prepared by vendor's auditor. Since
there are two types of SAS 70 reports — type-1 and type-2 audit reports.
Type-1 audit focuses on the fairness of the presentation of service
organization's controls. Type-2 audit focuses on whether the specific
controls were operating effectively. Since cloud computing technology
is more complicated than regular outsourcing practice, and conducting
type-2 audit may show more detailed controlling information from
the vendor's site [10].
76 D.C. Chou / Computer Standards & Interfaces 38 (2015) 72–77
The rise of cloud computing attracted IT auditor's attention, especial-
ly on possible risks associated with such technology. Under such
circumstance, IT auditors must understand the details of cloud comput-
ing and follow a specific auditing method/approach that can comply
with regulations set by auditing authority for conducting auditing
work. However, risks on cloud computing implementation are the
major focus in cloud computing auditing.
Since cloud computing involves external vendor's support and
control to needed information technologies, the auditing work should
be more complicated than the regular IT auditing work [13,22–24].
Risk-based IT auditing is one of the important auditing methods. This
approach requests IT auditors to follow an effective risk assessment
method to conduct IT audit.
An alternate way of conducting cloud computing audit is the value-
added approach. Auditors should clearly understand the value of cloud
computing to be assumed by the client organization. The auditing
then focuses on those targeted value propositions. Possible value aims
for cloud computing practice comprise of budget solution, increased
flexibility, better resource utilization, improved efficiency and greater
agility, access to new technology, improved security, cost avoidance,
new cost model, and improved collaboration [6]. Value-added cloud
computing can be easier if these targeted value components can be
identified and checked by the IT auditor.
Cloud computing auditing is a complicated task, in which various
technological aspects need to be examined and reported. For example,
organizations may adopt public cloud, private cloud, community
cloud, or hybrid cloud for their cloud practices. The complexity within
these cloud categories may cost IT auditors tremendous amount of
energy to filtering out the details of network connectivity, systems
and software interfaces, database storage methods, platform differ-
ences, and infrastructure designs.
Security is the most significant concern to cloud computing practice.
Since user organization's data are stored in provider's remote site, it
raises privacy and confidentiality concerns. Also, any data transforma-
tion in cloud operation must pass through the Internet infrastructure.
Unless the providers offering absolute security programs to guard the
data source and to prevent data breach during transmission, trust
relationship between vendors and clients may not be easily established.
Other than data security, there are plenty of risk components that need
to be identified before an IT auditor starts his/her work. Therefore, a
well preparation is essential to the success of cloud computing audit
process.
Since cloud computing is a relatively new computing technology, its
technological weaknesses and immaturity may exist. In order to con-
duct a complete audit process, these technological drawbacks need to
be discovered and published. This way allows IT auditors to find the
right areas to examine. Therefore, cloud computing's audit effectiveness
can be achieved rapidly.
A variety of IT auditing standards have been used, they are COBIT
(Control Objectives for Information and related Technology), ISACA's
IT Assurance Framework, ITIL (Information Technology Infrastructure
Library), ISO reporting standard ISAE 3402, and SAS 70 [1,10,19,24].
The auditor may select one acceptable standard for auditing practice.
Most of these standards are applicable to IT auditing, however, it lacks
a standard for implementing cloud computing audit.
A non-technical challenge to cloud computing is the contractual
issue, that is, service level agreements (SLAs) disputing among clients
and vendors. Since clients depend heavily on vendor's technology to
run business and process data, a fully agreeable contract (including
SLA) must be created and signed. For example, the SLA must include
performance measurement, security provisions, service charge amount
and metering method, exit strategy (how to terminate contract), etc.
Therefore, SLA is a key object to be audited.
Finally, cloud computing auditors need to be knowledgeable to all
related information of cloud computing practice. As we mentioned
above, there are a number of challenges face to the future of cloud
computing audit. An auditing firm must offer their IT auditors sound
educational and training programs. A better way to develop their
auditors is the creation of a knowledge management system (KMS)
for cloud computing audit. All experienced cloud computing auditors'
knowledge, solutions to problems, and work experience can be stored
in the KMS for corporate access.
4.4. Cloud computing value creation component
Combining the effects of cloud computing's awareness, translation,
and comprehension could result in a predictable cloud computing
value. Specifically, the user organizations place the full trust into the
vendors. All risks and security breaches can be fully controlled by
vendors. Auditing practice can be independently implemented by the
cloud computing auditor. The targeted value set by user organization
can be assessed and verified at this stage.
Value can be identified as the worth of desirability of a thing [9].
Value can be measured through the satisfaction of doing things. It can
be inferred that the value of cloud computing can reveal the degree of
satisfaction in the IT industry. A measurement device will be used to
measure the value of cloud computing practice.
Cloud computing can generate additional value on enhancing envi-
ronmental sustainability. Moving to the cloud means the reduction of
acquiring computer hardware and network devices. Most importantly,
the use of electricity in organizations will be diminished. In the mean-
time, the result of e-waste generation will also be shortened. These en-
vironmental protection activities create the social value in our society.
This value effect contributes to the green IT movement and finally
reaches to the goal of environmental sustainability. It could be the
best scenario to the development of cloud computing technology.
5. Conclusion
Cloud computing has been accepted by the IT industry. Its practice
brings in benefits such as cost saving, ease of use, scalability, flexibility,
and environmental sustainability. This new technology adds new value
to the society, however, it may not be easy to be watched. Therefore, we
must identify its value realization process.
In order to understand the inner insinuation of this new technology,
this paper conducts a study to investigate the implications of cloud
computing, and then proposed a cloud computing value creation
model. This cloud computing value creation model can be depicted
with four components: awareness, translation, comprehension, and
cloud computing value creation. The final circumstance of cloud
computing is to reach to a sustainable computing era.
After examining the technical and application aspects, this paper
lays down a number of challenges that face cloud computing, including
technological complexity, security risk, absence of audit standard, and
contractual issue. As indicated by Marston et al. [16], weaknesses exit
on using cloud computing. For example, user organizations have
concern about the loss of physical control of the data in the cloud and
the service quality and availability may not be guaranteed by the
cloud vendors. Oracle Corp. established a “Cloud Computing Maturity
Model” in 2011 to guide the success of building cloud capabilities. This
model is in line with the Capability Maturity Model (CMM) that has
been frequently adopted in the software industry. Oracle's Cloud
Computing Maturity Model contains six levels of maturity, including
none, ad hoc, opportunistic, systematic, managed, and Optimized [16].
The cloud computing industry still sees the level-6 maturity as a
challengeable goal to be reached. Furthermore, the future devel-
opment to this technology could be knowledge management system's
construction.
We wish this study could provide some guidance to those IT practi-
tioners who are going to conduct cloud computing practice in the
near future.
 D.C. Chou / Computer Standards & Interfaces 38 (2015) 72–77
References
[1] J. Akoka, I. Wattiau, A framework for auditing web-based information systems, ECIS
2010 Proceedings, 2010 (Paper 58).
[2] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D.
Patterson, A. Rabkin, I. Stoica, M. Zaharia, A view of cloud computing, Commun.
ACM 53 (4) (2010) 50–58.
[3] D.C. Chou, A.Y. Chou, Awareness of Green IT and its value model, Comput. Stand.
Interfaces 34 (2012) 447–451.
[4] D.C. Chou, An investigation into IS outsourcing success: the role of quality and
change management, Int. J. Inf. Syst. Chang. Manag. 2 (2) (2007) 190–204.
[5] D.C. Chou, A.Y. Chou, Analysis of a new information systems outsourcing practice:
software-as-a-service business model, Int. J. Inf. Syst. Chang. Manag. 2 (4) (2007)
392–405.
[6] CDW, Migrating to the CloudA white paper, available at cdw.com/cloud2012
(accessed on November 1, 2012).
[7] R. Coase, The nature of the firm, Economica 4 (1937) 386–405.
[8] K.R. Conner, A historical comparison of resource-based theory and five schools of
thought within industrial organization economics: do we have a new theory of
the firm? J. Manag. 17 (1) (1991) 121–154.
[9] M. Cronk, E. Fitzgerald, Understanding ‘IS business value’: derivation of dimensions,
Logist. Inf. Manag. 12 (1–2) (1999) 40–49.
[10] H. Du, Y. Cong, Cloud computing, accounting, auditing, and beyond, CPU J. (October
2010) 66–70.
[11] L. Essers, Cloud failures cost more than $71 million since 2007, InfoWorld, June 19
2012. (available at http://www.infoworld.com/d/cloud-computing/cloud-failures-
cost-more-71-million-2007-195895, accessed on April 2, 2013).
[12] J. Feiman, D.W. Cearly, Economics of the cloud: business value assessment, Gartner RAS
Core Research Note G00168554, Gartner Inc., 2009. (available at http://escience.wash-
ington.edu/sites/default/files/b-economics_of_the_cloud_bva_OR.en-us.pdf, accessed
on July 10, 2014).
77
[13] S. Gadia, Cloud computing: an auditor's perspective, ISACA J. 6 (2009).
[14] S. Hamm, Cloud Computing's Big Bang for Business, BusinessWeek, June 15, p. 42–44,
2009.
[15] V. Kundra, Federal Cloud Computing StrategyA white paper The White House,
Washington, DC, 2011.
[16] S. Marston, Z. Li, S. Bandyopadhyay, J. Zhang, A. Ghalsasi, Cloud computing — the
business perspective, Decis. Support. Syst. 51 (2011) 176–189.
[17] A.B. Mohammed, J. Altmann, J. Hwang, Cloud computing value chains: understand-
ing businesses and value creation in the cloud, Economic Models and Algorithms for
Distributed Systems, Birkhauser Verlag, Basel, Switzerland, 2009, pp. 187–208.
[18] NIST, NIST cloud computing programavailable at http://www.nist.gov/itl/cloud/
2012 (accessed November 01, 2012).
[19] C.A. Nicolaou, A.I. Nocolaou, G.D. Nocolaou, Auditing in the cloud: challenges and
opportunities, CPA J. (January 2012) 66–70.
[20] R.R. Panko, J.L. Panko, Business Data Networks and Telecommunications, 8th edition
Prentice Hall, Boston, MA, 2011.
[21] M.E. Porter, Competitive Advantage: Creating and Sustaining Superior Performance,
The Free Press, New York, 1985.
[22] V. Raval, Risk landscape of cloud computing, ISACA J. 1 (2010).
[23] S. Ross, Cloudy daze, ISACA J. 1 (2010).
[24] T.W. Singleton, IT audits of cloud and SaaS, ISACA J. 3 (2010) 1–3.
[25] H.A. Smith, J.D. McKeen, Developments in practice VII: developing and delivering
the IT value proposition, Communications of the Association for Information
Systems, vol. 112003. (article 25).
[26] J.P. Thethi, Realizing the value proposition of cloud computing: CIO's enterprise IT
strategy for clouda white paper Infosys, Inc., 2009.
[27] S. Towns, Preparing for cloud computing failuresAccessed from http://www.governing.
com/columns/tech-talk/Preparing-for-Cloud-Computings-Failure.html2011.
[28] O.E. Williamson, The modern corporation: origin, evolution, attributes, J. Econ. Lit.
19 (1981) 1537–1568.