Peer review qualitative

Cloud Computing: Overview and Risk Analysis” by Alali and Yeh

Academic Peer Review

  1. Appropriateness of Research Methodology The research methodology employed in this paper is a quantitative empirical analysis, which is appropriate for the stated purpose of examining the risk characteristics of cloud computing companies. The study utilizes a comparative analysis between cloud computing firms and non-cloud firms, employing logistic regression models to assess financial and audit-related risks.

However, while the quantitative approach effectively highlights measurable differences in risk variables, it may not fully capture qualitative aspects such as managerial decision-making, security policies, or operational challenges in cloud computing environments. The authors acknowledge this limitation and suggest future qualitative research, such as surveys or interviews, to better understand risk assessment practices.

  1. Appropriateness of Data Collection and Analysis The study relies on hand-collected data from annual reports (10-Ks) and financial databases (Compustat and Audit Analytics) for cloud and non-cloud firms from 2006 to 2009. The selection criteria for cloud computing firms are clearly defined, and matched sampling helps ensure comparability.

The use of logistic regression to analyze the data is statistically sound, but some risk variables (e.g., security, privacy, availability) were not found to be statistically significant. The authors suggest that small sample size and lack of publicly available data on cloud security may explain these results. A larger dataset or alternative analytical methods (e.g., machine learning models) could strengthen the study’s findings.

  1. Support for Claims and Conclusions The paper supports its claims with a mix of academic literature, regulatory standards (NIST, COSO, SAS 70), and empirical findings. The findings align with previous research on IT outsourcing and audit risk, reinforcing concerns about leverage, financial restatements, and audit complexities in cloud firms.

However, while the quantitative evidence is robust, some conclusions—particularly regarding internal control weaknesses and financial misstatements—could benefit from direct evidence on security breaches or regulatory non-compliance. This could be addressed in future studies using case studies or cybersecurity incident reports.

  1. Enhancements to the Paper To improve the study, I recommend the following enhancements:

Expand Sample Size: Including more firms from recent years (post-2010) would provide a more comprehensive view of evolving cloud risks. Qualitative Insights: Incorporating survey or interview data from auditors and cloud providers would complement the empirical findings. Security Risk Variables: Since security concerns are central to cloud computing, additional cybersecurity risk metrics (e.g., data breaches, compliance failures) should be integrated. Comparative Analysis Over Time: A longitudinal study examining how risks change as cloud adoption matures would enhance the relevance of findings. Machine Learning Models: Instead of traditional logistic regression, more advanced data analytics techniques could improve risk prediction accuracy.

References:

Alali, F.A. and Yeh, C.L. (2012) “Cloud computing: Overview and risk analysis,” Journal of Information Systems, 26(2). Available at: https://doi.org/10.2308/isys-50229.