Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

V. S. Prakash Attili,Saji K. Mathew,Vijayan Sugumaran

DOI: https://doi.org/10.1007/s10796-021-10158-0

2021-06-22

Information Systems Frontiers

Abstract:Information privacy concerns have been rising over a few decades. As per the recent General Data Protection Regulation, organizations need to implement the highest-possible privacy settings by design and default. Following the neo-institutional theory, this study develops a model for understanding the mechanism of information privacy assimilation in Information Technology (IT) organizations. This study treats information privacy as a distinct dimension separate from security. After analyzing a sample survey data of 214 respondents from the IT industry, privacy capability and organizational culture emerged as influencing factors with a statistically significant influence on information privacy assimilation. The findings from this study support the mediating role of senior management participation between the external coercive forces and privacy-related business strategy. Business strategy also plays a mediating role between coercive/normative forces and privacy-related activities within an organization. Here the mimetic forces show a direct influence on privacy-related activities. A positive moderating effect of organizational culture on normative forces and privacy-related activities relationship; and a negative moderating effect of privacy capability on mimetic forces and privacy-related activities relationship are observed. These findings could enable senior managers to respond to institutional pressures by focusing on appropriate factors within an organization for developing effective privacy strategies and actions. This work is an extension of the pilot work that was published in Communications of the Association for Information Systems (CAIS), 2018. The prior work focuses on developing the propositions qualitatively. Building on that, we have formally defined the hypotheses, developed the appropriate survey instrument and collected the primary data which is large enough to do adequate analysis. Adopted a quantitative approach using an extensive sample survey of IT organizations, followed a more rigorous process for data collection, analysis, and discussion of the results. In addition, based on the lessons learned from the pilot study, we have updated the research model and hypotheses with a focus on privacy-related business strategy and activities.

computer science, information systems, theory & methods

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Maurizio Cavallari

DOI: https://doi.org/10.36941/ajis-2023-0151

2023-11-05

Academic Journal of Interdisciplinary Studies

Abstract:In the advanced field of Information and Communication Technology (ICT) within modern corporate frameworks, the pressing issue of non-compliance becomes increasingly crucial. Achieving the ideal balance—where one fosters consistent employee commitment without resorting to overly harsh penalties for possible violations—presents a complex problem. Such a nuanced relationship calls for a synchronized coordination among the company’s underlying factors, the principles of the Information Security Plan (ISP), and overarching compliance mandates. As companies step into a period where digital environments are in constant flux, the importance of securing information systems rises to a critical level. Against this backdrop, compliance stands out as a vital component, functioning as a stringent safeguard in the ongoing mission to protect precious digital assets—a mission comprehensively detailed within the ISP. This in-depth academic study sets out to rigorously explore and scrutinize the diverse opinions and beliefs of committed employees and insightful management concerning unwavering company alignment with the ISP. This is accomplished by defining a construct that centers on key dimensions: Organizational Culture, Personal Attitudes, Actors, Behavioral Intentions, and Motivational Dynamics. Eleven Hypotheses are outlined and represent the materialisation of the model. This model form a starting point from which future empirical exploration will be able to take place, propelling us towards a deeper understanding of the phenomena under scrutiny. Received: 15 September 2023 / Accepted: 23 October 2023 / Published: 5 November 2023

Kholekile L. Gwebu,Jing Wang

DOI: https://doi.org/10.1016/j.cose.2024.103891

IF: 5.105

2024-05-08

Computers & Security

Abstract:Data breaches have become a common occurrence with serious consequences, making organizational security management critically important. Nonetheless, the research community has not yet clearly defined the characteristics of a strong organizational security climate. This study conducts a comprehensive literature analysis to identify a collection of research-based and managerially relevant constructs that represent the essential components of a strong security climate. We operationalize the identified measures of the constructs and empirically validate them for reliability, construct validity, and nomological validity in terms of their relationships with employees' security awareness, neutralization, and intention to comply with organizational information security policies (ISPs). The results suggest that these integral elements, when embraced by organizations, discourage employees' use of neutralization to justify violation of ISPs and improve employees' security awareness and their ISP compliance intention. Organizations can use the identified subcomponents and their corresponding measures as a diagnostic decision support instrument to make a reliable and valid assessment of the strengths and weaknesses of their security climate, to continuously monitor their security climate, and to develop interventions that contribute to a strong security climate.

computer science, information systems

Akhyari Nasir,Ruzaini Abdullah Arshah,Mohd Rashid Ab Hamid,Syahrul Fahmy,,,,

DOI: https://doi.org/10.30880/ijie.2022.14.03.017

2022-06-20

International Journal of Integrated Engineering

Abstract:This paper examines the factors determining a positive Information Security Culture (ISC) concept and the influence of ISC towards ISP compliance intention (INT) between IT and non-IT professionals in Malaysian public universities. Partial least square structural equation modelling, using PLS MGA, is used to assess the measurement and structural models, and to compare the results between the two groups. Results indicate all factors have significant contribution towards ISC in both groups, with two out of seven ISC factors have significant differences. This study has revealed that although both groups have the same ISC factors, IT and non-IT professionals have significant difference in terms of believe that Top Management Commitment and Information Security Knowledge are required for implementing apositive ISC. In addition, there is a significant difference between these two groups in terms of the influence of ISC towards ISP compliance intention. ISC has less influence towards INT for Non-IT professionals compared to IT professionals within the same ISC. These empirical findings would benefit in formulating better security strategies by providing appropriate efforts for different groups of employees in the organizations. This study also provides a total cyber security solution for improving information security culture and employees’ compliance towards Information Security Policy.

Betsy Uchendu,Jason R.C. Nurse,Maria Bada,Steven Furnell

DOI: https://doi.org/10.1016/j.cose.2021.102387

2021-10-01

Abstract:<p>While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tool to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention such as the role of change management processes and national culture in an enterprise's cyber security culture.</p>

computer science, information systems

Leonardo Horn Iwaya,Gabriel Horn Iwaya,Simone Fischer-Hubner,Andrea Valeria Steil

DOI: https://doi.org/10.1109/access.2022.3190373

IF: 3.9

2022-07-23

IEEE Access

Abstract:New regulations worldwide are increasingly pressing organisations to review how they collect and process personal data to ensure the protection of individual privacy rights. This organisational transformation involves implementing several privacy practices (e.g., privacy policies, governance frameworks, and privacy-by-design methods) across multiple departments. The literature points to a strong influence of the organisations' culture and climate in implementing such privacy practices, depending on how leaders and employees perceive and address privacy concerns. However, this new hybrid topic referred to as Organisational Privacy Culture and Climate (OPCC), remains poorly demarcated and weakly defined. In this paper, we report a Scoping Review (ScR) on the topic of OPCC to systematically identify and map studies, contributing with a synthesis of the existing work, distinguishing core and adjacent publications, research gaps, and pathways of future research. This ScR includes 36 studies categorised according to their demographics, research types, contribution types, research designs, proposed definitions, and conceptualisations. Also, 18 studies categorised as primary research were critically appraised, assessing the studies' methodological quality and credibility of the evidence. Although published research has significantly advanced the topic of OPCC, more research is still needed. Our findings show that the topic is still in its embryonic stage. The theory behind OPCC has not yet been fully articulated, even though some definitions have been independently proposed. Only one measuring instrument for privacy culture was identified, but it needs to be further developed in terms of identifying and analysing its factors, and evaluating its validity and reliability. Initiatives of future research in OPCC will require interdisciplinary research efforts and close cooperation with industry to further propose and rigorously evaluate in- truments. Only then OPCC would be considered an evidence-based research topic that can be reliably used to evaluate, measure, and embed privacy in organisations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Charlette Donalds,Corlane Barclay

DOI: https://doi.org/10.1080/0960085X.2021.1978344

2021-09-23

European Journal of Information Systems

Abstract:The evolving sophistication of threats and the impact of security breaches have caused managers to continually grapple with strategies to reduce these risks. One common security control is the adoption of information security policies (ISPs) geared at improving employees' compliance behaviour. However, there is mounting empirical evidence that shows that ISP compliance is a challenging undertaking with less than satisfactory outcomes. Further, little attention is placed on developing economies in the study of this phenomenon. This research adopts a values-based methodology to determine fundamental and means objectives in maximising employees' compliance with ISPs in a developing economy context. The research identifies 30 objectives and demonstrates that risk mitigation, people, technical and organisational factors are essential to improving compliance. The results contribute objectives, contextualised to the people for whom the results are relevant, thus promoting deeper understanding. The research offers utility to managers in the design and implementation of InfoSec strategies and policies. The findings can also inform investment decisions regarding compliance tools, methods and technologies. Recognising that security (information and cyber) threats are a global dilemma, we contend that investigating forms of security risks and potential solutions can mitigate the social and economic costs of security incidents.

information science & library science,management,computer science, information systems

Anđelija Đukić,Dejan Vuletić

DOI: https://doi.org/10.5937/bezbednost2203140d

2022-01-01

Abstract:The mass application of information and communication technologies (ICT) has facilitated the functioning of organizations, but has also increased their vulnerability and conditioned the development of the information security function. Attacks on ICT systems involve people as potential targets of vulnerability, highlighting the importance of paying close attention to an employee's behavior in interactions with elements of the ICT system and its environment, as well as developing an information security culture (ISC) as an integrative component of organizational culture and an important factor in the organization's information security. The paper attempts to set a comprehensive concept of ISC based on the unity of knowledge, perceptions, beliefs and attitudes of employees and their coordinated actions in the application of security measures, which emphasize the role of the organization and its management in creating, building and maintaining ISC. The focus of determining ISC is on understanding and applying information security policy measures, but it also includes the behavior of employees in situations that are not or could not be predicted, when employees are expected to protect the information assets of the organization. The paper identifies the most important external factors that are mostly objective, determined by the situation in the country in which the organization operates and contained in the elements of general social (national) culture and country's economic and technological development. As a specific impact on ISC, the activities of malicious individuals, groups and organizations in cyberspace - stand out, manifested through threats and endangerment to the integrity of the ICT system. Internal factors are mostly subjective and dependent on general organization; the knowledge, vision and actions of management in the field of information security; individual characteristics of people, their values, needs, knowledge, understanding and application of information security policy measures. Among the factors, the highest level of management stands out for its role and importance due to the greatest responsibility for organization's information security, but also as the creator of its strategy and policy, the holder of resource engagement policy, shaper of professional security teams, decisionmaker on hardware and software protection, and supporter, creator and implementer of programs for ISC level raising.

Gliner Dias Alencar,Hermano Perrelli de Moura,Ivaldir Honório de Farias Júnior,José Gilson de Almeida Teixeira Filho

DOI: https://doi.org/10.48550/arXiv.1807.06184

2018-07-17

Cryptography and Security

Abstract:The lack of security in information systems has caused numerous financial and moral losses to several organizations. The organizations have a series of information security measures recommended by literature and international standards. However, the implementation of policies, actions, and adjustment to such standards is not simple and must be addressed by specific needs identified by the Information Security Governance in each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value. Those challenges demonstrate a need for further investigations which address the problem. This paper presents a strategy to measure the maturity in information security aiming, also, to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company

Samuel Cris Ayo,Bonaventure Ngala,Olasunkanmi Amzat,Robin Lal Khoshi,Samarappulige Isuru Madusanka

DOI: https://doi.org/10.48550/arXiv.1812.04659

2018-12-12

Abstract:Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising and determining acceptable risks. From the analysis, it was deduced that human being posed the greatest Information security risk through intentional/ unintentional human error. In conclusion, effective control techniques based on defence in-depth were devised to mitigate the impact of the identified risks from risk register.

Computers and Society,Cryptography and Security

Clara Sophie Jenkner,Nirmal Ravi,Marie Gabel,Jacqueline‐Charlene Vogt

DOI: https://doi.org/10.1002/isd2.12208

2022-01-11

The Electronic Journal of Information Systems in Developing Countries

Abstract:Abstract Interactions in situations involving the disclosure of personal information require trust‐based relationships. However, trust manifests in different ways, depending on the cultural and contextual environment. An in‐depth understanding of how culture influences trust is therefore of considerable importance to managing situations that require the disclosure of sensitive health information, both from an academic and practical perspective. Drawing on the Model of National Culture and the Development of Trust, our study investigates culture as a determinant of trust in data‐requesting organizations. We link the model&#x27;s three cultural dimensions ( relation to self , risk , and authority ) with Hofstede&#x27;s study cultural dimensions and the privacy calculus (Laufer and Wolfe&#x27;s study). To test our hypotheses, we analyze survey data collected in Nigeria, in cooperation with a non‐governmental organization working on data‐driven healthcare solutions. Our results confirm an influence of culture on trust in data‐requesting organizations which is, however, dependent on the cultural dimension. In addition, we show that perceived benefits increase trust significantly and provide a theoretical starting point for extending the Model of National Culture and the Development of Trust by the dimension relation to benefit .

Ahmed Alkalbani,Hepu Deng,Booi Kam

DOI: https://doi.org/10.48550/arXiv.1606.00875

2016-05-28

Computers and Society

Abstract:The increase reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees from different organizations, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.

Nik Zulkarnaen Khidzir,Khairul Azhar Mat Daud,Ahmad Rasdan Ismail,Mohd. Shahfik Affendi Abd. Ghani,Mohd. Asrul Hery Ibrahim

DOI: https://doi.org/10.1007/978-981-13-0074-5_21

2018-01-01

Abstract:Digital Social Media as a part of the eco-system in today’s global cyberspace business environment. It provides an excellent communication and marketing channel for knowledge societies in the world. The popularity of Digital Social Media has also influenced the personal lifestyle and encouraged the digital culture development among cyber community around the globe. Unfortunately, sharing their ideas, activities, statuses, and real-time location could cause them to several critical cybersecurity risks. These categories of risk caused severe impacts to the entire cyber community eco-system associated in digital social media that need to be managed and mitigated seriously. Recent empirical findings underlined the core information security requirement (confidentiality, integrity, and availability) contributes to the severity level of cybersecurity risks in digital social media. Therefore, the aim of this study is to determine the relationship between cybersecurity risks confidentiality, integrity, and availability in Digital Social Media. Questionnaires were distributed to the various active cyber communities and knowledge societies. The results of the mean score indicate that, more cybersecurity awareness program should be implemented in digital knowledge societies. Furthermore, the results of the correlation coefficient (r) values between &gt;0.4 and &lt;0.7 verifies that a moderate positive relationship exists between cybersecurity risks, confidentiality, integrity, and availability of information in Digital Social Media. Findings reveal that the highest moderate cybersecurity risk relationship between integrity and availability. This empirical evidence indicates how the core information security requirement influences each other’s on the cybersecurity risk severity. Through the findings, cyber communities and knowledge societies would be able to determine the direction and strength of the relationship among information security requirement and plan the appropriate cybersecurity awareness program to Digital Social Media users as a preventive approach to mitigate critical cybersecurity risks.

Sadaf Hina,P. Dhanapal Durai Dominic

DOI: https://doi.org/10.1080/08874417.2018.1432996

2018-03-30

Journal of Computer Information Systems

Abstract:This paper provides a systematic literature review in the information security policies’ compliance (ISPC) field, with respect to information security culture, information security awareness, and information security management exploring in various settings the research designs, methodologies, and frameworks that have evolved over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.

computer science, information systems

Adedotun Joseph Adenigbo

DOI: https://doi.org/10.1007/s12198-024-00273-9

2024-02-28

Journal of Transportation Security

Abstract:The increase in technology and other parameters for security does not guarantee the expected secured airports without the appropriate behaviour, attitude, and customs of stakeholders. This study examines the airport security culture practices in Nigeria. The study adopted the Airports Council International (ACI 2021) survey instrument developed to assess security culture at airports. The instrument was designed as a questionnaire that presents eight dimensions of security culture with twenty-six (26) indicators using a 5-point Likert scale in order of agreement. The questionnaire was administered randomly to airport stakeholders, and a total response of 472 was recorded for data analysis. The data was subjected to exploratory factor analysis (EFA) to summarise and reduce the items to a few orthogonal ones representing Nigeria's common airport security culture practices. The study found that three (3) indicators relating to leadership roles do not significantly contribute to the factors serving as common security practices at airports in Nigeria. However, eight (8) common security practices were identified to be significant at airports in Nigeria. Strikingly, the study found that corporate security practices were not significant at Nigeria's airports. The study highlights the need for airport managers to enhance security culture by adopting security as their corporate culture.

Kelsey R. Ciagala,Sydney L. Reichin,Katherine Parsons,Samuel T. Hunter

DOI: https://doi.org/10.1016/j.ssci.2024.106518

IF: 6.392

2024-03-25

Safety Science

Abstract:Those tasked with protecting soft targets, including organizations, have tried to counteract threats against them by increasing security, yet the effectiveness of these measures remains largely unknown. Organizations, researchers, and practitioners can gain a more holistic understanding of how, when, why, and where security measures are effective (or ineffective) by examining organizational culture. The purpose of this paper more specifically is to build upon the current security culture models (i.e., Security Culture: Hofreiter et al., 2020: Nuclear Security Culture, IAEA, 2017) to propose a more comprehensive framework and nomological network of physical security culture that can be applied to organizations and soft targets. This article reviews the current understanding of physical security culture. Further, this article looks to the more developed information security culture and safety culture literatures to better understand how physical security culture may impact security outcomes in soft targets. This article also explores multiple avenues for future research that is needed to understand how physical security culture develops and how to best promote it for the health, safety, and security of employees.

engineering, industrial,operations research & management science

Stacey R Kessler,Shani Pindek,Gary Kleinman,Stephanie A Andel,Paul E Spector

DOI: https://doi.org/10.1177/1460458219832048

2019-03-14

Health Informatics Journal

Abstract:Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act–covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.

health care sciences & services,medical informatics

Thomas Groß

DOI: https://doi.org/10.2478/popets-2021-0026

2021-01-29

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Internet Users’ Information Privacy Concerns (IUIPC-10) is one of the most endorsed privacy concern scales. It is widely used in the evaluation of human factors of PETs and the investigation of the privacy paradox. Even though its predecessor Concern For Information Privacy (CFIP) has been evaluated independently and the instrument itself seen some scrutiny, we are still missing a dedicated confirmation of IUIPC-10, itself. We aim at closing this gap by systematically analyzing IUIPC’s construct validity and reliability. We obtained three mutually independent samples with a total of N = 1031 participants. We conducted a confirmatory factor analysis (CFA) on our main sample to assert the validity and reliability of IUIPC-10. Having found weaknesses, we proposed a respecified instrument IUIPC-8 with improved psychometric properties. Finally, we confirmed our findings on a validation sample. While we found sound foundations for content validity and could confirm the overall three-dimensionality of IUIPC-10, we observed evidence of biases in the question wording and found that IUIPC-10 consistently missed the mark in evaluations of construct validity and reliability, calling into question the unidimensionality of its sub-scales Awareness and Control. Our respecified scale IUIPC-8 offers a statistically significantly better model and outperforms IUIPC-10’s construct validity and reliability. The disconfirming evidence on IUIPC-10’s construct validity raises doubts how well it measures the latent variable Information Privacy Concern. The less than desired reliability could yield spurious and erratic results as well as attenuate relations with other latent variables, such as behavior. Thereby, the instrument could confound studies of human factors of PETs or the privacy paradox, in general.