2016 49th Hawaii International Conference on System Sciences
Sweet Idleness, but Why? How Cognitive Factors and Personality Traits
Affect Privacy-Protective Behavior
Christian Matt
LMU Munich
[email protected]
Philipp Peckelsen
LMU Munich
[email protected]
Abstract
control in relation to the status quo. PETs are usually
add-on software, i.e. they need to be installed in addition to an operating system. Many PETs are gratis
and are available for various technology platforms.
Therefore, financial acquisition costs or technological
incompatibilities should not be critical reasons for
non-use, and it is unclear why PET diffusion remains
low. PETs’ missing success stands in contrast to
antivirus software or firewalls, which many users
already use to protect their computers.
There are several possible explanations for users’
reluctance to use PETs, which have differential consequences for practice and policy makers: First, users
state a wish for more privacy protection for reasons
of social desirability but do not in fact want more
privacy, or even hope to profit from more personalization. If this is the case, no regulatory actions are
required from policy makers. Second, users may
judge the personal consequences resulting from privacy incidents to be low. Third, users perceive privacy risks as severe enough and seek more privacy
protection but then fail to assess the concrete risks
that result from privacy incidents, or their perception
is that they would not fall victim to such incidents. In
both of the latter two cases, more public information
about privacy could help users to reconsider their
opinion about potential consequences, to better calculate potential risks and to make better decisions.
Fourth, users want more privacy protection but do not
know how to achieve this or do not trust the current
solutions. In this case, the development of more userfriendly, directly integrated solutions, and the better
communication of such technology’s effectiveness
are required. In order to suggest proper measures that
foster PET diffusion, we first need to find the reason(s) for PET non-use.
We take a first step toward figuring out why users do
not act by posing the question how cognitive factors
and personality traits influence PET usage intention.
By drawing on protection motivation theory (PMT),
we seek to explain users’ cognitive weighing up of
the perceived need to act and their assessment of the
measures they could take at present. However, in our
view, users’ decision whether or not to adopt PETs is
According to media and research, users have a
high interest in protecting their personal data. Although privacy-enhancing technologies (PETs) can
help secure users’ privacy, only very few make use of
PETs – even if some of these are gratis. Given the
overall impact for individuals, good answers are
needed, which we seek in both cognitive and personality factors. By drawing on protection motivation
theory (PMT) and the five-factor model (FFM), we
seek to explain individuals’ intention to use PETs.
Our results support the suitability of the PMT in the
PET context. In particular, perceived response efficacy has a strong effect on individuals’ intention to
use PETs. Most personality factors have no or somewhat unexpected influences, but due to the measurements’ brevity further research with extended personality scales is needed to validate these results.
1. Introduction
Privacy has long been a frequently discussed topic in information systems research, but discrepancies
between online services’ demands for personal information and users’ willingness to provide such
information remain. Research has found that users
have three options to prevent undesired usage of their
personal information [51]. First, they could refrain
from disclosing their personal information. However,
in many cases, refraining to provide information
prohibits further usage of a service. Hence, particularly for services that are offered gratis, many users
give in and disclose their personal information despite their concerns [4]. Second, users could provide
false information. However, although no true personal information is given, certain negative effects may
result from not providing actual information, such as
suspension from using the service or simply not obtaining regular notifications owing to incorrect contact details. Third, users have an increasing choice of
privacy-enhancing technologies (PETs) – tools and
applications (e.g. e-mail encryption or advertising
cookie blocking) that increase individuals’ privacy
1530-1605/16 $31.00 © 2016 IEEE
DOI 10.1109/HICSS.2016.599
4831
4832
not only cognitively governed. We therefore seek to
place a stronger emphasis on personality factors and
integrate a brief version of the well-established fivefactor model (FFM) as a second pillar. While PMT
primarily accounts for cognitive components (i.e. the
abovementioned assessments of threats and ways to
cope with them), we suggest that, especially in the
field of privacy, additional non-cognitive elements
have an important influence on individuals’ decision
processes. These connections are empirically assessed in a large-scale survey and seek to provide a
better understanding of users’ privacy-protective
behavior using PETs.
In our view, our results have implications for
practice and research. The question why users fear
privacy but do not act in privacy-sensitive ways remains unsolved. Research can benefit from further
insights as well as PET suppliers and policy makers
to improve their strategies to promote PETs.
ing from information disclosure, falsifying personal
information, or using PETs [51].
To date, there has been no commonly accepted
definition of privacy-enhancing technologies. But, as
privacy is usually referred to as “the ability of individuals to control the terms under which their personal information is acquired and used” [12], we
consider PETs as technological mechanisms that
increase individuals’ privacy control in relation to the
status quo. Hence, PETs are tools and applications
that enhance users’ privacy levels regarding one or
more central privacy issues: information collection,
information processing, information dissemination,
or invasion [47]. Examples of PETs are anonymization or encryption tools, such as “The Onion Router”
(TOR), or “Pretty Good Privacy” (PGP). Other PETs
include features to block third-party trackers, spyware, and popups.
Research has explored antecedents of users’ intentions to use PETs by considering software firewalls [30] and anonymity software [5]. By using an
extended version of TAM, these studies find the
attitude toward security and privacy protection technologies, as well as Internet privacy awareness, to be
significant predictors of usage intention. In a qualitative approach, users were asked why they do not use
end-to-end encryption solutions, finding potential
explanations in lack of awareness, lack of concern,
lack of knowledge, misconceptions on how to protect, and lack of perceived need to take action [40].
2. Conceptual foundations
2.1. Users’ evaluation of privacy threats and
privacy-enhancing technologies
It is widely assumed that most users have an inherent interest in not disclosing personal information
to third parties. Similar to other decisions that involve
weighing up benefits and costs, a mental calculus
perspective can be assumed for privacy concerns.
Primary user incentives for sharing information are
financial rewards, personalization, social adjustment,
and actual participation in a specific offering [45]. By
contrast, the potential costs of revealing information
to third parties can include risks pertaining to discrimination, exclusion from future transactions, social embarrassment, and stigmatization, among others
[41].
To examine individuals’ willingness to share information, past research has applied privacy calculus
theory as an antecedent and has analyzed the formation of individuals’ concerns for information privacy (CFIP) [17]. The most frequently used operationalization is from Smith et al. [46], who introduced four distinct yet correlated dimensions – collection, unauthorized access, secondary use, and
error. Research has found that various environmental
factors (e.g. governmental regulation and social presence), individual factors (e.g. demographic factors
and the need for privacy) and personality-related
factors can influence CFIP [28]. User demands for
privacy are not uniform, nor are users’ knowledge
and awareness of privacy [8]. Concerning the effects
of privacy concerns, different studies have found a
positive impact on protective actions, such as refrain-
2.2. Protection motivation theory
Grounded in fear appeal research, protection motivation considers persuasive messages about a specific
threat and potential remedies that individuals could take
to reduce or circumvent its impact [43]. In the domain
of privacy concerns, these threat messages are sent via
both public media and individuals. When facing a specific threat, individuals seek either to get rid of the
unpleasant feelings evoked by a threat or to come to
grips with the situation [26]. If a certain fear threshold
level fails to be reached, there is no motivation to
take any action [3]. Building on expectancy-value
theory, Rogers [44] elaborated that two cognitive processes – threat appraisal and coping appraisal – determine individuals’ protection motivation, which, in
health research, is considered to be the most immediate predictor of behaviors [50]. In the threat appraisal,
the perceived severity (i.e. the magnitude of expected
harm) and perceived susceptibility (i.e. the extent of
feeling at risk) of the threat determine maladaptive
behavior (e.g. non-use of PETs), while extrinsic or
intrinsic rewards can foster adaptive behavior. For
coping appraisal, adaptive behavior is generally sup4833
4832
ported by higher perceived self-efficacy (i.e. beliefs
in the ability to perform a recommended response)
and perceived response efficacy (i.e. beliefs in the
effectiveness of a recommended response to avert a
threat).
The PMT has seen frequent applications in other
fields, such as communication science or medicine.
In the IS domain, there are various applications pertaining to organizational security compliance [26]
and IT-related security behavior [54]. The application
in these contexts has been criticized, since the threats
did not affect the physical self but rather corporate
assets (e.g. data and systems), and it would therefore
lack perceived relevance [27]. However, we hold that
privacy related to personal information directly affects an individual’s personal self and should consequently be sufficiently relevant. Furthermore, as
evidence from practice shows, while IT security
software (e.g. antivirus or firewall products) has seen
large diffusion among individuals, this is by far not
the case for PETs, indicating that the models from IT
security behavior are not simply transferable to the
field of privacy.
of new ideas), and (e) agreeableness (i.e. a compassionate interpersonal orientation) [10]. The integration
of personality can lead to substantially better model
explanatory power, thus confirming that personality
traits directly influence technology usage intention [14,
36]. Applications of the FFM in IS often use TAM or
UTAUT models. It has been found, however, that
models that are based on the theory of planned behavior often fail to consider perceptions of risk adequately [9]. By contrast, PMT enables us to grasp
users’ perceptions of the risks and threats inherent to
privacy-related behavior.
3. Research model and hypotheses development
Grounded in the conceptual foundations described
above, our research model combines both cognitive
factors and personality traits to explain intentions to
use PETs (Figure 1). By building on PMT, we integrate a comprehensive concept that accounts for
users’ perceived threats of privacy-invading practices, and their beliefs in the measures that could be
taken to alleviate these threats. The FFM provides a
picture of personality traits in the usage decision and
is employed here as a complement to the cognitive
aspects.
2.3. Personality cues and five-factor model
Personality refers to a largely stable set of characteristics that determine the differences in individuals’
thoughts, feelings, and actions [32]. Owing to its
general importance for human cognition and behavior, researchers in the IS domain have integrated a
large number of personality traits (e.g. affinity, computer anxiety, personal innovativeness) to assess
personality differences within the domain of technology acceptance behavior [24]; however, to date, only
a few approaches have integrated the entire essence
of a personality [33]. This might be due to the large
number of isolated personality variables, which has
made it difficult to compare results. However, there
is now considerable agreement in psychology that
personality can be represented by five superordinate
constructs [6], all of which have been integrated into
the five-factor model (FFM). The FFM is considered
the most parsimonious model and the most useful
taxonomy in personality research [2], and it enables
research to cover individuals’ personality broadly and
systematically [6].
The FFM clusters all personality traits into five
factors: (a) conscientiousness (i.e. the extent of organization, persistence, and motivation in goaldirected behavior), (b) extraversion (i.e. being sociable, gregarious, and ambitious), (c) neuroticism (i.e.
insecurity, anxiousness, and hostility), (d) openness
to experience (i.e. flexibility of thought and tolerance
3.1. Users’ protection motivation
People tend to adjust their protective behavior to the
extent of harm that a certain threat may cause [39]. In
line with this tendency, researchers have observed
that individuals who received stronger messages
about a threat’s severity exhibited a higher motivation to engage in responsive actions [37]. In IS contexts, user behavior can be determined by the perception of the seriousness of a consequence in case of
non-compliance, for instance, in case of avoiding
malicious IT [31]. The positive effect of severity
perception on protection motivation has been widely
supported, especially in health research [16]. Results
have found analogous results in IS research, for instance in the context of home wireless network security [53] and user IT security behavior [54]. Thus, we
propose:
H1: Perceived severity of privacy threats positively influences the intention to use PETs.
Behavioral economics has shown that when faced
with uncertainty, individuals evaluate probabilistic
outcomes differently, depending on their personal
reference points [29]. Similarly, perceived occurren-
4834
4833
Cognitive factors
Control variables
Privacy
concerns
Threat appraisal
Perceived severity of privacy threats
Personality traits
Prev. privacy
experience
-
-
Perc. susceptibility of privacy threats
Emotional stability
H1+
Agreeableness
H2+
Intention to
use PETs
+
Conscientiousness
Coping appraisal
Perceived self-efficacy to use PETs
Perceived response efficacy of PETs
-
H3+
H4+
Adoption of
PETs
H5a-e
+
Extraversion
Openness
Figure 1. Conceptual research model
ces of a specific threat vary, subject to other personal
factors. However, individuals often misperceive personal vulnerabilities to certain threats as well as the
advantageousness of preventive measures [23]. Higher perceived threat susceptibility has been shown to
have a positive impact on adopting recommended
responses, for instance in responding to security
breaches [54]. We therefore hold:
H2: Perceived susceptibility of privacy threats
positively influences the intention to use PETs.
ceived usefulness and is likewise perceived as a positive predictor of IT adoption [13]. We therefore hold:
H4: Perceived response efficacy positively influences the intention to use PETs.
In addition to the two threat appeal factors, we include two coping resources to obtain a more comprehensive picture of the antecedents of individuals’
intentions to use. Thus, after the arousal of psychological pressure, perceived self-efficacy and the perceived efficacy of recommended responses (i.e. using
PETs) determine whether users seek to engage in
danger control (i.e. adoption) instead of fear control
(i.e. rejection) processes.
Perceived self-efficacy expresses subjective beliefs in a user’s ability to perform a desired behavior.
External factors, such as the ease of obtaining and
interpreting information, can play an important role
in influencing perceived self-efficacy and resulting
behavior [25, 48]. In the IS literature, numerous studies have examined the effects of perceived selfefficacy on IT adoption and have found a positive
effect on adoption [e.g. 1]. Thus, we hold:
H3: Perceived self-efficacy positively influences
the intention to use PETs.
Emotional stability. Emotional stability is generally
accepted as the reverse pole of neuroticism [6]. Neuroticism is associated with characteristics such as being
anxious, depressed, impulsive, and vulnerable to stress
[34]. Since individuals who score high on neuroticism,
and are thus emotionally instable, tend to be more concerned and more susceptible to anxiety, we suggest that
they are more likely to undertake protective efforts to
safeguard themselves from potential threats by enhancing their privacy level. We propose:
H5a: Emotional stability negatively influences the
intention to use PETs.
3.2. Personality cues
The FFM assumes that people can be described
along five dimensions of personality. We will now
briefly explain each of these and derive hypotheses:
Agreeableness. Agreeableness has primarily been
considered a dimension of interpersonal behavior [11],
but it has been revealed that it also influences individuals’ self-image and helps to shape social attitudes and
philosophy of life [11, 28], since agreeable individuals
strive for harmony and shirk conflicts [35]. The facets
of agreeableness are trust, straightforwardness, altruism, compliance, modesty, and tender-mindedness [11].
As individuals who score high on agreeableness tend to
regard others as honest and trustworthy, in our view,
they might consider themselves less threatened by their
environment and consider it less necessary to apply
protective actions. Thus, we propose:
H5b: Agreeableness negatively influences the intention to use PETs.
Perceived response efficacy is a user’s belief in a
technology’s effectiveness in mitigating the threat to
which the user is exposed. In IS research, perceived
response efficacy has recently been analyzed as it
relates to IS security threats, among others [26]. Response efficacy exhibits some connection with per-
4835
4834
Conscientiousness. Individuals scoring high on conscientiousness tend to be well-organized, thorough,
reliable, and exact [20]. A conscientious person adheres
to standards of conduct and values order and persistence [11]. Chauvin et al. [7] found that conscientious
individuals take more precautionary steps. Since conscientious individuals tend to stick to established rules
and procedures and experience discomfort when deviating from familiar paths, we suppose that they are less
willing to get involved in risky situations and will initiate efforts to protect themselves from potential threats.
Therefore, we hold:
H5c: Conscientiousness positively influences the
intention to use PETs.
et al. [27]. Intention to use PETs was measured by
adopting items from Venkatesh et al. [49]. For the
FFM, we used the Ten Item Personality Inventory
(TIPI) [21]. TIPI has been successfully implemented
in several applications, also in the field of IS, e.g. in
privacy research [28].
In addition to our focal constructs, we accounted
for two controls: users’ privacy concerns and previous privacy experience. The items measuring context-specific concerns for information privacy were
taken from Dinev and Hart [17]. Users’ past privacy
experience was integrated, since we see a direct relationship between negative past privacy experiences
and a potential behavioral change as a result. The
items were taken from Xu et al. [55]. Each item was
measured using a seven-point Likert scale.
Extraversion. Extraversion is primarily related to the
preferred amount of social stimulation [11]. Extraverted
individuals stand out through characteristics such as
assertiveness, activity, positive emotions, or cheerfulness, and being excitement-seeking. Chauvin et al. [7]
found that extraversion is negatively associated with
hazards linked to individual behavior. Individuals who
score high on extraversion tend to live an actionoriented life that includes some risks [7]. We follow
this reasoning and conclude:
H5d: Extraversion negatively influences the intention to use PETs.
4.2. Procedure and participants
Data was collected in two stages. First, a 10-minute
paper-based questionnaire with IS undergraduate students of a major German university was handed out.
Second, a follow-up online questionnaire was distributed three weeks later. Participants of the first survey
were asked to take part in the follow-up survey by
disclosing their e-mail addresses.
For the initial survey, participants received extensive information on PETs. To ensure that participants
had completed the survey with a shared understanding of the core issue, the participants needed to answer test questions to complete the survey.
Additionally, three different available PET solutions that can help the participants protect their
smartphone privacy (“Cyber Ghost VPN”, “Disconnect” and “Whiteout Mail”) were described to them.
The PET examples were printed on a flyer that could
be taken home. Besides the description, a screenshot
of the software and a QR code with a link to the
download page was provided. All three solutions are
available for iOS and Android phones. More than
97% of the participants indicated that they use one of
these two mobile operating systems.
In the initial survey, 227 questionnaires were completed. After removing 87 invalid answers, 140 questionnaires were used in the analysis. Criteria for invalid
answers were (a) non-smartphone users (3 cases), (b)
more than 15% missing values (14 cases) [22], and (c)
respondents who failed to answer one or both of the
PET comprehension test questions (70 cases). An absolute majority of the participants were aged between 16
and 24 years (92.5%). 81 (58.7%) of the participants
were female, and 57 male; two did not specify. The
sample comprised 12 individuals (8.6%) who indicated
that they are already using a PET on their smartphones.
Three weeks later, an invitation to the follow-up quest-
Openness. Openness is connected to dimensions such
as fantasy, aesthetics, feelings, actions, ideas, and values [34]. Devaraj et al. [14] found support that openness impacts usage intention in technology adoption.
Individuals who score high on openness are characterized by a broader and deeper scope of awareness and a
higher need to enlarge and examine experience [35],
which leads to a higher willingness to try new and
different things. Given that PETs are still niche products, these individuals should have a higher interest in
discovering PETs. We hold:
H5e: Openness positively influences the intention
to use PETs.
4. Methodology
4.1. Operationalization of constructs
For the operationalization of our constructs, we
used validated measures from prior studies and
adapted them to the PET context (Appendix 1). Multi-item scales were used, since they have been proved
to provide better predictive validity for construct
measurement than single-item constructs [15]. The
protection motivation constructs and their subdomains (threat and coping appraisals) were operationalized with items from Witte et al. [52] and Johnston
4836
4835
Table 1. Internal consistency, discriminant validity, and latent variable correlation matrix
(1) AGREE
(2) BEH
(3) CONC
(4) CONSC
(5) EMOST
(6) EXP
(7) EXTRA
(8) INT
(9) OPEN
(10) PREF
(11) PSEF
(12) PSEV
(13) PSUS
CR
1.00
1.00
0.93
1.00
1.00
0.72
0.89
0.97
1.00
0.92
0.84
0.96
0.90
AVE
1.00
1.00
0.77
1.00
1.00
0.57
0.79
0.92
1.00
0.80
0.64
0.90
0.76
(1)
1.00
-0.07
0.03
0.34
0.10
0.08
0.04
0.16
0.14
0.11
0.04
0.00
-0.17
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)
(13)
1.00
0.28
-0.25
-0.01
0.31
0.01
0.23
0.20
-0.06
0.09
0.25
0.08
0.88
-0.02
-0.13
0.33
-0.05
0.50
0.12
0.20
0.09
0.37
0.40
1.00
0.15
0.14
-0.08
-0.10
0.04
-0.07
-0.05
-0.09
-0.04
1.00
0.12
0.23
0.10
0.02
-0.10
0.13
0.03
0.02
0.76
0.13
0.39
0.19
0.04
0.18
0.15
0.35
0.89
0.13
0.17
0.05
-0.04
0.00
-0.03
0.96
0.08
0.36
0.32
0.38
0.34
1.00
0.01
0.06
0.11
0.05
0.90
0.25
0.10
0.09
0.80
0.12
0.18
0.95
0.30
0.87
ionnaire was sent via e-mail to 98 (of the 140) individuals who consented to take part in a second survey. Out
of the 98, a total of 71 participated in the follow-up.
one we had hypothesized. All the other personality
effects were not statistically significant, and the hypotheses (H5a, H5d, and H5e) were not supported.
Both control variables showed strong and significant influences and help to explain individuals’ intentions to use PETs. It is remarkable that privacy concerns had the strongest influence overall of any of the
constructs (b=0.31, p<0.01), while the values for prior
privacy experience were also fairly high (b=0.20,
p<0.01).
5. Results
5.1. Measurement model analysis
SmartPLS 3.0 was used for data analysis [42].
Composite reliability (CR), indicator loadings, and
average variance extracted (AVE) were assessed to
evaluate convergent validity. In addition, the FornellLarcker criterion and cross loadings were analyzed to
assess discriminant validity [18]. Five personality items
were deleted immediately due to low indicator loadings
with values below 0.4 (PER2; PER3; PER5; PER9),
and the items EXP1 (0.60) and EXP3 (0.66) were considered for removal [22]. We eliminated EXP1 since it
led to a substantial increase in AVE and CR of the
construct. All other suggested cut-off values were exceeded and the quality criteria met (Table 1).
6. Discussion
By drawing on PMT and FFM, this study developed a model that included both cognitive and personality-related factors and tested the proposed model in a
two-stage survey. The model explains a considerable
amount of PET usage intention. While PET usage
intention proved to be a significant antecedent of
PET adoption behavior, individuals’ intention still
covers only a small amount of explained variance of
the actual usage. As a substantial part of the variance
remains unexplained, other motives do notably influence PET adoption behavior. This leads us to the
conclusion that an analogous intention-behavior dichotomy, as observed by other researchers in the field
of privacy-related behavior [4], is manifested in the
field of PET adoption.
From the results of the PMT side of our model, it
can be concluded that the perceptions of the consequences of a privacy incident are important enough to
build a strong predictor of PET usage intention. Thus,
if individuals can grasp the potential negative consequences of privacy incidents, they should be more
likely to make use of PETs. By contrast, users’ assessment of the occurrence likelihood of a privacy
incident (=perceived susceptibility) yielded no significant impact on PET usage intention, thus not constituting a considerable antecedent. An interpretation of
this finding could be that users have difficulties as-
5.2. Structural model analysis
To test structural relationships, the hypothesized
causal paths were estimated using the pairwise replacement option, owing to the different sample sizes
for the initial and the follow-up questionnaires (Figure
2). The model explained a considerable amount of
variance in individuals’ intention to use PETs (R2 =
0.498), while the explanatory power for the subsequent
adoption behavior remained low (R2 = 0.051).
Concerning the hypotheses, we found a mixed picture (Table 2). Three of the four hypotheses related to
the PMT constructs found support, namely those for
severity, self-efficacy and response-efficacy, supporting
hypotheses 1, 3, and 4. Only the effect of susceptibility
on usage intention was not significant (p=0.28), and
thus H2 was not supported. The results concerning the
personality constructs led were surprising, as H5b and
H6c were significant, but in the direction opposite the
4837
4836
Cognitive factors
Threat appraisal
Perceived severity of privacy threats
Perc. susceptibility of privacy threats
Personality traits
Control variables
Privacy
concerns
+0.16*
Prev. privacy
experience
+0.31**
+0.10
Emotional stability
+0.16*
Agreeableness
+0.20**
+0.08
Intention to
use PETs
-0.14*
Perceived self-efficacy to use PETs
Conscientiousness
(R2=0.498)
Coping appraisal
+0.23*
+0.15*
Perceived response efficacy of PETs +0.21**
Adoption of
PETs
+0.09
Extraversion
-0.06
Openness
(R2=0.051)
* p < 0.05; ** p < 0.01.
Figure 2. Results of PLS analysis
sessing the chances that a privacy incident may happen to them or that they just believe these things will
happen only to others. It is conceivable that ongoing
press reports may lead to an increase in individuals’
susceptibility perception. However, while many users
have presumably already experienced damage caused
by viruses, at least some of the privacy incidents will
not be noticed, and the actual negative consequences
are more difficult to assess than losing data because
of a virus attack.
Perceived response efficacy is a significant predictor of PET usage intention. Thus, individuals’ perception of the availability and effectiveness of the PET
solution is a significant antecedent of users’ protective
intentions. Similar findings (albeit with a weaker influence) are obtained with respect to individuals’ perceived self-efficacy: If users feel they are able to find,
set up and install such solutions, they are more likely to
start using PETs. Both factors demonstrate the importance of clear and convincing communication of the
PET functional benefits and of its ease of use, as the
absence of one of the two might lead to further user
inaction.
Concerning personality, while few authors successfully implemented the TIPI in their research [28], others encountered substantial difficulties with respect to
its reliability coefficients [38]. We have chosen to
implement TIPI for the sake of brevity, but sadly, comparable problems occurred in our study, resulting in
low reliability coefficients (except extraversion). Although not aiming for high reliability levels, TIPI seeks
to be an adequate proxy for longer FFM instruments
[21]. Nevertheless, very low scores raise concerns
about the reliability of the results. In order to reach
more reliable conclusions regarding the personality
factors, four items have been eliminated. Keeping in
mind that single-item constructs reduce predictive
validity, the elimination led to four single-item constructs. We therefore emphasize that the conclusions
drawn from the personality side of our model should be
handled with caution.
Agreeableness was hypothesized to influence PET
usage intention negatively, while a positive link was
proposed for conscientiousness. Surprisingly, the results were the opposite of the effect we had expected
for both relations. Agreeableness is associated with
individuals who regard others as honest and trustworthy. While we assumed that this would result in individuals’ lower perceived need to act and install a PET,
it could apparently rather be individuals’ greater trust in
the PET supplier that leads to higher intention to use.
To test this assumption, we will add a construct to
measure trust in provider for a reassessment. Concerning conscientiousness, we can only imagine that using a
PET that could lead to restrictions concerning familiar
paths and functions can impose discomfort on conscious users, and thus lower intention to use.
6.1. Implications for theory
One contribution of our work is the integration of
both cognitive factors and personality traits as antecedents of individuals’ intention to use PETs. Previous
research related to PETs has often applied a technology-centered perspective or used common technology
acceptance models. However, in our view, traditional
approaches to technology adoption are not fully able to
grasp the ubiquitous privacy risks that users face. Thus,
we included personality traits to map latent, nonexplicitly expressed aspects that have an impact on
users’ behavior and are generally still under-researched
in IS. However, since the chosen inventory to assess
individuals’ personality turned out not to be elaborate
4838
4837
enough for our purpose, further research efforts are
necessary.
Related to the analysis of cognitive factors, we contribute by introducing protection motivation theory in
the context of individual privacy, in particular to PET
usage. While PMT has already been used to explain
information security behavior concerning threats
related to IT assets, to the best of our knowledge,
PMT has not yet been applied to our particular field
of interest. In our context, the fundamental PMT
assumptions are met, since privacy threats are of high
relevance to an individual’s self, while the application of PETs can directly alleviate these threats.
Hence, for future research in this context, we suggest
making use of the PMT and its facets.
Although our joint model explains a considerable
share of variance on PET usage intention, there is a
substantial difference with the explained share of variance for actual usage. Acknowledging the limitation
that we put participants into a scenario in which they
otherwise might not have shown any interest, this limitation implies that especially in the field of privacy,
further research should seek to further explain the gap
between intention and actual behavior.
tion, suppliers’ communication should target PETs’
convenient ease of use, implementation and setup.
Second, new insights are also highly relevant for
actors that are still profiting from users’ passive responses to privacy threats – among others, online
advertisers and suppliers of advertising-financed
services. Although we do not intend to strengthen
their currently sometimes privacy-invasive practices
– which continue to work, despite being disliked by
many users – these actors also have an interest in a
better understanding of why users often do not act in
privacy-sensitive ways. Our results indicate that users
do not take into account the susceptibility of being
subject to privacy incidents, which might be caused
by their inability to quantify this risk. Following
these lines, it is even possible that the oft-cited omnipresent fear that users appear to have of privacy incidents might be a conformity statement rather than a
true fear.
7. Next steps
Owing to the methodological shortcomings of the
TIPI operationalization to measure the personality traits
in our study, we will replicate our survey with minor
adaptations of the research model and an extended
personality framework. For the latter, we hope that a
more elaborate personality scale will lead to more
robust results. We decided to extend the personality
inventory to 25 items with five items per dimension
[19]. On this basis, we seek to expand our
understanding of how cognitive and personality-related
factors interact in users’ adoption and usage of PETs.
6.2. Implications for practice
Different actors in practice can benefit from an
improved understanding of how users handle threats
to their personal privacy, how their beliefs in the
application of technologies alleviate these matters,
and how their personality influences all of these factors.
First, the implications are useful for PET suppliers, whose products continue to have low usage rates.
They can be providers of security software (e.g. antivirus) that sell PETs as an additional module, but also
providers of standalone PETs that seek greater insight
into how they can foster the diffusion of their products. Our results show that while the fear of the consequences of a privacy incident causes the intention
to use protective software, the susceptibility does not
account for such intentions. Since the public media is
already sending strong and frequent threat messages
to users, our findings indicate that more precise supplier communication messages need to be sent out.
Certain antivirus software suppliers are already sending out messages on a regular basis about current
severe threats to users of their free versions in order
to encourage them to upgrade to the full version of
their products. In addition, users need to be convinced of the PETs’ effectiveness and easy usability.
Following the privacy-by-design principles, we suggest
integrated solutions wherever possible to reduce the
implementation effort for users to near zero. In addi-
Appendix 1
Perceived Severity (SEV, adapted from Witte et al. [52])
1. I believe that the consequences of a privacy incident
are severe.
2. I believe that the consequences of a privacy incident
are serious.
3. I believe that the consequences of a privacy incident
are significant.
Perceived Susceptibility (SUS, adapted from Witte et al.
[52])
1. I am at risk of becoming a victim of privacy incidents.
2. It is likely that I will experience privacy incidents.
3. It is possible that I will experience privacy incidents.
Self-efficacy (SEF, adapted from Johnston et al. [27])
1. Setting up a PET is easy.
2. Setting up a PET is convenient.
3. I am able to set up a PET without much effort.
4839
4838
Model of User Adaptation", MIS Quart., 29(3), 2005, pp.
493-524.
[4] Berendt, B., Günther, O., and Spiekermann, S., "Privacy
in E-Commerce: Stated Preferences Vs. Actual Behavior",
Comm. ACM, 48(4), 2005, pp. 101-106.
[5] Brecht, F., Fabian, B., Kunz, S., and Mueller, S., "Are
You Willing to Wait Longer for Internet Privacy?", ECIS
Proceedings, 2011
[6] Briggs, S.R., "Assessing the Five-Factor Model of
Personality Description", J Pers, 60(2), 1992, pp. 253-293.
[7] Chauvin, B., Hermand, D., and Mullet, E., "Risk
Perception and Personality Facets", Risk Anal, 27(1), 2007,
pp. 171-185.
[8] Clemons, E.K., and Wilson, J., "Students' and Parents'
Attitudes Towards Online Privacy: An International
Study", HICSS Proceedings, 2015, pp. 4844-4853.
[9] Conner, M., and Abraham, C., "Conscientiousness and
the Theory of Planned Behavior: Toward a More Complete
Model of the Antecedents of Intentions and Behavior", Pers
Soc Pychol B, 27(11), 2001, pp. 1547-1561.
[10] Costa, P.T., and Mccrae, R.R., Revised NEO
Personality Inventory (NEO PI-R) and NEO Five-Factor
Inventory (NEO FFI): Professional Manual, Psychological
Assessment Resources, Odessa, FL, 1992.
[11] Costa, P.T., Mccrae, R.R., and Dye, D.A., "Facet
Scales for Agreeableness and Conscientiousness: A
Revision of the NEO Personality Inventory", Personality
and Individual Differences, 12(9), 1991, pp. 887-898.
[12] Culnan, M.J., and Bies, R.J., "Consumer Privacy:
Balancing Economic and Justice Considerations", J. Soc.
Issues, 59(2), 2003, pp. 323-342.
[13] Davis, F.D., "Perceived Usefulness, Perceived Ease of
Use, and User Acceptance of Information Technology",
MIS Quart., 13(3), 1989, pp. 319-340.
[14] Devaraj, S., Easley, R.F., and Crant, J.M., "Research
Note—How Does Personality Matter? Relating the FiveFactor Model to Technology Acceptance and Use", Inform.
Systems Res., 19(1), 2008, pp. 93-105.
[15] Diamantopoulos, A., Sarstedt, M., Fuchs, C.,
Wilczynski, P., and Kaiser, S., "Guidelines for Choosing
between Multi-Item and Single-Item Scales for Construct
Measurement: A Predictive Validity Perspective", J. of the
Acad. Mark. Sci., 40(3), 2012, pp. 434-449.
[16] Dimatteo, M.R., Haskard, K.B., and Williams, S.L.,
"Health Beliefs, Disease Severity, and Patient Adherence:
A Meta-Analysis", Med. Care, 45(6), 2007, pp. 521-528.
[17] Dinev, T., and Hart, P., "An Extended Privacy
Calculus Model for E-Commerce Transactions", Inform.
Systems Res., 17(1), 2006, pp. 61-80.
[18] Fornell, C., and Larcker, D.F., "Evaluating Structural
Equation Models with Unobservable Variables and
Measurement Error", J. Marketing Res., 1981, pp. 39-50.
[19] Gerlitz, J.-Y., and Schupp, J., "Zur Erhebung Der BigFive-Basierten Persönlichkeitsmerkmale Im SOEP", DIW
Research Notes, 2005, pp. 1-44.
[20] Goldberg, L.R., "The Development of Markers for the
Big-Five Factor Structure", Psychol Assessment, 4(1),
1992, pp. 26-42.
[21] Gosling, S.D., Rentfrow, P.J., and Swann, W.B., "A
Very Brief Measure of the Big-Five Personality Domains",
J Res Pers, 37(6), 2003, pp. 504-528.
Response Efficacy (REF, adapted from Witte et al. [52])
1. A PET is able to prevent privacy incidents.
2. Using a PET is effective in preventing privacy incidents.
3. If I use a PET, I am less likely to experience privacy incidents.
Ten-Item Personality Invent. (PER, Gosling et al. [21])
I see myself as:
1. Extraverted, enthusiastic.
2. Critical, quarrelsome. (reversed)
3. Dependable, self-disciplined.
4. Anxious, easily upset. (reversed)
5. Open to new experiences, complex.
6. Reserved, quiet. (reversed)
7. Sympathetic, warm.
8. Disorganized, careless. (reversed)
9. Calm, emotionally stable.
10. Conventional, uncreative. (reversed)
Privacy Concerns (PC, Dinev and Hart [17])
1. I am concerned that the information I submit on the
Internet could be misused.
2. I am concerned that a person can find private information about me on the Internet.
3. I am concerned about submitting information on the
Internet, because of what others might do with it.
4. I am concerned about submitting information on the
Internet, because it could be used in a way I did not
foresee.
Previous Privacy Experience (EXP, Xu et al. [55])
1. How often have you been a victim of what you felt
was an improper invasion of privacy?*
2. How much have you heard or read during the past
year about the use and potential misuse of information collected from the Internet?
3. How often have you experienced incidents where
your personal information was used by a company
without your authorization?
Behavioral Intention (BI, adapted from Venkatesh et al.
[49])
1. I intend to use PETs in the next few months.
2. I predict I would use PETs in the next few months.
3. I plan to use PETs in the next few months.
Actual Behavior (ACT, adapted from Liang and Xue [31])
I use a PET on my smartphone to protect me from privacy
incidents.
* Item has been removed for analyses.
References
[1] Agarwal, R., Sambamurthy, V., and Stair, R.M., "The
Evolving Relationship between General and Specific
Computer Self-Efficacy-an Empirical Assessment", Inform.
Systems Res., 11(4), 2000, pp. 418-430.
[2] Barrick, M.R., Mount, M.K., and Judge, T.A.,
"Personality and Performance at the Beginning of the New
Millennium: What Do We Know and Where Do We Go
Next?", Int J Select Assess, 9(1-2), 2001, pp. 9-30.
[3] Beaudry, A., and Pinsonneault, A., "Understanding
User Responses to Information Technology: A Coping
4840
4839
[39] Pyszczynski, T., Greenberg, J., and Solomon, S.,
"Why Do We Need What We Need? A Terror Management
Perspective on the Roots of Human Social Motivation",
Psychol Inq, 8(1), 1997, pp. 1-20.
[40] Renaud, K., Volkamer, M., and Renkema-Padmos, A.,
"Why Doesn’t Jane Protect Her Privacy?", Privacy
Enhancing Technologies Proceedings, 2014, pp. 244-262.
[41] Rindfleisch, T.C., "Privacy. Information Technology,
and Health Care", Comm. ACM, 40(8), 1997, pp. 93-100.
[42] Ringle, C.M., Wende, S., and Becker, J.-M.,
SmartPLS 3, SmartPLS, Hamburg, 2015.
[43] Rogers, R.W., "A Protection Motivation Theory of
Fear Appeals and Attitude Change", J. Psychol., 91(1),
1975, pp. 93-114.
[44] Rogers, R.W., "Cognitive and Physiological Processes
in Fear Appeals and Attitude Change: A Revised Theory of
Protection Motivation", in Cacioppo, J.T., and Petty, R.E.:
Social Psychophysiology: A Sourcebook, The Guilford
Press, New York, NY, 1983, pp. 153-177.
[45] Smith, H.J., Dinev, T., and Xu, H., "Information
Privacy Research: An Interdisciplinary Review", MIS
Quart., 35(4), 2011, pp. 989-1015.
[46] Smith, H.J., Milberg, S.J., and Burke, S.J.,
"Information Privacy: Measuring Individuals' Concerns
About Organizational Practices", MIS Quart., 20(2), 1996,
pp. 167-196.
[47] Solove, D.J., "A Taxonomy of Privacy", U. Pa. L.
Rev., 154(3), 2006, pp. 477-564.
[48] Sweeny, K., Melnyk, D., Miller, W., and Shepperd,
J.A., "Information Avoidance: Who, What, When, and
Why", Rev. Gen. Psychol., 14(4), 2010, pp. 340-353.
[49] Venkatesh, V., Morris, M.G., Davis, G.B., and Davis,
F.D., "User Acceptance of Information Technology:
Toward a Unified View", MIS Quart., 27(3), 2003, pp. 425478.
[50] Webb, T.L., and Sheeran, P., "Does Changing
Behavioral Intentions Engender Behavior Change? A MetaAnalysis of the Experimental Evidence", Psychol. Bull.,
132(2), 2006, pp. 249-268.
[51] Wirtz, J., Lwin, M.O., and Williams, J.D., "Causes and
Consequences of Consumer Online Privacy Concern", Int J
Serv Ind Manag, 18(4), 2007, pp. 326-348.
[52] Witte, K., Cameron, K.A., Mckeon, J.K., and
Berkowitz, J.M., "Predicting Risk Behaviors: Development
and Validation of a Diagnostic Scale", J. Health Commun.,
1(4), 1996, pp. 317-342.
[53] Woon, I., Tan, G.-W., and Low, R., "A Protection
Motivation Theory Approach to Home Wireless Security",
ICIS Proceedings, 2005
[54] Workman, M., Bommer, W.H., and Straub, D.,
"Security Lapses and the Omission of Information Security
Measures: A Threat Control Model and Empirical Test",
Comput. Hum. Behav., 24(6), 2008, pp. 2799-2816.
[55] Xu, H., Dinev, T., Smith, J., and Hart, P., "Information
Privacy Concerns: Linking Individual Perceptions with
Institutional Privacy Assurances", J. Assoc. Inf. Syst.,
12(12), 2011, pp. 798-824.
[22] Hair Jr., J.F., Hult, G.T.M., Ringle, C.M., and Sarstedt,
M., A Primer on Partial Least Squares Structural Equation
Modeling (PLS-SEM), SAGE Publications, Thousand
Oaks, 2014.
[23] Herck, K., Zuckerman, J., Castelli, F., Damme, P.,
Walker, E., and Steffen, R., "Travelers' Knowledge,
Attitudes, and Practices on Prevention of Infectious
Diseases: Results from a Pilot Study", J. Travel. Med,
10(2), 2003, pp. 75-78.
[24] Jackson, J.D., Yi, M.Y., and Park, J.S., "An Empirical
Test of Three Mediation Models for the Relationship
between Personal Innovativeness and User Acceptance of
Technology", Inform. Manage., 50(4), 2013, pp. 154-161.
[25] Johnson, J.D., Cancer-Related Information Seeking,
Hampton Press, Cresskill, NJ, 1997.
[26] Johnston, A.C., and Warkentin, M., "Fear Appeals and
Information Security Behaviors: An Empirical Study", MIS
Quart., 34(3), 2010, pp. 549-566.
[27] Johnston, A.C., Warkentin, M., and Siponen, M., "An
Enhanced Fear Appeal Rhetorical Framework: Leveraging
Threats to the Human Asset through Sanctioning Rhetoric",
MIS Quart., 39(1), 2015, pp. 113-134.
[28] Junglas, I.A., Johnson, N.A., and Spitzmüller, C.,
"Personality Traits and Concern for Privacy: An Empirical
Study in the Context of Location-Based Services", Eur. J.
Inform. Syst., 17(4), 2008, pp. 387-402.
[29] Kahneman, D., and Tversky, A., Choices, Values, and
Frames, Cambridge Univ. Press, Cambridge, UK, 2000.
[30] Kumar, N., Mohan, K., and Holowczak, R., "Locking
the Door but Leaving the Computer Vulnerable: Factors
Inhibiting Home Users' Adoption of Software Firewalls",
Decis. Support Syst., 46(1), 2008, pp. 254-264.
[31] Liang, H., and Xue, Y., "Understanding Security
Behaviors in Personal Computer Usage: A Threat
Avoidance Perspective", J. Assoc. Inf. Syst., 11(7), 2010,
pp. 394-413.
[32] Maddi, S.R., Personality Theories: A Comparative
Analysis, Dorsey Press, Homewood, IL, US, 1989.
[33] Maier, C., "Personality within Information Systems
Research: A Literature Analysis", ECIS Proceedings, 2012
[34] Mccrae, R.R., and Costa, P.T., "Personality, Coping,
and Coping Effectiveness in an Adult Sample", J Pers,
54(2), 1986, pp. 385-405.
[35] Mccrae, R.R., and Costa, P.T., "Adding Liebe Und
Arbeit: The Full Five-Factor Model and Well-Being", Pers
Soc Pychol B, 17(2), 1991, pp. 227-232.
[36] Mcelroy, J.C., Hendrickson, A.R., Townsend, A.M.,
and Demarie, S.M., "Dispositional Factors in Internet Use:
Personality Versus Cognitive Style", MIS Quart., 31(4),
2007, pp. 809-820.
[37] Pechmann, C., Zhao, G., Goldberg, M.E., and
Reibling, E.T., "What to Convey in Antismoking
Advertisements for Adolescents:The Use of Protection
Motivation Theory to Identify Effective Message Themes",
J. Marketing, 67(2), 2003, pp. 1-18.
[38] Picazo-Vela, S., Chou, S.Y., Melcher, A.J., and
Pearson, J.M., "Why Provide an Online Review? An
Extended Theory of Planned Behavior and the Role of BigFive Personality Traits", Comput. Hum. Behav., 26(4),
2010, pp. 685-696.
4841
4840