A Quantitative Investigation of the Security Factors Affecting the Use of IT
Systems in Public Networks
Sanjeev Mitra
College of Business Administration, Trident University International, Cypress, CA USA
Dr Indira R. Guzman, Ph.D.
Program Director, College of Information Systems, Trident University International
Cypress, CA, USA
Dr Gurpreet Dhillon, Ph.D.
Professor of Information Security at the School of Business
Virginia Commonwealth University, Virginia, USA
Dr Kiet Tran, Ph.D.
Professor, College of Business Administration
Trident University International, Cypress, CA, USA
Abstract
This research will investigate whether the System Security Quality of IT Systems like
mobile technologies, when used in public networks like the Wi-Fi Internet, has a positive
effect on their users’ behavioral intentions to use such systems. The motivation for doing
this research stems from the need to investigate what the System Security Quality of mobile
technologies is and how it is perceived by users of those technologies when used in public
networks like the Internet (Wi-Fi). The relevant theories are the Unified Theory of
Acceptance and Use of Technology, Technology Acceptance Model, Theory of Reasoned
Action, Technology Threat Avoidance Theory, Theory of Planned Behavior, Self-Efficacy
in Information Security, Protection Motivation Theory and the ‘IS’ Success Model. The main
constructs are System Security Quality of IT Systems, Users’ perceptions about System
Security Quality of IT Systems, Users’ Behavioral Intentions to use IT Systems, Users’
Self-Efficacy about IT Systems Security, and Users’ Response Efficacy about IT Systems
security. Paper and web-based questionnaires using a Likert scale will be used for data
collection in restaurants/coffee-shops/bookstores. Statistical analysis will be done using
Confirmatory Factor Analysis, ANOVA and multiple regression analysis. Hypothesis
testing will be done for reflective variables by techniques like Structural Equation
Modeling, using AMOS or LISREL. For indicators of the formative construct the analysis
will be done using PLS. This research study will benefit the vendors of IT Systems like
mobile technologies by helping them to increase their users’ satisfaction with the security
of such systems when used in public networks like the Wi-Fi based Internet, possibly
resulting in more actual usage and an increase in business for their respective
smartphone brands. The same study will be done in the future in secured wired networks in
universities in the US and other countries to assess the validity of the results obtained in
another context and to establish their generalizability.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 1
Mitra;Guzman;Dhillon;Tran
Introduction
In order to survive in the modern business world, individuals working in organizations use various ways
of information management since information is now recognized as an asset of organizations. The
technology used for managing and disseminating information includes computers, personal digital
assistants, smart phones and tablets, storage devices, virtual machines, and servers, etc. These artifacts of
Information Technology have one aspect in common for the majority of their users in many countries of the
developed world like the USA. They are connected to some type of network, either wired or wireless, at
homes, offices or on the road.
Problem Statement
While retrieval and distribution of information has been made easy by this, nevertheless serious concerns
have sprung up about the effectiveness of their security for their individual users in organizations. This is
because persistent incidents of malware infection and data breaches experienced by users in organizations
continue to be on the rise, pointing to possible gaps in the effectiveness of IT security practices being
followed for individual users as a whole in companies. The ‘State of Endpoint risk 2011’ survey by
Ponemon Institute (2010) found that “The most frequently encountered IT network incidents are general
malware attacks (92 percent of respondents), web-borne malware attacks (75 percent of respondents),
botnet attacks (64 percent of respondents) and SQL injections (38 percent of respondents)”. The salient
findings of “2013 State of the Endpoint” survey research report by Ponemon Institute (2012), relevant to
this research study, were as follows:
• “Eighty percent of respondents believe laptops and other mobile data-bearing devices such as
  smart phones pose a significant security risk to their organization’s networks or enterprise
  systems because they are not secure.
• Malware attacks are increasing. Fifty-eight percent of respondents say their organizations
  have more than 25 malware attempts or incidents each month and another 20 percent are
  unsure”
• Out of these both general malware (86%) and Web-borne malware attacks (79%) and
  Rootkits (65%) are the most occurring in organizations.
• Advanced Persistent Threats (25%) and Hacktivism (15%), Zero Day Attacks (13%) and SQL
  Injection (12%) are the ones most annoying.”
There was a recent report (Richmond, 2011) which stated that “RSA security suffered a sophisticated
hacker attack that resulted in the theft of sensitive information related to its popular SecurID two-factor
authentication products”. Though the RSA SecurID two-factor authentication is used in addition to the
username and password to connect securely to IT system networks, the fact that it has now been
successfully hacked may have a significant impact on whether users would feel confident about using the
IT Systems using this authentication method. Based on the above stated facts it can be concluded that the
number of malware attacks via Internet websites have increased on IT Systems like the Mobile
Technologies and has also resulted in compromise of their users’ confidential personal information.
Hence the motivation to do this research stems from the need to investigate what is the Systems Security
Quality of IT Systems and how is it perceived by users of IT Systems like Mobile Technologies when used
in public networks like the Internet (Wi-Fi). The justification of this motivation is based on Choobineh,
Dhillon, Grimaila, and Rees (2007) who have identified that “conceptualizations of information security
has been largely atheoretical” as one of the three “challenging issues in management of information
security”. This research study will attempt to address this issue by generating testable hypotheses and
creating a research model about use of IT Systems such as Mobile Technologies in the public networks
like the insecure Wi-Fi, based on the actual security effectiveness of such IT Systems. This study will help
the users by letting them know how effective the security of the IT Systems they are using is.
2 Editors: Gurpreet Dhillon and Spyridon Samonas
In turn this could help the IT departments in companies to increase their users’ satisfaction with the
security effectiveness of their IT Systems, possibly resulting in their more actual usage by those users and
hence more business and better efficiencies for those companies.
The Context of this Research Study
The context of this research study is the usage of IT systems like mobile technologies when used in a wireless
public network like the Wi-Fi (Wireless Fidelity) based Internet. Mobile technologies are used as the context
of this study as “Fifty-six percent of U.S. adults own a smartphone of some type — up from 35% of adults
two years ago according to Pew Research Center survey” (Browdie, 2013). The majority of people in the US
who work in companies and the federal government use personal or provided smart-phones like iPhone,
Androids, BlackBerry, LG and Samsung. In this process they either use the 3G/4G data plans offered by
major carriers like Verizon, T-Mobile, Sprint-Nextel, AT&T and others to make phone calls or connect to
the Internet, or they use the Wi-Fi based Internet to do such tasks. Since the Internet is the largest and most
prolifically used wide area network system, this research study intends to focus on the actual usage
of IT Systems like the Smartphone when using a wireless public network like the Wi-Fi Internet. “The
federal government is in the process of creating a national mobility strategy that will attempt to replace ad
hoc policies with a coordinated cost-saving plan” (Hoover, 2012). This means that consolidation of the ad-hoc
policies that presently address the various aspects of Wi-Fi based Internet access, with a view to cost
savings for the plans used by federal employees while using their smart-phones, is considered important
by the Federal Government. As an example, “the Department of Agriculture consolidated 843 wireless
plans (and more than 32,000 service lines) to three purchasing agreements. As a result, USDA reduced its
telecom expenses by 18%, or $4 million, annually” (Hoover, 2012).
There are various input factors that contribute to such costs incurred by users while using smart-phones.
These include the costs of data, time and productivity loss due to virus/spyware/malware. This is because
smart-phones are “easily lost or stolen, and prone to the vulnerabilities of downloadable software and the
Web. Malware is a growing concern on mobile devices, one that some agencies have yet to address. ATF,
for example, doesn’t run antivirus software on smartphones, and instead relies on MDM software to block
threats” (Hoover, 2012). As part of the firmware Wi-Fi chips can be vulnerable to attack from bugs in the
coding. An example of this type of vulnerability was disclosed by ‘Core Security’ in Oct 2012 with the issue
of an advisory detailing how the Wi-Fi NIC could be prevented from responding (Armin, 2013). Two
modes of wireless networking operations are in prevalence. One is the infrastructure mode and the other
is the ad-hoc mode. Yaniv (2006) stated that ad-hoc network mode obviates the necessity for having an
access point. It works using a 'peer-to-peer' (P2P) style of communication. Only wireless adapters are
needed to communicate. It does not depend on presence of routers, for example. This reduces the cost and
maintenance significantly as compared to that in a network designed around an access point. However
due to the P2P type of communication, ad-hoc mode should only be used for smaller networks. In many
small homes the ad-hoc network type wireless access is used. The big risk on the cellular networks is that
many users won't be as cognizant of the risks as when, for instance, they connect to a Wi-Fi network.
However, using the cellular network is generally more secure than using an open public Wi-Fi hotspot
(Shinder, 2011).
Overall security of cellular data transmission depends on the security of all the four major components of
such networks which include the wireless network and the Internet connection. When signals go through
the airwaves, it's easier to intercept them because physically tapping into a line is not required. Anyone having
a transmitter/receiver could intercept those signals. It is very difficult to prevent the interception of the
signals; the key to securing a wireless network is encrypting those signals. Then the signals will be useless
for any unauthorized party who does intercept them. Early cellular networks did not adequately secure
the wireless signals in transit. However, 3G (and above) networks use strong cipher keys to encrypt the
signals. Two way authentication is used to prevent the use of cloned cellular devices. 3G networks are still
vulnerable to Denial of Service (DoS) attacks.
Shinder (2011) stated that threats like malware, DoS, intrusion and virus attacks can affect Internet
connections in Mobile Technologies just like they affect computers with Internet connections. Device
specific vulnerabilities also exist in Internet connection devices for Mobile Technologies (Shinder, 2011).
For instance, 3G MiFi mobile hotspots were vulnerable to unauthorized enabling of GPS on them
(Shinder, 2011). Similarly, the latest Near Field Communications or NFC technology being introduced in
Mobile Technologies used to exchange information between any two such devices using Radio
Frequencies without the Wi-Fi could be susceptible to interception or distortion of those radio waves and
hence the information passing between them.
In McAfee's report on mobile security Griffin (2011) stated that the Mobile and Security report was split
into two surveys - one for consumers, and the other for senior IT decision makers in companies with an
employee count of over 100. It shows a general lack of awareness for safekeeping of mobile data. Although
more than half of organisations are “heavily reliant on the use of mobile devices”, and 95 per cent have
some sort of mobile security policy in place, less than one in three employees are aware of it. Less than 50
per cent of employees understand their mobile device access/permissions. Although mobile security is a
major problem and one that is only set to increase based on the current trajectory of Smartphone
adoption, losing the Smartphone is still the biggest fear for consumers and IT directors, alike. According
to the report, 19 per cent of users store credit card details on their phone. Alarmingly, 23 per cent store
passwords and pin codes as well, without any form of remote locking or a password lock on a device to
keep the thief away from your details" (Griffin, 2011).
Shema (2011) stated that “even though T-mobile has WPA level of secure access it is not offering the
WPA2 level encryption security which is available in our home networks. Whereas it is easy to set up
WPA2 on the home network, it is missing on the ubiquitous public Wi-Fi services of cafes and airplanes.
They usually avoid encryption altogether. Even still, encrypted networks that use a single password for
access merely reduce the pool of attackers from everyone to everyone who knows the password (which
may be a larger number than one would expect).” T-Mobile provides the wireless services at Starbucks. In
addition to Starbucks, T-Mobile hotspots are available in Borders, Kinko's, the Hyatt, Red Roof Inn,
Barnes & Noble, Dallas-Fort Worth International Airport, Los Angeles International Airport, San
Francisco International Airport, Hyatt Hotels and Resorts, Sofitel and Novotel Hotels, the airline clubs of
American, Delta, United and US Airways, and other select airports and hotels"
(http://antivirus.about.com/od/wirelessthreat1/a/starbucks.htm).
In addition to this is the emerging threat of sophisticated malware attack capable of being carried out by
well organized and equipped hackers from the mainstream travel, shopping and gaming websites
(Liebowitz, 2010). Users surfing these websites may not even know that they have been infected with
malware until after the fact. Stealth malware attacks are likely in future to “steal identities, co-opt
personal relationships and imitate people’s natural behaviors to avoid detection in future, due to
increasing use of social networking sites by people” (Fox, 2010) and increasingly greater sophistication of
the hackers. This is even more so because the Security Intelligence Report from Microsoft (2010) has
confirmed the increase of botnet type of web security threats in the United States in the last few quarters
as compared to the other parts of the world.
Enck, Ongtang and McDaniel (2009) have identified seven possible categories of malware in mobile
phones like “Proof-of-Concept, Destructive, Premeditated spyware, Direct Payoff, Information
scavengers, Ad-aware and Botnets”. Information scavengers and Botnet can provide “direct monetary
gain to the malware writer” and hence are likely to become more prevalent in mobile phones. (Enck et al.,
2009). Hence these types of malware, if downloaded from insecure public Wi-Fi on Mobile Technologies,
may also impact the actual use of the public Wi-Fi on such Mobile Technologies.
A research study by iBAHN (2010) on use of Internet by users who travelled found that though “80
percent of iTRAVELLERS considered data security as important to them, and were not satisfied with it,
yet they were willing to pay a premium for high quality, high-speed hotel Internet access (HSIA) service”.
Thus, users who travelled were skeptical about the security of data available to them in this type of
networked IT system. Yet, they were induced by the available speeds and quality of Internet connection to
pay a higher price to use this networked IT system. A study by Cornell University School of Hotel
Administration found that “Hotels in the U.S. are generally ill-prepared to protect their guests from
network security issues” (Jackson, 2008). Though it is not their job to do so, yet this can be a factor that
may discourage users from using their Mobile Technologies if they cannot use it on secure Internet
connection in such places. Hence this study intends to investigate the factors affecting the use of the Wi-Fi
Internet based IT system in the context of the hospitality industry comprising coffee-shop/bookstore/restaurants. The coffee-shop/bookstore/restaurants have been selected as surrogate for
the hospitality industry for ease of data collection for this research study. This is also because the Internet
access is now available extensively in the form of Wi-Fi access in coffee-shop/bookstore/restaurants
where people tend to use the wireless Internet access on their smart-phones, iPads, tablets or laptops.
Hence it is possible that if coffee-shops/bookstores/restaurants cannot provide suitable protection to
their guests’ Internet connections on their Mobile Technologies from such sophisticated attacks, then
those guests may not perceive the security of their Mobile Technologies to be effective. In this context a
Google/IPSOS OTX MediaCT (2011) study on smart-phone users found that 93% users use the smart-phone in home, 73% use them in restaurants, 72% use them at work and 54% use them in Café and
Coffee-Shops. 81% users used smart-phones to browse the Internet and 77% used it to search information
using search engine on the Internet. Hence Internet related use was found to be the largest percentage
use by users of smart-phones. 43% users were willing to give up beer and 36% were willing to give up
chocolate and 34% were willing to give up super-bowl tickets in exchange for using the Internet on the
Smartphone. The smart-phone is slated to replace the wallet in the near future as has been demonstrated
by use of Google wallet and is also slated to be used as the payment option in place of credit cards with
terminals for this already in use in area of New York (CNN, 2012). Hence secure storage and transmission
of confidential data like credit card numbers via the applications like ‘Square’ will become of increasing
importance in future. The very fact that valuation of the Square, Inc manufacturing the ‘Square’ device for
credit card transactions in smart-phone was to the tune of one billions of dollars in June 2011 shows the
importance which the industry attaches to this data storage feature in smart-phones. Starbucks
announced that it will start using Square to enable customers to pay with credit or debit cards using their
smart-phones. However the Merchant User Agreement for a Square account at present prohibits its use in
twenty nine different areas, like “buyers or membership clubs, credit counseling or repair agencies” etc.
(Square, Inc., 2013). This could be due to possible security concerns about transmission of confidential
credit card data for these areas in particular, among other factors, from the Square device via the Internet
connection on the smart-phones. Hence the security effectiveness of such smart-phones using Wi-Fi
Internet public networks and NFC (near field communication) for communication of financial data will be
of high concern in the minds of customers (CNN, 2012).
In a recent webinar by Zscaler it was revealed that applications like CNN downloaded and installed on
the mobile phones were found to have been revealing the user id of users of those phones to hackers over
the Internet (Hazarika, 2013). According to InfoSecurity-magazine (2013) the potential targets of
cybercrime are “rooted or jailbroken devices (57% have no policy), compromised Wi-Fi hotspots (47%).
According to the latest malware report published by NQ Mobile, “mobile malware increased by 163% in
2012 – but infections rose by 200% to an estimated 32.8%.” Clooke (2013) reported that there is an
unpatched vulnerability in the Mobile Technologies like BlackBerry, Android, iPhone and some Windows
devices which makes millions of mobile Wi-Fi users at risk from hackers”. Mobile Technologies with Wi-Fi
capability activated in them have a Preferred Networks List or PNL. This list contains the names of any
public Wi-Fi hotspots, or any other Wi-Fi connection set up previously in that smartphone. The
smartphone tries to access the networks on the PNL initially when its Wi-Fi capability is switched on,
since it announces the networks which it is seeking to join. When the smartphone is joined to a public
Wi-Fi, then by using stealth listening software the potential hackers can use this vulnerability to obtain the
PNL. They create a spurious Wi-Fi network with the same particulars as on the PNL of the smartphone,
including the concealed service set identifier (SSID). Then the smartphone naturally gets connected to the
spurious Wi-Fi connection set up by the hacker, as it sends out the SSID of the networks contained in its
PNL that matches the concealed SSID of the fake Wi-Fi. Then the smartphone divulges all confidential
data like credit card numbers and passwords to the hacker, while it sends such data through the fake
Wi-Fi connection. This vulnerability is unpatched in the various smartphone operating systems like Apple iOS
versions 1 to 6 (if networks are added manually to the PNL by users), Android 2, 3 and 4 and BlackBerry
7. It was fixed by Microsoft recently in smartphones using its Windows operating system (Clooke, 2013).
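The PNL weakness described above, seen from the defender's side, as an added example that is not from the paper or from any vendor: Python code that audits a saved-network list for entries that expose the device, then compares scanned networks against the saved profiles. The record layouts, security labels and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Relative strength of link-layer protection (labels are this example's own).
STRENGTH = {"open": 0, "wep": 1, "wpa-psk": 2, "wpa2-psk": 3, "wpa2-enterprise": 4}


@dataclass(frozen=True)
class PnlEntry:
    """One saved network on the device (hypothetical record layout)."""
    ssid: str
    security: str    # a key of STRENGTH
    hidden: bool     # network does not broadcast its SSID
    auto_join: bool  # device joins without asking the user


@dataclass(frozen=True)
class Beacon:
    """One network seen in a passive scan (hypothetical record layout)."""
    ssid: str
    bssid: str
    security: str


def audit_pnl(entries):
    """Return {ssid: [reasons]} for saved networks that expose the device."""
    findings = {}
    for e in entries:
        reasons = []
        if e.hidden:
            # A hidden network cannot be found passively, so the device has
            # to name it in its probe requests, which any listener can read.
            reasons.append("hidden: SSID is announced in probe requests")
        if e.auto_join and e.security == "open":
            # Nothing authenticates an open network, so any access point
            # that uses this name is accepted.
            reasons.append("open+auto-join: any AP with this name is joined")
        if reasons:
            findings[e.ssid] = reasons
    return findings


def classify_beacons(entries, beacons):
    """Compare each scanned network with the saved profile of the same name."""
    saved = {e.ssid: e for e in entries}
    verdicts = []
    for b in beacons:
        entry = saved.get(b.ssid)
        if entry is None:
            continue  # not a preferred network, so no automatic join
        seen, expected = STRENGTH[b.security], STRENGTH[entry.security]
        if seen < expected:
            verdict = "downgrade"     # weaker than the saved profile: refuse
        elif seen > expected:
            verdict = "changed"       # profile is stale: re-verify by hand
        elif b.security == "open":
            verdict = "unverifiable"  # genuine and fake look identical
        else:
            verdict = "consistent"    # handshake must still succeed
        verdicts.append((b.ssid, b.bssid, verdict))
    return verdicts


# Constructed sample data (not taken from any real device or network).
SAMPLE_PNL = [
    PnlEntry("CoffeeShop-Guest", "open", hidden=False, auto_join=True),
    PnlEntry("HomeNet", "wpa2-psk", hidden=True, auto_join=True),
    PnlEntry("Office", "wpa2-enterprise", hidden=False, auto_join=True),
]
SAMPLE_SCAN = [
    Beacon("CoffeeShop-Guest", "02:00:00:00:00:01", "open"),
    Beacon("HomeNet", "02:00:00:00:00:02", "open"),
    Beacon("Office", "02:00:00:00:00:03", "wpa2-enterprise"),
    Beacon("Unrelated", "02:00:00:00:00:04", "open"),
]

if __name__ == "__main__":
    for ssid, reasons in audit_pnl(SAMPLE_PNL).items():
        print(ssid, "->", "; ".join(reasons))
    for ssid, bssid, verdict in classify_beacons(SAMPLE_PNL, SAMPLE_SCAN):
        print(f"{ssid:18} {bssid} {verdict}")
```

Entries that the audit flags are candidates for removal from the PNL or for having auto-join disabled; an "unverifiable" verdict means the link layer gives no assurance, so protection has to come from a higher layer such as TLS or a VPN.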
Cannon (2011, p. 467) stated that “mobile broadband (802.16 or WiMax) using cellular based networks
that allow roaming the internet (Wi-Fi), does so without any real data security. Though WiMax is
becoming increasingly popular because of its low-cost availability in metropolitan areas, WiMax should
always be considered insecure network”. Hornat (2002) documented an issue called the “Wap Gap” in
security of Wireless Application Protocol which is used by wireless mobile devices like cell phones to
connect to the Internet using a common method (Hornat, 2002). Wireless Transport Layer Security
(WTLS), used in WAP versions prior to 2.0, sent the transmission from the wireless device to the WAP gateway in
encrypted format, where it is decrypted and then re-encrypted for use with Transport Layer
Security/Secure Socket Layer (TLS/SSL). Hence a WAP gateway using versions prior to WAP 2.0 was not
considered secure, as an attacker could hack into the wireless gateway and obtain all decrypted
information present in clear text on the gateway. This would make the user of the cell phone believe that
the communications sent via that device to the internet were not secure. Though this issue does not exist
in WAP 2.0, as WTLS has been replaced by TLS, the implementation of WAP 2.0 could take much time
due to the big difference in WAP technologies (Hornat, 2002).
Thus the ever increasing use of mobile technologies like Mobile Technologies in the Wi-Fi based Internet
connections on them for various types of uses has led to the prevalence of increasing security problems.
This study will investigate the effect such issues may have on the use of mobile technologies such as
Mobile Technologies when used for making Wi-Fi based Internet connections. Hence the Smartphone
type of IT mobile system when used in Wi-Fi type public network Internet connections in coffee-shops,
bookstores and restaurants was selected as the context of this study. The coffee-shops, bookstores and
restaurants in the continental United States of America, are identified as the locations for this study since
these places are known to offer Wi-Fi based public network connections that are often not secure. This
would also enable the testing of the generalizability of the results found by Tao (2009) in another setting
(Trochim, 2006). However in IS research the emphasis is now on validating the results of context specific
study from one context by comparing with results obtained by conducting the same study in another
context (Hong, Chan, Thong, Chasalow and Dhillon, 2013). Hence another possible context of this study
could be the secured Wi-Fi networks used in mobile technologies by graduate and undergraduate students
in universities in the continental USA. Based on the above the research questions for this research study
are:
Main Research Question
These are dependent on the context (Hong et al., 2013). Hence for the contexts of both insecure public
Wi-Fi networks and secured Wi-Fi networks the main research question is:
Does the System Security Quality of IT Systems such as mobile technologies, affect their users’ intention
to use those mobile technologies?
Original contribution potential of this research study
This research proposal meets the criterion for being termed as ‘original’ as it will test whether some of the
results obtained in previous research studies by DeLone and McLean (1992, 2003), Tao (2009), D. Utin,
M. Utin and J. Utin (2008), Udo, Bagchi and Kirs (2010), Venkatesh, Morris, G. Davis and F. Davis
(2003) and Liang and Xue (2009) are also valid for the relatively new research area of IT Security (Estelle
& Pugh, 1987). To this degree this research will fit with the existing body of knowledge as it will draw from
these various seminal and other latest published works in IS success, Security, individual attitude and
behavior to create a new research model of System Security Quality of IT Systems. Theoretically this study
will uniquely contribute to knowledge by including Security Effectiveness as an additional aspect of
System Quality in the IS success model of DeLone & McLean (2003) instead of a metric of only
Information Quality. This research study will also make an original and unique contribution to knowledge
in extending in a small albeit important way the Technology Threat Avoidance model (Liang and Xue,
2009) by researching the impact of security effectiveness of specific types of IT Systems on their users’
intentions to use those IT Systems and in turn on their actual use of those specific IT Systems. While
doing so this study will also extend in an important way the IS Success Model (DeLone and McLean, 1992,
2003) and the Technology Acceptance Model (Davis, 1989). This contribution will be unique because, as
Dhillon and Backhouse (2001) concluded, evaluation studies about information systems security that
made use of the socio-organizational perspective are still in the theory-building stage. Hence this research will
fulfill an identified need for empirical research using socio-organizational perspective to “develop key
principles for preventing negative events and therefore to help in the management of security” (Dhillon
and Backhouse, 2001). Warfield (2011) reported “a lack of awareness and knowledge about IT security
effectiveness construct variables and their correlations” (Warfield, 2011). Hence this research study will
add to the body of IT security effectiveness by filling this gap and identifying the underlying variables for
this important construct in the field of IT security.
Another original contribution potential of this research study is the synthesizing of constructs taken from
the many diverse relevant theories of IT security and IS success under a single research model. Theories
like Unified Theory of Acceptance and Use of Technology, Technology Acceptance Theory, Technology
Threat Avoidance Theory, Technology Acceptance Model, Theory of Planned Behavior, Self-Efficacy in
Information Security, Protection Motivation Theory and ‘IS’ Success model have been used to formulate a
single unique integrated research model which has already been deemed as being ‘interesting’ in a
feedback by a senior academic in the field of MIS in a university in the USA.
This research will also contribute to the existing body of knowledge about IT Security use related behavior
by testing out the results already obtained by prior research studies, by attempting to verify them in
another place, time and amongst another set of people (Trochim, 2006) in order to test their
generalizability.
Literature Review
Chin, Felt, Sekar and Wagner (2012) conducted qualitative interviews and quantitative surveys of 60
smartphone users whom they sampled from advertisements they placed on Craigslist. One of the variables
in their study was “People’s relative level of concern about security and privacy on their phone vs. their
laptop” (Chin et al., 2012). They found that users were more worried about their confidentiality on their
phone rather than on their laptop, even though they were less inclined to do banking transactions
involving money and shopping transactions involving their personal information like their social security
number or personal health record, from their phones. Chin et al. (2012) attributed this to an
augmentation of users’ propensity to do some tasks on their phones, which involved their privacy data like
photo sharing, text messaging and location. One of the reasons for this was the users’ “perception of the
security and privacy properties of the phones, and some prevalent misconceptions about the security of
their network connections on their phones” (Chin et al., 2012). While users downloaded more applications
on their phones it was found that they did not give attention to the “applications’ terms of service and
policy agreements”. Chin et al. (2012) recommended an additional observational study to compensate for
the pleasing bias or underreporting issues with self-reported data collected by them.
Boss, Kirsch, Angermeier, Shingler, and Boss (2009) used a 7-point Likert scale to study the impact of
Mandatoriness on individual Precaution Taking Behavior. They found that “mandatoriness and its
antecedents significantly impact individual precaution taking behaviors. The significance of CSE
(Computer Self Efficacy), in turn, may indicate that precaution taking is also a function of individual
comfort with computers and individual’s confidence in their own ability to utilize the computer to
accomplish tasks” (Boss et al., 2009). Boss et al. (2009) also recommended that future research should
investigate the relationship between Information Security and Computer Self Efficacy.
Malhotra, Kim and Agarwal (2004) did a study on impact of Internet Users’ Information Privacy
Concerns (IUIPC) on the type of Information and Behavioral intention to reveal personal information.
Other variables in their study were Risk Beliefs, Collection, Control, Awareness and Trusting Beliefs,
Global Information Privacy concern, Improper Access and Unauthorized Secondary Use and Errors. They
performed Exploratory Factor Analysis and Confirmatory Factor Analysis on Data collected. They found
that Trusting Beliefs significantly and positively influenced Behavioral intention (p<0.001). Risk
Beliefs significantly but negatively influenced Behavioral intention (p<0.001). Level of sensitivity of
information requested had a significantly negative effect on Trusting Beliefs and Behavioral Intention
(p<0.01) but a significantly positive effect on Risk Beliefs (p<0.001). IUIPC had a significant negative
effect on trusting beliefs and a significant positive effect on risk beliefs (p<0.001). Trusting beliefs had a
negative effect on risk beliefs (p<0.01). Malhotra et al. (2004) stated that “behavioral intention is known
reliable predictor of actual behavior by a longitudinal study”. This study will test the generalizability of
this conclusion in another setting (Trochim, 2006) in the realm of IT security effectiveness.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 7
Karlson, Meyers, Jacobs, Johns and Kane (2009) researched mobile phone and PC usage patterns. Web
usage on the phone was found to be only 9.4% (Karlson et al., 2009). However, web usage on
mobile phones is currently very high in the US, as evidenced by the Google/IPSOS OTX MediaCT (2011) study of
smart-phone users. The Google study found that 81% of users used smart-phones to browse the Internet and
77% used them to search for information using a search engine on the Internet. Hence this research study will
attempt to investigate the security implications of this apparent contradiction in the volume of web usage by
phone users, as the greater use of phones on unsecured public Internet or Wi-Fi can make them more prone
to attacks like malware.
Kankanhalli, Teo, Tan and Wei (2003) investigated the effectiveness of an information system, the overall
deterrent effect, the overall prevention effect, and the effect on assets. Kankanhalli et al. (2003) used a
seven point Likert scale to collect data using the survey research method. The results of this study
indicated that “Greater deterrent efforts (in the form of man-hours expended on IS security purposes) and
greater preventive efforts (in the form of more advanced IS security software) appear to contribute to
better IS security effectiveness” (Kankanhalli et al., 2003). For future work, Kankanhalli et al. (2003)
recommended that a wider range of deterrent and preventive measures be used in a wider sample of
organizations to replicate these results. This research study will address this research gap by including
the same and additional deterrent and preventive effort factors and a different sample of organizations, in the
form of bookstores/coffee-shops/restaurants, to test the findings of Kankanhalli et al. (2003).
Straub (1990) surveyed employees in multiple organizations and concluded that “Deterrence measures
such as policies and guidelines about appropriate system use and penalties are effective at improving
security.” Hence this research will test this result to determine its generalizability in another setting or
place (Trochim, 2006).
Lederer et al. (2000) found that when web usage was measured by the 1–7 frequency scale, the impact of
usefulness and ease of use was significant (p<0.001). However usefulness (p<0.01) had a stronger effect
than ease of use (p<0.05). This study will test whether, when IT security effectiveness is considered as an
additional measure of usefulness of System Security Quality based on the Delone and McLean (2003) IS
Success model, this translates into greater usage of those IT Systems.
Conceptual Framework and Theory Development
This section of the literature review presents a brief description of the relevant theories for this research.
The framework of constructs and theoretical development of the various hypotheses for this research
study is based on following theories: Theory of Reasoned Action (Fishbein and Ajzen, 1975), Technology
Acceptance Model (TAM) (Davis, 1989), The Unified Theory of Acceptance and Use of Technology
(UTAUT) (Venkatesh, Morris, Davis, & Davis, 2003), the IS Success Model (DeLone & McLean, 1992,
2003), Technology Threat Avoidance Theory (Liang and Xue, 2009), Social Cognitive Theory (Bandura,
1986) and Protection Motivation Theory (Rogers 1975). This conceptual framework also uses Extension
of Technology Acceptance Model by Fang et al. (2006).
Theory of Reasoned Action (TRA)
According to the Theory of Reasoned Action (Fishbein and Ajzen, 1975), the attitude towards behavior
and subjective norms are predictors of intentions for behavior which in turn is a predictor of behavior.
One of the core concepts of Theory of Reasoned Action is “Attitude towards behavior” (Venkatesh et al.,
2003). Fishbein and Ajzen (1975) defined it as “an individual’s positive or negative feelings (evaluative
effect) about performing the target behavior” (as cited in Venkatesh et al., 2003, p. 428). This theory is
relevant to this research study as it would be used in establishing the hypothesis for the relationship
between Subjective Norm, as the predictor, and Users’ Behavioral Intentions to use IT Systems. According to
Udo et al. (2010) “Ajzen (1985) extended TRA as the theory of planned behavior (TPB)” with “the addition
of one major predictor, perceived behavioral control, to the model. This addition was made to account for
times when people have the intention of carrying out a behavior, but the actual behavior is thwarted
because they lack confidence or control over behavior” (Miller, 2005, p. 127 as cited in Udo et al., 2010).
8 Editors: Gurpreet Dhillon and Spyridon Samonas
Ramayah, Rouibah, Gopi, and Rangel (2009) have clarified that “Perceived behavioral control refers to
the perception of internal and external resource constraints on performing the behavior”.
Technology Acceptance Model (TAM)
TAM states that users’ adoption or use of an information system can be explained by the users’ intention
to use the system, which in turn can be predicted by the users’ attitudinal beliefs (or perceptions) about
using the system and the perceived usefulness of the system (Davis, 1989). The predictors of attitude
about using the system are both perceived usefulness and perceived ease of use, whose predictors are
external factors. This model is relevant to this research study as it helps in identifying predictors of both
usage and behavioral intention to use an information system, and so helps identify predictors of users’
adoption or use of an information system.
Extension of Technology Acceptance Model (ETAM)
The Extension of the Technology Acceptance Model by Fang et al. (2006) postulates that “user intention to
transact is influenced by perceived usefulness and perceived security” (Fang et al., 2006). This theory is
relevant for this research study because it enables treating ‘Users’ perceptions about effectiveness of the
security’ as equivalent to ‘perceived security’ and thus forms the basis of a hypothesis for the relationship between the
constructs Perceived Security Effectiveness and Behavioral Intention to Use.
Unified Theory of Acceptance and Use of Technology (UTAUT)
The UTAUT aims to explain user intentions to use an IS and subsequent usage behavior. The theory holds
that three out of four key constructs (performance expectancy, effort expectancy, social influence) are
direct determinants of usage intention and one construct (facilitating conditions) is a direct
determinant of usage behavior (Venkatesh et al., 2003). Gender, age, experience, and voluntariness of
use are mediators of the impact of the relationship of some or all of these four key constructs on usage
intention and behavior (Venkatesh et al., 2003). The theory was developed through a review and
consolidation of the constructs of eight models that earlier research had employed to explain IS usage
behavior (theory of reasoned action, technology acceptance model, motivational model, theory of planned
behavior, a combined theory of planned behavior/technology acceptance model, model of PC utilization,
innovation diffusion theory, and social cognitive theory). Subsequent validation of UTAUT in a
longitudinal study found it to account for 70% of the variance in usage intention (Venkatesh et al.,
2003) (York University, n.d.). This theory is pertinent to this research study as it enables identification
of pertinent factors in the security realm that predict the construct Behavioral Intention to Use, in addition to
the factors already identified in this theory.
IS Success Model
The updated Information Systems (IS) Success Model (Delone and McLean, 2003) is “a framework and
model for measuring the complex-dependent variable in IS research” (Delone and McLean, 2003). There
are six interrelated constructs of IS success in the updated model. These are information quality, system
quality and service quality, intention to use/use, user satisfaction, and net benefits. “A system can be
evaluated in terms of information, system, and service quality; these characteristics affect the subsequent
use or intention to use and user satisfaction. As a result of using the system, certain benefits will be
achieved. The net benefits will (positively or negatively) influence user satisfaction and the further use of
the information system” (Müller and Urbach, 2011). The updated IS Success model propounded by
Delone and McLean (2003) used Information Quality, System Quality and Service Quality as the
independent variables that affected the subsequent use or intention to use and user satisfaction of any
individual user with that information system. Delone and McLean (2003) stated that “To measure the
success of a single system, “information quality” or “system quality” may be the most important quality
component.” Further they stated:
“System quality,” in the Internet environment, measures the desired characteristics
of an e-commerce system. Usability, availability, reliability, adaptability, and
response time (e.g., download time) are examples of qualities that are valued by
users of an e-commerce system.
“Information quality” captures the e-commerce content issue. Web content should
be personalized, complete, relevant, easy to understand, and secure if we expect
prospective buyers or suppliers to initiate transactions via the Internet and return
to our site on a regular basis.
Since none of the studies listed by ISWORLD (2005) were found to use Security Effectiveness as a
measure of System Quality, this research study plans to use Security Effectiveness of the IT Systems
as an important additional measure of System Security Quality, because the more secure an IT system
is, the better its security quality may be deemed to be. This is different from Delone and McLean
(2003), who used security as a metric for Information Quality. Thus this research study intends to
update or modify the Delone and McLean (2003) IS Success Model. Whereas the Delone and McLean (2003) IS
Success Model refers to how the net benefits can impact the further use of information systems, this
research study will attempt to further analyze whether the benefits of high security quality of IT systems
will result in more usage of IT systems such as mobile technologies. Hence the Delone and McLean (2003)
IS Success Model is relevant for this research.
Technology Threat Avoidance Theory (TTAT)
The technology threat avoidance theory (TTAT) (Liang and Xue, 2009), explains individual IT users'
behavior of avoiding the threat of malicious information technologies. It articulates that avoidance and
adoption are two qualitatively different phenomena and contends that technology acceptance theories
provide a valuable, but incomplete, understanding of users' IT threat avoidance behavior. Drawing from
cybernetic theory and coping theory, TTAT delineates the avoidance behavior as a dynamic positive
feedback loop in which users go through two cognitive processes, threat appraisal and coping appraisal, to
decide how to cope with IT threats. In the threat appraisal, users will perceive an IT threat if they believe
that they are susceptible to malicious IT and that the negative consequences are severe. The threat
perception leads to coping appraisal, in which users assess the degree to which the IT threat can be
avoided by taking safeguarding measures based on perceived effectiveness and costs of the safeguarding
measure and self-efficacy of taking the safeguarding measure. TTAT posits that users are motivated to
avoid malicious IT when they perceive a threat and believe that the threat is avoidable by taking
safeguarding measures; if users believe that the threat cannot be fully avoided by taking safeguarding
measures, they would engage in emotion-focused coping. TTAT is relevant for this research as it helps to
derive the hypothesis about the relationship between the constructs Actual security effectiveness of IT
Systems and Users’ perceptions about security effectiveness of those IT Systems.
Social Cognitive Theory
In Social Cognitive Theory (Bandura, 1986) “people are viewed as self-organizing, proactive, self-reflecting
and self-regulating rather than as reactive organisms shaped and shepherded by environmental
forces or driven by concealed inner impulses. From this theoretical perspective, human functioning is
viewed as the product of a dynamic interplay of personal, behavioral, and environmental influences”
(Pajares, 2002). One of the central concepts of Social Cognitive Theory is Self-Efficacy.
Bandura's (1997) key contentions as regards the role of self-efficacy beliefs in human functioning
is that "people's level of motivation, affective states, and actions are based more on what they
believe than on what is objectively true" (p. 2). For this reason, how people behave can often be
better predicted by the beliefs they hold about their capabilities than by what they are actually
capable of accomplishing, for these self-efficacy perceptions help determine what individuals do
with the knowledge and skills they have. This helps explain why people's behaviors are sometimes
disjoined from their actual capabilities and why their behavior may differ widely even when they
have similar knowledge and skills. Pajares (2002)
Rhee et al. (2009) used the Social Cognitive Theory to model and test relationships among self-efficacy
in information security, security practice behavior and motivation to strengthen security efforts. Thus this
theory is relevant for this research study as it will help to establish the hypothesis between the constructs
self-efficacy about the IT Systems security and behavioral intentions to use such IT Systems.
Protection Motivation Theory (PMT)
"Protection Motivation Theory (Rogers, 1975; 1983) is partially based on the work of Lazarus (1966) and
Leventhal (1970)" (University of Twente, 2013). It states the different ways of coping with threat to health
resulting from two appraisal methods. The appraisal of the health threat and the appraisal of the coping
responses produces the intention to perform either adaptive responses which are akin to protection
motivation or may lead to maladaptive responses. An individual can be placed at health risk as a result of
maladaptive responses. According to the Protection Motivation Theory the intention to protect oneself
depends upon four factors namely the perception of the severity of threat event, the perception about the
probability of the threat happening or the individual's vulnerability to it, the effectiveness of the behavior
recommended to prevent the threat (also called perceived response efficacy) and the confidence level in
the person's ability to undertake the recommended preventive behavior (also called perceived
self-efficacy). This theory is pertinent to this research study as it posits that moderate to high levels of
response efficacy are associated with positive inclinations of threat mitigation whereby a recommended
response is enacted. Hence it helps establish the hypothesis between the constructs users’
response-efficacy about the IT Systems security and users’ behavioral intentions to use such IT Systems.
Constructs for this research
Systems Security Quality of IT Systems
The definition of Software quality by IEEE states that "Quality is the Degree to which the Software Meets
User's Needs" (Anonymous, 2003). Hence System Quality is the degree to which the System meets its
user's needs. Since a System is comprised of Sub-systems or processes, an IT System like mobile
technology also has Sub-Systems, such as the operating system, the software and the
hardware components. Hence the quality of the security functions (if any) of these sub-systems will be the
parameters used to improve the overall Security functionality of the mobile technologies. This is
supported by the functionality aspect of a product or system in which security is shown as a
sub-characteristic derived from the quality aspect of that functionality (Retna, Vargheese, Susaya and Joseph,
2010). One of the independent variables in the conceptual model of Gable, Sedera and Chan (2008) is
Quality (impacts anticipated). System quality was perceived by Gable, Sedera and Chan (2008) as being
one part of IT Artifact, the other being Information Quality. System quality in Delone and McLean's IS
Success model is mapped to the IS-Net by Gable, Sedera and Chan (2008) as part of IT-Artifact, which is
shown as a formative construct impacted by Capabilities and Practices of the IT function.
Delone and McLean (1992) characterize system quality as desired characteristics of the information
system itself such as its ease-of-use, functionality, reliability, flexibility, data quality, portability,
integration and importance. Serpanos and Wolf (2011), who discussed Quality of Service and
security for network systems, stated that “availability of access to network resources is an important
consideration that cannot be addressed by cryptographic protocols. To mitigate the impact of
denial-of-service attacks, additional functionality in network systems is necessary”. Since mobile technologies
access networks like Wi-Fi based Internet, for this research study the System Security Quality of IT
Systems such as mobile technologies is defined as the desired security characteristics of those mobile
technologies in terms of prevention (encryption, security transmission, protection from infection) and
deterrence. Thus the desired security characteristics of mobile technologies are the security functionality
features required from these technologies and the 'Functionality' attribute is included in Delone and
McLean's Definition of System Quality.
Schneider (2012) has stated that a complete approach to mobile security involves five different security
features comprising the back-end, the application, out-of-band authentication, the mobile operating
system and the hardware itself, which could include security layers in addition to that offered by the
mobile operating system. Hence the System Security Quality of IT Systems can also be defined as the
extent to which an IT system like the mobile technology is seen to be able to accomplish the security
objectives of these five different security features. This is because preventive efforts are the ones that
prevent or thwart a security attack from happening. Examples of these are installed advanced security
tools such as authentication devices and firewalls (Schuessler, 2009). Similarly, advanced software tools
like anti-virus, anti-malware and anti-spyware software, encryption software and the use of virtual private
networks are some of the preventive efforts that help in stopping attacks on ‘IT Systems’ from
public networks like Wi-Fi. Hagen and Spilling (2009) reported that security policy was included as a
deterrent measure by Wiant (2005). Straub Jr. (1990) also included the presence of an IS security policy for
system use as a deterrent against computer abuse. Thus System Security Quality of mobile technologies
can be stated in terms of their prevention capabilities (encryption, security transmission, protection from
infection) against security attacks and in terms of their deterrence capabilities against abuse of mobile
technologies by any malicious users using such technologies. It is envisaged that this will be a 2nd order
construct in this research. Hence the better the System Security Quality of the mobile technologies, the
more useful they will be to users in keeping the confidential information transmitted via them or stored
in them secure.
Behavioral Intention to Use IT Systems
Dunkerley and Tejay (2011) define User Intention as “The intentions of the users toward protective
measures of an information system”. An individual’s motivation or intention to use a system has been
explained with the help of many theories like the Theory of Reasoned Action (Fishbein & Ajzen, 1975).
From information systems perspective, other relevant theories for this research include the Technology
Acceptance Model (TAM) (Davis, 1989), the Unified Theory of Acceptance and Use of Technology
(UTAUT) (Venkatesh, Morris, Davis, & Davis, 2003), the IS Success Model (DeLone & McLean, 1992,
2003). Consistent with Theory of Reasoned Action (TRA), TAM assumes that attitudes about a system
(operationalized as ‘perceived usefulness’ and ‘perceived ease of use’), will impact the motivation
(intention) to use a system, which in turn leads to actual usage. The TAM has been used and modified by
several studies and has been proven to be a reliable predictor of a person’s acceptance of information
technology (Gefen, Karahanna and Straub, 2003; King and He, 2006; Wang, 2002). In their study Udo et
al. (2010) have stated “UTAUT consistent with TAM also assumes that user intentions to use an
information system lead to subsequent usage behavior”. Trkman and Trkman (2009) have stated “in
order to be able to study Web 2.0 systems the construct ‘intention to use’/‘use’ should be separated into
two inter-connected constructs.” Hence this study is going to treat ‘Actual use of the IT Systems by the
users’ and ‘Users’ behavioral intentions to use IT system’ as two separate but related constructs with the
latter possibly affecting the former.
Users’ Perceptions about System Security Quality of IT Systems
Users’ perceptions comprise their perceptions about perceived usefulness and perceived ease of use with
the information system (Davis, 1989). “A system high in perceived usefulness, is one for which a user
believes in the existence of a positive use-performance relationship, whereas an application perceived to
be easier to use will more likely be used by users” (Davis, 1989). Hence an individual user’s positive or
negative feelings about the usefulness of security of the IT system and the ease of use experienced in
configuring the various security parameters may affect his or her behavioral intentions to use such IT
Systems. Madnick (2006) stated that “Perception is Reality and Behavior is based on your perceptions”.
Since an individual’s positive or negative feelings reflect those users’ perceptions based on usefulness and
ease of use of the system, hence users’ perceptions about IT security effectiveness may influence those
users’ intentions to use the respective IT Systems.
Another factor that may also impact users’ perceptions about IT security effectiveness is users’ knowledge
of any industry specific regulation for data security and privacy. As there is presently no such regulation
for the hospitality industry, it is a moot point whether knowledge about such regulation would
strengthen users’ perceptions about security effectiveness of IT Systems in hotels, motels, resorts,
restaurants and book-stores, coffee-shops in hospitality industry, just like SOX, GLBA do in financial
sector and best practice frameworks of the IT Governance Institute (ITGI) and The Control Objectives for
Information and related Technology (COBIT) do in other IT sectors. A facet of IT Security Management’s
maturity in the hospitality industry is whether hotels, motels, resorts, restaurants, book-stores and
coffee-shops provide knowledge about relevant legal and regulatory/compliance aspects of their industry to staff
and users of Mobile Technologies who use their Wi-Fi in various sectors of the hospitality industry. Also,
whether they provide general information about these aspects, if published in their brochures and web
sites, to potential and actual guests could impact these users’ perceptions about the effectiveness of
security of IT systems like Mobile Technologies when used in public networks like Wi-Fi.
In case of IT Systems the safeguarding measure users may take is to avail of the security features of the IT
system to avoid the threats they perceive from it, by using that IT system. A study of the implications
for the hotel industry of an international comparison of approaches to online privacy protection (O’Connor,
2006) found that “two diametrically opposed philosophies to privacy protection exist - the self regulation
approach epitomized by the United States, or the legislative approach mandated by the European Union
which is now the de-facto standard adopted worldwide”. Hence if coffee-shops/bookstores/restaurants
allow unsecured Internet access to their employees, then the employees can be held liable for any breach
that may happen on unsecured networks due to the tenet of self regulation in the US. This in turn could
negatively affect such users’ perception about the security effectiveness of IT Systems using insecure
Wi-Fi based Internet and may decrease the usage of such IT Systems by employees in these places. The same type
of scenario may be applicable to guests of a coffee-shop/bookstore/restaurant if they use the insecure Wi-Fi
based Internet access available in these places on their respective Mobile technologies.
A paradox in IT security is that with all the awareness, tools and strategies for securing Information
Systems (IS) available, the incidents of malware infection and data breaches for users in organizations
continue to be on the rise (Ponemon Institute, 2010). The study also found that applications based on the
web and those created by third parties were most attacked by malware (Ponemon Institute, 2010). Hence
such experiences of malware attacks could have negatively impacted individual users’ perceptions regarding
the effectiveness of the security of the web based IT Systems they use in organizations. This is based on a new
theory called Technology Threat Avoidance Theory (TTAT) “which explains individual IT users’ behavior
of avoiding the threat of malicious information technologies” (Liang and Xue, 2009). Liang and
Xue (2009) explained that in TTAT the way users perceive threats is a function of “perceived probability
of the threat’s occurrence and the perceived severity of the threat’s negative consequences.” According to
Liang and Xue (2009), whether a safeguarding measure can make a threat avoidable is evaluated by
individual users on the basis of three factors, namely the effectiveness of the measure, the costs of the
measure, and users’ self-efficacy of taking the measure. Since IT Systems’ capability to avoid security
threats is determined by their security features, the effectiveness of security of the IT Systems could
have an impact on their users' perceptions about the effectiveness of those IT systems. To test this the
following hypothesis is proposed.
Research Hypothesis 1 (H1)
System security quality of IT Systems (SSQ) will positively affect their users’ perceptions about the
systems security quality of those IT Systems (UPSSQ)
Based on extension of Technology Acceptance Model, Fang et al. (2006) found that “user intention to
transact is influenced by perceived usefulness and perceived security. A survey was conducted to collect
data about user perception of 12 tasks that could be performed on wireless handheld devices and user
intention to use wireless technology. Multiple regression analyses supported the proposed research
model.” Assuming ‘Users’ perceptions about effectiveness of the security’ to be equivalent to ‘perceived
security’, the following hypothesis is derived based on the extension of the Technology Acceptance Model
(Fang et al., 2006).
Research Hypothesis 2 (H2)
Users’ perceptions about the system security quality of IT Systems (UPSSQ) will positively affect their
behavioral intentions to use such IT Systems (UBIU).
As the prevention and deterrence constructs are also the indicator variables for the variable ‘Actual
Security Effectiveness’ of IT Systems, this will be used as an additional important aspect of the System
Security Quality of IT Systems construct in this research. As this research study plans to use Actual
Security Effectiveness of the IT Systems as an additional important aspect of System Security Quality in
the updated IS Success Model of Delone and McLean (2003), this in turn could positively impact the
users’ intention to use that IT system based on the Technology Acceptance Model (Davis, 1989), as higher
System Security Quality of the IT System will be reflected as higher perceived usefulness of that system.
Based on this the following hypothesis is derived for testing:
Research Hypothesis 3 (H3)
Systems security quality of IT systems (SSQ) will positively affect their users’ behavioral intentions to
use those IT systems (UBIU).
Users’ Self-Efficacy
Information systems research studies generally refer to the concept of ‘self-efficacy’ as the judgment of an
individual’s ability to use a computer technology (Compeau, Higgins & Huff, 1999). Torkzadeh, Chang
and Demirhan (2006) state that “Self-efficacy is a dynamic construct that changes as new
information and experiences are acquired”. Torkzadeh et al. (2006) introduced the term Internet
self-efficacy in addition to computer self-efficacy. Computer self-efficacy is defined as the belief that an
individual has in his/her abilities to use a computer (Torkzadeh et al., 2006). By extension Internet
self-efficacy could be defined as the belief that an individual has in his/her abilities to use the Internet. This
belief could then affect that user’s intentions to use the Internet.
Rhee, Kim and Ryu (2009) have defined self-efficacy in information security (SEIS) as “a belief in one’s
capability to protect information and information systems from unauthorized disclosure, modification,
loss, destruction, and lack of availability.” This research will focus on the self-efficacy in information
security (SEIS) as the relevant construct.
The importance of self-efficacy in the computing domain has been shown repeatedly in many past studies
(Chan, Thong, Venkatesh, Brown, Hu and Tam, 2010). Agarwal et al. (2000) found that computer use and
its early adoption were affected by self-efficacy. According to Brown et al. (2002) a key driver of intention
to use a technology is the users’ ability to use that technology. Self-efficacy reinforces users’
self-confidence about their capability to use that technology (Brown et al., 2002). The results of the study by
Yangil and Chen (2007) on the adoption of smartphones “indicate that behavioral intention to use was largely
influenced by perceived usefulness (PU) and attitude toward using smartphone”. Hence Users’
Behavioral Intentions to use IT Systems like Mobile technologies could be influenced by their Self-Efficacy
about security of such IT Systems.
Rhee et al. (2009) found that SEIS demonstrated a significant positive relationship with intention to
strengthen security effort. Users with higher SEIS were more likely to exert high levels of effort to enhance
information security (p < .001). In another study Bulgurcu, Cavusoglu and Benbasat (2010) found that
users’ self-efficacy was more strongly related to their behavioral intentions. Extant literature also points
to users’ self-efficacy being more strongly and positively related to their behavioral intentions. However,
in somewhat of a contrast, Anderson & Agarwal (2010) concluded that security behavior self-efficacy is
positively related to attitude toward security-related behavior and this in turn was positively related to
behavioral intentions to protect the Internet. Security technologies adopted by individuals include anti-virus, anti-spyware, and pop-up blocking functions and ‘security risk management behavior’ includes
security compliance actions like using strong and complex passwords while using the Internet and
computer (Crossler and Belanger, 2009). Hence this study will test whether the above stated findings of
Bulgurcu, Cavusoglu and Benbasat (2010) are valid for the effect of users’ Self-Efficacy in Information
Security on their behavioral intentions to use such IT Systems and hence whether SEIS could impact
individual users’ intentions to use these security technologies for IT Systems.
14 Editors: Gurpreet Dhillon and Spyridon Samonas
According to Liang and Xue (2010) "self-efficacy (is) defined as users’ confidence in taking the
safeguarding measure". They identified three factors to be considered by users in evaluating threat
avoidance by applying relevant strategies. These factors, included in TTAT, are effectiveness, costs and
user self-efficacy in applying these strategies. According to Liang and Xue (2010) the preventive strategies
in the IT security context are IT behaviors like anti-virus software installation, turning off cookies and
editing the computer registry files. They also found from prior research that the higher the level of users’ self-efficacy, the more they became inspired to perform such IT security behaviors. For the purpose
of empirical testing, Liang and Xue (2010) selected spyware as the malicious IT and antispyware software
as the appropriate preventative IT technology.
IT security uses various technologies like encryption for safeguarding of information in smart-phones and
antispyware for removing any spyware or malware that may get downloaded via the insecure Wi-Fi use by
users of smart-phones. This is because the insecure yet free Wi-Fi is an alternative way for smart-phone
users to connect to the Internet, in comparison to the secure yet paid 3G/4G connections offered by the
vendors. Hence, this research study will test whether users’ “beliefs about their abilities” to use these
security features will also positively affect users’ behavioral intentions to use insecure Wi-Fi in smart-phones. This research study will also focus on selected spyware as one of the malicious IT threats and
antispyware software as the countering measure for insecure Wi-Fi use in smart-phones, to test out the
results of Liang and Xue (2010). This research study would also attempt to test the generalizability of
results obtained by Liang and Xue (2010), by using a different set of users all of whom may not necessarily
be college students and in a different context of bookstores/coffee-shops/restaurants providing Wi-Fi for
smart phones.
In another recent study Ooi, Sim, Yew and Lin (2011) found that Self-Efficacy was
“significantly (p<0.01) and positively related with intention to use broadband”. Discussing these results
Ooi et al. (2011) stated that various studies conducted in the last five or six years found self-efficacy
impacting the broadband usage decision by users. Supporting this Ooi et al. (2011) concluded that
consumers are more likely to adopt the broadband services if they have higher confidence implying higher
self-efficacy with the broadband technology.
Johnston and Warkentin (2010) have stated that self-efficacy is “the degree to which an individual
believes in his or her ability to enact the recommended response”. They regard self-efficacy as a
determinant of intent concerning a recommendation to address a threat. They also found that self-efficacy (p < .01) has significant positive effects on behavioral intent. Hence this research would also test
whether these results found by Johnston and Warkentin (2010) are valid in the context of
bookstores/coffee-shops/restaurants providing Wi-Fi for smart phones.
Research Hypothesis 4 (H4)
Users’ self-efficacy about the IT Systems security (USE) will positively affect their behavioral intentions
to use such IT Systems (UBIU).
Users’ Response Efficacy
Johnston and Warkentin (2010) define “response efficacy as the degree to which an individual believes
the response to be effective in alleviating a threat”. According to Johnston and Warkentin (2010), users
perform evaluation of the perceived effectiveness of the plausible response to nullify the identified threat.
Such response efficacy process is envisaged to be a thought based process. Users’ understanding derived
through their response efficacy will decide the way in which they opt to mitigate the risks from the threat.
According to Protection Motivation Theory (Rogers, 1975) moderate to high levels of response efficacy are
associated with positive inclinations of threat mitigation whereby a recommended response is enacted.
Johnston and Warkentin (2010) concluded that response efficacy had a significant positive effect on
behavioral intent (p < .01). Extending this argument to the realm of mobile security, it remains to be seen
whether an end-user will consider all the capabilities of the anti-spyware software and then form an
opinion whether to download, install and use anti-spyware software as a safeguard against spyware
infecting his/her smart-phone through the Wi-Fi. Hence this research study proposes the following
hypothesis to test out the conclusions of Johnston and Warkentin (2010) in another place, time and
among another set of people (Trochim, 2006). For the purposes of this research study the construct
Response Efficacy will be the same as Users’ Response Efficacy.
Research Hypothesis 5 (H5)
Users’ response-efficacy about the IT Systems security (URE) will positively affect their behavioral
intentions to use such IT Systems (UBIU).
Users’ Subjective norms
Subjective norms are “an individual’s perceptions of the presence or absence of the requisite resources or
opportunities necessary for performing behavior” Ajzen & Madden (1986) as cited in Luarn and Lin
(2005). Hence subjective norms are defined as “an individual’s subjective evaluation that the performance
of the behavior in question is approved or disapproved by most people who are important to him or her”
Ajzen (1991); Fishbein & Ajzen (1975) as cited in Ramayah et al. (2009). Ooi et al. (2011) have stated that
Subjective norm is one of the factors which comprise Behavioral Intentions in Theory of Planned
Behavior, which along with Attitude and Perceived Behavioral control drive the IT usage done by users.
Ooi et al. (2011) found that Primary Influences, which are akin to Subjective norms, “were found to be
significantly and positively related with intention to use broadband”. This is because subjective norms are
“the beliefs on how users should behave regarding the usage of IT in relation to other people expectations”
(Ooi et al., 2011). Hence, it is possible that Subjective Norms could also positively affect users’ behavioral
intentions for using IT Systems.
Anderson and Agarwal (2010) stated that intentions to conform to security behavior in workplace are
positively influenced by social norms. They concluded that “Subjective norm, or what an individual
believes others think he/she should do, influences an individual’s protective behavior toward his/her own
computer but not the Internet as a whole” (Anderson and Agarwal, 2010). Extending this to the realm of IT
systems like mobile technologies, this research study also proposes to test the generalizability of this
conclusion in another place, time and among another set of people (Trochim, 2006), regarding Wi-Fi use on
smart-phones in coffee-shops/bookstores/restaurants by the following hypothesis:
Research Hypothesis 6 (H6)
Users’ subjective norms about the IT Systems (USN) will positively affect their behavioral intentions to
use those IT Systems (UBIU).
Mediation
Assuming ‘Users’ perceptions about effectiveness of the security’ to be equivalent to ‘perceived security’
implies that the higher the systems security quality of IT systems, the higher would be their users’
perceptions about security effectiveness of those IT systems, which in turn would result in greater
behavioral intentions in those users to use such IT systems (Ronen & Mikulincer, 2009). Thus users’
perceptions about the security effectiveness of IT systems could intervene or mediate (Kenny, 2014)
between the systems security quality of IT systems and their users' intentions to use IT systems. Hence based
on Technology Threat Avoidance Theory (Liang and Xue, 2009) and the extension of the Technology
Acceptance Model (Fang et al., 2006) users’ perceptions about IT Systems’ security effectiveness could be
a mediating variable in the relation between effectiveness of security of IT Systems and the users’
intentions to use such IT Systems (Huigang et al., 2007). Thus the hypothesis for this possible mediation
is proposed as:
Mediation Hypothesis 7 (H7)
Users’ perceptions about the system security quality of IT systems (UPSSQ) mediate the relationship
between the system security quality of such IT systems (SSQ) and Users' behavioral intentions to use IT
systems (UBIU).
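One common way to test a mediation hypothesis such as H7 is the regression-step procedure of Baron and Kenny (1986) followed by a Sobel test of the indirect effect. The following is an added example, not part of the original paper: it assumes that procedure, the data are constructed, and the function names (`ols`, `mediation`, `constructed_sample`) and simulated coefficients are illustrative only.

```python
import math
import random


def invert(m):
    """Invert a small square matrix by Gauss-Jordan elimination with pivoting."""
    k = len(m)
    aug = [row[:] + [float(i == j) for j in range(k)] for i, row in enumerate(m)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("predictors are collinear")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(k):
            if r != col:
                f = aug[r][col]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]


def ols(y, *xs):
    """Least-squares fit of y on an intercept plus the predictors in xs.

    Returns (coefficients, standard_errors); index 0 is the intercept.
    """
    n, k = len(y), len(xs) + 1
    rows = [[1.0] + [x[i] for x in xs] for i in range(n)]
    xtx = [[sum(r[a] * r[b] for r in rows) for b in range(k)] for a in range(k)]
    xty = [sum(r[a] * yi for r, yi in zip(rows, y)) for a in range(k)]
    inv = invert(xtx)
    beta = [sum(inv[a][b] * xty[b] for b in range(k)) for a in range(k)]
    resid = [yi - sum(bj * rj for bj, rj in zip(beta, r)) for r, yi in zip(rows, y)]
    sigma2 = sum(e * e for e in resid) / (n - k)
    se = [math.sqrt(sigma2 * inv[a][a]) for a in range(k)]
    return beta, se


def mediation(ssq, upssq, ubiu):
    """Baron-Kenny steps for SSQ -> UPSSQ -> UBIU, plus the Sobel z statistic."""
    # Step 1: total effect c of SSQ on UBIU (H3).
    (_, c), _ = ols(ubiu, ssq)
    # Step 2: path a, SSQ on the proposed mediator UPSSQ (H1).
    (_, a), (_, se_a) = ols(upssq, ssq)
    # Step 3: path b (UPSSQ on UBIU, H2) and direct effect c' with both predictors.
    (_, c_prime, b), (_, _, se_b) = ols(ubiu, ssq, upssq)
    indirect = a * b
    sobel_se = math.sqrt(b * b * se_a ** 2 + a * a * se_b ** 2)
    return {"c": c, "a": a, "b": b, "c_prime": c_prime,
            "indirect": indirect, "sobel_z": indirect / sobel_se}


def constructed_sample(n=200, seed=7):
    """Constructed composite scores on a 1-5 scale; not survey data."""
    rng = random.Random(seed)
    ssq = [rng.uniform(1, 5) for _ in range(n)]
    upssq = [1.0 + 0.6 * s + rng.gauss(0, 0.5) for s in ssq]
    ubiu = [0.5 + 0.1 * s + 0.7 * p + rng.gauss(0, 0.5)
            for s, p in zip(ssq, upssq)]
    return ssq, upssq, ubiu


if __name__ == "__main__":
    for name, value in mediation(*constructed_sample()).items():
        print(f"{name:9s} {value: .3f}")
```

Mediation is supported when paths a and b are significant and the direct effect c' is smaller than the total effect c; with least-squares estimates on one sample, c equals c' plus the indirect effect a*b.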
[Figure 1 diagram. Constructs shown: System Security Quality of IT Systems (SSQ); Users’ perceptions about System Security Quality of IT Systems (UPSSQ), marked MV and also labelled (PSE); Users’ Self-Efficacy about IT Systems Security (USE); Users’ Response Efficacy about IT Systems Security (URE); Users’ Subjective Norms towards IT Systems security (USN); Users’ specific IT usage activities (USUA), marked Control Variable (CV); Users’ Behavioral Intentions to use IT Systems (UBIU). Path labels: H1+, H2+, H3+, H3(ii)+, H4+, H5+, H6+, H7.]
Figure 1. Conceptual Research Model. This figure shows the independent, dependent and mediating
constructs for this research and the hypothesized causal relationships among them.
LEGEND:
MV: Mediating Variable
CV: Control Variable
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 17
Table 1 - List of Hypotheses
Hypothesis | Statement | Relevant Theory
H1 | System security quality of IT Systems (SSQ) will positively affect their users’ perceptions about the systems security quality of those IT Systems (UPSSQ). | Technology Threat Avoidance Theory (Liang and Xue, 2009)
H2 | Users’ perceptions about the system security quality of IT Systems (UPSSQ) will positively affect their behavioral intentions to use such IT Systems (UBIU). | Technology Acceptance model (Davis, 1989), IS Success Model (Delone & McLean 1992, 2003), Extension of Technology Acceptance Model (Fang et al. 2006).
H3 | Systems security quality of IT systems (SSQ) will positively affect their users’ behavioral intentions to use those IT systems (UBIU) | Technology Acceptance model (Davis, 1989), IS Success Model (Delone & McLean 1992, 2003)
H4 | Users’ self-efficacy about the IT Systems (USE) security will positively affect their behavioral intentions to use such IT Systems (UBIU). | Self-efficacy beliefs in information security (SEIS) (Rhee et al, 2009) based on Social cognitive theory (Bandura 1977). Technology Threat Avoidance Theory (TTAT) (Liang and Xue, 2009).
H5 | Users’ response-efficacy about the IT Systems security (URE) will positively affect their behavioral intentions to use IT Systems (UBIU). | Protection Motivation Theory (Rogers 1975)
H6 | Users’ subjective norms about the IT Systems (USN) will positively affect their behavioral intentions to use those IT Systems (UBIU). | Theory of Reasoned Action (Fishbein and Ajzen, 1975)
H7 | Users’ perceptions about the system security quality of IT systems (UPSSQ) mediate the relationship between the system security quality of such IT systems (SSQ) and Users' behavioral intentions to use IT systems (UBIU). | Technology Threat Avoidance Theory (Liang and Xue, 2009), extension of the Technology Acceptance Model (Fang et al., 2006) Technology Acceptance model (Davis, 1989), IS Success Model (Delone & McLean 1992, 2003).
References
AccessIT (2000). What is electronic and information technology? The National Center on Accessible
Information Technology in Education. Retrieved from
https://www.washington.edu/accessit/articles?106
Agarwal, R., Sambamurthy, V., & Stair, R.M. (2000). Research Report: The Evolving Relationship
between General and Specific Computer Self-Efficacy-An Empirical Assessment. Information
Systems Research, 11(4), 418-430.
Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. J. Kuhl & J. Beckmann (Eds.).
Berlin: Springer.
Aladwani, A. M. & Palvia, P.C. (2002). Developing and validating an instrument for measuring user-perceived web quality. Information & Management, 39, 467–476.
Anderson, H. (2013). Study: Cybercrime Costs Grow 26%-Ponemon Report Sorts Through Key Factors.
Data Breach Today. Retrieved from http://www.databreachtoday.com/blogs/study-cybercrimecosts-grow-26-p1562?rf=2013-10-10
edbt&elq=685d805204e34086a62b3a1de8abc549&elqCampaignId=8036
Anderson, C. L., & Agarwal, R. (2010). Practicing Safe Computing: A Multimethod Empirical Examination
of Home Computer User Security Behavioral Intentions. MIS Quarterly, 34(3), 613-643.
Anonymous (2003). IEEE Definition of Software Quality. Retrieved from
faculty.winthrop.edu/dannellys/csci626/02_Definition.ppt
April, G.D., & Pather, S. (2008). Evaluating Service Quality Dimensions within e-Commerce SMEs. The
Electronic Journal Information Systems Evaluation, 1(3), 109 – 124.
Armin, J. (2013). Mobile Threats and the Underground Marketplace. APWG White Paper: Mobile Fraud.
Retrieved from
http://docs.apwg.org/reports/mobile/apwg_mobile_fraud_report_april_2013.pdf
Bagozzi, R. P. (2011). Measurement and Meaning in Information Systems and Organizational Research:
Methodological and Philosophical Foundations. MIS Quarterly, 35(2), 261-292.
Bandura, A. (1986). Social foundations of thought and action: A social cognitive theory. Englewood Cliffs,
NJ: Prentice Hall.
Baron, R. M., & Kenny, D. A. (1986). “The Moderator–Mediator Variable Distinction in Social
Psychological Research: Conceptual, Strategic, and Statistical Considerations,” Journal of
Personality and Social Psychology, (51), 1173-1182.
Baroudi, J.J. & Orlikowski, W.J. (1989). The Problem of Statistical Power in MIS Research. MIS
Quarterly, 13(1), 87-106.
Beldona, S., & Cobanoglu, C. (2007). Importance-Performance Analysis of Guest Technologies in the
Lodging Industry. Cornell Hotel and Restaurant Administration Quarterly, 48(3), 299-312.
Retrieved from http://cqx.sagepub.com/content/48/3/299.
Bode, C., Wagner, S.M., Petersen, K.J., & Ellram, L.M. (2011). Understanding Responses To
Supply Chain Disruptions: Insights from Information Processing and Resource Dependence
Perspectives. Academy of Management Journal, 54(4), 833–856.
Boland, Jr., R.J., & Hirschheim, R.A. (1987). Critical issues in information systems research. New York,
NY: John Wiley & Sons, Inc.
Bollen, K.A. (2011). Evaluating Effect, Composite, and Causal Indicators in Structural Equation Models.
MIS Quarterly, 35(2), 359-372.
Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., & Boss, R. W. (2009). If someone is watching, I’ll
do what I’m asked: mandatoriness, control, and information security. European Journal of
Information Systems, 18, 151-164.
Bostrom, R.P., Gupta, S., & Thomas, D. (2009). A Meta-Theory for Understanding Information Systems
within Socio-technical Systems. Journal of Management Information Systems, 26(1), 17–47.
Bradley, T. (2010). Introduction to Wireless Network Security-Security in 6 Easy Steps.
Retrieved from http://netsecurity.about.com/od/hackertools/a/aa072004b_2.htm
Breaugh, J. A. (2003). Effect Size Estimation: Factors to Consider and Mistakes to Avoid. Journal of
Management, 29(1), 79-97.
tmo_brian. (2011). Wireless Security Troubleshooting: Mobile HotSpots. In Welcome to T-Mobile
Support, 9. Retrieved from http://support.t-mobile.com/docs/DOC-2353
Browdie, B. (2013). Majority of Americans Own Smartphones, Pew Survey Finds. American Banker-Bank
Technology News June 2013. Retrieved from
http://www.americanbanker.com/issues/178_110/majority-of-americans-own-smartphonespew-survey-finds-1059709
1.html?ET=americanbanker:e15671:725399a:&st=email&utm_source=editorial&utm_medium=e
mail&utm_campaign=BTN_Weekly_071711_061013
Brown, S. A., Massey, A. P., Montoya-Weiss, M. M., & Burkman J. R. (2002). “Do I really have to? User
acceptance of mandated technology,” European Journal of Information Systems, 11(4), 283-295.
Beaudry, A., & Pinsonneault, A. (2010). The Other Side of Acceptance: Studying the Direct and Indirect
Effects of Emotions on Information Technology Use. MIS Quarterly, 34(4), 689-710.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An
Empirical Study of Rationality-Based Beliefs. MIS Quarterly, 34(3), 523-548.
Cannon, D. L. (2011). CISA Certified Information Systems Auditor Study Guide Third
Edition. Wiley Publishing, Inc., Indianapolis, Indiana.
Carmitchel, K. (2011). Video: Wi-Fi Only iPad 2 GPS Navigation. Retrieved from
http://www.tabletmonsters.com/news/video-wi-fi-only-ipad-2-gps-navigation
Chan, F. K.Y., Thong, J.Y.L., Venkatesh, V., Brown, S. A., Hu, P. J-H., & Tam, K. Y. (2010). Modeling
Citizen Satisfaction with Mandatory Adoption of an E-Government Technology. Journal of the
Association for Information Systems 1(10), 519-549.
Chang, J., Torkzadeh, G., & Dhillon, G. (2004) “Reexamining the Measurement Models of Success for
Internet Commerce”. Information and Management, 41(5), 577-584.
Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated Failures, Diversification and Information Security
Risk Management. MIS Quarterly, 35(2), 397-422.
Chin, E., Felt, A.P., Sekar, V. & Wagner, D. (2012). Measuring User Confidence in Smartphone Security
and Privacy. Symposium on Usable Privacy and Security (SOUPS) 2012. Washington, DC.
Retrieved from http://cups.cs.cmu.edu/soups/2012/proceedings/a1_Chin.pdf
Choobineh, J., Dhillon, G., Grimalla, M. & Rees, J. (2007). Management of information security:
challenges and research directions. Communications of the AIS, 20, 958-971.
Clooke, R. (2013). Hidden Wi-Fi Dangers Revealed. Retrieved from
http://www.mobilesecurity.com/articles/567-hidden-wi-fi-dangers-revealed.
CNN (Producer). (2012, September 22). The CNN News [Television broadcast]. Atlanta, GA: CNN
Headquarters
Compeau, D. R., Higgins, C. A., & Huff, S. (1999). Social cognitive theory and individual reactions to
computing technology: A longitudinal study. MIS Quarterly, 23(2), 145-158
Constantine, R., Arger, G., Ling, P. & Sharma, R. (n.d.). An evaluation of the effectiveness of wireless LAN
in the provision of higher education. Swinburne University of Technology, Melbourne, Australia.
Crossler, R. E. & Belanger, F. (2009). The Effects of Security Education Training and Awareness
Programs and Individual Characteristics on End User Security Tool Usage. Journal of
Information System Security, 5(3), 3–22. Retrieved from
http://www.jissec.org/Contents/V5/N3/V5N3-Crossler.html
CustomInsight.com (2012). Survey Random Sample Calculator. Retrieved from
http://www.custominsight.com/articles/random-sample-calculator.asp
Davis, F.D. (1989). Perceived Usefulness, Perceived Ease Of Use, And User Acceptance of Information
Technology. MIS Quarterly, 13(3), 319-340.
Davis, F.D., Bagozzi, R.P. & Warshaw, P.R. (1989). User Acceptance of Computer Technology: A
Comparison of Two Theoretical Models. Management Science, 35(8), 982-1003.
Delone, W. H., & McLean, E.R. (1992). Information systems success: The Quest for the Dependent
Variable. Information Systems Research, March, 60-95.
DeLone, W.H., & McLean, E.R. (2003). The DeLone and McLean Model of Information Systems Success:
A Ten-Year Update. Journal of Management Information Systems, 19(4), 9-30.
Detmar, W.S. Jr. (1990). Effective IS Security: An Empirical Study. Information Systems Research 1(3),
255-276.
Dhillon, G. & Backhouse, J. (2001). Current directions in IS security research: toward socio-organizational perspectives. Information Systems Journal, 11(2), 127-153.
Dhillon, G. & Moores, T. (2001). Internet Privacy: Interpreting Key Issues. Information Resources
Management Journal, 14(4), 33-37.
Diamantopoulos, A., Riefler, R., & Roth, K. (2007). Advancing Formative Measurement Models. Retrieved
from http://homepage.univie.ac.at/katharina.roth/research/Formative_Measurement_JBR.pdf
Duggan, M & Rainie, L. (2012). REPORT: MOBILE Cell Phone Activities 2012. Pew Internet and
American Life Project-A Project of the PewResearchCenter. Retrieved from
http://pewInternet.org/Reports/2012/Cell-Activities.aspx
Dunkerley, K.D., & Tejay, G. (2011). A Confirmatory Analysis of Information Systems Security Success
Factors. Proceedings of the 44th Hawaii International Conference on System Sciences, pp. 1-10
Edwards, J. R. (2011). The Fallacy of Formative Measurement. Organizational Research Methods.
Downloaded from http://orm.sagepub.com
Enck, W., Ongtang, M., & McDaniel, P. (2009). On
Lightweight Mobile Phone Application Certification. Communications of the ACM, 235-245.
Retrieved from http://research.microsoft.com/pubs/80165/pervasive09_patterns_final.pdf
Estelle, M.P. & Pugh, D.S. (1987). How to get a PhD. Open University Press, Milton, Keynes.
Elpez, I. & Fink, D. (2006). Information System Success in the Public Sector: Stakeholders' Perspectives
and Emerging Alignment Model, Informing Science and Information Technology, 3, 219-230.
Fang, X., Chan, S., Brzezinski, J., & Xu, S. (2006). Moderating Effects of Task Type on Wireless
Technology Acceptance. Journal of Management Information Systems, 22(3), 123-157.
Festinger, L. (1957). Theory of Cognitive Dissonance. Stanford University Press, Stanford, CA.
Fishbein, M.A. & Ajzen, I. (1975). Belief, attitude, intention and behavior: an introduction to theory and
research. Reading, MA: Addison Wesley.
Freeze, R. D., & Raschke, R. L. (2007). An Assessment of Formative and Reflective Constructs in IS
Research. 15th European Conference on Information Systems. University of St. Gallen (Pub.), pp.
1481-1492. Retrieved from
http://docs.google.com/viewer?a=v&q=cache:cXr4f8_Fy_sJ:csrc.lse.ac.uk/asp/aspecis/200700
55.pdf+an+assessment+of+formative+and+reflective+constructs+in+is+research&hl=en&gl=us
&pid=bl&srcid=ADGEESijfG-q1j4sVTo7BMT0hQbh666NbxMPLzxp1dFsiGFw4bWis7cTuhFjhk9IFV-iJ-LjbRlmwdyggXFPj5XS44YW3xe8D2kbKv5bCMac32aCXsea0HS1WcQVoUXg1jyCcuQIaM&sig=AHIEtbRjpwQR3v2SIV72qvR
2iyfeLscDSA
Fox, F. (2010). Stealth malware steals, imitates social behavior. TechNewsDaily. Retrieved from
http://www.msnbc.msn.com/id/39691794/ns/technology_and_science-security/
Freeze, R.D., & Raschke, R.L. (2007). An Assessment of Formative and Reflective Constructs in IS
Research. Proceedings of the 15th European Conference on Information Systems ECIS2007
June, St Gallen Switzerland, Publisher: University of St. Gallen, pp: 1481-1492.
Furneaux, B. (2005). Theories Used in IS Research-Theory of Planned Behavior. Retrieved from
http://www.istheory.yorku.ca/theoryofplannedbehavior.htm
Furneaux, B. (2005). Theories Used in IS Research-Unified Theory of Acceptance and Use of Technology.
Retrieved from http://www.istheory.yorku.ca/UTAUT.htm
Gable, G.G., Sedera, D., & Chan, T. (2008). Re-conceptualizing Information System Success: The IS-Impact Measurement Model. Journal of the Association for Information Systems, 9(7), 377-408.
Garson, G. D. (2011). Univariate GLM, ANOVA, and ANCOVA. Retrieved from
http://faculty.chass.ncsu.edu/garson/PA765/anova.htm
Garson, G.D. (2009). Factor Analysis from StatNotes: Topics in Multivariate Analysis. Retrieved from
http://faculty.chass.ncsu.edu/garson/PA765/factor.htm#factoring
Garson, G. D. (2008). Structural Equation Modeling. Retrieved from
http://www2.chass.ncsu.edu/garson/pa765/structur.htm
Gebauer, J., Kline, D., & Ling, H. (2011). Password Security Risk versus Effort: An Exploratory Study on
User-Perceived Risk and the Intention to Use Online Applications. Journal of Information
Systems Applied Research, 4(2), 52-73.
Gefen, D., Karahanna, E., & Straub, D.W. (2003). Trust and TAM in Online Shopping: An Integrated
Model, MIS Quarterly, 27(1), 51-59.
GetSafeOnline.org. (2008). Wi-Fi security: GetSafeOnline warns of 'piggybacking' dangers. Retrieved
from http://www.datamonitor.com
Google Mobile Help. (2012). Sharing your mobile data connection. Retrieved from
http://support.google.com/mobile/bin/answer.py?hl=en&answer=168932
Graziano, D. (2012). ComScore: More than 100 million smartphone users now in U.S. In BGR HOT
TOPICS. Retrieved from http://www.bgr.com/2012/03/08/comscore-more-than-100-millionsmartphone-users-now-in-u-s/
Griffin, B. (2011). McAfee: Attacks against mobile devices will escalate in 2011. Retrieved from
http://www.knowyourmobile.com/blog/906463/mcafee_attacks_against_mobile_devices_will_escalate_in_2011.html
Grover, V. (n.d) A Tutorial on Survey Research: from Constructs to Theory.
http://www.umdnj.edu/idsweb/idst6000/MIS-SUVY.htm
Grover, V., Cheon, M. J., & Teng, J. T. C. (1996). The Effect of Service Quality and Partnership on the
Outsourcing of Information Systems Functions. Journal of Management Information Systems.
12(4), 89-116.
Hagen, J.M. & Spilling, P. (2009). Do Organisational Security Measures Contribute to the Detection and
Reporting of IT-System Abuses? Proceedings of the Third International Symposium on Human
Aspects of Information Security & Assurance (HAISA), pp. 71-81.
Hair, Jr. J.F., Black, W.C., Babin, B.J., & Anderson, R.E. (2010). Multivariate Data Analysis, 7th Edition.,
New Jersey: Prentice Hall.
Hayden, L. (2010). IT Security Metrics – A Practical Framework for Measuring Security & Protecting
Data. New York: The McGraw-Hill Companies.
Hardin, A., Chang, J. C. J., Fuller, M., & Torkzadeh, G. (2011). Formative Measurement and Academic
Research-In search of Measurement Theory. Educational and Psychological Measurement. 71(2),
281–305.
Hardin, A., Chang, J. C. J., & Fuller, M. (2008). Formative versus reflective measurement: Comment on
Marakas, Johnson, and Clay (2007). Journal of the Association for Information Systems, 9(9),
519-535.
Hardin, A., Chang, J. C. J., & Fuller, M. (2008). Clarifying the Use of Formative Measurement in the IS
Discipline-The Case of Computer Self-Efficacy. Journal of the Association for Information
Systems, 9(9), 544-546.
Hazarika, U. (2013). Security Analytics Webinar. ZScalar.
Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: a framework for security policy
compliance in organisations. European Journal of Information Systems, 18, 106–125.
Henning, J. (2009). Demographic Questions: Sample Survey Template. Retrieved from
http://blog.vovici.com/blog/bid/18176/Demographic-Questions-Sample-Survey-Template
Hoover, J.N. (2012). Going Mobile. Retrieved from
http://twimgs.com/infoweek/green/022012gov/InformationWeek_Government_2012_02.pdf
Hornat, C. (2002). An Unwired Universe. In The Hitchhiker’s World (Issue # 5). Retrieved from
http://www.infosecwriters.com/hhworld/hh5.php.
Hong, W., Chan, F.K.Y, Thong, J.Y.L., Chasalow. L.C.& Dhillon, G. (2013). A Framework and Guidelines
for Context-Specific Theorizing in Information Systems Research. Information Systems
Research, Articles in Advance, 1–26.
Huigang, L., Saraf, N., Qing, H., & Yajiong, X. (2007). Assimilation of Enterprise Systems: The Effect of
Institutional Pressures and the Mediating Role of Top Management. MIS Quarterly, 31(1), 59-87.
iBAHN. (2010). iBAHN in the News - New Study Validates Profit Opportunity for High-Speed Internet.
Retrieved from http://www.ibahn.com/en-us/index.php?cid=1624&detail=y&story=1653
Im, K. S., & Grover, V. (2004). The Use of Structural Equation Modeling in IS Research: Review and
Recommendations, in The Handbook of Information Systems Research, M. E. Whitman and A. B.
Woszczynski (eds.), Hershey, PA: Idea Group Publishing, 44-65.
InfoSecurity-Magazine (2013). Most small businesses don't understand mobile security threats. Retrieved from
http://www.infosecurity-magazine.com/view/32538/most-small-businesses-dontunderstand-mobile-security-threats/
Institute for Digital Research and Education-UCLA. 2013. SPSS Learning Module. Missing Data.
Retrieved from http://www.ars.ucla.edu/stat/spss/modules/missing.htm
Irvine, C. E. Levin, T. E. (2002). A cautionary note regarding the data integrity capacity of certain secure
systems. In Gertz, M.; Guldentops, E.; and Strous, L. (eds.), Integrity, Internal Control and
Security in Information Systems: Connecting governance and technology. Norwell,
Massachusetts: Kluwer Academic Publishers, pages 3 – 25. Retrieved from
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA435460
ISWORLD (2005). Information Systems Effectiveness-System Quality. Retrieved from
http://business.clemson.edu/ISE/html/system_quality.html
Jackson, J. (2008). Beware of hotel Internet connections. GCN –Government Computer News.
http://gcn.com/articles/2008/10/03/beware-of-hotel-Internet-connections.aspx
Johnston, A. C., & Warkentin, M. (2010). Fear Appeals and Information Security Behaviors: An Empirical
Study. MIS Quarterly, 34(3), 548-566.
Jaquith, A. (2007). Security Metrics-Replacing Fear, Uncertainty, and Doubt. Upper Saddle River, NJ:
Pearson Education, Inc.
Kable Intelligence Limited. (n.d.). FCA - GMP and Quality Systems Consultancy and Training. Retrieved from
http://www.drugdevelopment-technology.com/contractors/consulting/fca/fca4.html
Kamani, D. (2012). Cryptzone says WPS security issues are just the tip of the insecurity iceberg. In
Vigilance the Security Magazine. Retrieved from http://www.vigilancesecuritymagazine.com/industry-news/information-security-and-management/1397-cryptzonesays-wps-security-issues-are-just-the-tip-of-the-insecurity-iceberg
Kang, I. (2004). An Empirical Study of a Trust Transfer Process from Offline to
Online Channel. Sungkyunkwan University.
Kankanhalli, A., Teo, H-H., Tan, B.C.Y., & Wei, K-K. (2003). An integrative study of information systems
security effectiveness. International Journal of Information Management, 23, 139-154.
Karimi, J., Gupta, Y.P., & Somers, T.M. (1996). Impact of competitive strategy and information
technology maturity on firms' strategic response to globalization. Journal of Management
Information Systems, 12(4), 55-88.
Karlson, A., Meyers, B., Jacobs, A., Johns, P., & Kane. S. (2009). Working Overtime: Patterns of
Smartphone and PC Usage in the Day of an Information Worker. Proceedings of the 7th
International Conference on Pervasive Computing, 398–405.
Kenny, D.A. (2014). Mediation. Retrieved from http://davidakenny.net/cm/mediate.htm
Kim, C., Tao, W., Shin, M., & Kim, K-S. (2010). An empirical study of customers’ perceptions of security
and trust in e-payment systems. Electronic Commerce Research and Applications, 9, 84-95.
Kim, G., Shin, B., & Grover, V. (2010). Investigating Two Contradictory Views of Formative Measurement
in Information Systems Research. MIS Quarterly, 34(2), 345-365.
Kim, S.H. (2008). Moderating effects of Job Relevance and Experience on mobile wireless technology
acceptance: Adoption of a Smartphone by Individuals. Information & Management, 45(6), 387-393.
King, W. R. & He, J. (2006). A Meta-Analysis of the Technology Acceptance Model. Information &
Management, 43(6), 740-755.
Kumar, R.L., Park, S., & Subramaniam, C. (2008). Understanding the Value of Countermeasure
Portfolios in Information Systems Security. Journal of Management Information Systems, 25(2),
241–279.
Krebs, D. (2010). Total Cost of Ownership Models for Mobile Computing and Communication Platforms,
Third Edition Track II, Volume 1: Field Mobility. VDC Research.
Lederer, A.L., Maupin, D.J., Sena, M.P., & Zhuang, Y. (2000). The technology acceptance model and the
World Wide Web. Decision Support Systems 29, 269–282.
Ledesma, C. (2008). "FREE" WIRELESS INTERNET? REALLY? Lodging Hospitality, 64(2), 49.
Retrieved from http://lhonline.com/technology/telecomm/free_wireless_Internet/
Lee, A. J. (2005). Organizational Justice: A Mediated Model from Individual Well Being and Social
Exchange Theory Perspectives. Proposal presented at Touro University International, Cypress,
California
Leggatt, H. (2010). Internet use in hotels rose significantly in 2009. BizReport: Internet. Retrieved from
http://www.bizreport.com/2010/01/Internet_use_in_hotels_rose_significantly_in_2009.html#
Leyden, J. (2012). SMSZombie wraps self in nudie pics, slips into 500,000 Android devices. Retrieved
from http://www.theregister.co.uk/2012/08/20/android_smszombie/
Liang, H., & Xue, Y. (2009). Avoidance of Information Technology Threats: A Theoretical Perspective.
MIS Quarterly, 33(1), 71-90.
Liang, H., & Xue, Y. (2010). Understanding Security Behaviors in Personal Computer Usage: A Threat
Avoidance Perspective. Journal of the Association for Information Systems, 11(7), 394-413.
Liebowitz, M. (2010). Malware Attacks Becoming Difficult to Avoid. SecurityNewsDaily. Retrieved
October 17, 2010 from http://www.securitynewsdaily.com/malware-attacks-difficult-to-avoid-0154/
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
Locke, L.F., Spirduso, W.W., & Silverman, S.J. (1992). Research proposals: Function and content. In R.
Galliers (Ed.), Information systems research: Issues, methods and practical guidelines, (pp.
167-181). Oxford, U.K.: Blackwell Scientific Publications.
Luarn, P., & Lin, H-H. (2005). Toward an understanding of the behavioral intention to use mobile
banking. Computers in Human Behavior, 2, 873-891.
Malhotra, N.K., Kim, S.S., & Agarwal, J. (2004). Internet Users' Information Privacy Concerns (IUIPC):
The Construct, the Scale, and a Causal Model. Information Systems Research, 15(4), 336-355
MacKenzie, S. B., Podsakoff, P.M., & Podsakoff, N.P. (2011). Construct Measurement and Validation
Procedures. MIS Quarterly, 35(2), 293-334
Madnick, S. (2006). Enterprise Security Perception and the House of Security. Presentation for Center for
eBusiness, Sloan School of Management, Massachusetts Institute of Technology. pp 1-37.
Mayer, J. & Fagundes, L.L. (2009). A Model to Assess the Maturity Level of the Risk Management Process
in Information Security. 4th IFIP/IEEE International Workshop on BDIM – 9 June. Retrieved
December 16, 2010 from http://www.slideshare.net/leolemes/app-mmgr-bdim09
Mehta, P.D. (2001). Control Variable in Research. International Encyclopedia of the Social & Behavioral
Sciences, Pergamon, Oxford. Neil J. Smelser and Paul B. Baltes, Editor(s)-in-Chief. pp. 2727-2730. Retrieved November 18, 2010 from
http://www.sciencedirect.com/science/article/B7MRM-4MT09VJB1/2/ee7a72bf22424acde3eab56746e9f0b1
Microsoft Corp. (2010). Security Intelligence Report. Vol. 9. Retrieved October 17, 2010 from
http://www.microsoft.com/security/sir/default.aspx
Miller, K. (2005). Communications theories: Perspectives, processes, and contexts. New York: McGraw-Hill.
Mishra, S., & Chasalow, L. (2011). Information Security Effectiveness: A Research Framework. Issues in
Information Systems, XII(1), 246-255.
Moores, T. T., & Chang, J. C. J. (2009). Self-Efficacy, Overconfidence, and the Negative Effect on
Subsequent Performance: A Field Study. Information & Management, 46(2), 69-76
Murdick, R. G., Ross, J. E. & Claggett, J. R. (1993). Information Systems for Modern Management.
Englewood Cliffs, N.J: Prentice-Hall.
Myers, M. D., & Klein, H. K. (2011). A Set of Principles for Conducting Critical Research in Information
Systems. MIS Quarterly, 35(1), 17-36.
Nieswiadomy, R. M. (2008). Foundations of Nursing Research. Upper Saddle River, NJ: Pearson
Education, Inc. Online Electronic Medical Library. Retrieved from
http://online.statref.com/document.aspx
Network Box (2010). Network Box white paper: Hotel IT security: a new guide from Network Box.
M2PressWIRE. Retrieved from http://www.network-box.co.uk/resources/white-papers
Newsom, J. (2012). Testing Mediation with Regression Analysis. Retrieved from
www.upa.pdx.edu/IOA/newsom/da2/ho_mediation.pdf.
Notenboom, L. (2008). Can hotels sniff my Internet traffic? Ask Leo. Retrieved from
http://askleo.com/can_hotels_sniff_my_Internet_traffic.html
O’Connor, P. (2006). An International Comparison of Approaches to Online Privacy Protection:
Implications for the Hotel Sector. Journal of Services Research, 6.
Ogle, J., Wagner, E.L., & Talbert, M.P. (2008). Hotel Network Security: A Study of Computer Networks in
U.S. Hotels. Cornell Hospitality Reports– The Center for Hospitality Research, 8(15), School of
Hotel Administration, Cornell University.
Okoli, C. (2010). Webster & Watson 2002: Analyzing the Past to Prepare for the Future: Writing a
Literature Review. Retrieved from http://chitu.okoli.org/research-reviews/webster-and-watson2002.html
Olphert, C. W., Damodaran, L., & May, A. J. (2005). Towards digital inclusion – engaging older people in
the ‘digital world’. Department of Information Science, Loughborough University.
Ooi, K.-B., Sim, J.-J., Yew, K.-T. , & Lin, B. (2011). Exploring factors influencing consumers’ behavioral
intention to adopt broadband in Malaysia. Computers in Human Behavior, 27, 1168-1178.
Pather, S., Remenyi, D., & Erwin, G. (2004). E-commerce success: the quest for IS effectiveness
measurement: a conceptual framework for the e-commerce environment. South African
Computer Journal, 32, 34-43.
Pajares, F. (2002). Overview of Social Cognitive Theory and of Self-Efficacy. Retrieved from
http://www.emory.edu/EDUCATION/mfp/eff.html
Peng, F. (2008). Perceptions of Travelers Regarding Wireless Local Area Networks at International
Airports. UNITEC Institute of Technology, New Zealand, 1-118.
Petter, S., Straub, D., & Rai, A. (2007). Specifying Formative Constructs in Information Systems Research.
MIS Quarterly, 31(4), 623-656.
Petter, S., Rai, A., & Straub, D. (2012). The Critical Importance of Construct Measurement Specification:
A Response to Aguirre-Urreta and Marakas. MIS Quarterly, 3(1), 147-155.
Phelps, T. (2011). Barnacle Wi-Fi Tethering App for Rooted Android Phones. Retrieved from
http://google.about.com/od/socialtoolsfromgoogle/fr/barnacle-tether-Wi-Fi-android-app.htm
Png, I. P. L. & Wang, Q-H. (2009). Information Security - Facilitating User Precautions Vis-à-Vis
Enforcement against Attackers. Journal of Management Information Systems, 26(2), 97–121.
Podsakoff, P.M., MacKenzie, S. B., Lee, J-Y., & Podsakoff, N. P. (2003). Common Method Biases in
Behavioral Research: A Critical Review of the Literature and Recommended Remedies. Journal of
Applied Psychology, 88(5), 879–903.
Ponemon Institute, LLC. (2012). 2013 State of the Endpoint. Research Report, 1-35.
Retrieved from
http://www.ponemon.org/local/upload/file/2013%20State%20of%20Endpoint%20Security%20WP_FINAL4.pdf
Ponemon Institute, LLC. (2010). State of Endpoint Risk 2011 Survey, 1-31.
Retrieved from http://www.lumension.com/Resources/Resource-Center/2010-State-of-theEndpoint.aspx?rpLeadsourceID=2116
Price, S. M. (2008). Host-Based Security Challenges and Controls - A Survey of Contemporary
Research. Information Security Journal: A Global Perspective, 17, 170–178.
Ramayah, T. (2010). Archive for the ‘ATW 202 Business Research Method’ Category. Retrieved from
http://www.ramayah.com/?cat=3
Ramayah, T., Rouibah, K., Gopi, M., & Rangel, G. J. (2009). A decomposed theory of reasoned action to
explain intention to use Internet stock trading among Malaysian investors. Computers in Human
Behavior, 2 (6), 1222–1230.
Ramezan, M. (2009). Measuring the effectiveness of human resource information systems in national
Iranian oil company (an empirical assessment). Iranian Journal of Management Studies (IJMS),
2(2), 129-145.
Randolph, J.J. (2009). A Guide to writing the dissertation literature review. Practical Assessment,
Research & Evaluation, 14(13), 1-13. Retrieved from
http://pareonline.net/getvn.asp?v=14&n=13.
Ravenel, J.P. (2006). Effective Operational Security Metrics. EDPACS, 34(6). Retrieved from
ABI/INFORM Global.
Ray, A. (2006). Typical response rates. In Practical Surveys. Last Updated April 21, 2008. Retrieved
from http://www.practicalsurveys.com/respondents/typicalresponserates.php
Retna, J., Varghese, G., Soosaiya, M., Joseph, S. (2010). A Study on Quality Parameters of Software and
the Metrics for Evaluation. International Journal of Computer Engineering and Technology, 1(1),
235-249.
Ryan, J.E. (2006). A Comparison of Information Security Trends Between Formal and Informal
Environments. (Doctoral dissertation). UMI Number: 3225287
Recker, J., Rosemann, M., Green, P., & Indulska, M. (2011). Do Ontological Deficiencies in Modeling
Grammars Matter? MIS Quarterly, 35(1), 57-79.
Rhee, H., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information security: Its influence on end users’
information security practice behavior. Computers & Security, 28, 816-826.
Richmond, R. (2011). RSA’s Secure IDs Hacked – What to Do. The New York Times. Retrieved from
http://gadgetwise.blogs.nytimes.com/2011/03/18/rsas-secure-ids-hacked-what-todo/?src=busln
Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of
Psychology, 91, 93-114.
Ronen, S., Mikulincer, M. (2009). Attachment orientations and job burnout: The mediating roles of team
cohesion and organizational fairness. Journal of Social and Personal Relationships, 26(4), 549-567.
Sabherwal, R., Jeyaraj, R., & Chowa, C. (2006). Information System Success: Individual and
Organizational Determinants. Management Science, 52(12), 1849-1864.
Schneier, B. (2008). Security at What Cost? National ID System Is Not Worth The $23 Billion Price Tag.
Retrieved from http://www.schneier.com/essay-207.html.
Seddon, P. B. (1997). A respecification and extension of the DeLone and McLean model of IS success.
Information Systems Research, 8(3), 240-254.
Seliem, A. A. M., Ashour, A. S., Khalil, O. E. M., & Millar, S. J. (2003). The Relationship of Some
Organizational Factors to Information Systems Effectiveness: A Contingency Analysis of Egyptian
Data. Journal of Global Information Management, 11 (1), 40-72.
Serpanos, D. & Tilman, W. (2011). Chapter 10 – Quality of service and security in
Architecture of Network Systems- A volume in The Morgan Kaufmann Series in Computer
Architecture and Design. Massachusetts: Elsevier Inc. Pub., pp. 183–210.
Sharma, R., Yetton, P., & Crawford, J. (2009). Estimating the Effect of Common Method Variance: The
Method–Method Pair Technique with an Illustration from Tam Research. MIS Quarterly, 33(3),
473-490.
Shaver, J. M. (2005). Testing for Mediating Variables in Management Research: Concerns, Implications,
and Alternative Strategies. Journal of Management, 31(3), 330-353. Retrieved from
http://jom.sagepub.com
Shema, M. (2011). Web Security: Why You Should Always Use HTTPS. Retrieved from
http://mashable.com/2011/05/31/https-web-security/
Schneider, I. (2012). 5 Critical Strategies for Mobile Banking Security. Retrieved from
http://www.banktech.com/risk-management/240003902#.UCqzXGlMF4g.email
Schuessler, J.H. (2009). General Deterrence Theory: Assessing Information Systems Security
Effectiveness in Large Versus Small Businesses. (Doctoral dissertation). Retrieved from
http://digital.library.unt.edu/ark:/67531/metadc9829/m2/1/high_res_d/dissertation.pdf
Shih, Y. Y., & Fang, K. (2004). The use of decomposed theory of planned
behavior to study Internet banking in Taiwan. Internet Research, 14(3), 213–223.
Shinder, D. (2011). Security Issues when Connecting Computers to Cellular Networks. Retrieved from
http://www.windowsecurity.com/articles/Security-Issues-when-Connecting-ComputersCellular-Networks.html.com/
Snyder, B. (2012). US-CERT Issues WPS Security Warning. Retrieved from
http://www.itsp.eu/index.php?option=com_content&view=article&id=701&Itemid=74
Sommer, L. (2011). The Theory of Planned Behavior and the Impact of Past Behavior. International
Business & Economics Research Journal, 10, 91-110.
Square, Inc. (2013). User Agreements, Merchant User Agreement. Retrieved from
https://squareup.com/legal/merchant-ua
Squires, M. (2011). Security of Guest Data Worries Hotel Technology Executives. Lodging Hospitality.
Retrieved from http://lhonline.com/technology/security/security_guest_data_worry_0404/
StatSoft, (n.d.). Principal Components and Factor Analysis. Retrieved from
http://www.statsoft.com/textbook/principal-components-factor-analysis/#basic
StarTrek (2012). Estimation in Statistics. Retrieved from http://stattrek.com/estimation/estimation-instatistics.aspx?tutorial=ap
Straub, D.W. Jr. (1990). Effective IS Security: An empirical Study. Information Systems Research, 1(3),
255-276.
Straub, D. W. (1989). Validating Instruments in IS Research. MIS Quarterly, 13(2), 147-169.
Straub, D. W. Jr., & Burton-Jones, A. (2007). Veni, Vidi, Vici: Breaking the TAM Logjam. Journal of the
Association of Information Systems, 8(4), 223-229. Retrieved from
http://iris.nyit.edu/~kkhoo/Spring2008/Topics/TAM/000BenTAMarticleComment2.pdf
Straub, D., Limayem, M., & Karahanna-Evaristo, E. (1995). Measuring System Usage: Implications for IS
Theory Testing. Management Science, 41(8), 1328-1342.
Tao, D. (2009). Intention to Use and Actual Use of Electronic Information Resources: Further Exploring
Technology Acceptance Model (TAM). AMIA Annual Symposium Proceedings Archive, American
Medical Informatics Association, 629–633. Retrieved from
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2815463/
Taylor, S., & Todd, P. (1995). Assessing IT usage: The role of prior experience. MIS Quarterly, 19(4), 561-570.
Thompson, R. L., Higgins, C. A., & Howell, J. M. (1991). Personal Computing: Toward a Conceptual Model
of Utilization. MIS Quarterly, 15(1), 124-143.
Torkzadeh, G., & Dhillon, G. (2002). Measuring factors that influence the success of Internet commerce.
Information Systems Research, 13(2), 187-204.
Torkzadeh, G., Chang, J. C. & Demirhan, D. (2006). A contingency model of computer and Internet self-efficacy. Information & Management, 43(4), 541–550.
Tourangeau, R., & Smith, T. W. (1996). Asking sensitive questions: The impact of data collection mode,
question format, and question context. Public Opinion Quarterly, 60(2), 275-304
Trkman, M., & Trkman, P. (2009). A Wiki as Intranet – a Critical Analysis Using the DeLone & McLean
Model. Online Information Review, 33(6), 1087-1102
Trochim, W. M. (2006). The Research Methods Knowledge Base, 2nd Edition. Retrieved from
http://www.socialresearchmethods.net/kb/power.php
Udo, G. J., Bagchi, K. K., & Kirs, P. J. (2010). An assessment of customers’ e-service quality perception,
satisfaction and intention. International Journal of Information Management, 30, 481-492.
University of Twente (2013). Protection Motivation Theory. Retrieved from
http://www.utwente.nl/cw/theorieenoverzicht/Theory%20clusters/Health%20Communication/Protection_Motivation_Theory.doc/
Utin, D. M., Utin, M. A., & Utin, J. (2008). General Misconceptions about Information Security Lead to an
Insecure World. Information Security Journal: A Global Perspective, 17, 164–169.
Vance, A., Elie-dit-cosaque, C., & Straub, D.W. (2008). Examining Trust in Information Technology
Artifacts: The Effects of System Quality and Culture. Journal of Management Information
Systems, 24(4), 73–100.
Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F.D. (2003). User acceptance of information
technology: Toward a unified view. MIS Quarterly, 27(3), 425-478.
Venkatesh, V., Speier, C., & Morris, M. G. (2002). User acceptance enablers in individual decision making
about technology: toward an integrated model. Decision Science, 33, 297–316.
Venkatesh, V. & Zhang, X. (2010). Unified theory of acceptance and use of technology: U.S. vs. China.
Journal of Global Information Technology Management, 13(1), 5-27.
Wade, M. & Hulland, J. (2004). The resource-based view and information systems research: review,
extension, and suggestions for future research. MIS Quarterly, 28(1), 107-142.
Wang, Y-S. (2002). The adoption of electronic tax filing systems: an empirical Study. Government
Information Quarterly, 20, 333–352.
Warfield, D.L. (2011). The Perceptions of U.S.-Based IT Security Professionals about the Effectiveness of
IT Security Frameworks: A Quantitative Study. (Doctoral dissertation).
Watson, J. (2001). How to Determine a Sample Size: Tipsheet #60. The Pennsylvania State University.
University Park, PA: Penn State Cooperative Extension. Retrieved from:
http://www.extension.psu.edu/evaluation/pdf/TS60.pdf
Webster, J., & Watson, R. T. (2002). Analyzing the Past to Prepare for the Future: Writing a Literature
Review. MIS Quarterly, 26(2), xiii – xxiii.
Whinston, A. B., & Geng, X. (2004). Operationalizing the Essential Role of the Information Technology
Artifact in Information Systems Research: Gray Area, Pitfalls, and the Importance of Strategic
Ambiguity, MIS Quarterly, 28(2), 149-159.
Wiant, T.L. (2005). Information security policy’s impact on reporting security incidents.
Computers & Security, 24(6), 448-459.
Wikipedia (2012). Wi-Fi Protected Setup. Retrieved from Wikipedia, the free encyclopedia:
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
Wi-Fi-FreeSpot Directory. (2011). Wi-Fi-FreeSpot Directory - locations that offer Free Wi-Fi. Retrieved
from http://www.Wi-Fifreespot.com/faqs.html
Wu, K., Zhao, Y., Zhu, Q., Tan, X., & Zheng, H. (2011). A meta-analysis of the impact of trust on
technology acceptance model: Investigation of moderating influence of subject and context type.
International Journal of Information Management, 31(6), 572-581. Retrieved from
http://www.sciencedirect.com.lbproxy6.touro.edu/science/article/pii/S0268401211000429#
Yaniv, J. (2006). General Networking/Lan/Wan- ad hoc wireless. Retrieved from
http://en.allexperts.com/q/General-Networking-Lan-1049/ad-hoc-wireless.htm
Yangil P., & Chen, J.V. (2007). Acceptance and adoption of the innovative use of smartphone. Industrial
Management & Data Systems, 107(9), 1349 – 1365. Retrieved from
http://www.emeraldinsight.com/journals.htm?articleid=1636252&show=abstract
York University. (2010). Delone and McLean IS success model. Retrieved from
http://www.fsc.yorku.ca/york/istheory/wiki/index.php/Delone_and_McLean_IS_success_model