a quantitative investigation of the...

A Quantitative Investigation of the Security Factors Affecting the Use of IT Systems in Public Networks

Sanjeev Mitra College of Business Administration, Trident University International,

Cypress, CA [email protected]

Dr Indira R. Guzman, Ph.D.Program Director, College of Information Systems, Trident University

International Cypress , CA, [email protected]

Dr Gurpreet Dhillon, Ph.D.

Professor of Information Security at the School of Business Virginia Commonwealth University, Virginia, USA

[email protected]

Dr Kiet Tran, Ph.D.Professor, College of Business Administration

Trident University International, Cypress , CA, [email protected]

Abstract

This research will investigate whether the System Security Quality of IT Systems like mobile technologies when used in public networks like the Wi-Fi Internet has a positive effect on their users’ behavioral intentions to use such systems. The motivation for doing this research from the need to investigate what is the System Security Quality of mobile technologies and how is it perceived by users of those technologies when used in public networks like the Internet (Wi-Fi). The relevant theories are Unified Theory of Acceptance and Use of Technology, Technology Acceptance Model, Theory of Reasoned Action, Technology Threat Avoidance Theory, Theory of Planned Behavior, Self-Efficacy in Information Security, Protection Motivation Theory and ‘IS’ Success Model. The main constructs are System Security Quality of IT Systems, Users’ perceptions about System Security Quality of IT Systems, Users’ Behavioral Intentions to use IT Systems, Users’ Self-Efficacy about IT Systems Security, Users’ Response Efficacy about IT Systems security. Paper and web based questionnaire using Likert scale will be used for data collection in restaurants/coffee-shops/bookstores. Statistical analysis will be done using Confirmatory Factor Analysis, Anova and multiple regression analysis. Hypotheses testing will be done for reflective variables by techniques like Structural Equation Modeling, using AMOS or LISREL. For indicators of the formative construct the analysis will be done using PLS. This research study will benefit the vendors of IT Systems like mobile technologies by

Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 1

Mitra;Guzman;Dhillon;Tran

helping them to increase their users’ satisfaction with the security of such systems for being used in public networks like the Wi-Fi based Internet, possibly resulting in their more actual usage and increase in business for their respective smartphone brands. The same study will be done in future in secured wired networks in universities in US and other countries to assess the validity of the results obtain in another context and to establish their generalizability.

IntroductionIn order to survive in the modern business world, individuals working in organizations use various ways of information management since information is now recognized as an asset of organizations. The technology used for managing and disseminating information includes computers, personal digital assistants, smart phones and tablets, storage devices, virtual machines, and servers, etc. These artifacts of Information Technology have one aspect in common for majority of their users in many countries of the developed world like the USA. They are connected to some type of network, either wired or wirelessly, at homes, offices or on the road.

Problem StatementWhile retrieval and distribution of information has been made easy by this, nevertheless serious concerns have sprung up about the effectiveness of their security for their individual users in organizations. This is because persistent incidents of malware infection and data breaches experienced by users in organizations continue to be on the rise, pointing to possible gaps in the effectiveness of IT security practices being followed for individual users as a whole in companies. The ‘State of Endpoint risk 2011’ survey by Ponemon Institute (2010) found that “The most frequently encountered IT network incidents are general malware attacks (92 percent of respondents), web-borne malware attacks (75 percent of respondents), botnet attacks (64 percent of respondents) and SQL injections (38 percent of respondents)”. The salient findings of “2013 State of the Endpoint” survey research report by Ponemon Institute (2012), relevant to this research study, were as follows

“Eighty percent of respondents believe laptops and other mobile data-bearing devices such as smart phones pose a significant security risk to their organization’s networks or enterprise systems because they are not secure.

Malware attacks are increasing. Fifty-eight percent of respondents say their organizations have more than 25 malware attempts or incidents each month and another 20 percent are unsure”

Out of these both general malware (86%) and Web-borne malware attacks (79%) and Rootkits (65%) are the most occurring in organizations.

Advanced Persistent Threats (25%) and Hacktivism (15%), Zero Day Attacks (13%) and SQL Injection (12%) are the ones most annoying.”

There was a recent report (Richmond, 2011) which stated that “RSA security suffered a sophisticated hacker attack that resulted in the theft of sensitive information related to its popular SecurID two-factor authentication products”. Though the RSA SecurID two-factor authentication is used in addition to the username and password to connect securely to IT system networks, the fact that it has now been successfully hacked may have a significant impact on whether users would feel confident about using the IT Systems using this authentication method. Based on the above stated facts it can be concluded that the

2 Editors: Gurpreet Dhillon and Spyridon Samonas


number of malware attacks via Internet websites have increased on IT Systems like the Mobile Technologies and has also resulted in compromise of their users’ confidential personal information. Hence the motivation to do this research stems from the need to investigate what is the Systems Security Quality of IT Systems and how is it perceived by users of IT Systems like Mobile Technologies when used in public networks like the Internet (Wi-Fi). The justification of this motivation is based on Choobineh, Dhillon, Grimaila, and Rees (2007) who have identified that “conceptualizations of information security has been largely atheoretical” as one of the three “challenging issues in management of information security”. This research study will attempt to address this issue by generating testable hypotheses and creating a research model about use of IT Systems such as Mobile Technologies in the public networks like the insecure Wi-Fi, based on the actual security effectiveness of such IT Systems. This study will help the users by letting them know how effective is the security of IT Systems they are using.

In turn this could help the IT departments in companies to increase their users’ satisfaction with the security effectiveness of their IT Systems, possibly resulting in their more actual usage by those users and hence more business and better efficiencies for those companies.

The Context of this Research StudyThe context of this research study is usage of IT system like the mobile technologies when used in wireless public network like the Wi-Fi (Wireless Fidelity) based Internet. Mobile technologies is used as a context of this study as “Fifty-six percent of U.S. adults own a smartphone of some type — up from 35% of adults two years ago according to Pew Research Center survey” (Browdie, 2013). Majority of people in the US who work in companies and the federal government use personal or provided smart-phone like iPhone, Androids, BlackBerry, LG and Samsung. In this process they either use the 3G/4G data plans offered by major carriers like Verizon, T-Mobile, Sprint-Nextel, AT&T and others to make phone calls or connect to the Internet or they use the Wi-Fi based Internet to do such tasks. Since Internet is the largest and most prolifically used wide area network system, hence this research study intends to focus on the actual usage of the IT System like the Smartphone when using wireless public network like the Wi-Fi Internet. “The federal government is in the process of creating a national mobility strategy that will attempt to replace ad hoc policies with a coordinated cost-saving plan” (Hoover, 2012). This means consolidation of ad-hoc policies that presently address the various aspects of the Wi-Fi based Internet access with a view to cost savings for the plans used by federal employees while using their smart-phones are considered important by the Federal Government. As an example, “the Department of Agriculture consolidated 843 wireless plans (and more than 32,000 service lines) to three purchasing agreements. As a result, USDA reduced its telecom expenses by 18%, or $4 million, annually” (Hoover, 2012). There are various input factors that contribute to such costs incurred by users while using smart-phones. These include the costs of data, time and productivity loss due to virus/spyware/malware. This is because smart-phones are “easily lost or stolen, and prone to the vulnerabilities of downloadable software and the Web. Malware is a growing concern on mobile devices, one that some agencies have yet to address. ATF, for example, doesn’t run antivirus software on smartphones, and instead relies on MDM software to block threats” (Hoover, 2012). As part of the firmware Wi-Fi chips can be vulnerable to attack from bugs in the coding. An example of this type of vulnerability was disclosed by ‘Core Security’ in Oct 2012 with the issue of an advisory detailing how the Wi-Fi NIC could be prevented from responding (Armin, 2013). Two modes of wireless networking operations are in prevalence. One is the infrastructure mode and the other is the ad-hoc mode. Yaniv (2006) stated that ad-hoc network mode obviates the necessity for having an access point. It works using a 'peer-to-peer' (P2P) style of communication. Only wireless adapters are



needed to communicate. It does not depend on presence of routers, for example. This reduces the cost and maintenance significantly as compared to that in a network designed around an access point. However due to the P2P type of communication, ad-hoc mode should only be used for smaller networks. In many small homes the ad-hoc network type wireless access is used. The big risk on the cellular networks is that many users won't be as cognizant of the risks as when, for instance, they connect to a Wi-Fi network. However, using the cellular network is generally more secure than using an open public Wi-Fi hotspot (Shinder, 2011).

Overall security of cellular data transmission depends on the security of all the four major components of such networks which include the wireless network and the Internet connection. When signals go through the airwaves, it's easier to intercept them because physically tap into a line is not required. Anyone having a transmitter/receiver could intercept those signals. It is very difficult to prevent the interception of the signals; the key to securing a wireless network is encrypting those signals. Then the signals will be useless for any unauthorized party who does intercept them. Early cellular networks did not adequately secure the wireless signals in transit. However, 3G (and above) networks use strong cipher keys to encrypt the signals. Two way authentication is used to prevent the use of cloned cellular devices. 3G networks are still vulnerable to Denial of Service (DoS) attacks. Shinder (2011) stated that threats like malware, DoS, intrusion and virus attacks can affect Internet connections in Mobile Technologies just like they affect computers with Internet connections. Device specific vulnerabilities also exist in Internet connection devices for Mobile Technologies (Shinder, 2011). For instance, 3G MiFi mobile hotspots were vulnerable to unauthorized enabling of GPS on them (Shinder, 2011). Similarly, the latest Near Field Communications or NFC technology being introduced in Mobile Technologies used to exchange information between any two such devices using Radio Frequencies without the Wi-Fi could be susceptible to interception or distortion of those radio waves and hence the information passing between them.

In McAfee's report on mobile security Griffin (2011) stated that the Mobile and Security report was split into two surveys - one for consumers, and the other for senior IT decision makers in companies with an employee count of over 100. It shows a general lack of awareness for safekeeping of mobile data. Although more than half of organisations are “heavily reliant on the use of mobile devices', and 95 per cent have some sort of mobile security policy in place, less than one in three employees are aware of it. Less than 50 per cent of employees understand their mobile device access/permissions. Although mobile security is a major problem and one that is only set to increase based on the current trajectory of Smartphone adoption, losing the Smartphone is still the biggest fear for consumers and IT directors, alike. According to the report, 19 per cent of users store credit card details on their phone. Alarmingly, 23 per cent store passwords and pin codes as well, without any form of remote locking or a password lock on a device to keep the thief away from your details" (Griffin, 2011).

Shema (2011) stated that “even though T-mobile has WPA level of secure access it is not offering the WPA2 level encryption security which is available in our home networks. Whereas it is easy to set up WPA2 on the home network, it is missing on the ubiquitous public Wi-Fi services of cafes and airplanes. They usually avoid encryption altogether. Even still, encrypted networks that use a single password for access merely reduce the pool of attackers from everyone to everyone who knows the password (which may be a larger number than one would expect).” T-Mobile provides the wireless services at Starbucks. In addition to Starbucks, T-Mobile hotspots are available in Borders, Kinko's, the Hyatt, Red Roof Inn, Barnes & Noble, Dallas-Fort Worth International Airport, Los Angeles International Airport, San Francisco International Airport, Hyatt Hotels and Resorts, Sofitel



and Novotel Hotels, the airline clubs of American, Delta, United and US Airways, and other select airports and hotels" (http://antivirus.about.com/od/wirelessthreat1/a/starbucks.htm). In addition to this is the emerging threat of sophisticated malware attack capable of being carried out by well organized and equipped hackers from the mainstream travel, shopping and gaming websites (Liebowitz, 2010). Users surfing these websites may not even know that they have been infected with malware until after the fact. Stealth malware attacks are likely in future to “steal identities, co-opt personal relationships and imitate people’s natural behaviors to avoid detection in future, due to increasing use of social networking sites by people” (Fox, 2010) and increasingly greater sophistication of the hackers. This is even more so because the Security Intelligence Report from Microsoft (2010) has confirmed the increase of botnet type of web security threats in the United States in the last few quarters as compared to the other parts of the world.

Enck, Ongtang and McDaniel (2009) have identified seven possible categories of malware in mobile phones like “Proof-of-Concept, Destructive, Premeditated spyware, Direct Payoff, Information scavengers, Ad-aware and Botnets”. Information scavengers and Botnet can provide “direct monetary gain to the malware writer” and hence are likely to become more prevalent in mobile phones. (Enck et al., 2009). Hence these types of malware, if downloaded from insecure public Wi-Fi on Mobile Technologies, may also impact the actual use of the public Wi-Fi on such Mobile Technologies.

A research study by iBAHN (2010) on use of Internet by users who travelled found that though “80 percent of iTRAVELLERS considered data security as important to them, and were not satisfied with it, yet they were willing to pay a premium for high quality, high-speed hotel Internet access (HSIA) service”. Thus, users who travelled were skeptical about the security of data available to them in this type of networked IT system. Yet, they were induced by the available speeds and quality of Internet connection to pay a higher price to use this networked IT system. A study by Cornell University School of Hotel Administration found that “Hotels in the U.S. are generally ill-prepared to protect their guests from network security issues” (Jackson, 2008). Though it is not their job to do so, yet this can be a factor that may discourage users from using their Mobile Technologies if they cannot use it on secure Internet connection in such places. Hence this study intends to investigate the factors affecting the use of the Wi-Fi Internet based IT system in the context of the hospitality industry comprising coffee-shop/bookstore/restaurants. The coffee-shop/bookstore/restaurants have been selected as surrogate for the hospitality industry for ease of data collection for this research study. This is also because the Internet access is now available extensively in the form of Wi-Fi access in coffee-shop/bookstore/restaurants where people tend to use the wireless Internet access on their smart-phones, iPads, tablets or laptops.

Hence it is possible that if coffee-shops/bookstores/restaurants cannot provide suitable protection to their guests’ Internet connections on their Mobile Technologies from such sophisticated attacks, then those guests may not perceive the security of their Mobile Technologies to be effective. In this context a Google/IPSOS OTX MediaCT (2011) study on smart-phone users found that 93% users use the smart-phone in home, 73% use them in restaurants, 72% use them at work and 54% use them in Café and Coffee-Shops. 81% users used smart-phones to browse the Internet and 77% used it to search information using search engine on the Internet. Hence Internet related use was found to be the largest percentage use by users of smart-phones. 43% users were willing to give up beer and 36% were willing to give up chocolate and 34% were willing to give up super-bowl tickets in exchange for using the Internet on the Smartphone. The smart-phone is slated to replace the wallet in the near future as has been demonstrated by use of Google wallet and is also slated to be used as the payment option in place of credit cards with terminals for this already in use in area of New York (CNN, 2012). Hence secure storage and transmission of



confidential data like credit card numbers via the applications like ‘Square’ will become of increasing importance in future. The very fact that valuation of the Square, Inc manufacturing the ‘Square’ device for credit card transactions in smart-phone was to the tune of one billions of dollars in June 2011 shows the importance which the industry attaches to this data storage feature in smart-phones. Starbucks announced that it will start using Square to enable customer pay with credit or debit cards using their smart-phones. However the Merchant User Agreement for a Square account at present prohibits its use in twenty nine different areas, like “buyers or membership clubs, credit counseling or repair agencies” etc. (Square, Inc., 2013). This could be due to possible security concerns about transmission of confidential credit card data for these areas in particular, among other factors, from the Square device via the Internet connection on the smart-phones. Hence the security effectiveness of such smart-phones using Wi-Fi Internet public networks and NFC (near field communication) for communication of financial data will be of high concern in the minds of customers (CNN, 2012).

In a recent webinar by Z-Scalar it was revealed that applications like CNN downloaded and installed on the mobile phones were found to have been revealing the user id of users of those phones to hackers over the Internet (Hazarika, 2013). According to InfoSecurity-magazine (2013) the potential targets of cybercrime are “rooted or jailbroken devices (57% have no policy), compromised Wi-Fi hotspots (47%). According to the latest malware report published by NQ Mobile, “mobile malware increased by 163% in 2012 – but infections rose by 200% to an estimated 32.8%.” Clooke (2013) reported that there is an unpatched vulnerability in the Mobile Technologies like BlackBerry, Android, iPhone and some windows devices which makes millions of mobile Wi-Fi users at risk from hackers”. Mobile Technologies with Wi-Fi capability activated in them have a Preferred Networks List or PNL. This list contains the names of any public Wi-Fi hotspots, or any other Wi-Fi connection set up previously in that smartphone. The smartphone tries to access the networks on the PNL initially when its Wi-Fi capability is switched on, since it announces the networks which it is seeking to join. When the smartphone is joined to a public Wi-Fi, then by using stealth listening software the potential hackers can use this vulnerability to obtain the PNL. They create a spurious Wi-Fi network with same particulars as on the PNL of the smartphone including concealed service set identifier (SSID). Then the smartphone naturally gets connected to the spurious Wi-Fi connection setup by the hacker, as it sends out the SSID of the networks contained in its PNL that matches the concealed SSID of the fake Wi-Fi. Then the smartphone divulges all confidential data like credit card numbers and passwords to the hacker, while it sends such data through the fake Wi-Fi connection. This vulnerability is unpatched in the various smartphone operating systems like Apple iOS versions 1 to 6 (if networks are added manually to the PNL by users), Android 2, 3 and 4 and BlackBerry 7. It was fixed by Microsoft recently in smartphones using its windows operating system (Clooke 2013). Cannon (2011, p. 467) stated that “mobile broadband (802.16 or WiMax) using cellular based networks that allow roaming the internet (Wi-Fi), does so without any real data security. Though WiMax is becoming increasingly popular because of its low-cost availability in metropolitan areas, WiMax should always be considered insecure network”. Hornat (2002) documented an issue called the “Wap Gap” in security of Wireless Application Protocol which is used by wireless mobile devices like cell phones to connect to the Internet using a common method. (Hornat, 2002). Wireless Transport Layer Security (WTLS) used in WAP versions prior to 2.0, sent the transmission from Wireless device to WAP gateway in encrypted format, where it is decrypted and then re-encrypted for use with Transport Layer Security/Secure Socket Layer (TSL/SSL). Hence WAP gateway using versions prior to WAP 2.0 was not considered secure as an attacker could hack into the wireless gateway and obtain all decrypted information present in clear text on the gateway. This would make the user of the cell phone believe that the communications sent via that devise to the internet were not secure. Though this issue does not exist in WAP 2.0 as WTLA has been replaced by TLS, yet the implementation of WAP 2.0 could take much time due to big difference in WAP technologies (Hornat, 2002).



Thus the ever increasing use of mobile technologies like Mobile Technologies in the Wi-Fi based Internet connections on them for various types of uses has led to the prevalence of increasing security problems. This study will investigate the effect such issues may have on the use of mobile technologies such as Mobile Technologies when used for making Wi-Fi based Internet connections. Hence the Smartphone type of IT mobile system when used in Wi-Fi type public network Internet connections in coffee-shops, bookstores and restaurants were selected as the context of this study. The coffee-shops, bookstores and restaurants in the continental United States of America, are identified as the locations for this study since these places are known to offer Wi-Fi based public network connections that are often not secure. This would also enable the testing of the generalizability of the results found by Tao (2009) in another setting (Trochim, 2006). However in IS research the emphasis is now on validating the results of context specific study from one context by comparing with results obtained by conducting the same study in another context (Hong, Chan, Thong, Chasalow and Dhillon, 2013). Hence another possible context of this study could be the secured Wi-Fi networks used in mobile technologies by graduate and undergraduate students in universities in the continental USA. Based on the above the research questions for this research study are:

Main Research QuestionThese are dependent on the context (Hong et al., 2013). Hence for the contexts of both insecure public Wi-Fi networks and secured Wi-Fi networks the main research question is:

Does the System Security Quality of IT Systems such as mobile technologies, affect their users’ intention to use those mobile technologies?

Original contribution potential of this research studyThis research proposal meets the criterion for being termed as ‘original’ as it will test whether some of the results obtained in previous research studies by Delone and McLean (1992, 2003), Tao (2009), D. Utin, M. Utin and J. Utin (2008), Udo, Bagchi and Kirs (2010), Venkatesh, Morris, G. Davis and F. Davis (2003) and Liang and Xue (2009) are also valid for the relatively new research area of IT Security (Estelle & Pugh, 1987). To this degree this research will fit with the existing body of knowledge as it will draw from these various seminal and other latest published works in IS success, Security, individual attitude and behavior to create a new research model of System Security Quality of IT Systems. Theoretically this study will uniquely contribute to knowledge by including Security Effectiveness as an additional aspect of System Quality in the IS success model of DeLone & McLean (2003) instead of a metric of only Information Quality. This research study will also make an original and unique contribution to knowledge in extending in a small albeit important way the Technology Threat Avoidance model (Liang and Xue, 2009) by researching the impact of security effectiveness of specific types of IT Systems on their users’ intentions to use those IT Systems and in turn on their actual use of those specific IT Systems. While doing so this study will also extend in an important way the IS Success Model (DeLone and McLean, 1992, 2003) and the Technology Acceptance Model (Davis, 1989). This contribution will be unique because as Dhillon and Backhouse (2001) concluded evaluation studies about information systems security that made use of the socio-organizational perspective are yet in theory-building stage. Hence this research will fulfill an identified need for empirical research using socio-organizational perspective to “develop key principles for preventing negative events and therefore to help in the management of security” (Dhillon and Backhouse, 2001). Warfield (2011) reported “a lack of awareness and knowledge about IT security effectiveness construct variables and their correlations” (Warfield, 2011). Hence this research study will add to the body of IT security effectiveness



by filling this gap and identifying the underlying variables for this important construct in the field of IT security.

Another original contribution potential of this research study is the synthesizing of constructs taken from the many diverse relevant theories of IT security and IS success under a single research model. Theories like Unified Theory of Acceptance and Use of Technology, Technology Acceptance Theory, Technology Threat Avoidance Theory, Technology Acceptance Model, Theory of Planned Behavior, Self-Efficacy in Information Security, Protection Motivation Theory and ‘IS’ Success model have been used to formulate a single unique integrated research model which has already been deemed as being ‘interesting’ in a feedback by a senior academic in the field of MIS in a university in the USA.

This research will also contribute to the existing body of knowledge about IT Security use related behavior by testing out the results already obtained by prior research studies, by attempting to verify them in another place, time and amongst another set of people (Trochim, 2006) in order to test their generalizability.

Literature ReviewChin Felt Sekar & Wagner (2012) conducted qualitative interviews and quantitative surveys of 60 smartphone users whom they sampled from advertisements they placed in Craigslist. One of the variables in their study was “People’s relative level of concern about security and privacy on their phone vs. their laptop” Chin et al. (2012). They found that users were more worried about their confidentiality on their phone rather than on their laptop, even though they were less inclined to do banking transactions involving money and shopping transactions involving their personal information like their social security number or personal health record, from their phones. Chin et al. (2012) attributed this to an augmentation of users’ propensity to do some tasks on their phones, which involved their privacy data like photo sharing, text messaging and location. One of the reasons for this was the users’ “perception of the security and privacy properties of the phones, and some prevalent misconceptions about the security of their network connections on their phones” (Chin et al., 2012). While users downloaded more applications on their phones it was found that they did not give attention to the “applications’ terms of service and policy agreements”. Chin et al (2012) recommended an additional observational study to compensate for the pleasing bias or underreporting issues with self-reported data collected by them.

Boss, Kirsch, Angermeier, Shingler, & Boss, (2009) used 7 point Likert scale to study impact of Mandatoriness on individual Precaution Taking Behavior. They found that “mandatoriness and its antecedents significantly impact individual precaution taking behaviors. The significance of CSE (Computer Self Efficacy), in turn, may indicate that precaution taking is also a function of individual comfort with computers and individual’s confidence in their own ability to utilize the computer to accomplish tasks” (Boss et al., 2009). Boss et al. (2009) also recommended that future research should investigate the relationship between Information Security and Computer Self Efficacy.

Malhotra, Kim and Agarwal (2004) did a study on impact of Internet Users’ Information Privacy Concerns (IUIPC) on the type of Information and Behavioral intention to reveal personal information. Other variables in their study were Risk Beliefs, Collection, Control, Awareness and Trusting Beliefs, Global Information Privacy concern, Improper Access and Unauthorized Secondary Use and Errors. They performed Exploratory Factor Analysis and Confirmatory Factor Analysis on Data collected. They found that Trusting Beliefs significantly and positively and influenced Behavioral intention (p<0.001). Risk Beliefs significantly but negatively influenced Behavioral intention (p<0.001). Level of sensitivity



of information requested had a significantly negative effect on Trusting Beliefs and Behavioral Intention (p<0.01) but a significantly positive effect on Risk Beliefs (p<0.001). IUIPC had a significant negative effect on trusting beliefs and a significant positive effect on risk beliefs (p<0.001). Trusting beliefs had a negative effect on risk beliefs (p<0.01). Malhotra et al., 2004 stated that “behavioral intention is known reliable predictor of actual behavior by a longitudinal study”. This study will test the generalizability of this conclusion in another setting (Trochim, 2006) in the realm of IT security effectiveness.

Karlson, Meyers, Jacobs, Johns and Kane (2009) researched mobile phone and PC usage patterns. Web usage on the phone was found to be only at 9.4% (Karlson et al., 2009). However, currently web usage on mobile phones is very high in the US as is evidenced by Google/IPSOS OTX MediaCT (2011) study on smart-phone users. The Google study found that 81% users used smart-phones to browse the Internet and 77% used it to search information using search engine on the Internet. Hence this research study will attempt to investigate the security implication of this apparent contradiction in volume of web usage by users of phone, as the greater use of phones in unsecured public Internet or Wi-Fi can make it more prone to attacks like malware.

Kankanhalli, Teo, Tan and Wei (2003) investigated the effectiveness of an information system, the overall deterrent effect, the overall prevention effect, and the effect on assets. Kankanhalli et al. (2003) used a seven point Likert scale to collect data using the survey research method. The results of this study indicated that “Greater deterrent efforts (in the form of man-hours expended on IS security purposes) and greater preventive efforts (in the form of more advanced IS security software) appear to contribute to better IS security effectiveness” (Kankanhalli et al., 2003). For the future Kankanhalli et al. (2003) recommended that wider range of deterrent and preventive measures should be used in a wider sample of organizations to replicate these results. This research study will address this research gap by including same and additional deterrent and preventive effort factors and a different sample of organizations in the form of bookstores/coffee-shops/restaurants to test the findings of Kankanhalli et al. (2003).

Straub (1990) surveyed employees in multiple organizations and concluded that “Deterrence measures such as policies and guidelines about appropriate system use and penalties are effective at improving security.” Hence this research will test out this result to determine its generalizability in another setting or place (Trochim, 2006).

Lederer et al. (2000) found that when web usage was measured by the 1–7 frequency scale, the impact of usefulness and ease of use was significant (p<0.001). However usefulness (p<0.01) had a stronger effect than ease of use (p<0.05). This study will test out that when IT security effectiveness is considered as an additional measure of usefulness of System Security Quality based on the Delone and McLean (2003) IS Success model, does this translate into greater usage for those IT Systems?

Conceptual Framework and Theory DevelopmentThis section of the literature review presents a brief description of the relevant theories for this research. The framework of constructs and theoretical development of the various hypotheses for this research study is based on following theories: Theory of Reasoned Action (Fishbein and Ajzen, 1975), Technology Acceptance Model (TAM) (Davis, 1989), The Unified Theory of Acceptance and Use of Technology (UTAUT) (Venkatesh, Morris, Davis, & Davis, 2003), the IS Success Model (DeLone & McLean, 1992, 2003), Technology Threat Avoidance Theory (Liang and Xue, 2009), Social Cognitive Theory (Bandura, 1986) and Protection Motivation Theory (Rogers 1975). This conceptual framework also uses Extension of Technology Acceptance Model by Fang et al. (2006).



Theory of Reasoned Action (TRA)According to the Theory of Reasoned Action ((Fishbein and Ajzen, 1975) the attitude towards behavior and subjective norms are predictors of intentions for behavior which in turn is a predictor of behavior. One of the core concepts of Theory of Reasoned Action is “Attitude towards behavior” (Venkatesh et al., 2003). Fishbein and Ajzen (1975) defined it as “an individual’s positive or negative feelings (evaluative effect) about performing the target behavior” (as cited in Venkatesh et al., 2003, p. 428). This theory is relevant to this research study as it would be used in establishing the hypothesis for the relationships between Subjective Norm as the predictor of Users’ Behavioral Intentions to use IT Systems. According to Udo et al. (2010) “Ajzen (1985) extended TRA as the theory of planned behavior (TPB)” with “the addition of one major predictor, perceived behavioral control, to the model. This addition was made to account for times when people have the intention of carrying out a behavior, but the actual behavior is thwarted because they lack confidence or control over behavior” (Miller, 2005, p. 127 as cited in Udo et al., 2010). Ramayah, Rouibah, Gopi, and Rangel (2009) have clarified that “Perceived behavioral control refers to the perception of internal and external resource constraints on performing the behavior”.

Technology Acceptance Model (TAM)TAM stated that users’ adoption or use of an information system can be explained by the users’ intention to use the system, which in turn can be predicted by the users’ attitudinal beliefs (or perceptions) about the using the system and the perceived usefulness of the system (Davis, 1989). The predictors of attitude about using the system are both perceived usefulness and perceived ease of use whose predictors are external factors. This model is relevant to this research study as it helps in identifying predictors of both usage and behavioral intention to use an information system and helps identify predictor of the that users’ adoption or use of an information system.

Extension of Technology Acceptance Model (ETAM)Extension of the Technology Acceptance Model by Fang et al. (2006) postulates that user intention to transact is influenced by perceived usefulness and perceived security” (Fang et al. 2006). This theory is relevant for this research study because it enables treating ‘Users’ perceptions about effectiveness of the security’ to be equivalent to ‘perceived security’ and thus forms the basis of a hypothesis for between the constructs Perceived Security Effectiveness and Behavioral Intention to Use.

Unified Theory of Acceptance and Use of Technology (UTAUT)The UTAUT aims to explain user intentions to use an IS and subsequent usage behavior. The theory holds that three out of four key constructs (performance expectancy, effort expectancy, social influence) are direct determinants of usage intention and one construct (and facilitating conditions) is direct determinant of usage behavior (Venkatesh et. al., 2003). Gender, age, experience, and voluntariness of use are mediators of the impact of the relationship of some or all of these four key constructs on usage intention and behavior (Venkatesh et. al., 2003). The theory was developed through a review and consolidation of the constructs of eight models that earlier research had employed to explain IS usage behavior (theory of reasoned action, technology acceptance model, motivational model, theory of planned behavior, a combined theory of planned behavior/technology acceptance model, model of PC utilization, innovation diffusion theory, and social cognitive theory). Subsequent validation of UTAUT in a longitudinal study found it to account for 70% of the



variance in usage intention (Venkatesh et. al., 2003).” (York University, n.d.). This theory is pertinent to this research study as it enables identification of pertinent factors in security realm that predict the construct Behavioral Intention to Use in addition to already identified factors in this theory.

IS Success ModelThe updated Information Systems (IS) Success Model (Delone and McLean, 2003) is “a framework and model for measuring the complex-dependent variable in IS research” (Delone and McLean, 2003). There are six interrelated constructs of IS success in the updated model. These are information quality, system quality and service quality, intention to use/use, user satisfaction, and net benefits. “A system can be evaluated in terms of information, system, and service quality; these characteristics affect the subsequent use or intention to use and user satisfaction. As a result of using the system, certain benefits will be achieved. The net benefits will (positively or negatively) influence user satisfaction and the further use of the information system” (Müller and Urbach, 2011). The updated IS Success model propounded by Delone and McLean (2003) used Information Quality, System Quality and Service Quality as the independent variables that affected the subsequent use or intention to use and user satisfaction of any individual user with that information system. Delone and Mclean (2003) stated that “To measure the success of a single system, “information quality” or “system quality” may be the most important quality component. Further they stated:

“System quality,” in the Internet environment, measures the desired characteristicsof an e-commerce system. Usability, availability, reliability, adaptability, andresponse time (e.g., download time) are examples of qualities that are valued byusers of an e-commerce system.

“Information quality” captures the e-commerce content issue. Web content shouldbe personalized, complete, relevant, easy to understand, and secure if we expectprospective buyers or suppliers to initiate transactions via the Internet and returnto our site on a regular basis.

Since none of the studies listed by ISWORLD (2005) were found to be using Security Effectiveness as a measure of System Quality hence this research study plans to use Security Effectiveness of the IT Systems as an important additional measure of System Security Quality because the more secure an IT system would be, the better may be deemed to be its security quality. This is different from Delone and McLean (2003) who have used security as a metric for Information Quality. Thus this research study intends to update or modify Delone and McLean (2003) IS Success Model. Whereas Delone and McLean (2003) IS Success Model refers to how the net benefits can impact the further use of the information systems, this research study will attempt to further analyze whether the benefits of high security quality of IT systems will result in more usage of such IT systems like mobile Technologies. Hence Delone and McLean (2003) IS Success Model is relevant for this research.

Technology Threat Avoidance Theory (TTAT) The technology threat avoidance theory (TTAT) (Liang and Xue, 2009), explains individual IT users' behavior of avoiding the threat of malicious information technologies. It articulates that avoidance and adoption are two qualitatively different phenomena and contend that technology acceptance theories provide a valuable, but incomplete, understanding of users' IT threat avoidance behavior. Drawing from cybernetic theory and coping theory, TTAT delineates the avoidance behavior as a dynamic positive feedback loop in which users go through two cognitive processes, threat appraisal and coping appraisal,



to decide how to cope with IT threats. In the threat appraisal, users will perceive an IT threat if they believe that they are susceptible to malicious IT and that the negative consequences are severe. The threat perception leads to coping appraisal, in which users assess the degree to which the IT threat can be avoided by taking safeguarding measures based on perceived effectiveness and costs of the safeguarding measure and self-efficacy of taking the safeguarding measure. TTAT posits that users are motivated to avoid malicious IT when they perceive a threat and believe that the threat is avoidable by taking safeguarding measures; if users believe that the threat cannot be fully avoided by taking safeguarding measures, they would engage in emotion-focused coping. TTAT is relevant for this research as it helps to derive the hypothesis about relationship between the constructs Actual security effectiveness of IT Systems and Users’ perceptions about security effectiveness of those IT Systems.

Social Cognitive TheoryIn Social Cognitive Theory (Bandura, 1986) “people are viewed as self-organizing, proactive, self-reflecting and self-regulating rather than as reactive organisms shaped and shepherded by environmental forces or driven by concealed inner impulses. From this theoretical perspective, human functioning is viewed as the product of a dynamic interplay of personal, behavioral, and environmental influences” (Pajares, 2002). One of the central concepts of Social Cognitive Theory is Self-Efficacy.

Bandura's (1997) key contentions as regards the role of self-efficacy beliefs in human functioning is that "people's level of motivation, affective states, and actions are based more on what they believe than on what is objectively true" (p. 2). For this reason, how people behave can often be better predicted by the beliefs they hold about their capabilities than by what they are actually capable of accomplishing, for these self-efficacy perceptions help determine what individuals do with the knowledge and skills they have. This helps explain why people's behaviors are sometimes disjoined from their actual capabilities and why their behavior may differ widely even when they have similar knowledge and skills. Pajares (2002)

Rhee et al. (2009) used the Social Cognitive Theory to models and tests relationships among self-efficacy in information security, security practice behavior and motivation to strengthen security efforts. Thus this theory is relevant for this research study as it will help to establish the hypothesis between the constructs self-efficacy about the IT Systems security and behavioral intentions to use such IT Systems.

Protection Motivation Theory (PMT)"Protection Motivation Theory (Rogers, 1975; 1983) is partially based on the work of Lazarus (1966) and Leventhal (1970)" (University of Twente, 2013). It states the different ways of coping with threat to health resulting from two appraisal methods. The appraisal of the health threat and the appraisal of the coping responses produces the intention to perform either adaptive responses which are akin to protection motivation or may lead to maladaptive responses. An individual can be placed at health risk as a result of maladaptive responses. According to the Protection Motivation Theory the intention to protect oneself depends upon four factors namely the perception of the severity of threat event, the perception about the probability of the threat happening or the individual's vulnerability to it, the effectiveness of the behavior recommended to prevent the threat (also called perceived response efficacy) and the confidence level in the person's ability to undertake the recommended preventive behavior (also called perceived self-efficacy). This theory is pertinent to this research study as it posits that that moderate to high levels of response efficacy are associated with positive inclinations of threat mitigation whereby a



recommended response is enacted. Hence it helps establish the hypothesis between the constructs users’ response-efficacy about the IT Systems security and users’ behavioral intentions to use such IT Systems.

Constructs for this research

Systems Security Quality of IT SystemsThe definition of Software quality by IEEE states that "Quality is the Degree to which the Software Meets User's Needs" (Anonymous, 2003). Hence System Quality is the degree to which the System meets its user's needs. Since a System is comprised of Sub-systems or processes, hence an IT System like mobile technology also has Sub-Systems such as various technologies like the operating system, the software, the hardware components. Hence the quality of the security functions (if any) of these sub-systems will be the parameters used to improve the overall Security functionality of the mobile technologies. This is supported by the functionality aspect of a product or system in which security is shown as a sub-characteristic derived from the quality aspect of that functionality (Retna, Vargheese, Susaya and Joseph, 2010). One of the independent variables in the conceptual model of Gable, Sedera and Chan (2008) is Quality (impacts anticipated). System quality was perceived by Gable, Sedera and Chan (2008) as being one part of IT Artifact, the other being Information Quality. System quality in Delone and McLean's IS Success model is mapped to the IS-Net by Gable, Sedera and Chan (2008) as part of IT-Artifact, which is shown as a formative construct impacted by Capabilities and Practices of the IT function.

Delone and McLean (1992) characterize system quality as desired characteristics of the information system itself such as its ease-of-use, functionality, reliability, flexibility, data quality, portability, integration and importance. Serpanos and Wolf (2011) who have discussed the Quality of Service and security for network systems and stated that “availability of access to network resources is an important consideration that cannot be addressed by cryptographic protocols. To mitigate the impact of denial-of-service attacks, additional functionality in network systems is necessary”. Since mobile technologies access networks like Wi-Fi based Internet hence for this research study the System Security Quality of IT Systems such as mobile technologies is defined as the desired security characteristics of those mobile technologies in terms of prevention (encryption, security transmission, protection from infection) and deterrence. Thus the desired security characteristics of mobile technologies are the security functionality features required from these technologies and the 'Functionality' attribute is included in Delone and McLean's Definition of System Quality.

Schneider (2012) has stated that a complete approach to mobile security involves five different security features comprising the back-end, the application, out-of band authentication, the mobile operating system and the hardware itself, which could include security layers in addition to that offered by the mobile operating system. Hence the System Security Quality of IT Systems can also be defined as the extent to which an IT system like the mobile technology is seen to be able to accomplish the security objectives of these five different security features. This is because preventive efforts on are the ones that prevent or thwart a security attack from happening. Examples of these are installed advanced security tools like as authentication devices and firewalls (Schuessler, 2009). Similarly advanced software tools like anti-virus, anti-malware and anti-spyware software, encryption software and use of virtual private networks are some of the preventive efforts that help in stopping attacks on ‘IT Systems’ from the public networks like the Wi-Fi. Hagen and Spilling (2009) reported that security policy was included as deterrent measure by Wiant (2005). Straub Jr. (1990) also included the presence of IS security policy for system use as a deterrent against computer Abuse. Thus System Security Quality of mobile



technologies can be stated in terms of their prevention capabilities (encryption, security transmission, protection from infection) against security attacks and in terms of their deterrence capabilities against abuse of mobile technologies by any malicious users using such technologies. It is envisaged that this will be a 2nd order construct in this research. Hence the better the System Security Quality of the mobile technologies the more will they be useful to the users in keeping their confidential information transmitted via it or stored in it to be secure.

Behavioral Intention to Use IT SystemsDunkerley and Tejay (2011) define User Intention as “The intentions of the users toward protective measures of an information system”. An individual’s motivation or intention to use a system has been explained with the help of many theories like the Theory of Reasoned Action (Fishbein & Ajzen, 1975). From information systems perspective, other relevant theories for this research include the Technology Acceptance Model (TAM) (Davis, 1989), the Unified Theory of Acceptance and Use of Technology (UTAUT) (Venkatesh, Morris, Davis, & Davis, 2003), the IS Success Model (DeLone & McLean, 1992, 2003). Consistent with Theory of Reasoned Action (TRA), TAM assumes that attitudes about a system (operationalized as ‘perceived usefulness’ and ‘perceived ease of use’), will impact the motivation (intention) to use a system, which in turn leads to actual usage. The TAM has been used and modified by several studies and has been proven to be a reliable predictor of a person’s acceptance of information technology (Gefen, Karahanna and Straub, 2003; King and He, 2006; Wang, 2002). In their study Udo et al. (2010) have stated “UTAUT consistent with TAM also assumes that user intentions to use an information system lead to subsequent usage behavior”. Trkman and Trkman (2009) have stated “in order to be able to study Web 2.0 systems the construct ‘intention to use’/‘use’ should be separated into two inter-connected constructs.” Hence this study is going to treat ‘Actual use of the IT Systems by the users’ and ‘Users’ behavioral intentions to use IT system’ as two separate but related constructs with the latter possibly affecting the former.

Users’ Perceptions about System Security Quality of IT SystemsUsers’ perceptions comprise their perceptions about perceived usefulness and perceived ease of use with the information system (Davis, 1989). “A system high in perceived usefulness, is one for which a user believes in the existence of a positive use-performance relationship, whereas an application perceived to be easier to use will more likely be used by users” (Davis, 1989). Hence an individual user’s positive or negative feelings about the usefulness of security of the IT system and the ease of use experienced in configuring the various security parameters may affect his or her behavioral intentions to use such IT Systems. Madnick (2006) stated that “Perception is Reality and Behavior is based on your perceptions”. Since an individual’s positive or negative feelings reflect those users’ perceptions based on usefulness and ease of use of the system, hence users’ perceptions about IT security effectiveness may influence those users’ intentions to use the respective IT Systems.

Another factor that may also impact users’ perceptions about IT security effectiveness is users’ knowledge of any industry specific regulation for data security and privacy. As there is no such regulation presently for the hospitality industry hence it is a moot point whether knowledge about such regulation would strengthen users’ perceptions about security effectiveness of IT Systems in hotels, motels, resorts, restaurants and book-stores, coffee-shops in hospitality industry, just like SOX, GLBA do in financial sector and best practice frameworks of the IT Governance Institute (ITGI) and The Control Objectives for Information and related Technology (COBIT) do in other IT sectors. A facet of IT Security Management’s maturity in hospitality industry is whether hotels, motels, resorts, restaurants and book-stores, coffee-shops provide knowledge about relevant legal and



regulatory/compliance aspects of their industry to staff and users of Mobile Technologies who use their Wi-Fi in various sectors of hospitality industry. Also whether they provide general information about these aspects if published in their brochures and web sites to potential and actual guests could impact these users’ perceptions about the effectiveness of security of IT system like the Mobile Technologies when used in public networks like the Wi-Fi.

In case of IT Systems the safeguarding measure users may take is to avail of the security features of the IT system to avoid the threats they perceive from it, by using that IT system. A study showing implications for hotel industry of international comparison of approaches to online privacy protection(O’Connor, 2006) found that “two diametrically opposed philosophies to privacy protection exist - the self regulation approach epitomized by the United States, or the legislative approach mandated by the European Union which is now the de-facto standard adopted worldwide”. Hence if coffee-shops/bookstores/restaurants allow unsecured Internet access to their employees then the employees can be held liable for any breach that may happen on unsecured networks due to tenet of self regulation in the US. This in turn could negatively affect such users’ perception about the security effectiveness of IT Systems using insecure Wi-Fi based Internet and may decrease the usage of such IT Systems by employees in these places. Same type of scenario may be applicable to guests of coffee-shop/bookstore/restaurant if they use insecure Wi-Fi based Internet access available in these places on their respective Mobile technologies.

A paradox in IT security is that with all the awareness, tools and strategies for securing Information Systems (IS) available, the incidents of malware infection and data breaches for users’ in organizations continue to be on the rise (Ponemon Institute, 2010). The study also found that applications based on the web and those created by third-party were most attacked by malware (Ponemon Institute, 2010). Hence such malware attacks experiences could have negatively impacted individual user’s perceptions regarding effectiveness of the security of the web based IT Systems they use in organizations. This is based on a new theory called Technology Threat Avoidance theory (TTAT) “which explains individual IT users’ behavior of avoiding the threat of malicious information technologies” (Liang and Xue, 2009). In this Liang and Xue (2009) explained that in TTAT the way users perceive threats is a function of “perceived probability of the threat’s occurrence and the perceived severity of the threat’s negative consequences.” According to Liang and Xue (2009) whether a safeguarding measure can make a threat avoidable is evaluated by individual users by on the basis of three factors, namely the effectiveness of the measure, the costs of the measure, and users’ self-efficacy of taking the measure. Since IT Systems capability to avoid the security threats is determined by their security features, hence the effectiveness of security of the IT Systems could have an impact on their users' perceptions about the effectiveness of those IT systems. To test this the following hypothesis is proposed.

Research Hypothesis 1 (H1) System security quality of IT Systems (SSQ) will positively affect their users’ perceptions about the systems security quality of those IT Systems (UPSSQ)

Based on extension of Technology Acceptance Model, Fang et al. (2006) found that “user intention to transact is influenced by perceived usefulness and perceived security. A survey was conducted to collect data about user perception of 12 tasks that could be performed on wireless handheld devices and user intention to use wireless technology. Multiple regression analyses supported the proposed research model.” Assuming ‘Users’ perceptions about effectiveness of the security’ to be equivalent to ‘perceived security’, the following hypothesis is derived based on the extension of the Technology Acceptance Model (Fang et al., 2006).



Research Hypothesis 2 (H2)Users’ perceptions about the system security quality of IT Systems (UPSSQ) will

positively affect their behavioral intentions to use such IT Systems (UBIU).

As the prevention and deterrence constructs are also the indicator variables for the variable ‘Actual Security Effectiveness’ of IT Systems, hence this will be used as an additional important aspect for System Security Quality of IT Systems construct in this research. Hence as this research study plans to use Actual Security Effectiveness of the IT Systems as an additional important aspect of System Security Quality in the updated IS Success Model of Delone and McLean (2003), in turn this could positively impact the users’ intention to use that IT system based on the Technology Acceptance Model (Davis, 1989) as higher System Security Quality of the IT System will get reflected as higher perceived usefulness of that system. Based on this the following hypothesis is derived for testing:

Research Hypothesis 3 (H3) Systems security quality of IT systems (SSQ) will positively affect their users’ behavioral intentions to use those IT systems (UBIU).

Users’ Self-Efficacy

Information systems research studies generally refer to the concept as ‘self-efficacy’ as the judgment of an individual’s ability to use a computer technology (Compeau, Higgins & Huff, 1999). Torkzadeh, Chang and Demirhan (2006) define self-efficacy as “Self-efficacy is a dynamic construct that changes as new information and experiences are acquired”. Torkzadeh et al. (2006) introduced the term Internet self-efficacy in addition to computer self-efficacy. Computer self-efficacy is defined as the belief that an individual has in his/her abilities to use computer (Torkzadeh et al., 2006). By extension Internet self-efficacy could be defined as the belief that an individual has in his/her abilities to use the Internet. This belief could then affect that user’s intentions to use the Internet.

Rhee, Kim and Ryu (2009) have defined self-efficacy in information security (SEIS) as “a belief in one’s capability to protect information and information systems from unauthorized disclosure, modification, loss, destruction, and lack of availability.” This research will focus on the self-efficacy in information security (SEIS) as the relevant construct. The importance of self-efficiency in computing domain has been shown in many past studies repeatedly (Chan, Thong, Venkatesh, Brown, Hu and Tam, 2010). Agarwal et al. (2000) found that computer use and its early adoption were affected by self-efficacy. According to Brown et al. (2002) a key driver of intention to use a technology is the users’ ability to use that technology. Self-efficacy reinforces users’ self-confidence about their capability to use that technology (Brown et al., 2002). The results of study by Yangil and Chen (2007) for adoption of smartphones “indicate that behavioral intention to use was largely influenced by perceived usefulness (PU) and attitude toward using smartphone”. Hence Users’ Behavioral Intentions to use IT Systems like Mobile technologies could be influenced by their Self-Efficacy about security of such IT Systems.

Rhee et al. (2009) found that SEIS demonstrated a significant positive relationship with intention to strengthen security effort. Users with higher SEIS were more likely to exert high levels of effort to enhance information security (p < .001). In another study Bulgurcu, Cavusoglu and Benbasat (2010) found that users’ self –efficacy was more strongly related their behavioral intentions. Extant literature has also points to users’ self–efficacy bring more strongly and positively related to their behavioral intentions. However in a somewhat



contrast Anderson & Agarwal (2010) concluded that Security behavior self-efficacy is positively related to attitude toward security-related behavior and this in turn was positively related to behavioral intentions to protect the Internet. Security technologies adopted by individuals include anti-virus, anti-spyware, and pop-up blocking functions and ‘security risk management behavior’ includes security compliance actions like using strong and complex passwords while using the Internet and computer (Crossler and Belanger, 2009). Hence this study will test whether the above stated findings of Bulgurcu, Cavusoglu and Benbasat (2010) are valid for the effect of users’ Self-Efficacy in Information Security on their behavioral intentions to use such IT Systems and hence whether SEIS could impact individual users’ intentions to use these security technologies for IT Systems.According to Liang and Xue (2010) "self-efficacy (is) defined as users’ confidence in taking the safeguarding measure". They identified three factors to be considered by users in evaluating threat avoidance by applying relevant strategies. These factors, included in TTAT, are effectiveness, costs and user self-efficacy in applying these strategies. According to Liang and Xue (2010) the preventive strategies in IT security context are IT behaviors like anti-virus software installation, turning off of the cookies and editing of the computer registry files. They also found from prior research that as the level of users’ self-efficacy increased, the more they became inspired to perform such IT security behaviors. For the purpose of empirical testing, Liang and Xue (2010) selected spyware as the malicious IT and antispyware software as the appropriate preventative IT technology. IT security uses various technologies like encryption for safeguarding of information in smart-phones and antispyware for removing any spyware or malware that may get downloaded via the insecure Wi-Fi use by users of smart-phones. This is because the insecure yet free Wi-Fi is an alternative way for smart-phone users to connect to the Internet, in comparison to the secure yet paid 3G/4G connections offered by the vendors. Hence, this research study will test whether users’ “beliefs about their abilities” to use these security features will also positively affect users’ behavioral intentions to use insecure Wi-Fi in smart-phones. This research study will also focus on selected spyware as the one of the malicious IT threats and antispyware software as the countering measure for insecure Wi-Fi use in smart-phones, to test out the results of Liang and Xue (2010). This research study would also attempt to test the generalizability of results obtained by Liang and Xue (2010), by using a different set of users all of whom may not necessarily be college students and in a different context of bookstores/coffee-shops/restaurants providing Wi-Fi for smart phones. In another recent study Ooi, Sim, Yew and Lin (2011) found that Self-Efficacy was found to be “significantly (p<0.01) and positively related with intention to use broadband”. Discussing these results Ooi et al. (2011) stated that various studies conducted in the last five or six years found self-efficacy impacting the broadband usage decision by users. Supporting this Ooi et al. (2011) concluded that consumers are more likely to adopt the broadband services if they have higher confidence implying higher self-efficacy with the broadband technology.

Johnston and Warkentin (2010) have stated that self-efficacy is “the degree to which an individual believes in his or her ability to enact the recommended response”. They regard self-efficacy is as a determinant of intent concerning a recommendation to address a threat. They also found that self-efficacy (p < .01) has significant positive effects on behavioral intent. Hence this research would also test whether these results found by Johnston and Warkentin (2010) are valid in the context of bookstores/coffee-shops/restaurants providing Wi-Fi for smart phones.

Research Hypothesis 4 (H4)



Users’ self-efficacy about the IT Systems security (USE) will positively affect their behavioral intentions to use such IT Systems (UBIU).

Users’ Response EfficacyJohnston and Warkentin (2010) define “response efficacy as the degree to which an individual believes the response to be effective in alleviating a threat”. According to Johnston and Warkentin (2010), users perform evaluation of the perceived effectiveness of the plausible response to nullify the identified threat. Such response efficacy process is envisaged to be a thought based process. Users’ understanding derived through their response efficacy will decide the way in which they opt to mitigate the risks from the threat. According to Protection Motivation Theory (Rogers, 1975) moderate to high levels of response efficacy are associated with positive inclinations of threat mitigation whereby a recommended response is enacted. Johnston and Warkentin (2010) concluded that response efficacy had a significant positive effect on behavioral intent (p < .01). Extending this argument to the realm of mobile security, it remains to be seen whether an end-user will consider all the capabilities of the anti-spyware software and then form an opinion whether to download, install and use anti-spyware software as a safeguard against spyware infecting his/her smart-phone through the Wi-Fi. Hence this research study proposes the following hypothesis to test out the conclusions of Johnston and Warkentin (2010) in another place, time and among other set of people (Trochim, 2006). For the purposes of this research study the construct Response Efficacy will be same as Users’ Response Efficacy.

Research Hypothesis 5 (H5)Users’ response-efficacy about the IT Systems security (URE) will positively affect their behavioral intentions to use such IT Systems.(UBIU).

Users’ Subjective normsSubjective norms are “an individual’s perceptions of the presence or absence of the requisite resources or opportunities necessary for performing behavior” Ajzen & Madden (1986) as cited in Luarn and Lin (2005). Hence subjective norms are defined as “an individual’s subjective evaluation that the performance of the behavior in question is approved or disapproved by most people who are important to him or her” Ajzen (1991); Fishbein & Ajzen (1975) as cited in Ramayah et al. (2009). Ooi et al. (2011) have stated that Subjective norm is one of the factors which comprise Behavioral Intentions in Theory of Planned Behavior, which along with Attitude and Perceived Behavioral control drive the IT usage done by users. Ooi et al. (2011) found that Primary Influences, which are akin to Subjective norms, “were found to be significantly and positively related with intention to use broadband”. This is because subjective norms are the beliefs on how users should behave regarding the usage of IT in relation to other people expectations” (Ooi et al., 2011). Hence, it is possible that Subjective Norms could also positively affect users’ behavioral intentions for using IT Systems.

Anderson and Agarwal (2010) stated that intentions to conform to security behavior in workplace are positively influenced by social norms. They concluded that “Subjective norm, or what an individual believes others think he/she should do, influences an individual’s protective behavior toward his/her own computer but not the Internet as a whole” (Anderson and Agarwal, 2010). Extending this to realm of IT system like Mobile technologies Hence this research study also proposes to test the generalizability of this conclusion in another place, time and among other set of people (Trochim, 2006),



regarding Wi-Fi use on smart-phones in coffee-shops/bookstores/restaurants by the following hypothesis:

Research Hypothesis 6 (H6)Users’ subjective norms about the IT Systems (USN) will positively affect their behavioral intentions to use those IT Systems (UBIU).

MediationAssuming ‘Users’ perceptions about effectiveness of the security’ to be equivalent to ‘perceived security’, can imply that the higher the systems security quality of IT systems the higher would be their users’ perceptions about security effectiveness of those IT systems which in turn would result in greater behavioral intentions in those users to use such IT systems (Ronen & Mikulincer, 2009). Thus users’ perceptions about the security effectiveness of IT systems could intervene or mediate (Kenny, 2014) between users' systems security quality of IT systems and their intentions to use IT systems. Hence based on Technology Threat Avoidance Theory (Liang and Xue, 2009) and the extension of the Technology Acceptance Model (Fang et al., 2006) users’ perceptions about IT Systems’ security effectiveness could be a mediating variable in the relation between effectiveness of security of IT Systems and the users’ intentions to use such IT Systems (Huigang et al., 2007). Thus the hypothesis for this possible mediation is proposed as:

Mediation Hypothesis 7 (H7)Users’ perceptions about the system security quality of IT systems (UPSSQ) mediate the

relationship between system the security quality of such IT systems (SSQ) and Users' behavioral intentions to use IT systems (UBIU).

H4+ H5 +

H3(ii)+ H2+ H1+

MV

H7

H3+


System Security Quality of IT

Systems(SSQ)

Users’ perceptions about System Security Quality of IT Systems

(UPSSQ)

(PSE)Users’ Behavioral Intentions to use IT Systems(UBIU)

Users’ Self-Efficacy about IT Systems Security (USE)

Users’ Subjective Norms towards IT Systems security (USN)

Users’ Response Efficacy about IT Systems Security (URE)


H6+

Users’ specific IT usage activities (USUA)

Control Variable (CV)

Figure 1.Conceptual Research Model. This figure shows the independent, dependent and mediating constructs for this research and the hypothesized causal relationships among them.

LEGEND:

MV: Mediating Variable

CV: Control Variable

Figure 1: Conceptual Research Model

Table 1- List of HypothesesHypothesis Statement Relevant Theory

H1System security quality of IT Systems (SSQ) will positively affect their users’ perceptions about the systems security quality of those IT Systems (UPSSQ).

Technology Threat Avoidance Theory (Liang and Xue, 2009)

H2Users’ perceptions about the system security quality of IT Systems (UPSSQ) will positively affect their behavioral intentions to use such IT Systems (UBIU).

Technology Acceptance model (Davis, 1989), IS Success Model (Delone & McLean 1992, 2003), Extension of Technology Acceptance Model (Fang et al. 2006).

H3Systems security quality of IT systems (SSQ) will positively affect their users’ behavioral intentions to use those IT systems (UBIU)

Technology Acceptance model (Davis, 1989), IS Success Model (Delone & McLean 1992, 2003)

H4Users’ self-efficacy about the IT Systems (USE) security will

Self-efficacy beliefs in information security (SEIS) (Rhee et al, 2009) based on Social cognitive theory (Bandura 1977). Technology Threat Avoidance



positively affect their behavioral intentions to use such IT Systems (UBIU).

Theory (TTAT) (Liang and Xue, 2009).

H5Users’ response-efficacy about the IT Systems security (URE) will positively affect their behavioral intentions to use IT Systems (UBIU).

Protection Motivation Theory (Rogers 1975)

H6Users’ subjective norms about the IT Systems (USN) will positively affect their behavioral intentions to use those IT Systems (UBIU).

Theory of Reasoned Action (Fishbein and Ajzen, 1975)

H7 Users’ perceptions about the system security quality of IT systems (UPSSQ) mediate the relationship between the system security quality of such IT systems (SSQ) and Users' behavioral intentions to use IT systems (UBIU).

Technology Threat Avoidance Theory (Liang and Xue, 2009), extension of the Technology Acceptance Model (Fang et al., 2006) Technology Acceptance model (Davis, 1989), IS Success Model (Delone & McLean 1992, 2003).

ReferencesAccessIT (2000). What is electronic and information technology? The National Center on

Accessible Information Technology in Education. Retrieved from https://www.washington.edu/accessit/articles?106

Agarwal, R., Sambamurthy, V., & Stair, R.M. (2000). Research Report: The Evolving Relationship between General and Specific Computer Self-Efficacy-An Empirical Assessment. Information Systems Research, 11(4), 418-430.

Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. J. Kuhl & J. Beckmann (Eds.). Berlin: Springer.

Aladwani, A. M. & Palvia, P.C. (2002). Developing and validating an instrument for measuring user-perceived web quality. Information & Management, 39, 467–476

Anderson, H. (2013). Study: Cybercrime Costs Grow 26%-Ponemon Report Sorts Through Key Factors. Data Breach Today. Retrieved from http://www.databreachtoday.com/blogs/study-cybercrime-costs-grow-26-p1562?rf=2013-10-10 edbt&elq=685d805204e34086a62b3a1de8abc549&elqCampaignId=8036


https://www.washington.edu/accessit/articles?106


Anderson, C. L., & Agarwal, R. (2010). Practicing Safe Computing: A Multimethod Empirical Examination of Home Computer User Security Behavioral Intentions. MIS Quarterly, 34(3), 613-643.

Anonymous (2003). IEEE Definition of Software Quality. Retrieved from faculty.winthrop.edu/dannellys/csci626/02_Definition.ppt

April, G.D., & Pather, S. (2008). Evaluating Service Quality Dimensions within e-Commerce SMEs. The Electronic Journal Information Systems Evaluation, 1(3), 109 – 124.

Armin, J. (2013). Mobile Threats and the Underground Marketplace. APWG White Paper: Mobile Fraud. Retrieved from http://docs.apwg.org/reports/mobile/apwg_mobile_fraud_report_april_2013.pdf

Bagozzi, R. P. (2011). Measurement and Meaning in Information Systems and Organizational Research: Methodological and Philosophical Foundations. MIS Quarterly, 35(2), 261-292.

Bandura, A. (1986). Social foundations of thought and action: A social cognitive theory. Englewood Cliffs, NJ: Prentice Hall.

Baron, R. M., & Kenny, D. A. (1986). “The Moderator–Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic, and Statistical Considerations,” Journal of Personality and Social Psychology, (51), 1173-1182.

Baroudi, J.J. & Orlikowski, W.J. (1989). The Problem of Statistical Power in MIS Research. MIS Quarterly, 13(1), 87-106.

Beldona, S., & Cobanoglu, C. (2007). Importance-Performance Analysis of Guest Technologies in the Lodging Industry. Cornell Hotel and Restaurant Administration Quarterly, 48(3), 299-312. Retrieved from http://cqx.sagepub.com/content/48/3/299.

Bode, C., Wagner, S.M., Petersen, K.J., & Ellram, L.M. (2011). Understanding Responses ToSupply Chain Disruptions: Insights from Information Processing and Resource Dependence Perspectives. Academy of Management Journal, 54(4), 833–856.

Boland, Jr., R.J., & Hirschheim, R.A. (1987). Critical issues in information systems research. New York, NY: John Wiley & Sons, Inc.

Bollen, K.A. (2011). Evaluating Effect, Composite, and Causal Indicators in Structural Equation Models. MIS Quarterly, 35(2), 359-372.

Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., & Boss, R. W. (2009). If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security. European Journal of Information Systems, 18, 151-164.

Bostrom, R.P., Gupta, S., & Thomas, D. (2009). A Meta-Theory for Understanding Information Systems within Socio-technical Systems. Journal of Management Information Systems, 26(1), 17–47.

Bradley, T. (2010). Introduction to Wireless Network Security-Security in 6 Easy Steps.Retrieved from http://netsecurity.about.com/od/hackertools/a/aa072004b_2.htm

Breaugh, J. A. (2003). Effect Size Estimation: Factors to Consider and Mistakes to Avoid. Journal of Management, 29(1), 79-97.

tmo_brian. (2011). Wireless Security Troubleshooting: Mobile HotSpots. In Welcome to T-Mobile Support, 9. Retrieved from http://support.t-mobile.com/docs/DOC-2353

Browdie, B. (2013). Majority of Americans Own Smartphones, Pew Survey Finds. American Banker-Bank Technology News June 2013. Retrieved from http://www.americanbanker.com/issues/178_110/majority-of-americans-own-smartphones-pew-survey-finds-1059709 1.html?ET=americanbanker:e15671:725399a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=BTN_Weekly_071711_061013

Brown, S. A., Massey, A. P., Montoya-Weiss, M. M., & Burkman J. R. (2002). “Do I really have to? User acceptance of mandated technology,” European Journal of Information Systems, 11(4), 283-295.

Beaudry, A., & Pinsonneault, A. (2010). The Other Side of Acceptance: Studying the Direct and Indirect Effects of Emotions on Information Technology Use. MIS Quarterly, 34(4), 689-710.


http://www.americanbanker.com/issues/178_110/majority-of-americans-own-smartphones-pew-survey-finds-1059709%201.html?ET=americanbanker:e15671:725399a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=BTN_Weekly_071711_061013



http://support.t-mobile.com/docs/DOC-2353

http://netsecurity.about.com/od/hackertools/a/aa072004b_2.htm

http://cqx.sagepub.com/content/48/3/299

http://docs.apwg.org/reports/mobile/apwg_mobile_fraud_report_april_2013.pdf


Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs. MIS Quarterly, 34(3), 523-548.

Cannon, D. L. (2011). CISA Certified Information Systems Auditor Study Guide Third Edition. Wiley Publishing, Inc., Indianapolis, Indiana.

Carmitchel, K. (2011). Video: Wi-Fi Only iPad 2 GPS Navigation. Retrieved from http://www.tabletmonsters.com/news/video-wi-fi-only-ipad-2-gps-navigation

Chan, F. K.Y., Thong, J.Y.L., Venkatesh, V., Brown, S. A., Hu, P. J-H., & Tam, K. Y. (2010). Modeling Citizen Satisfaction with Mandatory Adoption of an E-Government Technology. Journal of the Association for Information Systems 1(10), 519-549.

Chang, J., Torkzadeh, G., & Dhillon, G. (2004) “Reexamining the Measurement Models of Success for Internet Commerce”. Information and Management, 41(5), 577-584.

Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated Failures, Diversification and Information Security Risk Management. MIS Quarterly, 35(2), 397-422.

Chin, E., Felt, A.P., Sekar, V. & Wagner, D. (2012). Measuring User Confidence in Smartphone Security and Privacy. Symposium on Usable Privacy and Security (SOUPS) 2012. Washington, DC. Retrieved from http://cups.cs.cmu.edu/soups/2012/proceedings/a1_Chin.pdf

Choobineh, J., Dhillon, G., Grimalla, M. & Rees, J. (2007). Management of information security: challenges and research directions. Communications of the AIS, 20, 958-971.

Clooke, R. (2013). Hidden Wi-Fi Dangers Revealed. Retrieved from http://www.mobilesecurity.com/articles/567-hidden-wi-fi-dangers-revealed.

CNN (Producer). (2012, September 22). The CNN News [Television broadcast]. Atlanta, GA: CNN Headquarters

Compeau, D. R., Higgins, C. A., & Huff, S. (1999). Social cognitive theory and individual reactions to computing technology: A longitudinal study. MIS Quarterly, 23(2), 145-158

Constantine, R., Arger, G., Ling, P. & Sharma, R. (n.d.). An evaluation of the effectiveness of wireless LAN in the provision of higher education. Swinburne University of Technology, Melbourne, Australia.

Crossler, R. E. & Belanger, F. (2009). The Effects of Security Education Training and Awareness Programs and Individual Characteristics on End User Security Tool Usage. Journal of Information System Security, 5(3), 3–22. Retrieved from http://www.jissec.org/Contents/V5/N3/V5N3-Crossler.html

CustomInsight.com (2012). Survey Random Sample Calculator. Retrieved from http://www.custominsight.com/articles/random-sample-calculator.asp

Davis, F.D. (1989). Perceived Usefulness, Perceived Ease Of Use, And User Acceptance of Information Technology. MIS Quarterly, 13(3), 319-340.

Davis, F.D., Bagozzi, R.P. & Warshaw, P.R. (1989). User Acceptance of Computer Technology: A Comparison of Two Theoretical Models. Management Science, 35(8), 982-1003.

Delone, W. H., & McLean, E.R. (1992). Information systems success: The Quest for the Dependent Variable. Information Systems Research, March, 60-95.

DeLone, W.H., & McLean, E.R. (2003). The DeLone and McLean Model of Information Systems Success: A Ten-Year Update. Journal of Management Information Systems, 19(4), 9-30.

Detmar, W.S. Jr. (1990). Effective IS Security: An Empirical Study. Information Systems Research 1(3), 255-276.

Dhillon, G. & Backhouse, J. (2001). Current directions in IS security research: toward socio-organizational perspectives. Information Systems Journal, 11(2), 127-153.

Dhillon, G. & Moores, T. (2001). Internet Privacy: Interpreting Key Issues. Information Resources Management Journal, 14(4), 33-37.

Diamantopoulos, A., Riefler, R., & Roth, K. (2007). Advancing Formative Measurement Models. Retrieved from


http://www.custominsight.com/articles/random-sample-calculator.asp

http://www.jissec.org/Contents/V5/N3/V5N3-Crossler.html

http://www.tabletmonsters.com/news/video-wi-fi-only-ipad-2-gps-navigation


http://homepage.univie.ac.at/katharina.roth/research/Formative_Measurement_JBR.pdf

Duggan, M & Rainie, L. (2012). REPORT: MOBILE Cell Phone Activities 2012. Pew Internet and American Life Project-A Project of the PewResearchCenter. Retrieved from http://pewInternet.org/Reports/2012/Cell-Activities.aspx

Dunkerley, K.D., & Tejay, G. (2011). A Confirmatory Analysis of Information Systems Security Success Factors. Proceedings of the 44th Hawaii International Conference on System Sciences, pp. 1-10

Edwards, J. R. (2011). The Fallacy of Formative Measurement. Organizational Research Methods. Downloaded from http://orm.sagepub.com Enck, W., Ongtang, M., & McDaniel, P. (2009). On Lightweight Mobile Phone Application Certification. Communications of the ACM, 235-245. Retrieved from http://research.microsoft.com/pubs/80165/pervasive09_patterns_final.pdf

Estelle, M.P. & Pugh, D.S. (1987). How to get a PhD. Open University Press, Milton, Keynes.

Elpez, I. & Fink, D. (2006). Information System Success in the Public Sector: Stakeholders' Perspectives and Emerging Alignment Model, Informing Science and Information Technology, 3, 219-230.

Fang, X., Chan, S., Brzezinski, J., & Xu, S. (2006). Moderating Effects of Task Type on Wireless Technology Acceptance. Journal of Management Information Systems, 22(3), 123-157.

Festinger, L. (1957). Theory of Cognitive Dissonance. Stanford University Press, Stanford, CA.

Fishbein, M.A. & Ajzen, I. (1975). Belief, attitude, intention and behavior: an introduction to theory and research. Reading, MA: Addison Wesley.

Freeze, R. D., & Raschke, R. L. (2007). An Assessment of Formative and Reflective Constructs in IS Research. 15th European Conference on Information Systems. University of St. Gallen (Pub.), pp. 1481-1492. Retrieved from http://docs.google.com/viewer?a=v&q=cache:cXr4f8_Fy_sJ:csrc.lse.ac.uk/asp/aspecis/20070055.pdf+an+assessment+of+formative+and+reflective+constructs+in+is+research&hl=en&gl=us&pid=bl&srcid=ADGEESijfG-q1j4sVTo7BMT0hQbh66-6NbxMPLzxp1dFsiGFw4bWis7cTuhFjhk9IFV-iJ-LjbRlmwdyggXFPj5XS44YW-3xe8D2kbKv5bCMac32aCXsea0HS1WcQVoUXg1jyCcuQIaM&sig=AHIEtbRjpwQR3v2SIV72qvR2iyfeLscDSA

Fox, F. (2010). Stealth malware steals, imitates social behavior. TechNewsDaily. Retrieved from

http://www.msnbc.msn.com/id/39691794/ns/technology_and_science-security/Freeze, R.D., & Raschke, R.L. (2007). An Assessment of Formative and Reflective

Constructs in IS Research. Proceedings of the 15th European Conference on Information Systems ECIS2007 June, St Gallen Switzerland, Publisher: University of St. Gallen, pp: 1481-1492.

Furneaux, B. (2005). Theories Used in IS Research-Theory of Planned Behavior. Retrieved from http://www.istheory.yorku.ca/theoryofplannedbehavior.htm

Furneaux, B. (2005). Theories Used in IS Research-Unified Theory of Acceptance and Use of Technology. Retrieved from http://www.istheory.yorku.ca/UTAUT.htm

Gable, G.G., Sedera, D., & Chan, T. (2008). Re-conceptualizing Information System Success: The Is-Impact Measurement Model. Journal of the Association for Information Systems, 9(7), 377-408.

Garson, G. D. (2011). Univariate GLM, ANOVA, and ANCOVA. Retrieved from http://faculty.chass.ncsu.edu/garson/PA765/anova.htm

Garson, G.D. (2009). Factor Analysis from StatNotes: Topics in Multivariate Analysis. Retrieved from http://faculty.chass.ncsu.edu/garson/PA765/factor.htm#factoring

Garson, G. D. (2008). Structural Equation Modeling. Retrieved from http://www2.chass.ncsu.edu/garson/pa765/structur.htm


http://www2.chass.ncsu.edu/garson/pa765/structur.htm

http://faculty.chass.ncsu.edu/garson/PA765/factor.htm#factoring

http://faculty.chass.ncsu.edu/garson/PA765/anova.htm

http://www.istheory.yorku.ca/UTAUT.htm

http://www.istheory.yorku.ca/theoryofplannedbehavior.htm

http://www.msnbc.msn.com/id/39691794/ns/technology_and_science-security/

http://docs.google.com/viewer?a=v&q=cache:cXr4f8_Fy_sJ:csrc.lse.ac.uk/asp/aspecis/20070055.pdf+an+assessment+of+formative+and+reflective+constructs+in+is+research&hl=en&gl=us&pid=bl&srcid=ADGEESijfG-q1j4sVTo7BMT0hQbh66-6NbxMPLzxp1dFsiGFw4bWis7cTuhFjhk9IFV-iJ-LjbRlmwdyggXFPj5XS44YW-3xe8D2kbKv5bCMac32aCXsea0HS1WcQVoUXg1jyCcuQIaM&sig=AHIEtbRjpwQR3v2SIV72qvR2iyfeLscDSA



http://research.microsoft.com/pubs/80165/pervasive09_patterns_final.pdf

http://orm.sagepub.com/

http://pewinternet.org/Reports/2012/Cell-Activities.aspx




Gebauer, J., Kline, D., & Ling, H. (2011). Password Security Risk versus Effort: An Exploratory Study on User-Perceived Risk and the Intention to Use Online Applications. Journal of Information Systems Applied Research, 4(2), 52-73.

Gefen, D., Karahanna, E., & Straub, D.W. (2003). Trust and TAM in Online Shopping: An Integrated Model, MIS Quarterly, 27(1), 51-59.

GetSafeOnline.org. (2008). Wi-Fi security: GetSafeOnline warns of 'piggybacking' dangers. Retrieved from http:// www.datamonitor.com

Google Mobile Help. (2012). Sharing your mobile data connection. Retrieved from http://support.google.com/mobile/bin/answer.py?hl=en&answer=168932

Graziano, D. (2012). ComScore: More than 100 million smartphone users now in U.S. In BGR HOT TOPICS. Retrieved from http://www.bgr.com/2012/03/08/comscore-more-than-100-million-smartphone-users-now-in-u-s/

Griffin, B. (2011). McAfee: Attacks against mobile devices will escalate in 2011. Retrieved from http://www.knowyourmobile.com/blog/906463/mcafee_attacks_against_mobile_devices_will_escalate_in_2011.html

Grover, V. (n.d) A Tutorial on Survey Research: from Constructs to Theory. http://www.umdnj.edu/idsweb/idst6000/MIS-SUVY.htm

Grover, V., Cheon, M. J., & Teng, J. T. C. (1996). The Effect of Service Quality and Partnership on the Outsourcing of Information Systems Functions. Journal of Management Information Systems. 12(4), 89-116.

Hagen, J.M. & Spilling, P. (2009). Do Organisational Security Measures Contribute to the Detection and Reporting of IT-System Abuses? Proceedings of the Third International Symposium on Human Aspects of Information Security & Assurance (HAISA), pp. 71-81.

Hair, Jr. J.F., Black, W.C., Babin, B.J., & Anderson, R.E. (2010). Multivariate Data Analysis, 7th Edition., New Jersey: Prentice Hall.

Hayden, L. (2010). IT Security Metrics – A Practical Framework for Measuring Security & Protecting Data. New York: The McGraw-Hill Companies.

Hardin, A., Chang, J. C. J., Fuller, M., & Torkzadeh, G. (2011). Formative Measurement and Academic Research-In search of Measurement Theory. Educational and Psychological Measurement. 71(2), 281–305.

Hardin, A., Chang, J. C. J., & Fuller, M. (2008). Formative versus reflective measurement: Comment on Marakas, Johnson, and Clay (2007). Journal of the Association for Information Systems, 9(9), 519-535.

Hardin, A., Chang, J. C. J., & Fuller, M. (2008). Clarifying the Use of Formative Measurement in the IS Discipline-The Case of Computer Self-Efficacy. Journal of the Association for Information Systems, 9(9), 544-546.

Hazarika, U. (2013). Security Analytics Webinar. ZScalar.Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: a framework for

security policy compliance in organisations. European Journal of Information Systems, 18, 106–125.

Henning, J. (2009). Demographic Questions: Sample Survey Template. Retrieved from http://blog.vovici.com/blog/bid/18176/Demographic-Questions-Sample-Survey-Template

Hoover, J.N. (2012). Going Mobile. Retrieved from http://twimgs.com/infoweek/green/022012gov/InformationWeek_Government_2012_02.pdf

Hornat, C. (2002). An Unwired Universe. In The Hitchhiker’s World (Issue # 5). Retrieved from http:// www.infosecwriters.com/hhworld/hh5.php.

Hong, W., Chan, F.K.Y, Thong, J.Y.L., Chasalow. L.C.& Dhillon, G. (2013). A Framework and Guidelines for Context-Specific Theorizing in Information Systems Research. Information Systems Research, Articles in Advance, 1–26.


http://www.infosecwriters.com/hhworld/hh5.php

http://twimgs.com/infoweek/green/022012gov/InformationWeek_Government_2012_02.pdf

http://twimgs.com/infoweek/green/022012gov/InformationWeek_Government_2012_02.pdf

http://blog.vovici.com/blog/bid/18176/Demographic-Questions-Sample-Survey-Template

http://blog.vovici.com/blog/bid/18176/Demographic-Questions-Sample-Survey-Template

http://www.umdnj.edu/idsweb/idst6000/MIS-SUVY.htm

http://www.knowyourmobile.com/blog/906463/mcafee_attacks_against_mobile_devices_will_escalate_in_2011.html

http://www.knowyourmobile.com/blog/906463/mcafee_attacks_against_mobile_devices_will_escalate_in_2011.html

http://www.bgr.com/2012/03/08/comscore-more-than-100-million-smartphone-users-now-in-u-s/

http://www.bgr.com/2012/03/08/comscore-more-than-100-million-smartphone-users-now-in-u-s/

http://support.google.com/mobile/bin/answer.py?hl=en&answer=168932

http://www.datamonitor.com/


Huigang, L., Saraf, N., Qing, H., & Yajiong, X. (2007). Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management. MIS Quarterly, 31(1), 59-87.

iBAHN. (2010). iBAHN in the News - New Study Validates Profit Opportunity for High-Speed Internet. Retrieved from http://www.ibahn.com/en-us/index.php?cid=1624&detail=y&story=1653

Im, K. S., & Grover, V. (2004). The Use of Structural Equation Modeling in IS Research: Review and Recommendations, in The Handbook of Information Systems Research, M. E. Whitman and A. B. Woszczynski (eds.), Hershey, PA: Idea Group Publishing, 44-65.

InfoSecurity-Magazine (2013). Most small businesses don't understand mobile security threats. Retrieved from http://www.infosecurity-magazine.com/view/32538/most-small-businesses-dont-understand-mobile-security-threats/

Institute for Digital Research and Education-UCLA. 2013. SPSS Learning Module. Missing Data. Retrieved from http://www.ars.ucla.edu/stat/spss/modules/missing.htm

Irvine, C. E. Levin, T. E. (2002). A cautionary note regarding the data integrity capacity of certain secure systems. In Gertz, M.; Guldentops, E.; and Strous, L. (eds.), Integrity, Internal Control and Security in Information Systems: Connecting governance and technology. Norwell, Massachusetts: Kluwer Academic Publishers, pages 3 – 25. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA435460

ISWORLD (2005). Information Systems Effectiveness-System Quality. Retrieved from http://business.clemson.edu/ISE/html/system_quality.html

Jackson, J. (2008). Beware of hotel Internet connections. GCN –Government Computer News. http://gcn.com/articles/2008/10/03/beware-of-hotel-Internet-connections.aspx

Johnston, A. C., & Warkentin, M. (2010). Fear Appeals and Information Security Behaviors: An Empirical Study. MIS Quarterly, 34(3), 548-566.

Jaquith, A. (2007). Security Metrics-Replacing Fear, Uncertainty, and Doubt. Upper Saddle River, NJ: Pearson Education, Inc.

Kable Intelligence Limited. (n.d.). FCA - GMP and Quality Systems Consultancy and Training. Retrieved from http://www.drugdevelopment-technology.com/contractors/consulting/fca/fca4.html

Kamani, D. (2012). Cryptzone says WPS security issues are just the tip of the insecurity iceberg. In Vigilance the Security Magazine. Retrieved from http://www.vigilance-securitymagazine.com/industry-news/information-security-and-management/1397-cryptzone-says-wps-security-issues-are-just-the-tip-of-the-insecurity-iceberg

Kang, I. (2004). An Empirical Study of a Trust Transfer Process from Offline to Online Channel. Sungkyunkwan University.Kankanhalli, A., Teo, H-H., Tan, B.C.Y., & Wei, K-K. (2003). An integrative study of

information systems security effectiveness. International Journal of Information Management, 23, 139-154.

Karimi, J., Gupta, Y.P., & Somers, T.M. (1996). Impact of competitive strategy and information technology maturity on firms' strategic response to globalization. Journal of Management Information Systems, 12(4), 55-88.

Karlson, A., Meyers, B., Jacobs, A., Johns, P., & Kane. S. (2009). Working Overtime: Patterns of Smartphone and PC Usage in the Day of an Information Worker. Proceedings of the 7th International Conference on Pervasive Computing, 398–405.

Kenny, D.A. (2014). Mediation. Retrieved from http://davidakenny.net/cm/mediate.htmKim, C., Tao, W., Shin, M., & Kim, K-S. (2010). An empirical study of customers’

perceptions of security and trust in e-payment systems. Electronic Commerce Research and Applications, 9, 84-95.

Kim, G., Shin, B., & Grover, V. (2010). Investigating Two Contradictory Views of Formative Measurement in Information Systems Research. MIS Quarterly, 34(2), 345-365.


http://www.vigilance-securitymagazine.com/industry-news/information-security-and-management/1397-cryptzone-says-wps-security-issues-are-just-the-tip-of-the-insecurity-iceberg



http://gcn.com/articles/2008/10/03/beware-of-hotel-internet-connections.aspx

http://gcn.com/articles/2008/10/03/beware-of-hotel-internet-connections.aspx

http://business.clemson.edu/ISE/html/system_quality.html

http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA435460

http://www.ars.ucla.edu/stat/spss/modules/missing.htm

http://www.infosecurity-magazine.com/view/32538/most-small-businesses-dont-understand-mobile-security-threats/

http://www.infosecurity-magazine.com/view/32538/most-small-businesses-dont-understand-mobile-security-threats/

http://www.ibahn.com/en-us/index.php?cid=1624&detail=y&story=1653

http://www.ibahn.com/en-us/index.php?cid=1624&detail=y&story=1653


Kim, S.H. (2008). Moderating effects of Job Relevance and Experience on mobile wireless technology acceptance: Adoption of a Smartphone by Individuals. Information & Management, 45(6), 387-393.

King, W. R. & He, J. (2006). A Meta-Analysis of the Technology Acceptance Model. Information & Management, 43(6), 740-755.

Kumar, R.L., Park, S., & Subramaniam, C. (2008). Understanding the Value of Countermeasure Portfolios in Information Systems Security. Journal of Management Information Systems, 25(2), 241–279.

Krebs, D. (2010). Total Cost of Ownership Models for Mobile Computing and Communication Platforms, Third Edition Track II, Volume 1: Field Mobility. VDC Research.

Lederer, A.L., Maupin, D.J., Sena, M.P., & Zhuang, Y. (2000). The technology acceptance model and the World Wide Web. Decision Support Systems 29, 269–282.

Ledesma, C. (2008). "FREE" WIRELESS INTERNET? REALLY? Lodging Hospitality, 64(2), 49. Retrieved from http://lhonline.com/technology/telecomm/free_wireless_Internet/

Lee, A. J. (2005). Organizational Justice: A Mediated Model from Individual Well Being and Social Exchange Theory Perspectives. Proposal presented at Touro University International, Cypress, California

Leggatt, H. (2010). Internet use in hotels rose significantly in 2009. BizReport: Internet. Retrieved from

http://www.bizreport.com/2010/01/Internet_use_in_hotels_rose_significantly_in_2009.html#

Leyden, J, (2012). SMSZombie wraps self in nudie pics, slips into 500,000 Android devices. Retrieved from http://www.theregister.co.uk/2012/08/20/android_smszombie/

Liang, H., & Xue, Y. (2009). Avoidance of Information Technology Threats: A Theoretical Perspective. MIS Quarterly, 33(1), 71-90.

Liang, H., & Xue, Y. (2010). Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective. Journal of the Association for Information Systems, 11(7), 394-413.

Liebowitz, M. (2010). Malware Attacks Becoming Difficult to Avoid. SecurityNewsDaily. Retrieved October 17, 2010 fromhttp://www.securitynewsdaily.com/malware-attacks-difficult-to-avoid-0154/

Locke, L.F., Spirduso. W.W, & Silverman, S.J. (1992). Research proposals: Function and content. In R. Galliers (Ed.), Information systems research: Issues, methods and practical guidelines, (pp. 167-181). Oxford, U.K.: Blackwell Scientific Publications.

Luarn, P., & Lin, H-H. (2005). Toward an understanding of the behavioral intention to use mobile banking. Computers in Human Behavior, 2, 873-891.

Malhotra, N.K., Kim, S.S., & Agarwal, J. (2004). Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information Systems Research, 15(4), 336-355

MacKenzie, S. B., Podsakoff, P.M., & Podsakoff, N.P. (2011). Construct Measurement and Validation Procedures. MIS Quarterly, 35(2), 293-334

Madnick, S. (2006). Enterprise Security Perception and the House of Security. Presentation for Center for eBusiness, Sloan School of Management, Massachusetts Institute of Technology. pp 1-37.

Mayer, J. & Fagundes, L.L. (2009). A Model to Assess the Maturity Level of the Risk Management Process in Information Security. 4th IFIP/IEEE International Workshop on BDIM – 9 June. Retrieved December 16, 2010 from http://www.slideshare.net/leolemes/app-mmgr-bdim09

Mehta, P.D. (2001). Control Variable in Research. International Encyclopedia of the Social & Behavioral Sciences, Pergamon, Oxford. Neil J. Smelser and Paul B. Baltes, Editor(s)-in-Chief. pp. 2727-2730. Retrieved November 18, 2010 from http://www.sciencedirect.com/science/article/B7MRM-4MT09VJ-B1/2/ee7a72bf22424acde3eab56746e9f0b1


http://www.sciencedirect.com/science/article/B7MRM-4MT09VJ-B1/2/ee7a72bf22424acde3eab56746e9f0b1

http://www.sciencedirect.com/science/article/B7MRM-4MT09VJ-B1/2/ee7a72bf22424acde3eab56746e9f0b1

http://www.slideshare.net/leolemes/app-mmgr-bdim09

http://www.securitynewsdaily.com/malware-attacks-difficult-to-avoid-0154/

http://www.theregister.co.uk/2012/08/20/android_smszombie/

http://www.bizreport.com/2010/01/internet_use_in_hotels_rose_significantly_in_2009.html#

http://www.bizreport.com/2010/01/internet_use_in_hotels_rose_significantly_in_2009.html#

http://lhonline.com/technology/telecomm/free_wireless_internet/


Microsoft Corp. (2010). Security Intelligence Report. Vol. 9. Retrieved October 17, 2010 from http://www.microsoft.com/security/sir/default.aspx

Miller, K. (2005). Communications theories: Perspectives, processes, and contexts. New York: McGraw-Hill.

Mishra, S., & Chasalow, L. (2011). Information Security Effectiveness: A Research Framework. Issues in Information Systems, XII(1), 246-255.

Moores, T. T., & Chang, J. C. J. (2009). Self-Efficacy, Overconfidence, and the Negative Effect on Subsequent Performance: A Field Study. Information & Management, 46(2), 69-76

Murdick, R. G., Ross, J. E. & Claggett, J. R. (1993). Information Systems for Modern Management. Englewood Cliffs, N.J: Prentice-Hall.

Myers, M. D., & Klein, H. K. (2011). A Set of Principles for Conducting Critical Research in Information Systems. MIS Quarterly, 35(1), 17-36.

Nieswiadomy, R. M. (2008). Foundations of Nursing Research. Upper Saddle River, NJ: Pearson Education, Inc. Online Electronic Medical Library. Retrieved from http://online.statref.com/document.aspx

Network Box (2010). Network Box white paper: Hotel IT security: a new guide from Network Box. M2PressWIRE. Retrieved from http://www.network-box.co.uk/resources/white-papers

Newsom, J, (2012). Testing Mediation with Regression Analysis. Retrieved from www.upa.pdx.edu/IOA/newsom/da2/ho_mediation.pdf.

Notenboom, L. (2008). Can hotels sniff my Internet traffic? Ask Leo. Retrieved from http://askleo.com/can_hotels_sniff_my_Internet_traffic.html

O’Connor, P. (2006). An International Comparison of Approaches to Online Privacy Protection: Implications for the Hotel Sector. Journal of Services Research, 6.

Ogle, J., Wagner, E.L., &Talbert, M.P. (2008). Hotel Network Security: A Study of Computer Networks in U.S. Hotels. Cornell Hospitality Reports– The Center for Hospitality Research, 8(15), School of Hotel Administration, Cornell University.

Okoli, C. (2010). Webster & Watson 2002: Analyzing the Past to Prepare for the Future: Writing a Literature Review. Retrieved from http://chitu.okoli.org/research-reviews/webster-and-watson-2002.html

Olphert, C. W. Damodaran, L., & May, A. J. (2005). Towards digital inclusion – engaging older people in the ‘digital world, Department of Information Science, Loughborough University.

Ooi, K.-B., Sim, J.-J., Yew, K.-T. , & Lin, B. (2011). Exploring factors influencing consumers’ behavioral intention to adopt broadband in Malaysia. Computers in Human Behavior, 27, 1168-1178.

Pather, S., Remenyi, D., & Erwin, G. (2004). E-commerce success: the quest for IS effectiveness measurement: a conceptual framework for the e-commerce environment. South African Computer Journal, 32, 34-43.

Pajares, F. (2002).Overview of Social Cognitive Theory and of Self-Efficacy. Retrieved from http://www.emory.edu/EDUCATION/mfp/eff.html

Peng, F. (2008). Perceptions of Travelers Regarding Wireless Local Area Networks at International Airports. UNITEC Institute of Technology, New Zealand, 1-118.

Petter, S., Straub, D., & Rai, A. (2007). Specifying Formative Constructs in Information Systems Research. MIS Quarterly, 31(4), 623-656.

Petter, S., Rai, A., & Straub, D. (2012). The Critical Importance of Construct Measurement Specification: A Response to Aguirre-Urreta and Marakas. MIS Quarterly, 3(1), 147-155.

Phelps, T. (2011). Barnacle Wi-Fi Tethering App for Rooted Android Phones. Retrieved from http://google.about.com/od/socialtoolsfromgoogle/fr/barnacle-tether-Wi-Fi-android-app.htm

Png. I. P. L. & Wang, Q-H. (2009). Information Security - Facilitating User Precautions Vis-à-Vis Enforcement against Attackers. Journal of Management Information Systems, 26(2), 97–121.


http://google.about.com/od/socialtoolsfromgoogle/fr/barnacle-tether-wifi-android-app.htm

http://google.about.com/od/socialtoolsfromgoogle/fr/barnacle-tether-wifi-android-app.htm

http://www.emory.edu/EDUCATION/mfp/eff.html

http://chitu.okoli.org/research-reviews/webster-and-watson-2002.html

http://chitu.okoli.org/research-reviews/webster-and-watson-2002.html

http://askleo.com/can_hotels_sniff_my_internet_traffic.html

http://www.network-box.co.uk/resources/white-papers

http://online.statref.com/document.aspx

http://www.microsoft.com/security/sir/default.aspx


Podsakoff, P.M., MacKenzie, S. B., Lee, J-Y., & Podsakoff, N. P. (2003). Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies. Journal of Applied Psychology, 88(5), 879–903.

Ponemon Institute, LLC. (2012). 2013 State of the Endpoint. Research Report, 1-35.Retrieved from http://www.ponemon.org/local/upload/file/2013%20State%20of%20Endpoint%20Security%20WP_FINAL4.pdf

Ponemon Institute, LLC. (2010). State of Endpoint Risk 2011 Survey, 1-31.Retrieved from http://www.lumension.com/Resources/Resource-Center/2010-State-of-the-Endpoint.aspx?rpLeadsourceID=2116

Price, S. M. (2008). Host-Based Security Challenges and ContrWLAN - A Survey of Contemporary Research. Information Security Journal: A Global Perspective, 17, 170–178.

Ramayah, T. (2010). Archive for the ‘ATW 202 Business Research Method’ Category. Retrieved from http://www.ramayah.com/?cat=3

Ramayah, T., Rouibah, K., Gopi, M., & Rangel, G. J. (2009). A decomposed theory of reasoned action to explain intention to use Internet stock trading among Malaysian investors. Computers in Human Behavior, 2 (6), 1222–1230.

Ramezan, M. (2009). Measuring the effectiveness of human resource information systems in national Iranian oil company (an empirical assessment). Iranian Journal of Management Studies (IJMS), 2(2), 129-145.

Randolph, J.J. (2009). A Guide to writing the dissertation literature review. Practical Assessment, Research & Evaluation, 14(13), 1-13. Retrieved from http://pareonline.net/getvn.asp?v=14&n=13.

Ravenel, J.P. (2006). Effective Operational Security Metrics. EDPACS, 34(6). Retrieved from ABI/INFORM Global.

Ray, A. (2006). Typical response rates. In Practical Surveys. Last Updated April 21, 2008. Retrieved from http://www.practicalsurveys.com/respondents/typicalresponserates.php

Retna, J., Varghese, G., Soosaiya, M., Joseph, S. (2010). A Study on Quality Parameters of Software and the Metrics for Evaluation. International Journal of Computer Engineering and Technology, 1(1), 235-249.

Ryan, J.E. (2006). A Comparison of Information Security Trends Between Formal and Informal Environments. (Doctoral dissertation). UMI Number: 3225287

Recker, J., Rosemann, M., Green, P., & Indulska, M. (2011). Do Ontological Deficiencies in Modeling Grammars Matter? MIS Quarterly, 35(1), 57-79.

Rhee, H., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information security: Its influence on end users’ information security practice behavior. Computers & Security, 28, 816- 826

Richmond, R. (2011). RSA’s Secure IDs Hacked – What to Do. The New York Times. Retrieved from http://gadgetwise.blogs.nytimes.com/2011/03/18/rsas-secure-ids-hacked-what-to-do/?src=busln

Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91, 93-114.

Ronen, S., Mikulincer, M. (2009). Attachment orientations and job burnout: The mediating roles of team cohesion and organizational fairness. Journal of Social and Personal Relationships, 26(4), 549-567.

Sabherwal, R., Jeyaraj, R., & Chowa, C. (2006). Information System Success: Individual and Organizational Determinants. Management Science, 52(12), 1849-1864.

Schneier, B. (2008), Security at What Cost? National ID System Is Not Worth The $23 Billion Price Tag. Retrieved from http://www.schneier.com/essay-207.html.

Seddon, P. B. (1997). A respecification and extension of the DeLone and McLean model of IS success. Information Systems Research, 8(3), 240-254.

Seliem, A. A. M., Ashour, A. S., Khalil, O. E. M., & Millar, S. J. (2003). The Relationship of Some Organizational Factors to Information Systems Effectiveness: A Contingency Analysis of Egyptian Data. Journal of Global Information Management, 11 (1), 40-72.


http://gadgetwise.blogs.nytimes.com/2011/03/18/rsas-secure-ids-hacked-what-to-do/?src=busln

http://gadgetwise.blogs.nytimes.com/2011/03/18/rsas-secure-ids-hacked-what-to-do/?src=busln

http://www.practicalsurveys.com/respondents/typicalresponserates.php

http://www.ramayah.com/?cat=3

http://www.lumension.com/Resources/Resource-Center/2010-State-of-the-Endpoint.aspx?rpLeadsourceID=2116

http://www.lumension.com/Resources/Resource-Center/2010-State-of-the-Endpoint.aspx?rpLeadsourceID=2116

http://www.ponemon.org/local/upload/file/2013%20State%20of%20Endpoint%20Security%20WP_FINAL4.pdf

http://www.ponemon.org/local/upload/file/2013%20State%20of%20Endpoint%20Security%20WP_FINAL4.pdf


Serpanos, D. & Tilman, W. (2011). Chapter 10 – Quality of service and security in Architecture of Network Systems- A volume in The Morgan Kaufmann Series in Computer Architecture and Design. Massachusetts: Elsevier Inc. Pub., pp. 183–210.

Sharma, R., Yetton, P., & Crawford, J. (2009). Estimating the Effect of Common Method Variance: The Method–Method Pair Technique with an Illustration from Tam Research. MIS Quarterly, 33(3), 473-490.

Shaver, J. M. (2005). Testing for Mediating Variables in Management Research: Concerns, Implications, and Alternative Strategies. Journal of Management, 31(3), 330-353. Retrieved from http://jom.sagepub.com

Shema, M. (2011). Web Security: Why You Should Always Use HTTPS. Retrieved from http://mashable.com/2011/05/31/https-web-security/

Schneider, I. (2012). 5 Critical Strategies for Mobile Banking Security. Retrieved from http://www.banktech.com/risk-management/240003902#.UCqzXGlMF4g.email

Schuessler, J.H. (2009). General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large Versus Small Businesses. (Doctoral dissertation). Retrieved from http://digital.library.unt.edu/ark:/67531/metadc9829/m2/1/high_res_d/dissertation.pdf

Shih, Y. Y., & Fang, K. (2004). The use of decomposed theory of plannedbehavior to study Internet banking in Taiwan. Internet Research, 14(3), 213–223.

Shinder, D. (2011). Security Issues when Connecting Computers to Cellular Networks. Retrieved from http://www.windowsecurity.com/articles/Security-Issues-when-Connecting-Computers-Cellular-Networks.html.com/

Snyder B. (2012). US-CERT Issues WPS Security Warning. Retrieved from http://www.itsp.eu/index.php?option=com_content&view=article&id=701&Itemid=74

Sommer, L. (2011). The Theory of Planned Behavior and the Impact of Past Behavior. International Business & Economics Research Journal, 10, 91-110.

Square, Inc. (2013). User Agreements, Merchant User Agreement. Retrieved from https://squareup.com/legal/merchant-ua

Squires, M. (2011). Security of Guest Data Worries Hotel Technology Executives. Lodging Hospitality. Retrieved from http://lhonline.com/technology/security/security_guest_data_worry_0404/

StatSoft, (n.d.). Principal Components and Factor Analysis. Retrieved from http://www.statsoft.com/textbook/principal-components-factor-analysis/#basic

StarTrek (2012). Estimation in Statistics. Retrieved from http://stattrek.com/estimation/estimation-in-statistics.aspx?tutorial=ap

Straub, D.W. Jr. (1990). Effective IS Security: An empirical Study. Information Systems Research, 1(3), 255-276.

Straub, D. W. (1989). Validating Instruments in IS Research. MIS Quarterly, 13(2), 147-169.

Straub, D. W. Jr., & Burton-Jones, A. (2007). Veni, Vidi, Vici: Breaking the TAM Logjam. Journal of the Association of Information Systems, 8(4), 223-229. Retrieved from http://iris.nyit.edu/~kkhoo/Spring2008/Topics/TAM/000BenTAMarticleComment2.pdf

Straub, D., Limayem, M., & Karahanna-Evaristo, E. (1995). Measuring System Usage: Implications for IS Theory Testing. Management Science, 41(8), 1328-1342.

Straub, D. W. (1989). Validating Instruments in IS Research. MIS Quarterly, 13(2), 147-169.

Tao, D. (2009). Intention to Use and Actual Use of Electronic Information Resources: Further Exploring Technology Acceptance Model (TAM). AMIA Annual Symposium Proceedings Archive, American Medical Informatics Association, 629–633. Retrieved from http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2815463/

Taylor, S., & Todd, P. (1995). Assessing IT usage: The role of prior experience. MIS Quarterly, 19(4), 561-570.


http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2815463/

http://iris.nyit.edu/~kkhoo/Spring2008/Topics/TAM/000BenTAMarticleComment2.pdf

http://iris.nyit.edu/~kkhoo/Spring2008/Topics/TAM/000BenTAMarticleComment2.pdf

http://stattrek.com/estimation/estimation-in-statistics.aspx?tutorial=ap

http://www.statsoft.com/textbook/principal-components-factor-analysis/#basic

http://lhonline.com/technology/security/security_guest_data_worry_0404/

https://squareup.com/legal/merchant-ua

http://www.itsp.eu/index.php?option=com_content&view=article&id=701&Itemid=74

http://www.itsp.eu/index.php?option=com_content&view=article&id=701&Itemid=74

http://www.windowsecurity.com/articles/Security-Issues-when-Connecting-Computers-Cellular-Networks.html.com/

http://www.windowsecurity.com/articles/Security-Issues-when-Connecting-Computers-Cellular-Networks.html.com/

http://digital.library.unt.edu/ark:/67531/metadc9829/m2/1/high_res_d/dissertation.pdf

http://digital.library.unt.edu/ark:/67531/metadc9829/m2/1/high_res_d/dissertation.pdf

http://www.banktech.com/risk-management/240003902#.UCqzXGlMF4g.email

http://mashable.com/2011/05/31/https-web-security/

http://jom.sagepub.com/


Thompson, R. L., Higgins, C. A., & Howell, J. M. (1991). Personal Computing: Toward a Conceptual Model of Utilization. MIS Quarterly, 15(1), 124-143.

Torkzadeh, G., & Dhillon, G. (2002). Measuring factors that influence the success of Internet commerce. Information Systems Research, 13(2), 187-204.

Torkzadeh, G., Chang, J. C. & Demirhan, D. (2006). A contingency model of computer and Internet self-efficacy. Information & Management, 43(4), 541–550.

Tourangeau, R., & Smith, T. W. (1996). Asking sensitive questions: The impact of data collection mode, question format, and question context. Public Opinion Quarterly, 60(2), 275-304

Trkman, M., & Trkman, P. (2009). A Wiki as Intranet – a Critical Analysis Using the DeLone & McLean Model. Online Information Review, 33(6), 1087-1102

Trochim, W. M. (2006). The Research Methods Knowledge Base, 2nd Edition. Retrieved from http://www.socialresearchmethods.net/kb/power.php

Udo, G. J., Bagchi, K. K., & Kirs, P. J. (2010). An assessment of customers’ e-service quality perception, satisfaction and intention. International Journal of Information Management, 30, 481-492.

University of Twente (2013). Protection Motivation Theory. Retrieved from http://www.utwente.nl/cw/theorieenoverzicht/Theory%20clusters/Health%20Communication/Protection_Motivation_Theory.doc/

Utin, D. M., Utin, M. A., & Utin, J. (2008). General Misconceptions about Information Security Lead to an Insecure World. Information Security Journal: A Global Perspective, 17, 164–169.

Vance, A., Elie-dit-cosaque, C., & Straub, D.W. (2008). Examining Trust in Information Technology Artifacts: The Effects of System Quality and Culture. Journal of Management Information Systems, 24(4), 73–100.

Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F.D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425-478.

Venkatesh V., Sperier C., & Morris, M. G. (2002). User acceptance enablers in individual decision making about technology: toward an integrated model. Decision Science, 33, 297–316.

Venkatesh, V. & Zhang, X. (2010). Unified theory of acceptance and use of technology: U.S. vs. China. Journal of Global Information Technology Management, 13(1), 5-27.

Wade, M. & Hulland, J. (2004). The resource-based view and information systems research: review, extension, and suggestions for future research. MIS Quarterly, 28(1), 107-142.

Wang, Y-S. (2002). The adoption of electronic tax filing systems: an empirical Study. Government Information Quarterly, 20, 333–352.

Warfield, D.L. (2011). The Perceptions of U.S.-Based IT Security Professionals about the Effectiveness of IT Security Frameworks: A Quantitative Study. (Doctoral dissertation).

Watson, J. (2001). How to Determine a Sample Size: Tipsheet #60. The Pennsylvania State University. University Park, PA: Penn State Cooperative Extension. Retrieved from: http://www.extension.psu.edu/evaluation/pdf/TS60.pdf

Webster, J., & Watson, R. T. (2002). Analyzing the Past to Prepare for the Future: Writing a Literature Review. MIS Quarterly, 26(2), xiii – xxiii.

Whinston, A. B., & Geng, X. (2004). Operationalizing the Essential Role of the Information Technology Artifact in Information Systems Research: Gray Area, Pitfalls, and the Importance of Strategic Ambiguity, MIS Quarterly, 28(2), 149-159.

Wiant, T.L (2005). Information security policy’s impact on reporting security incidents.Computers & Security, 24(6), 448-459.Wikipedia (2012). Wi-Fi Protected Setup. Retrieved from Wikipedia, the free encyclopedia:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_SetupWi-Fi-FreeSpot Directory. (2011). Wi-Fi-FreeSpot Directory - locations that offer Free Wi-

Fi. Retrieved from http://www.Wi-Fifreespot.com/faqs.html


http://www.wififreespot.com/faqs.html

http://www.extension.psu.edu/evaluation/pdf/TS60.pdf

http://www.utwente.nl/cw/theorieenoverzicht/Theory%20clusters/Health%20Communication/Protection_Motivation_Theory.doc/

http://www.utwente.nl/cw/theorieenoverzicht/Theory%20clusters/Health%20Communication/Protection_Motivation_Theory.doc/

http://www.socialresearchmethods.net/kb/power.php


Wu, K., Zhao, Y., Zhu, Q., Tan, X., & Zheng, H. (2011). A meta-analysis of the impact of trust on technology acceptance model: Investigation of moderating influence of subject and context type. International Journal of Information Management, 31(6), 572-581. Retrieved From http://www.sciencedirect.com.lbproxy6.touro.edu/science/article/pii/S0268401211000429#

Yaniv, J. (2006). General Networking/Lan/Wan- ad hoc wireless. Retrieved from http://en.allexperts.com/q/General-Networking-Lan-1049/ad-hoc-wireless.htm

Yangil P., & Chen, J.V. (2007). Acceptance and adoption of the innovative use of smartphone. Industrial Management & Data Systems, 107(9), 1349 – 1365. Retrieved from http://www.emeraldinsight.com/journals.htm?articleid=1636252&show=abstract

York University. (2010). Delone and McLean IS success model. Retrieved from http://www.fsc.yorku.ca/york/istheory/wiki/index.php/Delone_and_McLean_IS_success_model


http://www.fsc.yorku.ca/york/istheory/wiki/index.php/Delone_and_McLean_IS_success_model

http://www.fsc.yorku.ca/york/istheory/wiki/index.php/Delone_and_McLean_IS_success_model

http://www.emeraldinsight.com/journals.htm?articleid=1636252&show=abstract

http://www.emeraldinsight.com/journals.htm?articleid=1636252&show=abstract

http://en.allexperts.com/q/General-Networking-Lan-1049/ad-hoc-wireless.htm

http://www.sciencedirect.com.lbproxy6.touro.edu/science/article/pii/S0268401211000429#

http://www.sciencedirect.com.lbproxy6.touro.edu/science/article/pii/S0268401211000429#

a quantitative investigation of the...

Documents