Thesis 1

INFORMATION TO USERS
This manuscript has been reproduced from the microfilm master. UMI films
the text directly from the original or copy submitted. Thus, some thesis and
dissertation copies are in typewriter face, while others may be from any type of
computer printer.
The quality of this reproduction is dependent upon the quality of the

copy submitted. Broken or indistinct print, colored or poor quality illustrations
and photographs, print bteedthrough, substandard margins, and improper
alignment can adversely affect reproduction.
In the unlikely event that the author did not send UMI a complete manuscript
and there are missing pages, these will be noted. Also, if unauthorized
copyright material had to be removed, a note will indicate the deletion.
Oversize materials (e.g., maps, drawings, charts) are reproduced by

sectioning the original, beginning at the upper left-hand comer and continuing
from left to right in equal sections with small overlaps.
Photographs included in the original manuscript have been reproduced

xerographicaUy in this copy. Higher quality 6’ x 9a black and white
photographic prints are available for any photographs or illustrations appearing
in this copy for an additional charge. Contact UMI directly to order.
ProQuest Information and Learning

300 North Zeeb Road, Ann Arbor, Ml 48106-1346 USA
800-521-0600
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
THE FLORIDA STATE UNIVERSITY
COLLEGE OF EDUCATION
THE ROLE OF PERCEIVED RISK AND CONSUMER TRUST
IN RELATION TO ON-LINE SHOPPING AND SECURITY
By
MICHAEL KEHOE
A Dissertation submitted to the

Department o f Physical Education
in partial fulfillment o f the
requirements for the degree o f
Doctor o f Philosophy
Degree Awarded:
Spring Semester, 2002
UMI Number 3042024
UMI*
UMI Microform 3042024
Copyright 2002 by ProQuest Information and Learning Company.
All rights reserved. This microform edition is protected against
unauthorized copying under Title 17, United States Code.
ProQuest Information and Learning Company

300 North Zeeb Road
P.O. Box 1346
Ann Arbor, Ml 48106-1346
The members of the Committee approve the dissertation of Michael Kehoe
defended on January 25. 2002.
Charle:
Professor Directing
Dissertation
L eisiriy n n
Outside Committee Member
Brenda Pitts
Committee Member
Approv
Charles Imwold. Chair. Department of Physical Education
2/h /a J .
Richard Kurikel, Dean. College of Education
I would like to dedicate this work to my mother, Carol Kehoe, for her
tremendous love and support throughout my life. Her unwavering belief in me has
been a true source of inspiration. And to my father. Jack Kehoe, for always believing
and helping me in the pursuit of my goals. And, to my family, who although not
always close in proximity are never far from my heart.
iii
ACKNOWLEDGEMENTS
I would like to express my gratitude to my major professor. Dr. Charles

Imwold, for his years o f help, encouragement, and support. Much appreciation also
goes to my committee members: Dr Dewayne Johnson, Dr. Brenda Pitts, and Dr.
Leisa Flynn. Each o f these individuals in their own ways provided instruction,
support, and guidance.
I would also like to thank my friends and colleagues throughout this journey:
Seann Taylor, for his giving nature and willingness to patiently and repeatedly
explain the statistical analyses and procedures used in the data analysis; John Lata,
who provided the motivation and competition for success; and Dr. Debby Mitchell,
for her support in the final stages o f balancing professional responsibility with
academic completion.
My thanks and appreciation go to theses individuals, and to countless others,
who contributed with words o f encouragement, collaboration, advice, and various
other forms o f assistance.
TABLE OF CONTENTS
List of Tables ........................................................................................................... viii
Abstract .................................................................................................................... ix
Chapter Page
1. INTRODUCTION .......................................................................... 1
REVIEW OF THE LITERATURE ................................................ 8
Electronic Com m erce............................................................. 9

Growth o f the Internet ............................................. 10
Impediments to Commercial Use ............................ 12
Customer Reluctance to Shop On-Line .................. 14
Electronic Payment Systems .................................... 17
Effectiveness Criteria for IPS .................................. 22
Security .................................................................................. 25
Management View o f Security ............................... 26
Principles o f Security .............................................. 28
Internet Crime ........................................................... 29
Security Criteria for Electronic Commerce ............ 36
Types of Security Procedures ................................. 39
Cryptographic Technology ...................................... 41
Commercial Cryptographic Applications .............. 47
Risk and Risk Perception .................................................... 49
Risk Defined ............................................................. 49
Perspectives on Risk ............................................... 52
Risk as a Multidimensional Construct .................. 54
Trust ...................................................................................... 56
Analysis o f Trust ...................................................... 57
Levels of Trust ......................................................... 58
Decline o f Trust ...................................................... 60
Relationship o f Risk and Trust .............................. 61
Administrative Implications o f Research Findings ........... 62
Factors o f Risk Perception ...................................... 63
Research and In-Home Mail/Phone Order Shopping 65
Application to On-Line Shopping .......................... 67
Future of On-Line Shopping .................................. 70
Summary ............................................................................... 72
Statement o f the Problem .................................................... 73
Rationale ................................................................................ 73
Operational Definitions ....................................................... 74
Research Questions and Hypotheses .................................. 75
Significance o f the Study ..................................................... 79
2. METHODOLOGY AND PROCEDURES ..................................... 80
Subjects ................................................................................... 80
Variables .................................................................................. 81
Independent Variables ............................................... 81
Dependent Variables .................................................. 82
Instrumentation ....................................................................... 83
Procedure ................................................................................. 84
Data Analysis ......................................................................... 85
Limitations ............................................................................... 87
Delimitations ........................................................................... 87
3. RESULTS .AND DISCUSSION ......................................................... 89
Demographic Information ....................................................... 91

Results for Research Questions .............................................. 93
Research Question One ............................................... 93
Research Question Two .............................................. 97
Research Question Three ............................................ 98
Research Question Four .............................................. 99
Research Question 5 and Hypothesis 7 .................. 100
Research Hypothesis 8 and Research Question 1 .... 103
4. SUMMARY, CONCLUSIONS, AND FUTURE RESEARCH ....... 108
Summary ................................................................................... 108

Conclusions ............................................................................... 110
Future Research ........................................................................ Ill
.APPENDICES ...................................................................................... 113
Informed Consent ..................................................................... 113

Inventory ........................................................................... 114
vi
Human Subjects Committee Approval ................................... 118
REFERENCES ........................................................................................ 119
BIOGRAPHICAL SK ETCH ................................................................... 132
vu
LIST OF TABLES
Table Page
1. Summary o f Descriptive Statistics............................................................. 90
2. Internet A ccess............................................................................................. 92
3. Frequency oflntem et Use ................................................................. 92
4. Coefficient Alphas - Criterion Risk and Risk Component S cales 93
5. Risk Component Inter-correlational Measures ....................................... 94
6. Risk Perception - Regression Model Summary 95
7. Descriptives - Perceived Risk Scale (PRS)................................................. 98
8. Descriptives - Trust Security Technology Scale (TST) ......................... 99
9. Means o f Risk Perception in Methods o f Shopping ........................... 100
10. On-Line Shopping Compared to Other Methods o f Shopping ............. 101
11. Correlation o f PRS and Security Technology Knowledge (K N O W ) 102
12. Correlation o f KNOW and On-Line Shopping Frequency (FREQ) ..... 104
13. Correlation o f PRS and FREQ ................................................................ 104
14. PRS Comparison o f Non Shoppers and Shoppers .......................... 106
15. TOM Comparison o f Non Shoppers and Shoppers .......................... 107
16. TST Comparison o f Non Shoppers and Shoppers .......................... 107
viii
ABSTRACT
The growth and expansion o f the Internet and the World Wide Web continues to
impact society in new and amazing ways. What began as an informational tool for
universities has exploded into a "human social phenomenon” (Denning and Denning,
1998). The role of economic commerce has not been as dynamic as some predicted, but
has still demonstrated remarkable success and tremendous potential (Burke, 1997). Any
failure to meet some o f the expectations may be explained in large pan by questions and
concerns surrounding existing methods o f electronic commerce and o f the Internet itself.
A key negative perception centers on the security involved in Internet practice and
electronic payment systems. The lack o f an effective and trusted payment system that
can be used in conjunction with on-line shopping has been a limiting factor in the growth
o f Internet sales (Shon and Swatman. 1998). Consumers are hesitant to provide personal
information, including credit card details, over the Internet because o f high perceptions o f
risk and concerns with privacy (Aldridge, White, & Forcht, 1997; Culnan and Armstrong,
1999). Negative perceptions are then compounded and reinforced by massive media
exposure o f Internet security incidents (Jones and Vijayasarathy, 1998). From a lack o f
positive experiences and negative perceptions, many consumers still lack the necessary
trust in on-line merchants and Internet security procedures and continue to use the Web to
simply browse (Pitkow and Kehoe, 1996; Wintrob, 1995; Booker, 1995).
ix
This paper provides an overview o f electronic commerce and the impact o f risk
and trust on on-line shopping consumer behavior. Due to the growth and potential o f on
line shopping and the lack o f academic-based research on Internet-related consumer
behavior (Lewis, 1995; Rao, 1996), there is a tremendous need for impartial, academic
investigation into the behavior and perceptions o f on-line consumers. The present study
collected data on the perceptions o f risk and trust in relation to perceived risk, on-line
merchants and Internet security technology from a student sample at a large southeastern
university. The data were then analyzed using descriptives and parametric analyses.
CHAPTER 1
INTRODUCTION
Since the Industrial Revolution, technology has continued to advance at a
phenomenal rate and numerous technological advancements have had tremendous impact
on society as a whole. The automobile revolutionized the way in which people traveled.
The telephone made it possible for individuals on opposite ends o f the continent to carry
on a conversation. The discovery o f penicillin and several vaccines have virtually
eliminated the threat of diseases such as smallpox and polio and other medical
advancements have had dramatic effect on life expectancy and quality o f life. Man has
even taken steps on the moon and built satellites that send back unbelievable images from
the farthest reaches of space, continuing to fire the dreams and inspiration o f successive
generations.
The latest product o f technology continues to impact society in new and exciting
ways. The Internet, which began as an informational tool for universities, has exploded
into a “human social phenomenon” (Denning and Denning, 1998). Today’s users are
provided with a global telecommunications network, a virtual home entertainment center,
a convenient banking branch, a highly accessible library complete with vast stores o f
knowledge and information, a forum to share ideas and thoughts with anyone and
everyone, a shopping outlet with an incomparable selection o f products, and a means to
travel and see the world without ever leaving their home. The possibilities seem to be
limited only by one’s own imagination.
The arrival o f Tim Bemers-Lee’s trio o f programs that comprised the World Wide
Web (WWW) on the Internet in the summer o f 1991 (Schwartz, 1997) marked the start of
one of the most dynamic and tumultuous times ever in the global business world. This
movement was further promoted that same year when the National Science Foundation
(NSF) ceased financial support for the Internet, causing networks to become privately
operated and opening the door for commercial interests (KJzza, 1998; Caskey and Delpy,
1999). The Internet has since become a tool o f business with potential still undetermined.
Individuals and corporations alike have attempted to grasp the immense possibilities of
this new era in technology and gain some perspective on its potential applications for the
future (Shon and Swatman, 1998).
A brief glimpse at the statistics gives the observer a notion o f the sheer magnitude
o f growth of the network. In 1998. the U.S. Commerce Dept, reported an estimated 100
million people were currently on-line and that Internet traffic was doubling every 100
days (Caskey and Delpy, 1999). The fiscal year 1995 produced an estimated S20 million
in revenue from Internet transactions (Rosner, 1995), fiscal 1996 produced an estimated
S560 million in Internet sales (Burke, 1997), and business to business electronic
commerce (EC) was projected to surpass S I75 billion in fiscal 2001 (Shaw, 2000). The
UCLA Internet Project (2001) found that the number o f Americans on-line had risen
from 66.9% in 2000 to 72.3% in 2001.
Despite impressive growth in the number o f host computers and users, actual
Internet sales figures have fallen short o f some original predictions (Jones and
Vijayasarathy, 1998). The failure to meet some expectations may be explained in large
part by numerous aspects involving existing methods o f electronic commerce and o f the
Internet itself. First, as previously mentioned, the Internet was originally developed as an
information-sharing and research network and, as such, was not designed with security as
a prime factor (Ratnasingham, 1998a). In the developmental phase o f the basic
underlying protocols, little thought was given to the issues o f privacy and security
because all information was freely provided to anyone interested (Shon and Swatman,
1998; Denning, 1998). The success o f the Internet itself has been attributed to the open
exchange o f information and ideas and ready access to the masses - characteristics that
run completely counter to the basic objectives o f sound business practice, where
information must be protected and individuals granted access only when necessary
(Liddy, 1996). A message sent across the Internet may be routed through several
different networks with each new network presenting an additional security risk (Forcht,
Thomas, Usrv and Egan. 1995).
Second, although the number o f host computers and users is increasing daily, not
everyone has access to the Internet. User retention is an issue that concerns a number o f
Internet network and site operators. CommerceNet/Nielsen (1996) conducted a follow-
up study and found that 21% o f those who had Internet access in the initial study no
longer had access 7-S months later. A major reason for the reduction in users was
students leaving a university situation and free Internet access. Kingsley and Anderson
(1998) describe a body o f research that demonstrates a growing population o f ex-Intemet
users who have had extensive opportunity to experience the Internet and decided to
discontinue access. Additionally, the authors point out that the individuals leaving the
Internet are young, well-educated, and computer-literate - a highly desirable market to
virtually every business venture on-line. “Those interested in promoting electronic
commerce would like to see a rapidly expanding market rather than one where numbers
o f potential buyers remain stable. Marketing practitioners are increasingly concerned
with the retention of customers as well as the recruitment o f new ones, and therefore any
significant hemorrhaging of Internet users will be o f concern to them” (Kingsley and
Anderson, 1998, p. 308).
Finally, slow sales growth in Internet sales can be directly associated with
negative consumer perceptions o f Internet commercial ventures. From a technical
standpoint, limited bandwidth leads to heavy congestion and slow connection speeds
(Kingsley and Anderson, 1998; Aldridge, et al., 1997; Jarvenpaa and Todd, 1997). The
method o f shopping involves technology that is new and unfamiliar and many consumers
do not yet have the level o f experience and comfort necessary to make a purchase (Cox
and Rich. 1964; Zikmund and Scott, 1973; Caskey and Delpy, 1999; Ratnasingham,
1998a). Many companies have blindly entered cyberspace without the prerequisite
information and skills necessary and have only succeeded in wasting precious resources
and creating an image o f instability (Bell and Tang, 1998).
A key negative perception centers on the security involved in Internet practice and
electronic payment systems. “However successful, the use o f the Internet as an accepted
technology has been hampered by the lack o f security, either real or perceived” (Liddy,
1996). The lack o f an effective and trusted payment system that can be used in
conjunction with on-line shopping has been a limiting factor in the growth o f Internet
sales (Shon and Swatman, 1998). Consumers are hesitant to provide personal
information, including credit card details, over the Internet because o f concerns with
privacy (Denning and Denning, 1998; Aldridge, et al., 1997; Culnan and Armstrong,
1999) and fraud (Dinnie, 1999; Caskey and Delpy, 1999; Kizza, 1998). Negative
perceptions of questionable Internet security procedures are then compounded and
reinforced by massive media exposure o f every Internet security incident (Jones and
Vijasayarathy, 1998; Kasperson, et al., 1988). As a unit, these factors likely explain a
great portion o f why most consumers still prefer the Internet for information searches
rather than purchases (Pitkow and Kehoe, 1996; Pope, Brown, and Forrest, 1999; Booker,
1995; Wintrob, 1995). The objective o f site operators and Internet marketing
practitioners is to identify and address the causes for concern o f the sizable percentage of
Internet users who are still hesitant to purchase over the Internet.
The incredible explosion o f Internet interest and expansion has created a virtual
environment that progresses and evolves at an extraordinary rate. Although exciting and
adventurous as a user, the dynamic nature o f the Internet can make it difficult to measure
the impact and effect o f marketing strategy (Deighton, 1997). An analysis o f failed
business ventures on the Internet will illustrate to the current marketer that there are
distinct differences between Web marketing and conventional marketing methods.
Numerous failures are the result o f marketers attempting to apply the lessons learned
from conventional advertising directly to the Web (Kiani, 1998). The relatively short
existence o f Internet business practice does not offer much experience for administrators
to base marketing decisions upon (Rowley, 1996) and the constant change makes it
difficult to conduct an in-depth, long-term investigation (Jones and Vijayasarathy, 1998).
A contemporary marketer must take what has been learned from previous consumer
behavior research and modify these models to account for the differences and intricacies
o f the Web domain (Hoffman and Novak, 1996).
As mentioned, one o f the most significant concerns o f users involves the negative
perception o f security surrounding on-line shopping. Two areas o f consumer behavior
that would apply to this concern are risk and trust. The concept o f risk was introduced as
early as 1960 (Bauer, 1960) and the concept o f trust has received a great deal o f attention
in recent years (Ratnasingham, 1998a). Research has demonstrated that perceived risk
can be extended to the store (Cox and Rich, 1964; Dash, Schiffman, and Berenson, 1976;
Hirsch. Domoff. and Reman, 1972; Spence, Engel, and Blackwell, 1970) as well as to the
method o f shopping (Cox and Rich, 1964; Schiffman, Schus, and Winer, 1976; Simpson,
and Lakner, 1993). As a result, the concerns o f privacy and fraud and their effects on
perceived levels o f risk and trust apply both to the virtual business and to the technology
that supports the ordering and payment systems utilized in on-line shopping. The
elements of risk and trust are valid concerns for both the manufacturer and the consumer
for all transactions conducted over the Internet. A major obstacle for companies that
conduct business on the WWW is the need to gain the trust o f potential consumers.
Sport organizations and administrators should be encouraged by some o f the
research findings. Although the Internet has been described as “a difficult place to do
serious business" (Poon and Swatman, 1995) and few sites have been able to report a
profitable Internet operation (Caskey and Delpy, 1999), sport-related websites are among
the most popular. An Intelliquest Worldwide Internet poll reported that 52% o f on-line
users surveyed had visited a sport-related website within the past month (“Industry
Spotlight: Sports on the Web”, 1998) and ESPN’s website, Sportszone, is consistently
among the 25 most trafficked sites ("Top drawing Traffic Sites”, 1997). Additionally,
demographics o f the average Internet user, as reported in a 1998 study by e-Marketer
(“Quickee Profile”, 1998), are male, well-educated, mid-30’s, and affluent. This profile
matches remarkably well with that o f typical visitors to sport sites such as
ESPN.Sportszone (Caskey and Delpy, 1999).
This paper provides a brief overv iew o f electronic commerce (EC) followed by an
examination o f the concerns and mechanisms o f EC security. The paper concludes with
an examination o f risk and trust and their relationship to EC. The purpose o f the paper is
to enhance the sport practitioner’s understanding o f the elements involved in the
development o f consumer perceptions surrounding on-line shopping and Internet
security. With Internet commerce figures showing great promise and the popularity and
demographics o f sport-related websites, it becomes incumbent upon the sport industry to
investigate the perceptions of consumers and current security methods to ascertain
whether they are meeting their objectives and what modifications might be necessary. If
research studies and statistical proof are not available in the near future to give credence
to the effectiveness of sport-related Internet commerce, it is possible that a valuable
revenue stream could be drastically reduced and opportunity wasted.
Review o f the Literature
Depending on your view, the Internet and the WWW may be considered the
ultimate business domain, perfectly designed for commercial exchange (Flanagan, 1994).
Others have suggested that the Internet is essentially a social place for the exchange o f
information and ideas. Proponents o f this view are generally not in favor o f the growth
or the intrusion of business practice on the Web (Laquey, 1994; Frost, 1994). It would
appear, however, that these business practices are here to stay. Maignan and Lukas
(1997) list four distinct functions o f the Internet: 1) a source o f information; 2) a place or
object of consumption; 3) a communication tool; and 4) a social system. These four
functions transcend the boundaries o f personal use and business application and reach
into nearly every comer of an individual's life. Added to these Internet functions, now, is
a world of virtual commerce. The Internet provides the modem consumer with resources
and options as never before. .And yet, with the potential benefits come unique concerns
and risks.
The area o f electronic commerce and Internet shopping is a relatively new arrival
to the world of retail and sales growth has been slower than some anticipated, although
encouraging (Jones and Vijayasarathy, 1999; Burke, 1997; Birch, 1997; Rowley, 1996;
Foo, Leong, Hui. and Liu. 1999). In order to capitalize on the vast market potential o f the
Internet, there is a critical need for marketers to investigate consumer perceptions o f on
line shopping (Jones and Vijayasarathy. 1999). Concern exists over results o f many
surveys and studies o f consumer demographics and user characteristics as a large part of
existing research has been conducted by parties with “distinct commercial interest” in the
results (Lewis, 1995). A consistent theme throughout the research is a consumer concern
over the security and risk involved in on-line shopping (Pope, et al., 1999; Ratnasingham,
1998b; Fumell, Dowland, and Sanders, 1999). “However successful, the use o f the
Internet as an accepted technology has been hampered by the lack o f security, either real
or perceived” (Liddy, 1996). The future success o f the Internet as a viable mechanism
for successful commerce depends not only on the development o f safe and effective
Internet payment systems (IPS), but also on the education o f consumers and the alteration
o f the negative perceptions of Internet security.
An examination of current electronic commerce practice is presented along with
existing electronic payment systems (EPS) and Internet security concerns. This is
followed by a review o f the consumer behavior literature involving the variables o f risk
and trust. The review concludes with a discussion o f the development o f risk perception
and its application to on-line shopping.
Electronic Commerce
Business trends are telling forecasters what intuitively most already know. The
future of business is inexorably tied to the successful establishment o f an Internet
presence. Commercial domains are the fastest growing segment o f the Internet and
business operations comprise the bulk o f traffic on the WWW. The majority o f Fortune
500 companies already operate on the Internet and thousands o f companies register new
domain names for the first time every month (Cronin. 1996). Rayport and Sviokla (1995)
clearly state the point: “Every business today competes in two worlds: a physical world
o f resources that managers can see and touch and a virtual world made o f information.
The latter has given rise to the world o f electronic commerce” (Rayport and Sviokla,
1995, p. 75).
Growth o f the Internet
A number of factors have contributed to the incredible growth o f the Internet and
the WWW. Kahle and Meeske (1999), Rowley (1996) and many others identify several
major characteristics o f the technology that make this medium attractive to the marketer
and the consumer alike. First, since the Internet origins are as an information-sharing
technology, it is an extremely effective tool for information access and storage. The
Internet is fast and efficient. With the proper equipment, and if the user knows where to
look, information access can be virtually instantaneous. This feature allows an individual
to follow, in real-time, either stock market figures or the score o f a sporting event. The
technology also provides for a great deal o f convenience. Information can be accessed,
communications can be sent and received, and products can be ordered and delivered
from the privacy o f home.
The technology is interactive and allows the customer service opportunity of
providing a personalized service or product. For example. Gateway computers will allow
the user to design an individualized computer package that fits the consumer’s needs.
The user chooses from a variety of options and an associated price is generated for the
specifications. The consumer has the opportunity to manipulate options and prices to
develop a package that meets personal specifications (n-wu-. satewav.com). The customer
actually becomes an active participant in the production o f the product (Blattberg and
Deighton. 1996).
10
From a business operations standpoint, there are several more features changing
business perspectives. The cost o f operating a virtual business is considerably less than
the costs o f overhead in a traditional setting. The falling costs o f business software
programs are offsetting normally high costs o f billing and collections (Birch, 1997). In
daily business operations, companies can utilize the Internet to reduce the cost o f inter
business and intra-business communications. Internet communication has shown the
ability to ease the burden on such expenses as private-line networks, faxes, and
messenger and overnight courier services (Cronin, 1996). Rayport & Sviokla (1995)
describe benefits associated with the “redefining o f economies o f scale” that will allow
small firms competitive pricing in markets against large companies. The global reach of
the WWW also allows the smaller organizations to reach markets that would have been
restricted by modest marketing budgets and traditional media.
Additionally, the time required for transport o f important information can be
drastically reduced for such functions as ordering inventory or filling orders. A
company’s efficiency can be dramatically enhanced by connecting inventory to the
website, so that customers are given immediate feedback as to the availability o f a
product. Corresponding inventory, purchasing, and financial reports can be generated
and transmitted globally. Indirect cost savings can be credited to reduced transaction
costs, avoidance o f distributor slotting fees, and more effective use o f advertising
resources. The monthly cost to operate a website can be as minimal as twenty dollars a
month and involve simply getting listed with a directory in Yahoo!, Lycos, or some other
web browser. Finally, many companies whose trade is information have demonstrated
substantial cost reduction in the cost o f production. For example, Fidelity Investments as
11
a result o f direct distribution over the Internet has claimed savings in the millions of
dollars (McEachem and O ’Keefe, 1998). An example o f a prototype virtual business is
eBay.com. The company has no structural storefront and its only public shopping area
exists in cyberspace.
Impediments to Commercial Use
The major concerns involved in establishing a business presence on the WWW
and conducting electronic commerce over the Internet center around three main
categories. These categories are connectivity, technical concerns, and Internet payment
systems (IPS). Connectivity is the ability o f a company to establish Internet links with
other businesses and the target markets. Undoubtedly, network connectivity links in the
future will be as commonplace as telephone connections are at this time. However,
currently there are major connectivity gaps in Internet access. First, only a small
percentage of small and medium-sized manufacturing companies in the U.S. operate on
the Internet and many o f the companies, in comparing cost outlay with potential benefits,
still do not consider establishing a connection as feasible. Second, this characteristic
could extend into personal use o f the Internet in the home. One study reported that, of
the 2500 respondents from a national phone survey, only 8% reported being current
Internet users. 8% reported being former Internet users, and 69% reported having heard
o f the Internet, but never being a user (Katz and Aspden. 1997).
Finally, there is a tremendous connectivity gap on a global scale. In 1995, more
than 60% o f all the computers registered worldwide were located in the U.S. This can be
attributed to the fact that difficulties and cost o f establishing a connection outside the
12
U.S. are magnified (Cronin, 1996). In the U.S., the cost o f access to the Internet is
charged at the rate of local telephone services and this has aided the expansion o f markets
and services. In addition, in the U.S. and U.K., there has been an extensive network of
free Internet access associated with universities. However, on an international scale,
there are high costs associated with Internet access due to national monopolies o f
telecommunications corporations as well as limitations caused by governmental policies,
laws, and practices (Forcht and Fore. 1997; Ratnasingham, 1998c).
Technical concerns would cover the problems associated with the development
and operations o f a website. Unless the company has the knowledge and expertise in-
house, a consulting firm will have to be hired. As with other forms o f technology,
Internet technology is advancing at a phenomenal rate, which translates to escalating
costs of consultants’ technical expertise. Furthermore, personnel may have to be trained
or additional positions created to operate and maintain new systems. A huge technical
concern is the bandwidth that the site will operate on. The decision over which Internet
Service Provider (ISP) to conduct business with will determine whether the site operates
on a high or low-bandwidth connection. Many ISP’s have limited bandwidth, which
leads to a longer amount of time required to access or download files. ISP’s with greater
bandwidth connections operate at a quicker rate, but are more expensive. McEachem &
O ’Keefe (1998) compare this decision to the location o f a business being “just off the
highway” or “up a back road.” Levels o f congestion continue to increase and the
resulting slower connections are o f great concern. Coupled with the added traffic o f a
growing number o f users is an increase in the use o f intensive multimedia applications
13
(Rowley, 1996). A future concern is the uncertainty o f cost o f domestic Internet access
as capacity becomes limited (Brody, 1995).
The last inhibiting factors are the concerns with the collection o f payments over
the Internet. Numerous early payment methods have been developed in an attempt to
meet the demand for a safe and effective payment mechanism. Most have utilized the
services o f existing credit card companies, in one manner or another. However, no single
method has become the standard and the lack o f universally accepted standards o f
payment has limited growth (Shon & Swatman, 1998; Ratnasingham, 1998). The
collection o f small value transactions, or micropayments, has been difficult as the cost
per transaction of most methods has not been feasible (Glassman, Manasse, Abadi,
Gauthier, and Sobalvarro, 1995;. The greatest concerns are associated with security
features and will be discussed in greater detail later in the review.
Customer Reluctance to Shop On-line
A survey conducted by Stores (1996) identified the following four primary
concerns o f consumers in relation to on-line shopping: credit card fraud (66%),
unsolicited mailing lists (65%), merchant legitimacy (59%), and lack o f data privacy
(57%). These concerns are extremely consistent throughout the literature as reasons
consumers have given for not shopping on-line (Jones and Vijayasarathy, 1998; Aldridge,
et al„ 1997; Rowley, 1996; Pope, et al., 1999; Stone and Gronhaug, 1993; Caskey and
Delpv, 1999; Ratnasingham, 1998b; Kizza, 1998) and for using the Internet primarily as a
tool for gathering information and browsing (Booker. 1995; Wintrob, 1995). Additional
concerns expressed for in-home shopping include a concern over substandard products
14
(Kizza, 1998) and difficulty in returning or exchanging merchandise (Simpson and
Lakner, 1993).
Fraud - A major factor in the negative consumer perceptions o f Internet security
methods is the belief that the channels that the information passes through are not secure
(Jones and Vijayasarathy, 1998).
“Built-in security• is not provided by the Internet as messages and

information sent via computer may be routed through many different
systems before reaching their destination. Each different system
introduces unwanted individuals ...[and the potential for] damage,
copying, or eavesdropping” (Forcht and Fore, 1993).
More recent security measures implement cryptographic technology to scramble the data
and make it unintelligible to eavesdroppers, but the negative perceptions o f weak Internet
security procedures remain. Consumers are fearful o f the interception and misuse or
abuse o f their credit card information (Liddy, 1996).
Unsolicited Mailing Lists - The term “spamming” has come to represent the
unwanted, intrusive mass mailings o f companies to e-mail lists o f consumers (Beth,
1995). The electronic version o f “junk mail,” many consumers have expressed
annoyance at the frequency of the messages. Attempts to mass market through the use o f
e-mail by organizations have been met with instant and decided disapproval from on-line
users. “Flames” are complaints directed at businesses that have breached the unwritten
code o f the Internet and most companies learning their way around the Internet are often
eager to avoid these types of reactions (Teague, 1995). As a result o f these methods,
many consumers are hesitant to distribute their e-mail address, much like an unlisted
telephone number. This causes a problem since many on-line shopping businesses will
require an e-mail address for verification o f an order.
15
Merchant Legitimacy - An attractive feature to some is the anonymity provided
by the Internet. However, from a business standpoint, this feature represents an inherent
danger. Consumers may not be entirely certain that the site provider is a legitimate
business and not an illicit operation. Unless the consumer is dealing with a recognized
company or has some other form o f assurance that the merchant is legitimate, he/she may
not be willing to provide personal information and/or credit card details. Once the
information has been sent over the Internet, the consumer has no assurance that the
account will not be charged without ever delivering the goods. Additionally, bogus
schemes and cons, like pyramids and "get rich quick” promises that have been used in
telemarketing operations, have resurfaced in Internet operations (Kizza, 1998).
Lack of Data Privacy - In addition to the issue o f misuse and abuse o f credit
card information, consumers are also concerned with personal information such as
addresses, telephone numbers, and purchasing habits. In some cases, companies have
sold consumers’ personal information to other companies interested in marketing details
and purchasing patterns (Ratnasingham. 1998a; Culnan and Armstrong, 1999). Other
consumers simply worry that the personal information provided to companies will at
some point be displayed on a website for anyone to access (Caskey and Delpy, 1999).
Substandard Products and Exchange/Return Policies - Research has
demonstrated that many consumers are wary o f ordering products sight unseen. They
experience concern about the inability to inspect the merchandise in advance and about
the inability or difficulty associated with returning the merchandise for a refund (Simpson
and Lakner. 1993; “Light mail order buyers surveyed”, 1987). In some cases, the
16
consumer may believe they are ordering a product o f a certain quality, but actually
receive a substandard or damaged product (Kizza, 1998; Spence, et al., 1970).
Electronic Payment Systems (EPS)
The physical world o f money has been changing for a number o f years. Through
the use o f checking accounts, credit cards, debit accounts, automatic payroll deposit, and
payment drafting, the majority o f money that a person earns and spends is often never
seen as hard currency. Rather, the individual tracks finances through figures and
balances on statements and computer screens. “Money has become, in recent years, an
increasingly abstract concept” (McEachem and O ’Keefe, 1998, p. 239). Electronic
commerce is a relatively new concept and the Internet is helping dictate change in the
financial operations o f many.
An EPS, or electronic payment system, is any system o f payment that allows
financial transactions to be made securely through the use o f telecommunications, and
often from a remote location. Businesses realized quickly that existing systems o f
payment would be unable to meet the security concerns o f conducting trade over the
Internet and the development o f electronic payment systems developed rapidly (Shon and
Swatman. 1998; Panurach, 1996). The most efficient method o f payment for this type of
transaction is through the use o f a credit card account. However, as previously discussed
many consumers have been unwilling to transmit these details over open Internet
connections. “The technologies o f payment, rather than the technologies o f connection,
are the real trigger for the expansion o f electronic commerce” (Birch, 1997). Current
payment systems as they apply on-line commerce include: house accounts, third-party
17
based systems, SmartCard based systems, secure Webserver based systems, electronic
token based systems, and micropayment based systems.
House Accounts - These accounts simply require the consumer to place a deposit
into an account separate from the on-line application. For example, the consumer could
call the company or mail a payment to the company. When the deposit is received, the
consumer receives a password and/or PIN in order to access the account. The cost
associated with items ordered is deducted from the account balance. All financial
transactions are undertaken separate from the ordering process and the account can be
recharged at the discretion of the consumer.
Third-party based systems - These types o f systems employ the use o f an
independent third party to verify the identities o f the two negotiating parties. Known as
trusted third parties (TTP’s ) or certification authorities (CA’s), these entities provide
some measure of protection from fraud for both the consumer and the retailer (Liddy,
1997; Wilson, 1997). In 1994, FirstVirtual (FV) bank arrived on the scene and was one
of the earliest systems o f secure payment on the Web. FV’s success was due in large part
to its simplicity (Buck, 1996). The system did not require extensive technology and
simply used basic electronic mail (e-mail) messaging. The consumer established an
account with FV using a credit card to secure a personal profile. In return, FV issued the
client a Virtual PIN. The consumer would give the PIN to the manufacturer who then
sent an e-mail message to FV indicating the consumer PIN and amount o f purchase.
When FV received the manufacturer’s message, a request for confirmation was
electronically mailed to the client to ensure authenticity o f the order. Only when the
18
client had confirmed the purchase did the credit card exchange with the merchant take
place (McEachem and O ’Keefe, 1998).
By acting as the third party, FV provided the consumer with a means o f security
and provided identification verification for both parties. The security o f the transaction
was guaranteed because the details o f the credit card transaction were never transmitted
over the Internet (Crede, 1996). Through the Internet, the consumer has worldwide
access wherever there is acceptance o f credit card technology. Mastercard (1995)
reported a global figure o f 13 million acceptance locations and partnership relations with
22,000 member financial institutions internationally.
SmartCard based systems - These card-based systems are also known as stored
value cards and are similar to pre-paid phone cards. The latest generation o f SmartCard
technology utilizes a microchip to provide security. The stored value can be spent
anywhere by inserting the card into a reading device at the point o f purchase (Richards,
1996). Some types o f cards are disposable while others are associated with accounts that
can be replenished. Once the limit is depleted, the consumer must contact the company
to deposit additional funds into the account.
Monde.x is a system implementing SmartCard technology that is already in place.
Users have the ability to transfer funds in a variety o f ways. Through the use o f an
“electronic wallet” containing a microchip, the consumer can transfer funds from their
"wallet” to their card or to another card. The UK has installed the first 1000 Mondex-
compliant telephones and the first 250 Mondex compliant public pay phones to enable
the user to transfer funds via the telephone (Birch, 1997). Ideally, funds can even be
19
transferred over a network, as long as a communications channel can be established
between two card-reading devices.
"The impending migration o f credit cards from magnetic stripe to SmartCard

technology, the likely adoption o f SmartCards as electronic checkbooks, and the existing
use o f SmartCards as electronic cash will lead to SmartCard readers becoming as
ubiquitous as ... floppy disk drives" (Card Technology Today, 1995, p. 13).
SmartCards have already become popular in Europe and Asia where
approximately 400 million were distributed in 1996. The expansion into the U.S. market
began on a large scale at the 1996 Olympic Games in Atlanta. An estimated 300,000
rechargeable cards and 700,000 disposable cards in denominations o f S25.00, S50.00, and
SI 00.00 were issued (Birch, 1997). An attractive feature o f these methods is that all
transactions are immediate. Another advantage is that SmartCards can be assimilated
into existing ATM technology and networks (Crede, 1996). It has been pointed out that
all o f these methods indicate a trend o f the future is currency that has become “fluid and
global” (McEachem and O ’Keefe, 1998, p. 245). The use o f the technology seems to be
a good match for American spending habits since it is estimated that 88% o f transactions
are completed by cash or check and that 83% have a transaction value o f less than SI 0.00
(Birch, 1997).
Secure Webserver based systems - The practical theory behind webserver-
based payment systems lies in the concept that both the consumer and the merchant must
use the same Webserver for the transaction (Shon and Swatman, 1998). The Webserver is
then supported by a software program, or security protocol, that scrambles the
information to outside viewers and secures the connection. The most well known
20
security protocols are S-HTTP and SSL, which will be discussed in more detail later in
the review.
Electronic Token based systems - Several methods o f payment that implement
digital cash have also been introduced. E-cash is one system that is the virtual
equivalent of traveler’s checks. The purchaser sends payment to the issuing bank which
returns equivalent E-cash credit. A distinct advantage o f digital cash is that, like hard
currency payment, the consumer may remain anonymous. These systems are extremely
secure in that they implement several security techniques, including digital signatures and
cryptography (both o f which will be discussed shortly) and are extremely difficult to
forge. However, one drawback is that the tokens are uninsured. In a worst-case scenario,
in which both the customer’s hard drive and the bank’s system were to go down
simultaneously, the bank would have no way to establish a link between the credit and
the customer for reimbursement (Richards, 1996).
Micropayment based systems - As the statistics provided by Birch (1997)
demonstrated, there is a large proportion o f small value transactions that comprise the
bulk o f transactions in the U.S. Combined with the fact that credit card transactions often
include a high cost per transaction fee, a number o f payment systems have been
specifically designed to avoid the high transaction fees and capitalize on the market
potential. Some o f the systems in use include Micromint, Payword, Micropayment
Transfer Protocol (MPTP), and Millicent (Shon and Swatman, 1998). For example,
Millicent limits the cost per transaction by minimizing the amount o f information sent
across the network and avoiding expensive security procedures. This is accomplished by
implementing components called scrip and brokers. Scrip is the account that a customer
21
establishes with a single vendor that is used one time and disposed of. The assumption is
that by keeping transaction amounts low and not reusing scrip, the likelihood and
profitability o f criminal attack is greatly diminished. Every transaction on a particular
scrip requires a security number known only by the customer. Independent brokers are
used to control the accounts o f the customers and vendors and handle the actual exchange
o f funds. Justification of funds can be completed independently by either consumer or
vendor software as a control mechanism against potential illegal activity on the part of
the brokers (Shon and Swatman, 1998).
Effectiveness Criteria for IPS
Internet Payment Systems (IPS) are electronic payment systems (EPS) used in
conjunction with electronic commerce conducted over the Internet. Several studies have
collected survey data from the individuals who conduct virtual business in order to
establish criteria important for the operation o f IPS (Shon and Swatman, 1998; Buck,
1996; Panurach, 1996). The collected data reveal a number o f significant characteristics
or attributes that consumers and vendors feel are important for an IPS to be an effective
tool. Although every study did not compile the exact same list o f variables for system
effectiveness, the findings were relatively consistent. The list is not organized in order of
importance and some o f the indicators may overlap somewhat in scope (e.g. Anonymity /
Privacy; Profitability / Low Transaction Cost).
1) Refunds - merchants should be able to refund payments to consumers when

necessary.
2) Dual Operational - the system should be able to support both on-line and off-line
activity in case the computer system is down.
22
3) Acceptability - IPS should be accepted at a wide variety o f vendors, merchants,
and banks.
4) Accountability - transactions must have the ability to be accounted for.
5) Anonymity - the ability to conceal the identity o f the consumer if desired.
6) Authentication - the ability to verify the identities o f the users o f the system.
7) Customer Support - the system should be able to assist customers electronically at
little or no cost whenever necessary.
8) Duration o f Transaction - the time needed for the transaction process should be
minimized as much as possible.
9) Convenience - the system should be user friendly and should be almost as easy to
use as physical currency.
10) Fungibilitv - funds should be easily exchanged between the parties conducting
business.
11) Flexibility - the operating system should support different kinds o f IPS.
12) Functionality - the system should be able to perform numerous operations that
might be critical to the transaction process.
13) Irrefutability - the ability to ensure that the payments cannot be refuted at a later
point and are binding.
14) Legal Certainty - the payments conducted with the IPS should be legally accepted
and binding.
15) Low Fixed Costs - the amount o f expense on the part o f the consumer and the
vendor to operate the system should be minimal. For example, costs could be
related to setup, equipment, infrastructure, or operations.
16) Low Transaction Cost - cost per transaction must be as near to zero as possible
just like hard currency.
17) Portability - the ability of the IPS to operate with remote access.
18) Privacy - the ability to protect the privacy o f the information transmitted.
19) Profitability - the overall cost-effectiveness o f the system should be reasonable
for operation.
20) Regulatory Framework - the regulation o f the system by enforcement agencies
must be accounted for.
21) Reliability - the system must be considered trustworthy by both consumer and
merchant.
22) Responsibility - the IPS must be held responsible for any fraud, data security, or
data privacy intrusion as a result o f IPS operation.
23) Scalability - the operations o f the system should avoid routing o f information
through a small number or congested networks. In other words, the ability to
avoid “bottlenecks” should be taken into account.
24) Security - the system must have secure operating procedures to protect the details
o f the transactions and parties from illegal activity.
25) Traceabilitv - the system must have the ability for transactions to be traced or
backtracked, especially in episodes o f illegal activity.
26) Transferability - customers must have the ability to transfer funds in both
directions. In many cases, merchants may also be consumers.
27) Universality - a standard interface should allow use from any location globally.
23
28) Unobtrusiveness - the system should have the ability to fit into the daily
operations o f an individual’s life with little inconvenience.
Shon & Swatman (1998) surveyed six major groups involved with IPS in an
attempt to determine if the desired effective criteria were consistent across all groups.
The respondents represented financial institutions, IPS providers/manufacturers,
merchants/vendors, consumers, regulators, and network providers. The results indicated
that two primary concerns consistent across all groups were security and reliability. Each
individual group also identified a primary issue or concern.
Financial institutions specifically identified a need to be able to authenticate
individual transactions and a desire for an IPS to integrate with existing networks to be
cost-effective. IPS providers/manufacturers expressed the desire to develop a system
that adequately adapts to the level o f service desired for the transaction and is flexible
enough to avoid bottlenecks and slow response time. Merchants are looking for a cost-
effective system to encourage consumer use without high associated merchant cost.
Regidators, as one might expect, expressed a need to be able to trace transactions for
legal purposes. Network providers desired an IPS with strong universality o f
performance and acceptance since each procedure is expensive to setup and provide.
Finally, in the response most applicable to the review, the consumers were
concerned with security details and low transaction costs. It has been theorized that, in
order for an IPS to be accepted by consumers, the transaction costs must not be more than
traditional payment systems (Shon and Swatman, 1998). Additionally, the effectiveness
indicators are likely to vary as the value o f a transaction changes. For example, a
consumer may desire speed and efficiency more for a transaction value o f SI.00, but be
24
more concerned with security and privacy for a transaction o f SI 00.00. Other research,
such as Panurach (1996), suggest that the most important factor to consumers is the wide
acceptance (universality) o f the system and the ability to integrate the IPS with existing
networks in which they already conduct business (e.g. credit cards, ATM systems, etc...).
Security
The fact that the Internet is extremely open and easily accessible is both a strength
and a liability for electronic commerce. The Internet was designed for the free exchange
o f ideas and information and not with secure transmissions in mind. Security is one o f
the most challenging and critical issues facing an organization today. An organization
must decide what information is to be protected, who should have access, and whether
authorization codes are necessary. When a company opens a Webserver to conduct
business, it opens the possibility of tremendous reward and realistic risk o f criminal
intrusion. The same channels that open the door for commercial exchange also open a
window for a myriad o f potential crimes. Verity (1995) states the problem very clearly:
"We will never reach perfect security in this world o f ever-increasing

technology. However, we can reach a level o f security we can live with.
The risk that remains is the cost o f doing business. ”
The perceived lack o f security o f Internet operations on the part o f the consumer has
limited the growth and potential o f Internet commerce. These perceptions are based on
25
real situations o f system corruption, fraud, theft, and viruses that have occurred with early
commercial interests in the world o f virtual business (Aldridge, et al., 1997).
Management View o f Security
The security incidents that have occurred involving Internet operations have been
further compounded by the actions o f management in reacting to these incidents. The
response of many administrators and executives has been a public stance that the security
of their systems is intact. This denial that security incidents can occur is a primary
contributor to the problem itself (Anderson, 1994). In an attempt to reassure the public,
management has often ignored the existence o f critically poor security procedures for
their systems.
Businesses are starting to realize that security is a critical necessity. One has only
to look at recent statistics to see reason for serious concern. The 2nd Annual Global
Information Survey' was conducted by Ernst & Young and compiled responses from 4254
Information Technology (IT) managers from 29 countries and across all industry groups
(Dinnie, 1999). Fifty-seven percent (57%) o f companies say that security risks are higher
than the previous year, compared to only 4% that say they have reduced. Seventy-five
percent (75%) o f senior managers rate security as “important” or “extremely important”
but only 30% o f the companies have formal IT policies and only 23% provide awareness
training to their employees. Nine out o f ten organizations (90%) rated their own security
as “poor” and 43% rated the security o f their Internet services provided as no better than
“fair” (Dinnie, 1999).
26
As early as 1992,1.2 million intrusions were reported (Forcht and Fore, 1995)
and the number o f intrusions into government, business, and university computer systems
increased 344% between the years o fl9 9 3 and 1995 (Keating, 1996). A federal law
enforcement estimate placed a figure o f SIO billion annually in on-line theft o f data in the
U.S. One expert estimates that 85-97% o f all system break-ins are never detected and, of
the few that are, even fewer are reported fearing bad press and a negative public image o f
“system weaknesses” and “management incompetence”(Kizza, 1998).
A significant contributing factor for many security inadequacies has been
budgetary concerns. The Ernst & Young survey indicated 45% o f companies surveyed
do not even have budget allowance for information security (Dinnie, 1999). A 1996
report indicated that 59% o f the companies surveyed indicated they lacked human
resources to focus on more security and 55% indicated an inadequate budget to support
Internet security (Internet Security Survey Results, 1996). Understandably, organizations
will have to operate within specific budgetary limitations, but the issue should not be
treated simply as a budgetary concern. It is important that organizations view security as
an “enabler” o f electronic commerce and not as a “constraint.” It is the responsibility o f
senior management to decide what level o f risk is acceptable and budget adequate
resources for a consistent level o f security throughout the entire system (Dinnie, 1999).
Recent advances in security technology have made on-line shopping and
electronic commerce immeasurably safer. Some feel that techniques and innovations like
firewalls, cryptography, and digital certificates and signatures have made Internet
commerce as secure as traditional payment methods (Buck, 1996). Still others have
27
speculated that the adoption o f these technologies will make Internet commerce even
more secure than current practices (Fumell, et al.,1999).
" There will never be a totally secure computer system because the
security o f a system depends on the intertwined security o f its 3 basic
components: software, hardware, and humanware. Hence, the only
known secure system is one that has no contact with the outside
world, no modem connections, no network connection and is
completely closed as in a bunker, but such a system would be useless "
(Kizza, 1998, p. 59).
Principles o f Security
Security can be defined as any “act to prevent the unauthorized use, access,
alteration, and/or theft of property and physical damage to property" (Kizza, 1998, p. 58).
The data contained in commercial transmissions would be included in the definition o f
property. A strong security system must detect potential illicit activity as well as
minimize the potential negative effects that can be sustained. It is naive for an
organization or top administrators to think that their computer system will not be
attacked. O f the companies represented in the Ernst & Young security survey, 16% o f
the firms had suffered, or believed they had suffered, at least one intrusion through the
Internet (Dinnie, 1999). Kizza (1998) identifies the three principles o f a sound security
system as protection, detection, and reaction.
Protection encompasses the technology involved in securing the system. Most
security systems rely on a strong perimeter security, but do not require the same degree of
security for access points within the system. As a result, if an attack can find a loophole
or window into the system, once entry has been gained, the entire system is vulnerable.
28
The strength o f security for the entire network is only as strong as that o f its weakest
point (Forcht, et al., 1995). Additionally, the more options and capabilities that the
Webserver offers and the more flexible the site, the greater the potential for attack
(Aldridge, et al., 1997).
Successful detection requires a constant monitoring o f the system and the
assumption that an attack is inevitable. The system should be constantly reviewed for
potential problems from both internal and external sources. The rapid advancements of
technology make some aspects o f systems, or even entire systems, obsolete at an
outstanding rate. The company may not even realize that the system is out-of-date until it
is too late (Kizza, 1999). Even though an analysis o f security incidents indicates that a
high percentage o f problems come from an insider attack or employee error, most
organizations are still more concerned with external attack (Dinnie, 1999).
Finally, an organization must have a contingency plan in place ahead o f time to react to
an attack. The system o f recovery to update files or secure connections and eliminate
security gaps should have as little detrimental effect on normal business operations as
possible (Kizza, 1998).
Internet Crime
An inspection o f the latest statistics demonstrates that Internet crime is increasing
at the same pace as the growing sales figures for electronic commerce. On March 5,
1999, the Computer Security Institute released the findings from its Computer Crime and
Security Survey conducted in conjunction with the San Francisco Bureau FBI Computer
Intrusion Squad (Computer Security Institute, 2000). The study was based on 95
29
respondents representing corporate interests throughout the U.S. The findings showed
that 96% o f the organizations were operating a site on the Internet and 30% o f those sites
conducted electronic commerce o f some sort. At least one instance o f unauthorized
access or misuse was reported by 20% o f the respondents within the previous 12 months
and 33% responded with an unsettling “Don’t Know.” For the third consecutive year,
cases of system penetration increased with 30% reporting instances. The percentage of
networks that reported their site as “a frequent point o f attack” increased from 37% in
1996 to 57% in 1999. Also, for the third consecutive year, financial losses exceeded
SI 00 million. Theft of proprietary information totaled S42,496,000.00 by 23 respondents
and financial fraud totaled S39,706,000.00 by 27 respondents. The types o f attacks that
were specified by the report are listed, followed by the percentages o f respondents that
reported incidents o f that type: vandalism (98%), denial o f service (93%), financial fraud
(27%), and theft o f transaction information (25%) (Computer Security Institute, 2000).
An understanding o f the motives and attractions o f the criminal attacks can help
security professionals detect and prevent computer intrusions. Rubin (1996) identifies
seven characteristics of the Internet that make it fertile ground for illicit activity.
1. Speed. The speed o f both Internet connections and telecommunications has
dramatically reduced the time required to transmit and/or receive extensive files
of digital data. As a result, the time required to illegally access and copy vast
amounts o f information has been significantly reduced.
2. Anonymity. The privacy that the Internet provides allows virtual criminals a
shield from regulators and enforcement agencies. Even if the attacks are detected,
they are generally routed through several different servers to inhibit tracking
30
which makes identifying the criminals an extremely difficult prospect.
Additionally, the attacks may be made from anywhere in the world and, at the
present time, there is no single authority to deal with Internet crime incidents
across international borders. Rubin (1996) also discusses the aspect o f “moral
distancing” o f responsibility that the attackers may achieve through anonymity.
3. Nature of the medium. Information that is stored in computer files is coded
digitally and can be stolen without being removed. Copies of the original
document or data may be made while maintaining the impression that nothing has
changed. Access logs of files can be traced for signs o f irregular activity, but
careful attacks may even alter the log files to make detection even more difficult.
4. Aesthetic attraction. “Humanity is endowed with a competitive zeal to achieve
far beyond our limitations. So, we naturally feel a sense o f accomplishment
whenever we break down the efforts o f our opponents or the walls o f the
unknown. The sense o f accomplishment brings about a creative pride...” (Rubin.
1996, p. 37). Criminals may attack specific sites just because they are there or
simply to see if they can. Coupled with the anonymity provided by the computer
and a minimal chance of being caught, a successful intrusion may have more
value to the attacker than the information that is stolen.
5. Increased availability of potential victims. The increasing number o f sites and
users has dramatically increased the potential for computer attacks. Additionally,
many o f these new access points have minimal or under-strength security systems.
The fact that many o f these systems can be invaded with little effort and the
effects can have broad and far-reaching effects can fill the intruders with a “sense
31
o f amusement” and power. This realization o f power over others may even turn
curious intrusions into malicious and destructive acts (Rubin, 1996).
6. International scope. The influence o f the Internet is global in reach and the
incentives provided by the magnified effects o f an international scope and
visibility can be either economic or political.
7. The power to destroy. The potential for destruction o f communications and
operations apply on a variable scale for individuals, small companies, large
organizations, or even national military installations or utility power grids.
Computer intrusions and attacks have been accomplished by a number of
different methods depending on the motives o f the attack. All attacks identify and
exploit some weakness o f system security. As mentioned, some attacks are relatively
harmless intrusions where the individual may be just curious or looking around in
cyberspace. Other types o f attacks may be more damaging and have well conceived
intent. Each computer attack will be unique due to the differing security systems
encountered and the individual abilities o f the attacker. Some o f the major categories
o f methods o f attack will be examined.
1. Eavesdropping and Packet Sniffing. When a file is transmitted over the
Internet, the file is broken down into small segments, or packets, o f information
and sent in this manner. When the packets arrive at their destination,
instructions have been included on how to reassemble the information to return
the file to its original form. Some attacks will utilize a packet sniffer, which is a
simple computer program written to search the traffic as it passes through a
32
server for files with specific characteristics. One example may be searching
transmissions for data strings that match credit card numbers. This passive
interception of traffic does not necessarily require defeating any security
procedures, as unprotected files can be intercepted and viewed in transit by
virtually anyone (Denning and Denning, 1998).
2. Snooping and Downloading. This type o f attack is similar to eavesdropping in
that the primary objective is to gather information, which may or may not have
been the original intent o f the attack. The main difference between the
eavesdropping and snooping is that eavesdropping merely intercepts messages
as they pass through a network, while snooping involves illegal entry into a
computer system. These types o f attacks can be from either an internal or an
external source and involve filtering through an individual’s or organization’s
confidential documents, e-mail messages, or other files. Once again, the
objective may be simply curiosity or the attacker may have a specific intent for
what is being searched. When the attacker locates information o f interest, the
files may be copied by downloading them to the attacker’s personal computer or
stored somewhere else on the Internet. Unless the security system is effectively
monitored, the attacker may enter, locate and transmit files, and leave without
ever being noticed. The copying o f the information does not alter the content at
all (Denning and Denning, 1998; Kizza, 1998).
3. Tampering. Tampering is the illegal entry into a system followed by the
unauthorized alteration o f data stored in the system. Changes may be to account
information like names, dates, figures, or balances or entire files could be
^ •*
deleted. An extremely dangerous version o f this type o f attack is when the
intruder manages to gain root access to the system. With root access, the
attacker assumes total control and becomes able to access and alter any file
within the system. Denning and Denning (1998) describe two cases in which
the motives for the tampering were vandalism and personal amusement. In the
first case, attackers gained entry into the Department o f Justice website. The
home page was replaced with a separate page containing a swastika and a nude
photo. The second incident was an attack on the New York City Police
Department. Hackers gained access to the phone system and changed the
message that callers receive to the following: “ Tom have reached the New York
City Police Department. For any real emergencies dial 1-1-9. Anyone else,
we re a little busy right now eating some donuts and having coffee " (Denning
and Denning, 1998. p. 35). Often times, the attackers will then alter the log
files and disable audits to cover their entry.
4. Spoofing. This type o f attack has the attacker impersonating another user or
computer. Through eavesdropping or snooping, an attacker may be able to
identify an individual’s login ID and password. By pretending to be a
legitimate user, the attacker can gain entry to the system with this information.
Once connected, the attacker has access to all o f the user files and e-mail
messages. By gaining entry at one point, the attacker can then make attacks
against other systems while continuing to shield his/her true identity and
location.
34
Each computer that is connected to the Internet has an individual Internet
Protocol address, or IP address. IP Spoofing is an attack where an individual
will pretend to be another computer by transmitting messages with a false IP
address. If the bogus address is the IP address o f a trusted computer on the
system, the user can then pose as a legitimate access point to gain entry. In
extreme cases, attackers have managed to gain access to a site and establish a
system in which all network traffic, to and from a particular site, was
intercepted. By posing as the company, the attackers were able to edit all
messages in both directions and gather personal information like names,
passwords, PIN numbers, and credit card numbers.
5. Fraud. Cases o f fraud may involve either an individual intercepting the
transmissions intended for a legitimate business or bogus websites advertising
products they do not have, to collect and charge credit card accounts, with no
intent of conducting business whatsoever. As discussed, fraud may also involve
tampering with accounts and balances in an organization’s financial records.
6. Jamming or Flooding. An attack o f this sort is not one in which an attacker
attempts to gain entry or steal information. Rather, this type o f attack is o f
malicious intent and is designed to shut down or make a system inoperable. An
individual or a group o f individuals will inundate a system with messages
requesting a system connection. When the system responds to the requests, the
messages have included fake IP return addresses and the host systems computer
memory begins to fill with information about the connections that were unable
to be established. When a sufficient number o f fake connection requests have
35
flooded the host system, there is no room for legitimate users to log on and the
system is temporarily incapacitated.
7. Viruses and malicious code. Attacks in this category typically involve the
injection o f a malicious computer program through an outside source such as a
network connection, an e-mail message, or a floppy disk. The term viruses and
worms have come to represent these types o f programs. The offending
computer code is often not an entire program, but rather a fragment o f code that
is written to attach itself to application type programs. They are usually self-
replicating, which allows them to be spread from system to system, and become
activated when the application program to which they are attached is started.
Some of these attacks are merely a nuisance to the user and may be nothing
more than the addition o f a footer to each document created. Others, however,
are more destructive and could cause devastating damage to a system’s hard
drive or computer files. For example, the Michelangelo virus rewrites the initial
portion o f a hard drive if the computer is started on March 6, Michelangelo’s
birthday. Extreme cases involve viruses that encrypt an organization’s data
with the intent of extortion. The information is not destroyed, but unless the
company pays the attackers to receive the decryption key, the information
remains inaccessible and, therefore, useless (Denning and Denning, 1998).
Security Criteria for EC
In a business transaction conducted over the Internet, both the consumer and the
manufacturer face the very real possibility that the party at the other end is
36
misrepresenting themselves. Each side o f the transaction faces the possibility o f
receiving fraudulent information. The consumer requires some guarantee that the
organization truly exists, the product will be delivered, and any personal information
disclosed will be secure and protected. The manufacturer desires assurance that
consumers are whom they say and that payment information is legitimate. For a
successful virtual business transaction, there are seven conditions that must be satisfied
from a standpoint of security (Grant. 1996; Shon and Swatman, 1998; Ratnasingham,
1998a; Wilson, 1999). These conditions are:
1. Authentication. Authentication is one o f the most difficult security issues to
address. Both parties of a transaction must prove they are whom they say. Physical
devices, such as keys or credit cards, may be used for verification. Verification also may
be obtained through the knowledge o f classified or personal information, such as
passwords or a mother's maiden name, often used with credit card verifications.
Occasionally, technology will be advanced enough in a virtual environment to allow the
use o f a signature, fingerprint, or picture identification. The use o f a third party is often
used to guarantee buyer/seller identity.
2. Authorization. Similar in many ways to authentication, authorization is
comprised o f the procedures for determining whether a user has the right to access
business functions or systems. For example, many companies operating a commercial
enterprise on the Internet sell access to a product or information available through the
Internet. The product could be a subscription to an on-line professional journal or
membership to an entertainment site. In either case, the business will provide the user
with some means o f identification to access the product. Usually, the consumer will
37
select a username and a password that will authorize entry into the private areas o f the
site.
3. Availability. Information or files in the host system should be available to the
consumer at their convenience. A process for legitimate access to the services should be
made possible from remote systems as well as from the user’s primary' access point.
Also, the user wants the assurance that the information will be available at a later date.
4. Integrity. The issue o f integrity focuses on the potential for information sent
being intercepted, altered, and resubmitted. Paper documents are more difficult to tamper
with, but computer data are easily altered. (Wilson, 1999). Even the use o f a third party
can not absolutely guarantee that this did not happen. However, encryption technology
and third party intermediaries heighten the level o f confidence o f consumers and
manufacturers.
5. Nonrepudiability. Nonrepudiability is the ability to identify the sender and the
receiver o f on-line transactions. Electronic mail can be altered to change the apparent
sender (Grant, 1996) and IP spoofing procedures allow messages to be sent from a false
address. Traditionally, a written signature on paper is binding, but with the lack o f face-
to-face interaction in the virtual world, this is often not possible. Techniques for
nonrepudiability prevent a party from later denying a transaction happened. Once again,
a third party can be used to attest to the identification o f both parties.
6. Privacy. The possibility that an attacker could illegally enter a system and
intercept information is relatively high. Too many companies have inadequate security
networks to prevent such intrusions. At this time, the volume o f business transactions on
the Web is fairly small when compared to the total volume. However, most companies
38
hold the view that as the volume o f business transactions grows, so will the threat to
privacy and the frequency o f criminal acts. When a user commits to a commercial
transaction over the Internet, personal information is disclosed to the company. The
necessity o f the protection o f transaction information is crucial. The illegal collection o f
personal information could lead to the development o f false identities for criminals and
posing as legitimate consumers (Ratnasingham, 1998c). Secure encryption protocols,
such as SSL and S-HTTP (discussed later in the review), have been developed to ensure
privacy o f transmissions.
7. Confidentiality. The user expects not only that the technology is adequate to
secure the transmission and protect the information, but also that the organization
maintains proper internal controls and will not sell information, such as names, addresses,
and purchasing habits, to other companies. The information should only be available to
parties with legitimate need.
Types o f Security Procedures
Denning captures the essence o f Internet security in the following statement: “It is
never possible to achieve 100% security. Systems are too complex. Humans make
mistakes. Unanticipated events arise. New technology arrives before its security
implications are fully understood” (Denning, 1998, p. 50). In the battle against Internet
crime, a variety of security techniques have been developed. Due to the rapid pace o f
technological advancement, criminal tactics continue to evolve at a rapid pace and
security methods and experts must attempt to keep pace. Present techniques range from
39
the very simple and inexpensive to the latest high-tech cryptographic design, depending
on the individual needs and allotted budget.
The foundation o f any security system should begin with common sense and
education o f employees. The term social engineering refers to the technique used by
many attackers o f obtaining vital information for the attack by talking to employees of
the targeted company (Denning and Denning, 1998). The individual will call the
company and pretend to be an employee from another branch, an agent with an
enforcement agency, or some other individual with a legitimate need for secure
information. They will act as if they have forgotten a password or login information or
pretend to be having problems accessing from a remote location and ask for help. If the
“helpful” employee is not aware o f this style o f attack, the individual is often provided
with all the information needed to launch a successful attack and no technical expertise is
even required. In other cases, simple human error might give an attacker the opening or
information needed. Proper training o f employees and awareness and adherence to a
strict security plan will minimize this threat. A comprehensive security plan should be
developed at the organizational level and at the departmental level. Guidelines for lost or
forgotten passwords and remote access should be developed and enforced. Services or
operations that are not currently in use should be turned o ff since dormant programs are
often targeted by attacks (Foo, et al., 1999). As part o f the overall plan, an organization
should also conceive a contingency policy in the event o f an attack. Finally, once in
place, the security system should be routinely and closely monitored (especially the
audits and access logs) for unusual or suspicious activity and should include a periodic
40
review and update. The proper training and awareness o f the “human” factor is often the
cheapest and most effective part of any security plan (Aldridge, et al., 1997).
Beyond the basic outlines o f employee training and policies, access restrictions to
information should be established. Since it is estimated that 80-95% o f all security
incidents are the result o f an insider attack (Bernstein, Bhimani, Schultz, and Siegel,
1996), particular attention should be placed on access controls for networks, secure files,
transaction records, and hardware devices. With regards to remote use or consumer
availability, access restrictions are generally accomplished with the use offirewalls and
passwords. Firewalls are computer gateways that traffic must pass through. By
establishing a firewall, an organization can restrict entry to a secure area to users with
legitimate access. Most often, a system o f usernames and corresponding passwords are
used to pass through the firewall. However, if the usernames and passwords are not
encrypted, the information can be intercepted as it is transmined. Also, the length o f time
that a remote user is connected to the system may be relatively long, which gives an
attacker ample opportunity to intercept traffic. The final element to a complete security
program is the use of a cryptographic program design to support and facilitate the other
elements of the security system. Cryptographic technology and encryption applications
will be examined in the following section.
Cryptographic Technology
The terms, encryption and cryptography, are often used interchangeably and refer
to the technology that aids in EC transaction security. A mathematical algorithm is
developed that transposes information into digitally coded data. A 64-bit encryption
41
scheme uses 64 numbers to represent each alphanumeric character in the message being
sent. The longer the key, the more alphanumeric characters are used, which results in a
more secure transmission. The message is scrambled using the algorithmic code,
transmitted across an unsecured network, and decrypted, or restored to the original
plaintext form, once received. In this manner, even if the message is intercepted during
transit, it would be unintelligible without the proper “key” to decode it (Denning, 1998).
The premise is for crypto-system developers to stay one step ahead o f the existing
technology that could be used to break the codes, ostensibly by continuing to increase the
length o f the key.
Cryptographic designs have two basic types: single key, symmetric cryptography
and public-key, asymmetric cryptography. In single key systems, the same confidential
key is used by all parties to code and send messages and to decode and authenticate
messages received. However, the longer a single-key system is used and the more parties
that have possession of the key, the more vulnerable the system becomes to attack, since
security depends on the safekeeping o f the key at all locations. Public key systems utilize
a "private” key, which is kept under tight control, and copies o f a “public” key, which are
distributed as needed. The two keys are mathematically linked, in which one key is used
to encrypt the data and the other is used to decrypt it (Bhimani, 1996). The security of
the system relies on one-way mathematical exponentiation that is easy to perform if you
have the correct information but impossible to undo (Beth, 1995). In both types o f
systems, the mathematical functions are intensive and are performed by computer
application. The only technical responsibility on the part o f the user is the safekeeping of
the key, which can be stored on a disk or, ideally, on a SmartCard (Wilson, 1999).
42
Encryption provides the answer to virtually all o f the security criteria with the
exception of availability (Wilson, 1999; Liddy, 1996). If the message is intercepted and
altered in any manner, the mathematical function will not work and tampering will be
evident. Thus, data integrity is insured. With single key systems, the security issues of
authentication, authorization, confidentiality, nonrepudiation, and privacy are all
acceptable as long as the copies o f the key are kept secure. However, if any copy o f the
key is lost or stolen, these security issues are all compromised. With public key
technology, it is of critical importance that the private key be kept under tight control.
Additionally, for the purposes of authentication, the system should be able to match
public keys with users. Through the use o f digital certificates and digital signatures,
additional mathematical functions that can be added to the end o f transmissions, a third
party can validate identities o f the parties involved in a transaction (Bhimani, 1996).
Authentication o f transactions and identity has long been associated with symbols such as
signatures, seals or organization letterhead; digital signatures and certificates are simply
the latest version o f this process (Denning, 1998b)
With new and inexpensive methods o f encryption technology, public key systems
are becoming standard features for business operations and software (Liddy, 1996;
Wilson, 1999). In the discussion o f the findings from Ernst & Young's 2nd Annual
Global Information Survey, the authors write: “We would consider data encryption to be
a fundamental level o f protection, and that no business should be conducting e-commerce
without employing at least a basic level o f encryption” (Dinnie, 1999, p. 117). Although
far from the answer to all security issues, public key cryptography is a valuable weapon.
The central issue for IPS is security o f transmissions and it has been suggested that
43
“developers easily and quickly overcame problems with security by applying encryption
techniques” (Shon and Swatman, 1998. p. 208). Some would argue that commercial
transactions conducted with this technology are actually safer than some purchases made
in person or over the telephone, because the sale can be verified before it is even made
(Aldridge, et al., 1997).
A number o f factors that surround public key technology have inhibited total
acceptance into the marketplace. First, numerous forms o f similar technology have been
developed and a small number of universal standards will have to be adopted. Next, the
necessary infrastructure to support a widespread system does not exist. The current
systems o f certification authorities (CA’s), network providers, and software corporations
will have to expand and develop the necessary support systems. Also, the level o f
expertise and trained professionals to meet the current demands is inadequate.
Businesses are having to hire or train the necessary personnel as well as modify methods
of production and delivery (Liddy, 1996).
Finally, government restrictions on the development and export o f encryption
technology have limited international acceptance and application. The science o f
cryptography has a history as a powerful tool o f governments for protecting information
of national security (Liddy, 1997). A point o f contention has arisen between
governments and enforcement agencies and consumers and organizations about the types
and levels o f encryption technology permitted. The problem is that the same technology
that permits secure transactions for commercial or government purposes can also be used
by criminals for illegal activities. The controversy predates the arrival o f the WWW and
the Internet and dates back to 1977 when the U.S. government passed the Data
44
Encryption Standard, requiring all government data and systems utilize 56-bit technology
(Anderson, 1994; Denning and Denning, 1998). Regulations limited the strength, or bit
length, o f encryption technology permitted for export to 40-bit, with a maximum o f 56-
bit under special circumstances. In August 1995, the Clinton administration announced it
would allow the export o f 64-bit software encryption if key recovery procedures were
met (Denning, 1998a). Then, in January 1997, the U.S. Commerce Department
announced it would allow export o f non-recoverable encryption technology o f unlimited
bit length for specific financial use. The U.S. government has since relaxed regulations.
The policy o f the U.S. government on domestic versions has been to prevent the
use o f systems that are stronger than it can break or have access to the “private” key in
escrow. Internationally, South Africa (1986) and the Netherlands (1994) backed off
policies attempting to ban public cryptography after serious pressure from banks, utilities,
broadcasters and oil companies resulted (Anderson, 1994). The argument from the
commercial sector is that if the strength o f code is weak enough for the government to
break then it is probably vulnerable to criminal attack as well.
Obviously, cryptography is a powerful tool and has had a dramatic impact on
electronic commerce, but it can not stand alone. The adaptation o f encryption has
received a great deal o f attention and interest and may be perceived as the solution to all
security problems with EC. Denning and Denning (1998) point out that this is a
“dangerous misconception” since a number o f successful computer attacks have taken
advantage o f elements that cryptography can not control. The strongest encryption
program designed is useless if an attacker can bypass the system or find a loophole in the
45
overall security framework. Security system deficiencies can be the result o f a number o f
different factors.
1. Lack of system monitoring. Purchasing a strong security solution will
not guarantee secure operations. An organization must assume that, sooner or later, an
intrusion is going to at least be attempted. Advanced technology continues to provide
criminals with better equipment and ideas that might make a system obsolete overnight.
Access logs and audits should be checked regularly for suspicious activity. Unnecessary
or out-of-date services should be eliminated or turned off.
2. Poor password policies and control. Policies for the selection and
changing o f passwords should be developed and strictly enforced. Simple or easy to
guess passwords make a system extremely vulnerable, especially with the ability to write
simple programs to crack passwords. Strict physical control o f username/password
combinations should be maintained, a regular schedule o f password changing should be
enforced, alphanumeric combinations and case sensitive passwords should be required,
and verification requests o f usemame/password transmissions should be encrypted
(Denning, 1998b).
3. Problems with Web server configuration. Since the specific security
needs o f each organization are unique, the security solutions will differ according to the
situation. The proper configuration o f file permissions and access privileges must be
designed to allow legitimate users access to the necessary areas while limiting access to
areas in which they are not granted access. Security loopholes may occur by granting
access to critical files to the wrong individuals or by failing to restrict access at all. Tight
perimeter security is o f critical importance in security designs where there is only an
46
initial verification. Without additional internal security mechanisms (each o f which
makes the system more complex and loopholes more likely), an attack has access to any
files or services once entry has been gained. The more dynamic and complex the
operating system, the more difficult it becomes to protect (Aldridge, et al., 1997).
4. Mistakes in program design. Some security risks may be a result o f
flawed design in the applications being run. Both Microsoft and Netscape, who are
responsible for approximately 90% o f the Web browser market, have experienced
situations in which their products contained serious security problems (Kizza, 1998). The
Netscape flaw allowed attackers to access files on the hard drive o f any user operating
Netscape Navigator Version 4.0. Microsoft Windows 95 and Windows NT Explorer 3.0
and 3.1 allowed remote access of user programs to an attack without the host ever being
aware of access being granted. In both cases, an attack had the capability to launch
viruses or trapdoors to facilitate the attacker’s return. Many o f the flaws present in
program design have been attributed to the pressures felt by program designers. Due to
the extremely short shelf life o f software products, shortcuts are taken in an attempt to get
the product to market quickly (Ratnasingham, 1998a).
Commercial Cryptographic Applications
Since most Internet payment systems (IPS) utilize the services o f existing credit
card capabilities, it should come as no surprise that Visa and Mastercard were involved in
the development o f the existing technology. When it became apparent that there was a
need for these types o f systems, both companies responded to the problem immediately in
an attempt to gain competitive advantage as the sole provider o f secure transactions over
47
the Internet. Visa allied with Microsoft while Mastercard joined forces with Netscape.
After a brief competition, both sides soon realized that the best option would be to merge
ideas and develop a combined product. The result was a hybrid encryption technology
protocol for credit card transactions called Secure Electronic Transactions, or SET
(McEachem and O ’Keefe, 1998).
Two encryption methods commonly used are Secure Sockets Layer (SSL) and
Secure Hyper-Text Transport Protocol (S-HTTP) which were introduced at
approximately the same time in 1995. A consortium called CommerceNet, in
conjunction with two o f the leading Web browser manufacturers at the time, Spry and
Spyglass, presented S-HTTP. Netscape was responsible for SSL and, realizing that
cooperation would enhance the position o f both groups, efforts were combined.
Netscape, Spry, and Spyglass then teamed up with IBM and Apple to form a new
company called Teresa Systems. The prime directive o f this new organization was to
develop a common set of standards that would allow a company to adopt either S-HTTP
or SSL, but have the ability to support both (McEachem and O ’Keefe, 1998).
It has been theorized that the main limiting factor for EC is the perceived lack o f
security in the payment mechanisms rather than difficulties encountered in connection
(Birch, 1997), and that EC will grow “exponentially” as more advanced technology is
developed (Kizza, 1998). Some even suggest that with the widespread application o f
technologies such as SET that Internet commerce will be the safest way to shop (Fumell,
et al., 1999).
48
Risk and Risk Perception
Ever since Bauer (I960) introduced the concept o f perceived risk to the social
sciences, researchers and marketing practitioners have been attempting to apply the
concept to predict consumer behavior. A review o f the literature shows that perceived
risk has been analyzed in relation to such areas as information search (Gemunden, 1985;
Locander and Herman, 1979; Zikmund and Scott, 1973; Lutz and Reilly, 1973), brand
preference and loyalty (Roselius, 1971; Hirsch, et al., 1972; Peter and Ryan, 1976),
purchase decision-making (Cox and Rich, 1964; Pope, et al., 1999; Zikmund and Scott,
1973; Perry and Hamm, 1968), personality traits (Zikmund and Scott, 1973; Peter and
Ryan, 1976; Schaninger, 1976; Brody and Cunningham, 1968), and methods o f risk-
handling (Cox and Rich, 1964; Cox, 1967; Peter and Ryan, 1976; Dowling and Staelin,
1994). O f particular importance to this review, perceived risk, as it applies to shopping
mediums, has also been investigated (Pope, et al., 1999; McCorkle, 1990; Cox and Rich,
1964; Festervand, Tsalikas, and Snyder, 1986; Hawes and Lupmkin, 1986; Korgaonkar,
1982; Spence, et al.., 1970; Akaah and Korgaonkar, 1988). A “fundamental problem” of
this body o f literature is that no consistent conceptual definition is applied, making it
difficult for broad application and comparison o f the research findings (Pope, et al.,
1999).
Risk Defined
Over the course o f an average day, an individual is faced with hundreds o f
situations in which a decision must be made. In most cases, there is no lengthy,
49
conscious deliberation o f the pros and cons o f each option. The individual simply
assesses the situation, immediately weighs potential alternatives, makes a decision, and
acts accordingly. The entire process may be as simple as whether or not to switch lanes
while driving on the highway or whether to go to the bank at lunch or after work. Lopez
(1987) theorizes that risk and security are "counter concepts” and have an inverse
relationship. An individual desires safety and security, but must accept risks as part of
life. Decisions on options are then based on best possible scenarios.
Bauer (1960) proposed that risk includes an element o f uncertainty and the
consequences that are associated with each course of action. Theoretically, the consumer
will follow the option that is perceived to have the most favorable outcome. However,
the probability o f perceived outcome for a purchase situation is unknown (Cox, 1967;
Cox and Rich, 1964). Each situation will also differ in the degree o f perceived risk. The
amount o f risk that a consumer will experience is a function o f two variables: the amount
at stake (consequences) and the individual’s feeling o f subjective certainty o f success or
failure (Cox and Rich. 1964). Conceptually, something can only be gained if something
else is risked (Luhmann, 1993). The amount at stake is that which will be lost if the
situation is not successful or if the wrong choice is made. In a purchase situation, the
amount at stake is tied to the buying goals o f the consumer (economic, physical,
psychological, etc...) (Cox and Rich, 1964). The inability to act, or the act o f doing
nothing, will carry its own set o f consequences. The feeling o f subjective certainty
pertains to the likelihood of success that a consumer perceives in a situation. If the
consumer feels very strongly that a purchase is the correct decision, the corresponding
level o f risk will be small. Additionally, research indicates that the feelings o f subjective
50
certainty and risk assessment are context-dependent (Bierman, Bonini, and Hausman,
1969; Coleman, 1990).
An extremely important concert in terms o f risk perception is that risk is
inherently subjective. The same purchase situation when presented to two different
individuals may result in two very different levels o f risk perception (Murphy and Enis,
19S6). “The ‘true’ or ‘actual’ probabilities o f loss are not relevant to the consumer’s
reaction to risk insofar as past experience is the basis for present perception. The
consumer can only react to the amount o f risk she actually perceived and only to her
subjective interpretation o f that risk” (Cunningham, 1969, p. 84). Perceived risk is the
result o f subjective interpretation o f objective criteria. In applying risk to situations
involving technological considerations, Starr (1969) posed the question, “How safe is
safe enough?” The answer seems to be a subjective one.
If the consumer perceives the level o f risk associated with purchasing a product or
service as too high, he/she will not complete the transaction. The consumer may initiate
risk-reducing behaviors to account for the high levels o f perceived risk (Gemunden,
1985). The consumer may either reduce the amount at stake or reduce the perceived
uncertainty o f the situation. Reducing the amount at stake may be accomplished by such
acts as comparison shopping, trying a product sample, or purchasing insurance. The
main way in which a consumer will reduce levels o f uncertainty is by seeking more
information. Sources o f information sought can be obtained from past experiences of
others, published consumer reports and test studies, manufacturer’s brochures,
commercials and advertisements, news reports, on-line consumer groups and bulletin
boards, and newspaper and magazine stories (Zikmund and Scott. 1973).
51
Some research suggests that individuals will attempt to mediate levels of
perceived risk in different ways. Peter and Ryan (1976) theorize that individuals’ unique
personalities are the key factor. The authors research findings suggest that consumers
who are highly “risk averse” perceive purchase situations more in terms o f potential
losses than gains. Also theorized is that the probability o f loss and the importance o f loss
are unique phenomena to individuals. This would help explain why individuals have
subjective levels of risk perception. Research has demonstrated that high risk-perceivers
engage in greater amounts o f risk-reducing strategies than low risk-perceivers (Zikmund
and Scott, 1973; McCorkle, 1990).
Perspectives on Risk
The psychological perspective on risk centers on the notion that has been
presented that the perception of risk is what is important and whether or not it reflects
reality is irrelevant. Once the consumer makes an assessment as to the level of risk
associated with a situation or product, the evaluations become difficult to change. Often
times, individuals will form strong opinions with limited information. As new
information is presented, the initial human reaction is to want to accept new evidence that
supports the original perception and reject that which is contrary (Leiss and Chociolko,
1994). Any undesirable effects that are associated with a specific cause are important,
regardless o f whether there is a true cause-effect relationship. Mazur (1987) and Plough
and Krimsky (1987) suggest that this focus is also the major weakness o f the
psychological perspective. The extensive amount of subjective information that is
accumulated in forming judgments causes serious problems when trying to quantify
52
individual risk perceptions and make comparisons. Additionally, perceptions can be
altered by pre-existing biases and personal limitations that may skew one’s view o f
reality (Kahneman, Slovic, and Tversky, 19S2). Renn (1989) demonstrated that risk
perceptions differ considerably between social and cultural groups. Intuitively, this
seems to make sense since individual perceptions are affected by one’s personal
experiences and beliefs.
Included in this view o f risk is the belief that personality characteristics will differ
and are unique to each individual. The work mentioned earlier by Peter and Ryan,
(1976), with “risk averse” consumers, and by Zikmund and Scott (1973) and McCorkle
(1990), with high and low risk-perceivers, lies within this domain. A number of
researchers have examined the variation in personal preference o f the amount o f risk that
an individual is willing to accept and identified predictor variables (Pollatsek and
Tversky. 1970; Lopes, 1983; Luce and Weber. 1986). Kahneman and Tversky (1979)
propose that people are risk-averse if the amount at stake is high and are risk-prone if the
possible rewards are high. The following contextual variables have all been shown to
have an impact on the magnitude o f risk perception: the catastrophic potential o f loss,
familiarity with the risk, the potential to blame others for failure, and pre-existing
attitudes about the source o f the risk (Slovic, Fischoff, and Lichtenstein, 1981; Vlek and
Stallen, 1981; Renn, 1989; 1990; Covello, 1983). The last category would include
attitudes about new technologies and products.
The essential component of the sociological perspective on risk is the rational
actor concept. The key to this viewpoint is that any action taken by an individual is
deliberate and is intended to promote self-interests (Dawes, 1988). The concept is a
53
standard o f basic economic theory and analysis as well, where it is believed consumers
with full information will behave according to their own best interests (Freeman, 1986;
Sen, 1977). Jungermann (1986) further stipulates that all consumer motives are
subjective in nature and decisions are made only after weighing the options with regard to
these motives.
Risk as a Multidimensional Construct
Early studies on risk, such as the work by Spence, et al. (1970), viewed risk as a
unidimensional construct with the consumer exhibiting a consistent level o f risk,
regardless o f the situation presented. Subsequent studies have attempted to separate risk
into related, but independent, components. The results are relatively consistent in
identifying six components o f risk, or predictor variables o f the overall criterion variable
of risk (Roselius, 1971; Jacoby and Kaplan, 1972; Zikmund and Scott, 1973; Stone and
Gronhaug. 1993; Mitra, Reiss, and Capella, 1999; Stone and Mason, 1995; Pope, et al.,
1999). These six components may vary in exact terminology, but relate to the same
concepts:
1. Financial Risk. Financial risk is associated with not receiving value for the
amount paid or with paying more for a product than was necessary (Roehl and
Fesenmaier, 1992). Studies have demonstrated that financial, or economic, risk is
consistently rated as having the greatest importance to consumers (Kwon, Paek, and
Arzeni, 1994; Minsall. Winaker, and Swinnev, 1982; Winaker and Lubner-Rupert, 1983).
The financial cost o f making a bad purchase decision is also the most common
association made when the concept o f risk is presented (Cox and Rich, 1964).
54
2. Physical Risk. Physical risk covers the potential for a service or product to pose
a threat to the health or well-being o f an individual as a result o f its use or possession.
3. Functional Risk. Functional risk is also known as performance risk, or quality
risk. This covers the concern that a product or service will not meet performance
expectations of the consumer or will not match the advertised product specifications
(Bauer, 1960). This type of risk would cover the fears o f on-line consumers who are
concerned that substandard products will be delivered.
4. Psychological Risk. Psychological risk deals with concerns that use or
possession o f the product will not match the personality o f a consumer and how they
perceive themselves. These are concerns that an individual has about himself or herself.
5. Social Risk. Similar to psychological risk, social risk instead covers the
concerns resulting from others. Social risk describes the fear that a product or service
will not convey the proper image to others or that might make the consumer self-
conscious.
6. Time-Loss Risk. This type o f risk is associated with the amount o f time required
to make a purchase, wait for a product to be delivered, or wasted as a result o f having to
return or replace the product.
There is some disagreement in the literature as to the exact relationship o f these
six components and whether or not the six-component model sufficiently covers the
criterion variable o f risk. Jacoby and Kaplan (1972) argue that each o f the six
components represent independent risk dimensions o f their own. Other studies suggest
that each component is related to the other components in varying degrees and each
contributes some percentage to the whole in terms o f the criterion variable o f risk.
55
However, the exact percentage of contribution by each component will vary from
individual to individual and from purchase situation to purchase situation by each
individual (Stone and Gronhaug, 1993; Pope, et al., 1999). Research findings have varied
somewhat in their results in terms o f explained variance by the six variable model. In
Jacoby and Kaplan (1972) more than a third o f the variance was unaccounted for. Stone
and Gronhaug (1993) were successful in capturing 90% o f the explained variance, but
Pope, et al. (1999). only managed 70%. These varied results support the argument that
the criterion risk model is lacking a component(s), since the degree o f unexplained
variance is too great to simply be attributed to measurement error.
Trust
"Electronic commerce is about business. Businesses are built on relationships and
relationships are built on trust... ” (Ratnasingham, 1998b. p. I).
No single factor may be more important to commercial ventures on the Internet
than gaining and maintaining the trust o f consumers. High levels o f trust and positive
electronic commerce experiences increase the likelihood o f consumers returning and
establishing continuing relationships (Zucker, 1986; Ratnasingham, 1998a; 1998b).
Additionally, high trust fosters consumer willingness to increase the amount o f
information-sharing that enables EC to operate (Hart and Saunders. 1997). The key issue
is that developing positive trust relationships, which can prove difficult in normal
business operations, is made even more difficult simply by the nature o f the medium.
56
Analysis o f Trust
Trust, like risk, has been discussed for several decades and has been analyzed in
such social science literatures as psychology, sociology, political science, anthropology,
history, sociobiologv, and economics (Lewicki and Bunker, 1996). With its application
to the various fields, trust has been defined in many different ways. It has been described
as the act o f committing to an exchange before it is known how the other party will act
(Coleman, 1990). Mayer, et al. (1995) describe it as a willingness o f an individual to be
vulnerable to another with the expectation that the other will perform a particular action.
Barber (1983) simply describes trust as '“anticipated cooperation.”
Deutsch (1960) identifies three elements that must be present in a situation for
trust to occur. First, there must be some degree o f uncertainty about future course of
actions. Second, the actions of the parties involved in the situation must have the ability
to affect outcomes. Finally, the potential negative outcomes must be o f greater
magnitude than the potential positive outcomes. Schlenker, Helm, and Tedeschi (1973)
identify three similar elements for the same scenario. These must be a risky situation
present with uncertain outcomes. There must be cues present to provide the parties with
some way to measure probabilities o f outcomes. Finally, the individual must demonstrate
behavior in accordance to the uncertain information. Consistent components throughout
the trust literature are the elements o f uncertainty o f future outcomes, presence o f risk in
the situation, and the willingness o f parties to act in accordance with expected actions on
the part o f another.
57
In a purchase situation, the consumer must enter into the trusting relationship with
the merchant. Arrow (1973. p. 24) states “typically one object o f value changes hands
before the other one does, and there is confidence that the countervalue will in fact be
given up." Ratnasingham (1998a) further points out the importance o f the presence of
risk factors by suggesting that trust is only relevant in a situation where the consumer has
no control over the situation and stands to lose something o f value. Stated another way,
no trust is needed for a consumer to enter into action if there is nothing to lose and only
something to gain.
Zucker (1986) identifies three central sources o f trust production. Process-based
trust is the trust that a consumer places in past experience. Brand loyalty and reputation
are examples o f process-based trust. Characteristic-based trust is associated with
specific qualities about the product or company. Thomas (1991) relates this type o f trust
to taxi-drivers who must make a quick judgment about whether to pick up a potential fare
based on the setting, the physical appearance and dress o f the individual, and the way that
the individual acts. Since there may be no previous experience with that individual, these
characteristics may be all the driver has on which to base a decision. Website attributes
or spokespersons could influence a consumer in this manner. Finally, institution-based
trust encompasses the trust that a consumer would associate with formal institutions or
certifications, such as the banking industry or an athletic trainer’s certification. The
geographic distance that is possible between consumer and merchant and the large
number o f transactions that are likely make institutional-based trust o f great importance
to EC. The main factor seems to be that it allows the consumer to place trust in
something with which they are familiar.
58
Levels o f Trust
As a relationship builds, be it consumer/merchant or other, it progresses through
three stages o f trust: calculus-based trust, knowledge-based trust, and identification-based
trust (Lewicki and Bunker, 1996; Shapiro, Sheppard, and Cheraskin, 1992;
Ratnasingham, 1998a; 1998b). Each level of trust is prerequisite to the next level in the
relationship.
Calculus-based trust, is also known as deterrence-based trust, and occurs in the
early stage o f any relationship (Shapiro, et al., 1992). At this point, trust is still being
developed and is. therefore, quite fragile. Consistency of partners, in acting according to
expectations, is extremely important. Little has been invested and little would be lost if
the relationship were to be terminated. From an economic perspective, the calculation
that occurs is a comparison o f the values associated with continuing the relationship and
the potential value that could be obtained by ending it. At this level, brand or product
loyalty has not been established and the consumer may compare the offers or benefits
associated with a relationship of competing companies. If an offer from another
company seems more beneficial, the consumer may end the relationship with the first
company to begin an association with the second. Progress is often slow and open to
influence from outside factors. The relationship is developed between two parties, but
the interaction, opinions, and gossip o f third parties could prove very powerful. “T rust is
by definition interpersonal, but rarely private” (Burt and Knez. 1996, p. 69). The term
deterrence-based trust is used because, at this level, behavior is often mediated by the
threat of punishment. In an economic sense, the punishment would be the loss o f the
relationship and the time, effort, and resources spent in building it (Ratnasingham,
59
1998b). On the part o f the consumer, the investment is not great and the threat may not
be all that important if negative factors are of sufficient magnitude (Lewicki and Bunker,
1996).
Knowledge-based trust is established when the parties have sufficient interaction
and experience to predict behavior of the other. This knowledge leads the individual to
anticipate trustworthiness in the actions o f the other (Lindskold, 1978; Rotter, 1971). For
a consumer, knowledge-based trust is built after successful shopping experiences build
confidence in the merchant. The more experience that a consumer has, the better able
that he/she can accurately predict the behavior of the merchant, thus increasing trust
(Shapiro, et al.. 1992). The greater the level o f information (past experience) and the
more frequent the interaction, the stronger the trust. Hirschman (1984) makes an
intriguing point by stating that trust is unique as a resource because it increases in
strength when used rather than being depleted.
Identification-based trust is based on mutual values and understanding o f the
needs o f each party. The understanding is developed to the point that one party could act
or speak for the other (Lewicki and Bunker, 1996). Kramer (1993) discusses the type of
identification-based trust in which an individual may identify with the beliefs or goals of
a group through affiliation. In the consumer/merchant construct, an example o f this type
of trust relationship may be found with personal shoppers .
Decline o f Trust
Trust relationships are dynamic and evolving entities that may fluctuate over time
(Lewicki and Bunker. 1996). The application o f trust to economics implies that when
60
consumers place trust in merchants, an assumption is made that the merchant will act in a
dependable manner and fulfill commitments (Cummings and Bromiley, 1996; Mishra,
1996). However, every relationship is likely to have situations in which the expectations
o f one party or another are not met. Inconsistent behavior on the part o f the merchant
could take many forms, from the relatively minor to severe, and could include such things
as lost or delayed orders, inconsistencies in billing, defective or damaged merchandise, or
even fraud. Minor problems that occur infrequently are not likely to have serious effect
on the trust relationship. However, erosion o f the trust relationship can occur over time if
the problems persist. At the calculus-based level, these types o f problems undermine the
confidence o f the consumer in the organization and make it difficult to build trust. Other
relationships may be sought. At the knowledge-based level o f trust, some degree o f
loyalty has likely been established and the consumer may react with more understanding,
giving the merchant more latitude. However, the consumer is likely to harbor some
degree o f “tentativeness" to the relationship with future interactions (Lewicki and
Bunker. 1996). If the trust violation is severe enough, all trust may be eliminated
instantly. Instances of fraud or violations o f consumer privacy are examples o f cases o f
adequate severity that often warrant the immediate termination o f consumer/merchant
relationships by the consumer.
Relationship o f Risk and Trust
In the practice of law. the terms risk and trust are often used interchangeably
(Williamson. 1993). In the social sciences literature, there is little question that it is
important to understand risk and how it applies to trust, but there is some debate as to
61
exactly how these two concepts are related (Blau, 1964; Coleman, 1990; Griffin, 1967;
Good, 1988; Lewis and Weigart, 1985; Luhmann, 1988; March and Shapira, 1987; Riker,
1974; Schlenker, et al., 1973; Kee and Knox, 1970; Mayer, Davis, and Schoorman, 1995;
Ratnasingham, 1998a; 1998b). The presence o f risk has been shown to be a necessary
ingredient for the development o f trust, but one does not need to risk anything in order to
trust. One must, however, take a risk to engage in trusting action (Mayer, et al., 1995).
Furthermore, trust is not involved in all risk-taking behaviors. An individual may have
no trust whatsoever, but be forced into risky behavior. Risk is necessary for trust, but it is
the presence of trust that allows people to enter into risk-taking behaviors (Ratnasingham.
1998b; Mayer, et al., 1995). Research has demonstrated that as levels o f trust decrease, a
consumer becomes less likely to take risks (Ratnasingham, 1998a).
Maver. et al. (1995) suggest that it is unclear whether trust is an antecedent of
risk, is the same as risk, or is a by-product o f risk. In their model, the authors propose
that the level of trust is compared to the level o f perceived risk in a situation before a
decision is made on the course o f action. The action is undertaken only if the level of
trust exceeds the level o f perceived risk. This work builds on the assumption o f studies
by Williamson (1993) and Blau (1964) that the willingness to engage in risk-taking
behavior implies an adequate level o f trust.
Administrative Implications o f Research Findings
For years, entrepreneurs have attempted to realize a profit by providing a product
that meets the needs or desires o f the public. The essence o f commerce is the provision
62
o f a product or service that meets these needs or desires in exchange for compensation.
Companies, products, consumers, and services will continue to change, but the essence o f
commerce will remain the same. At its most basic level, commerce can be viewed as a
multitude o f continuous, simultaneous exchange transactions. The addition o f the
Internet and on-line shopping simply adds another variable to the overall economic
equation.
Factors o f Risk Perception
Research has shown perceived risk to be a multidimensional construct that will
vary, sometimes dramatically, from purchase situation to purchase situation. Studies
have consistently illustrated the presence o f at least six components o f risk: financial,
physical, functional, psychological, social, and time-loss. However, marketing
practitioners require a better understanding o f the factors that influence the components
o f risk to be able to effectively apply this information. To this end, researchers have
examined the effects of numerous variables on the levels o f perceived risk in consumers.
Several studies have documented findings that risk perception is greatly reduced
if prior experiences in purchase situations have proven successful (Simpson and Lakner,
1993; Festervand, et al.. 1986; Schiffan. et al., 1976; Cunningham and Cunningham.
1973). It would seem that as the level o f uncertainty required for risk is reduced, so too is
the level o f risk perceived by the consumer. Bauer (1960) and Cox and Rich (1964)
examined the relationship between perceived risk and corresponding frequency of
telephone shopping. The results suggested that the degree o f perceived risk acted as a
deterrent to ordering products by telephone. New products and companies present a risky
63
situation that is unique. Consumers have no basis o f prior experience to draw upon,
which elevates levels of uncertainty and perceived risk. Early research in catalog
shopping has indicated that early adopters demonstrate a high “willingness” to take risk
and have been shown to possess high needs for achievement, change, exploration, and
dominance (Popielarz. 1967; Opinion Research Corporation, 1959)
Zikmund and Scott (1973) evaluated risk by examining product attributes. By
breaking down a product into a number o f variables, the researchers were able to attach
perceived risk to specific product components. Product-specific risk can be further
extended to company brands. A number o f studies have demonstrated that a common
risk-reducing strategy o f consumers is the development o f brand loyalty (Mitra, 1999;
Bauer. 1967; Lutz. 1973; Roselius, 1971; Peter, 1976; Hirsch. et al., 1972). A consumer
may attempt to reduce the level of perceived risk in a purchase situation by searching for
a brand that he/she has conducted business with and has experience to draw from,
concerning product quality and merchant legitimacy. When Cox and Rich (1964)
surveyed telephone shoppers about factors affecting consumer confidence (a reflection of
risk perception), the two most common responses were being able to identify products by
brand, color and size and purchasing a product they are acquainted with or had used
before.
Even if the consumer has no prior experience with the brand or company, simple
brand recognition has been shown to reduce levels o f perceived risk over unfamiliar
brand names. The presence o f a recognized manufacturer's name gives the product
source credibility and reduces risk perception (Akaah and Korgaonkar, 19SS; Mitra, et
al.. 1999: Hovland. Janis. and Kelley (1953). Endorsements and guarantees are
64
Reproduced with permission o f the copyright owner. Further reproduction prohibited without permission.
techniques that businesses have used to reduce levels o f perceived risk in potential
consumers and have achieved mixed results (Simpson and Lakner, 1993; Dash, et al.,
1976; Hirsch. et al., 1972), with some findings suggesting an unfavorable response by
consumers (Roselius, 1971). McCorkle (1990) suggests that the relative ineffectiveness
of some money-back guarantees may be caused by a lack o f confidence in source
credibility, and hence, a lack of confidence in the guarantee. Other researchers suggest
that guarantees satisfy only financial risk and do not account for the physical, functional,
social or psychological risk components (Settle, Alreck, and McCorkle, 1994).
Research and In-Home Mail/Phone Order Shopping
Due to the relatively recent arrival o f the Internet and on-line shopping, limited
applicable research has been conducted on behavioral characteristics o f virtual
consumers. Much of the research that has been conducted has focused extensively on
consumer demographics and much o f the research has been conducted by parties with
"distinct interest in their outcome*’ (Katz and Aspden. 1997, p. 172; Rao, 1996; Lewis,
1995). Studies analyzing characteristics o f in-home shoppers have consistently found
these consumers to have a higher than average income and a head o f household with a
higher than average level of education (Cunningham and Cunningham, 1973; Gillett,
1970; Lumpkin and Hawses, 1985). Katz and Aspden (1997) found similar characteristics
o f Internet users in their sample (n=2500 respondents) in which 66% o f the respondents
had a BS degree or better and 59% reported a household income over S50,000.00 U.S.
An on-line survey conducted in 1998, by e-Marketer, developed a user profile o f the
average Internet user as “well educated” and “affluent” (e-Marketer. 1998). Enough
65
purchase situation similarities exist between in-home catalog shopping and on-line
shopping that many organizations have looked for answers from catalog-shopping
research as a foundation for marketing plans. Similarities include: lack o f face-to-face
interaction; benefits o f convenience and time-savings by shopping from home (Kwon, et
al., 1991); predominant use o f credit card payment mechanisms (Shon and Swatman,
1998; Buck, 1996); and. the presence o f numerous risks not found in store-based
purchase situations (Mitra. et al., 1999; Hirsch, et al., 1972).
Spence, et al. (1970) identified three factors that cause consumers to perceive
mail-order shopping as high-risk. First, the consumers do not have the ability to
physically examine the product. Second, if the product was unsatisfactory or damaged,
there is greater difficulty in returning the merchandise for a refund or exchange. Finally,
consumers have demonstrated concern involving the business practices o f some mail
order companies. Multiple studies have supported the authors’ position with findings that
consumers perceive greater risk in shopping by mail than when compared to a store (Cox
and Rich, 1964; Festervand. et al., 1986; Korgaonkar, 1988; Akaah and Korgaonkar,
1988; Hawes and Lumpkin, 1986). Some studies found that in-home shoppers perceive
less risk than non-in-home shoppers (Cox and Rich, 1964; Schiffan. et al., 1976), which
would seem to support the position that experience lessens the uncertainty and risk
perceived in a situation. Consumers have compensated for the higher risk perceived in
mail-order shopping by purchasing products and brands with which they are familiar
(Akaah and Korgaonkar. 1988; Mitra. et al., 1999; Korgaonkar, 1982; Simpson and
Lakner. 1993: Roselius, 1971), by purchasing products o f smaller value (Cox and Rich,
1964; Akaah and Korgaonkar, 19S8; McCorkle, 1991), or by avoiding purchase
66
altogether (Cox and Rich, 1964; Gillett, 1970; Lumpkin and Hawes, 1985). Kwon, et al.
(1991) indicated that catalog shoppers perceived the following four risk components in
decreasing order o f importance: I) financial, 2) social, 3) function, and 4) time-loss.
Studies have also been able to attach risk to the shopping medium itself (Cox and
Rich, 1964; Spence, et al., 1970). Settle, et al. (1994) conducted a comparison o f
determinants o f shopping mode selection. The mediums examined were five mail/phone
order shopping media (catalog, television, newspapers, magazines, and direct mail) and
were compared to store-based purchase situations. The study, which did not include
analysis o f on-line shopping, compared the media on eight dimensions: economical,
enjoyable, feasible, fast, safe, convenient, sensible, and practical. The findings indicated
that mail/phone order media were significantly lower than retail stores in the dimensions
of sensibility, practicality, and safety.
Application to On-Line Shopping
Several o f the risk factors described in the previous section can be easily applied
to on-line shopping situations. An analysis o f virtual transactions to this point indicates a
high proportion o f name brand items and low cost items being purchased (Pope, et al.,
1999). Frequently purchased items on the Internet to this point include travel services,
newspaper and magazine publishing companies, music and video services, information
services, and software and computer companies (Buck, 1996). This would seem to
reflect the risk reduction methods of: a) brand loyalty, and b) reducing the amount at
stake in a purchase situation by limiting cost. The risks associated with the inability to
inspect merchandise, with difficulty in returning or exchanging merchandise, and with
67
the shopping medium transfer easily as Internet shopping is still a form o f phone/mail
order purchasing.
However, some elements o f a virtual sales situation present unique risks to the
traditional phone/mail order scenario. First, the on-line shopping involves the use of new
technology, both in the ordering process itself and in the security mechanisms used to
secure the transmissions. The unfamiliarity o f the technology and the uncertainty
associated with anything new are important considerations for commercial Internet
ventures (Krimsky and Golding, 1992). With a lack of experience or available
information and training, consumers may continue using the Web simply to collect
information and not to purchase (Pitkow and Kehoe, 1996; Booker, 1995; Wintrob,
1995).
Luhmann (1993, p. 83), in discussing the perception o f risk in modem society,
states "more than any other single factor, the immense expansion o f technological
possibilities has contributed to drawing public attention to the risks involved.” In 1997,
estimates for Internet fraud were approximately S I00 million as compared to an
estimated S60 billion in fraud for telemarketing; yet, the nature o f the medium and the
fascination associated with anything virtual leads to a “disproportionate” amount o f news
and media coverage (Machlis and Wagner, 1997). Additionally, risk perception research
has demonstrated that people have a tendency to overestimate the occurrence o f rare
events and underestimate the occurrence o f common events (Kahneman, et al., 1982).
Kximsky and Golding (1992) describe the irrational fear o f nuclear plants and cite the
reason for the negative risk perceptions as the intensity associated with the event
68
Reproduced with permission o f the copyright owner. Further reproduction prohibited without permission.
compounded by extensive media reinforcement. This combination makes it easy to see
how negative perceptions o f Internet security are so prevalent.
It has been theorized that the two most significant barriers to full scale electronic
commerce are the security of Internet networks and applications and the security of
commercial transactions conducted over the Internet (Ratnasingham, 1998b). These
security concerns are o f extreme importance to commercial ventures in order to reduce
potential risks and enhance the level o f trust on the part o f consumers. With the
increasing retail options available on the Net and the addition o f encryption technologies,
security has become more of a psychological issue than a financial or technological
concern (Weber, 1996). In EC, the ability o f companies to reduce perceived risk and the
establishment of trust between consumers and merchants is critical for consumers to
engage in a virtual transaction beyond an initial purchase (Ratnasingham, 1998a).
"Commerce is more than just the buying and selling o f goods or

services, it includes customer service, buyer and merchant
authentication, fraud detection systems, and billing.. .
[Howe\-er] the further that commerce departs from a simple cash
and carry' transaction, the greater the need fo r trust and the higher
the risk that trust may be displaced" (Grant, 1996, p. 212).
Trust can be achieved or forfeited at several stages o f a transaction. First, the
quality o f goods and services must be satisfactory. Second, the consumer must trust the
manufacturer that the product or service will be delivered. Third, the consumer must
trust the server and the manufacturer with the credit card transaction. Fourth, the
consumer must trust the technology involved in establishing and maintaining security and
privacy in the transaction (Ratnasingham. 1998a). Fifth, the consumer must trust that if
69
the product is damaged, defective, or unacceptable, the manufacturer will honor some
form o f return policy.
Future of On-Line Shopping
It is unfortunate for on-line shopping that negative perceptions have been formed
and that these perceptions are likely to be difficult to change. However, in order for
marketing practitioners and commercial Internet interests to capitalize on the potential of
the new medium, the negative consumer perceptions must be countered. One method
that should prove successful is the education o f users and potential consumers in the use
and functions o f new technology. In doing so, organizations can help reduce some o f the
uncertainty and risk associated with on-line shopping. Another important factor o f
analysis for in-home shopping has been the concern o f privacy on the part o f the
consumers. The personal information that a consumer discloses to a company during a
transaction can be invaded in two ways: transaction integrity and information protection.
Information can be accessed as a result o f a security breach or it can be copied and
disclosed to other companies without consent (Culnan and Armstrong, 1999). In making
a decision to complete a mail/phone order transaction, the consumer must weigh the risks
o f disclosing the information to the company with the benefits gained by developing the
consumer/merchant relationship (Derlega, Mens, Petronio, and Derluga, 1993). As long
as the consumer perceives the benefits to outweigh the risks, the likelihood o f a
continuing relationship increases.
70
When applied to a virtual transaction, Ratnasingham (1998c) recommends these
principles be categorized into three critical actions that must be taken by the
manufacturers:
1) Business Practices Disclosure. The company should disclose its practices for
virtual transactions on the website and complete all transactions in accordance
with the displayed policies.
2) Transaction Integrity. The company should ensure that all virtual transactions
are secure and technology maintained. Means of security should be explained and
customer privacy should be maintained from initial information collection
through billing.
3) Information Protection. The company should ensure controls that all customer
information will remain confidential and will not be shared or sold to other
entities with unrelated business.
In many cases, after securing their own systems, organizations have begun requiring
business partners to utilize adequate security procedures as well (von Solms, 1998).
Muiznieks (1995) identifies some o f the key concerns about on-line shopping
with respect to customer levels of trust. The explosion o f software products has led to
questionable procedures in software development as companies rush their products from
development to sale. The resulting flaws and breakdowns in operating systems and
Internet browser protocols have undermined consumer trust. Additionally, the inability
of any entity to effectively manage the Internet increases consumer unease. The U.S.
Congress conducted a survey o f major U.S. corporations and found that 75% o f the
executives that responded indicated that they lacked confidence at that time in the
71
Internet as a tool o f commerce. The primary reason listed was the lack o f trust due to
“inherent vulnerabilities” o f the Internet itself (Bequai, 1996). The Internet holds
tremendous potential, but carries with it an equally sizable potential for risk. The value
o f trust in consumer behavior is evident. The challenge for companies o f the new
millenium ready to conduct virtual commerce is to provide the convenience o f the
Internet and overcome the lack o f trust that develops when face-to-face interaction is lost.
Summary
As long as someone is interested in marketing and selling a product, individuals
will attempt to improve their chances o f commercial success by attempting to predict
panems o f behavior. Just as certain is the guarantee that the criminal element will
attempt to take advantage o f consumers and manufacturers in any way possible. For on
line shopping to be successful, consumers must develop enough trust in the commercial
entities operating on the Internet and in the mechanisms o f security to feel confident
enough to conduct business. Consumers will continue to shop over the Internet as long as
the perceived benefits exceed the perceived risks. “Developing information practices that
address this perceived risk results in positive experiences with a firm over time,
increasing the customer’s perceptions that the firm can be trusted” (Cuinan and
Armstrong, 1999, p. 106). Additionally, the positive experiences will strengthen the
customer’s perceptions that the technology o f the security transactions can be misted.
For business to continue to thrive over the Internet, it is imperative that electronic
commerce becomes a safe and trusted option for consumers. With the establishment o f
encryption technology, such as SSL and S-HTTP, Internet security has become more o f a
72
psychological issue than a technological one. (Weber, 1996). Yet, trust must exist for a
purchase to take place (Ratnasingham, 1998a). It has become extremely important for
businesses and practitioners to continue to research and develop more advanced security
mechanisms as well as to inform and educate the public. If a company has an
outstanding, user-friendly website, but no one knows about it, it can not be successful.
By the same token, the world of business must embrace technology and allow the
consumer to become comfortable with its operation or the level o f technology will not
matter.
Statement o f the Problem
The purpose of the proposed study is to investigate the level o f risk and trust of
on-line shopping and security technology perceived by consumers. The study will focus
on the perceptions of risk and trust in relation to on-line shopping and Internet security
technology; the effects of experience o f on-line shopping and knowledge o f Internet
security procedures on on-line shopping frequency; and, differences in perceptions o f on
line shoppers and non on-line shoppers, in terms o f risk and trust.
Rationale
The World Wide Web has been in existence less than a decade and has already
had tremendous impact on society as a whole. Economic statistics indicate the potential
for Internet-based electronic commerce is immense. International Data Corporation
73
(1997) estimates Internet sales will exceed SU.S. 100 billion by the end o f 2000. Also, an
estimated % o f consumers connecting to the Internet in the first half o f 1998 made an on
line purchase (NUA Internet Surveys. 1998). Yet, the majority o f the statistics and
estimates available are the result of studies conducted by parties with commercial interest
in the findings. Concerns and controversy over the accuracy o f reported findings exists
(Lewis, 1995; Rao. 1996). There is an urgent need for impartial, academic investigation
into the behavior and perceptions o f consumers in relation to Internet use and on-line
shopping.
Operational Definitions
For the purposes o f this study, the following terms will be used:
Cryptography - the technology used to scrambles messages transmitted across the
Internet to ensure privacy and security of the EC transaction details.
Downloading - the act o f making a copy o f a file from the Internet and storing it in
another location.
Electronic Commerce (EC) - commercial transactions that take place through the use o f
an electronic network.
Encryption - the technology that utilizes cryptography for Internet security' functions.
IP address - the unique address o f a computer, or access point, connected to the Internet.
K.ev - the mathematical algorithm used by encryption technology to scramble and
unscramble digitally coded messages.
On-line shopping - consumer purchases conducted over the Internet.
74
Packet sniffing - the use of a computer program to eavesdrop on Internet traffic as it
passes through a network and search for specific characteristics o f information, such as
credit card details.
Perceived risk — a consumer’s assessment o f a purchase situation involving the amount
at stake and the feeling o f subjective certainty o f success or failure o f potential outcomes
(Bauer, 1960).
Root access - the ability to have access and total control over a network system and all
files located within the system.
SmartCard - a type o f stored-value card similar to pre-paid phone cards.
Trust - the willingness of a consumer to share personal information over the Internet
during a commercial transaction with the expectation that the information sent will be
protected during and after the transaction and the merchant will act as expected.
Virtual - anything having to do with Internet operations or procedures.
World Wide Web (WWW) -- the set of protocols designed to operate on the Internet.
Research Questions and Hypotheses
Q 1: Is the criterion variable o f risk adequately explained by the six sub-component
model?
H I: The six variable model of risk will explain a significant portion o f the total
variance associated with the risk criterion variable.
75
Rationale: Stone and Gronhaug (1993) were successful in capturing 90% of
the explained variance in the criterion risk variable. However, Pope, et al.
(1999) and Jacoby and Kaplan (1972) were only successful in accounting
for approximately 70% and 66% respectively.
Q2: How do consumer perceptions o f risk and trust involving Internet security
technology and procedures affect on-line shopping?
H2: Consumers will perceive on-line shopping as a high-risk venture.
Rationale: A key factor in the presence of risk is the uncertainty o f outcomes in
a situation (Bauer, 1960). Krimsky and Golding (1992) suggested that the impact
on perceived risk caused by the unfamiliarity o f the technology and the
uncertainty associated with anything new are important considerations for on-line
shopping.
H3: Consumers will possess low levels o f trust in Internet security technology
as measured by a mean value o f 2.0 or below on the Trust Security
Technology scale.
Rationale: Ratnasingham (1998a) discussed the establishment o f trust between
companies and consumers as critical for consumers to engage in a transaction
beyond an initial purchase. Wintrob (1995) and Booker (1995) suggested that
76
most consumers still just use the Web to browse. Luhmann discussed the
perception of risk in modem society as directly attributable to rapid technological
expansion.
H4: Consumers will perceive a significant difference in risk associated with
on-line shopping when compared to store, catalog, television, telephone,
magazine, and direct-mail order purchase situations (p < .05).
Rationale: Settle, et al. (1994) demonstrated significant differences in
consumer risk perception associated with all forms o f mail-phone order shopping
when compared to store situations. On-line shopping was not included in the
study, however.
Q3: How do the variables of on-line shopping experience and knowledge o f Internet
security methods impact perceptions of risk and trust in on-line shopping?
H5: The level o f knowledge o f Internet security technology and consumer
perceptions o f risk involved in on-line shopping will have a significant
negative correlation (p< .05).
H6: There will be a significant positive correlation between knowledge o f on
line security procedures and on-line shopping frequency (p< .05).
77
Rationale: A common risk-reducing strategy is to collect information to
reduce the uncertainty present in a situation (Zikmund and Scott, 1973).
Awareness o f security technology in place should reduce amounts of
consumer uncertainty.
H7: The frequency o f on-line shopping and consumer perceptions o f risk
involved in on-line shopping will have a significant negative correlation
(P< -05).
H8: There will be a significant difference in perceptions o f risk present in on
line shopping between on-line shoppers and non on-line shoppers (p< .05).
Rationale: Several studies have documented findings that risk perception is
reduced if prior experiences in purchasing situations have proven
successful (Simpson and Lakner, 1993; Festervand, et al., 1986; Winer,
1976; Cunningham and Cunningham, 1973).
H9: There will be a significant difference in levels o f trust between on-line
shoppers and non on-line shoppers in relation to on-line commercial merchants.
H10: There will be a significant difference in levels o f trust between on-line
shoppers and non on-line shoppers in relation to Internet security technology.
Rationale: Culnan and Armstrong (1999) suggested that companies that
address the perceived risk and build positive experience relationships with
consumers over time will also build their trust.
Significance o f the Study
The relatively recent arrival o f Internet-based commerce has created a tremendous
interest and need for theoretical findings related to virtual consumer behavior (Anon,
1996). Studies such as the current one may provide marketing practitioners with the
information necessary to understand and predict on-line user behavior. A number of
organizations have failed in their initial attempts at marketing over the Internet as a result
of attempting to apply traditional marketing practices to the Web (Kiani, 199S).
Consumers and corporate executives have expressed concern over the viability of
the Internet as a successful vehicle of commerce. The most frequent concern given is a
lack o f perceived security over the Internet. An understanding o f consumer perceptions
will help site providers and commercial site operators more successfully direct their
efforts and resources. The present study will contribute to the body o f theoretical
research in the areas of perceived risk, trust, and on-line shopping. In addition, the non
vested interest and academic approach o f the study should be of value to corporations and
practitioners that are, or may soon be, operating an Internet site.
79
CHAPTER 2
METHODOLOGY AND PROCEDURES
The proposed study was designed to investigate the perceptions o f risk and levels
of trust of consumers in relation to on-line shopping. The following sections describe the
subjects, instrumentation, procedures for data collection, and methods o f data analysis for
the proposed study.
Subjects
A sample of students enrolled in a major southeastern university’s elective
physical education program will be surveyed. There is some precedent for using a student
sample to survey on-line behavior o f users and consumers. The consistent demographic
characteristic of tertiary-educated users (Pope, et al., 1999) and the frequent provision of
free Internet access at many U.S. and U.K. universities (Rowley, 1996) are two strong
supporting factors. The university setting for the proposed study provides free point-of-
site computer and Internet access and free remote Internet access through a dial-up
connection. The selection of elective physical education classes is a result of the broad
80
representation of student classifications and major disciplines of study that the classes
provide.
Variables
Independent Variables
> Knowledge of Internet security technology. The knowledge o f Internet
security procedures will serve as an independent variable for the proposed
study. The variable will be measured using a 5-point Likert-type scale
question to determine the respondent’s level of knowledge of, or experience
with, firewalls, digital signatures, digital certificates, and encryption
technology protocols, such as SET, SSL, or S-HTTP.
> On-line shopping frequency. The frequency of shopping on-line by a
consumer will also serve as an independent variable. Frequency counts, or the
number of occasions that a consumer has purchased a product or service on
line in the last 12 months, will be used to aid in respondent understanding.
On-line shoppers will be designated as a consumer who has made 2 or more
purchases on-line within the last 12 months. Non on-line shoppers will be
designated as respondents who have not purchased on-line or made only a
single purchase on-line in the last 12 months. For the purposes o f the
proposed study, a single purchase in the last 12 months would not meet the
level of use and experience with the shopping medium of a frequent shopper.
81
> Mode of shopping. The mode of shopping will also be used as an independent
variable. The proposed study will examine responses in relation to on-line
shopping, retail store purchase situations, and other methods o f phone-mail
order shopping, such as magazines, television, direct-mail, and catalog
shopping.
Dependent Variables
> Risk perception. The subjective risk a consumer perceives will vary according
to a number of variables, including (but not limited to) the amount at stake to
be gained or lost, the degree of uncertainty of potential outcomes, and the
amount o f knowledge or previous experience with the purchase situation
(Bauer, 1960; Cox & Rich, 1964; Cunningham, 1969; Murphy & Enis, 1986).
The risk perceived by a consumer will be examined in several different
methods of shopping. The criterion variable of risk will be examined as well
as the six sub-constructs of risk identified in the research literature: financial,
security, physical, time-loss, social, and psychological (Pope, et al., 1999;
Jacoby & Kaplan, 1972; Stone & Gronhaug, 1993).
> Trust. Trust can only occur when the consumer stands to lose something of
value (Ratnasingham, 1999a). A risky situation must be present and the
consumer must demonstrate a willingness to enter into a situation where the
cooperation and actions o f another entity are assumed to occur (Mayer, Davis.
& Schoonnan. 1995; Coleman. 1990; Arrow, 1973). For the proposed study,
the objects of trust are the merchants operating commercially on the Internet
and the security procedures that are in place to ensure privacy and prevent
illicit activity. The respondents will be asked to rate each of these components
in terms of trust production with the use of 5-point Likert-type questions.
Instrumentation
The survey instrument that will be utilized in the proposed study is composed of
three elements (See Appendix B). The first portion of the survey is the risk assessment
instrument used by Pope, et al. (1999) to examine overall risk and the six risk dimensions
(financial, security, physical, social, psychological, and time-loss). After factor analysis
of the risk items, the researchers obtained six sub-constructs o f risk. Functional risk was
included with financial risk under a heading o f “value for money” and a separate sixth
sub-component identified for on-line shopping was security risk. The authors also
examined the relationship of the elements of innovativeness and involvement. Items
pertaining to these elements were deleted from the inventory. The second portion o f the
survey is composed of elements to examine trust and comprise a collation of several
existing studies analyzing the trust construct. No specific instrument could be found that
investigated consumer trust in Internet entities and operations. As a result, survey
questions were drawn from Culnan and Armstrong’s (1999) investigation on impersonal
trust. Morgan and Hunt’s (1994) analysis of a commitment-trust theory o f relationship
marketing, and Swan. Trawick. Rink, and Robert’s (1988) measurement o f purchaser
83
trust in industrial salespeople. The third portion of the instrument is composed of
questions to gather demographic data on the respondents.
Modifications to survey questions were made as to the object o f trust, so that in
lieu of the salesperson or significant other, the object of trust becomes the Internet vendor
or security technology. Unlike Pope, et al.’s (1999) survey structure where the questions
of risk dimensions were grouped together, the questions were mixed throughout the
survey to prevent leading the respondent or influencing a response due to previous
questions. For consistency, all rating questions will be measured on a 5-point Likert-type
scale.
Procedure
Surveys will be conducted by the investigator at the beginning o f the physical
education class meetings. The surveys will be of pencil and paper format, rather than an
on-line format, to make certain not to exclude responses o f students who may utilize
Internet access rarely or not at all. Brief instructions will be given by the investigator
prior to the surveys to ensure accurate completion of the instruments. Students who have
completed the survey in a prior physical education section will be excused, to prevent
duplication o f response by a single individual.
84
Data Analysis
Once the data have been collected, it will be coded according to the question
format. Numerous items on the inventory will be reverse-coded (#1, #4, #6, #19, #20,
#25, #27, #29, #33, #39a-g, #40a-g). Statistical treatment and procedures will vary
according to the stated hypothesis. For H I, the criterion variable will be handled as a
separate construct from the sub-components. The factors will be subjected to an item
reliability analysis and items will be deleted where necessary to achieve a Cronbach’s
alpha of .70 (Nunnally, 1978). The remaining items will comprise the independent sub
constructs of risk (Spector, 1992). The sub-construct items will undergo factor analysis
to determine explained variance and percentage of the model explained.
The statistical analysis of H2 will be determined through the use o f the overall
perceived risk items (#1, #7, #17, #33, #34). With a 5 point Likert-type scale for risk
items, a value of 5 would represent maximum perceived risk and a value of 1 would
represent minimum perceived risk. With a value of 3 as moderate perceived risk, a value
of 4 would represent a level of high-perceived risk. The four items will be summed and a
mean of 4 or greater for the criterion risk variable scale will represent a perception of on
line shopping as a high-risk venture. Alternatively, a mean of 2 or less would represent
the perception o f on-line shopping as a low-risk venture.
The trust items for H3, H9, and H10 will also be subjected to the same item
reliability analysis and will be deleted where necessary to achieve a Cronbach’s alpha of
.70. For these items, the same format of scale will be designated for determination of
85
levels of low-trust (mean <2), moderate-trust (2<mean<4), and high-trust (mean>4).
The items that will comprise the trust-security technology scale for H3 and H10 are items
#19, #25, #29, and #36. The items that will comprise the trust-on-line merchant scale for
H9 are #6, #15, #20, #27, and #31. The respondent means for these scales will be
compared to the designated levels. For a determination of on-line shoppers and non on
line shoppers, it was designated that 2 or more on line purchases in the last 12 months
would represent an on-line shopper. Non on-line shoppers would be designated as the
respondents who answered item #38 with a value of “4” or “5”. In terms of item #38, the
Likert-type scale was further designated for respondent understanding by identifying the
following responses with frequency or purchase in the last 12 months (See Appendix,
#38):
“ 1” = 6+ purchases “4” = one purchase, or “Once”

“2” = 4-5 purchases “5” = “Never”, or 0 purchases.
“3” = 2-3 purchases
The rationale for the designation was that a single purchase on-line in the last 12 months
would not necessarily constitute an adequate frequency of utilizing the shopping medium.
The responses of on-line shoppers (responses of “ 1”, “2”, or “3” to item #38) and non on
line shoppers (responses of “4” or “5” to item #38) will be correlated with a Pearson
product correlation with the trust-on-line merchant scale (H9) and with knowledge of
Internet security procedures from item #37 (H10).
For H4, a one-way anova will be conducted for the mean of risk associated with
on-line shopping in comparison to store purchase situations and each o f the other mail-
phone order options in #39. H5 and H6 will treat the data using a Pearson product
86
correlation. HS will correlate the responses from #37 (on-line) with the criterion risk
scale used in H2. H6 will correlate the responses from #37 (on-line) with the frequency
response in #38 (on-line).
H7 and H8 will also use Pearson product correlations. H7 will examine the
correlational relationship between on-line shopping frequency from item #38 (on-line)
and consumer perceptions of risk involved in on-line shopping from the criterion risk
variable scale used in H2. H8 will examine the differences in the perceptions of on-line
shoppers and non on-line shoppers using the frequency of shopping on-line designation
described earlier with item #38 and the criterion risk variable scale used in H2.
Limitations
The following limitations are place on the proposed study: (a) the survey method
assumes that the respondent will make an honest effort to understand and answer the
questions truthfully; (b) a possible negative correlational relationship may exist between
computer use and physical activity; and (c) the proposed study examines rating behavior
and it is suggested that the relationship would manifest itself in actual purchase behavior.
Delimitations
A number of delimitations will be placed on the proposed study. First, the
students enrolled in the physical education sections at the time of the study will comprise
87
the sample. The same survey conducted during a different semester or at a different
setting may not realize the same results. Second, it is assumed that the physical education
classes that will provide the sample will provide a broad representation o f the university
student body. However, it is possible that the nature of the physical activity of the classes
will represent a potential bias.
88
CHAPTER THREE
RESULTS AND DISCUSSION
This chapter will illustrate the results of the statistical analyses and provide a
discussion of the findings. The purpose of the research was to examine the perceptions of
risk and trust in relation to on-line shopping and the security technology in place for
Internet commercial ventures, as well as similarities or differences between on-line
shoppers and non on-line shoppers. From the total sample size of 1,173, six hundred
fifty-eight questionnaires (n=658) were usable, yielding a return rate of 56%.
Questionnaires were excluded if they were incomplete or if each question was
consistently answered with the same response throughout the instrument. Once all the
questionnaires had been collected, they were coded in the top, right comer for later
examination. Upon completion of data entry, a printout of the data tables and the
frequencies was examined for error. In most cases the item in question could be
answered by referring back to the questionnaire. In cases where there existed duplicate
answers or missing items, the questionnaires were deemed incomplete and excluded from
the sample.
89
Table 1 Summary o f Descriptive Statistics
Age Frequency Percent Valid Percent Cumulative

Percent
17 8 1.2 1.2 1.2
18 144 21.9 21.9 23.1
19 138 21.0 21.0 44.1
20 123 18.7 18.7 62.8
21 127 19.3 19.3 82.1
22 52 7.9 7.9 90.0
23 22 3.3 3.3 93.3
24 11 1.7 1.7 95.0
25 8 1.2 1.2 96.2
26 3 .5 .5 96.7
27 5 .8 .8 97.4
29 1 .2 .2 97.6
30 2 .3 .3 97.9
31 2 .3 .3 98.2
32 1 .2 .2 98.3
35 1 .2 .2 98.5
37 2 .3 .3 98.8
40 2 .3 .3 99.1
44 1 .2 .2 99.2
45 1 .2 .2 99.4
50 2 .3 .3 99.7
53 1 .2 .2 99.8
58 1 .2 .2 100.0
Total 658 100.0 100.0
N Mean Median S tandard Dev. Variance

658 20.48 20.00 3.84 14.76
Frequency Percent Valid Percent Cumulative

Percent
Female 3801 57.8 57.8 57.8
Male 278 42.2 42.2 100.0
Total I 658 I 100.0 100.0
Demographic Information
The instrument was administered to all students enrolled in the elective
physical education program at a major southeastern university. The mean age o f the
sample was 20.48 years of age and the median was 20 years of age. An examination of
the data shows that 95% of the respondents were between the ages of 18-25 and 97.3% of
the respondents were under the age of 35 years of age. The gender breakdown for the
sample was 57.8% female (n=380) and 42.2% male (n=278). A breakdown of the
applicable statistics is provided in Table 1.
In examining access to the Internet, 58.7% of the sample indicated that they had
access to the Internet at work and 91.9% indicated they had Internet access in their
homes. O f the total sample, only 30 respondents, or 4.56%, indicated that they did not
have Internet access either at work or at home. It should be noted, however, that every
respondent in the study also had free Internet access a result o f being a student at the
university, a prime determinant in the sample in the first place (Pope, et al., 1999;
Rowley, 1996). Table 2 represents an overview o f the demographical information in
relation to Internet access.
Finally, the respondents were asked to indicate the number of hours per week that
they spend on the Internet. Only 2.6% responded that they spent zero hours per week
utilizing the Internet with 76.9% indicating that they are on-line between 1-10 hours per
week. These findings provide an indication that some of the respondents that do not have
Internet access at work or at home are utilizing Internet access somewhere, whether at the
91
university or some other location. Table 3 represents the breakdown o f Internet use per
week.
Table 2 In te rn e t Access
Internet Access - Home

Frequency Percent Valid Cumulative
Percent Percent
No 53 8.1 8.1 8.1
Yes 605 91.9 91.9 100.0
Total 658 100.0 100.0
Internet Access - Work
Frequency Percent Valid Cumulative
Percent Percent
No 272 41.3 41.3 41.3
Yes 386 58.7 58.7 100.0
Total 658 100.0 100.0
Table 3 Frequency of Internet Use
Hours per Frequency Percent Valid Percent Cumulative

week Percent
0 17 2.6 2.6 2.6
1-5 301 45.7 45.7 48.3
5-10 205 31.2 31.2 79.5
10-20 83 12.6 12.6 92.1
20 + 52 7.9 7.9 100.0
Total 658 100.0 100.0
92
Results for Research Questions
Research Question One
Question one examines the variable of risk and whether the six sub-component
model of risk adequately explains the total variance. For HI and H2, five items from the
inventory (#1, #7, #17, #33, #34) were combined to comprise the Perceived Risk Scale
(PRS) in order to e x a m in e the criterion variable of risk. A reliability analysis was run on
the PRS sub-scale and the resulting coefficient alpha was .78, indicating that the scale
was highly reliable in measuring the criterion variable of perceived risk. The inventory
design was taken from Pope, et al. (1999) who modified the risk inventory from Stone, et
al. (1993) to account for the Internet as the “distinct mode of shopping.” From the Pope
inventory design, the remaining risk items pertained to one of the six sub-components of
risk: financial, physical, psychological, social, security or time-loss. Due to some
concern over the security scale being measured by only two items, a third item was
added. Pope, et al. (1999) reported all seven coefficient alphas (one for the criterion, or
overall, risk scale and one for each o f the six subscales) at or exceeding .70. Even so,
reliability analyses were run for each of the six risk variables. Table 4 reports the
coefficient alphas for all risk measures included in the study.
Table 4 Coefficient Alphas - Criterion Risk and Risk Component Scales
PRS FIN TIM SEC PSY so c PHY PHY(r)
a .78 .81 .70 .72 .73 .67 .42 .56
93
As seen from Table 4, five of the scales proved highly reliable in measuring the intended
variable as evidenced by coefficient alphas of .70 or greater. Only the social risk
subscale (SOC; a=.67) and the physical risk subscale (PHY; a=.42) led to some concern
over the reliability of the scales. However, when item #3 was deleted from the PHY
scale, the resulting coefficient alpha was raised to .56 (PHY(r); a=.56).
Table 5 reports the correlation coefficients between PRS and each of the six
measures of risk as well as the inter-correlational relationships between each dimension.
Each risk dimension correlates positively with PRS as well as with each o f the other risk
dimensions. Additionally, even though the magnitudes vary from .196 (PHY(r)-SEC) to
.784 (PRS-FIN), all of the relationships between all seven dimensions o f risk are
significant at the 0.01 level. These findings support the assertion that Stone, et al. (1993)
made that the relationships between the separate dimensions o f risk need not be
unrelated. The findings also support previous research that examined the criterion
variable of risk and the interrelationships of the risk dimensions (Pope, et al., 1999;
Jacoby, et al., 1972).
Table 5 Risk Component Inter-correlational Measures
r PRS F IN SOC PSY TIM SEC PHY(r)

PR S - .78 .38 .60 .68 .61 .26
F IN .78 - .45 .57 .65 .60 .33
SOC .38 .45 - .54 .49 .20 .50
PSY .60 .57 .54 - .55 .41 .43
TIM .68 .65 .49 .55 - .44 .39
SEC .61 .60 .20 .41 .44 - .20
PHY(r) .26 .jj .50 .43 .39 .20 -
94
In order to test H I, the items were subjected to a linear regression to determine
what percentage of the criterion variable of risk was explained by the model. A stepwise
linear regression was used and the results are reported in Table 6. The risk dimension
that contributed the greatest to the overall risk variable was that o f financial risk (FIN).
In the first step of the model, FIN proved to account for 61.5% o f the total variance in the
model and was significant at the 0.01 level. As seen by Table 6, each subsequent step
made a significant contribution to the overall model resulting in a model that captured
70.8% o f the overall risk and was significant at the 0.01 level. This finding is in support
of HI that a significant portion of overall risk would be captured by the six construct
model. Additionally, the findings are very much in line with Pope, et al. (1999) who also
accounted for 70% o f the total variance of the overall risk variable.
Table 6 Risk Perception - Regression Model S u m m a ry
Model R R Square F Change Std Err of Est. d fl df2 Sig F Change
1 .784 .615 1049.351 .5566 1 656 .000
2 .814 .663 93.020 .5212 1 655 .000
3 .829 .688 51.158 .5023 1 654 .000
4 .837 .700 27.615 .4924 1 653 .000
5 .841 .708 17.269 .4864 1 652 .000
Model Predictors
1 Predictors: (Constant), FIN
2 Predictors: (Constant), FIN, TIM
3 Predictors: (Constant), FIN, TIM, SEC
4 Predictors: (Constant), FIN, TIM, SEC, PSY
5 Predictors: (Constant), FIN, TIM, SEC, PSY, PHY(r)
Dependent Variable: PRS
95
The only component scale that made no contribution to the overall model was the
social risk component. The fact that social risk (SOC) made no contribution and physical
risk (PHYr) contributed less than 1% to the overall risk model can be explained in several
ways. First, there is some concern due to the reliability measures o f the two scales used
to measure the social and physical risk components. Second, on-line shopping and the
social and physical risk associated with this mode of purchase may simply be perceived
as too minor. Additionally, the ambiguity of the actual product being purchased on-line
could have contributed to the negligible contributions. Had an actual product been used
that contained more of a potential, intrinsic physical risk (e.g., parachute) or social risk
(e.g., political t-shirt), the results reported may have proven to be very different. In any
case, risk is very situation-specific and prior studies have commented on the likelihood of
perceived risk varying from product group to product group (Pope, et al., 1999).
If the six variable model of risk used in this study were perfect it would account
for 100% of the variance associated with risk. Undoubtedly some o f the variance not
captured can be attributed to error in measurement, but the percentage that remained
unaccounted for is too great for that to be the only explanation. This finding is very
much in line with past research. Although research examining the criterion variable of
risk is still lacking, the few past studies have reported widely varying results ranging
from Jacoby, et al. (1972) explaining 61.5% of the total variance o f risk to Stone, et al.’s
(1993) reported 88.8% results. The current study’s finding supports the argument that the
criterion risk model seems to be lacking a component. Furthermore, the fact that each
risk component contributed significantly to the overall risk model and that they were all
significantly, positively correlated would suggest that each o f the risk scales do overlap to
96
some degree but that each measures a separate construct from the others. However, it is
the situation-specific nature of perceived risk that makes comparisons o f research
findings difficult and the criterion risk variable difficult to quantify and measure.
Research Question Two
Krimsky, et al. (1992) suggested that the impact on perceived risk caused by the
unfamiliarity of the technology and the uncertainty associated with anything new could
have an adverse effect on on-line shopping. Examining PRS, a 5-point Likert-type scale
was used. With a mean value of 5 representing the maximum perceived risk and a mean
value of 1 representing the minimum perceived risk, a mean value o f 4 represented a
level of high perceived risk. The findings from the study did not support H2 that the
consumers would perceive on-line shopping as a high-risk venture. In fact, as seen from
Table 7, the mean value of PRS was found to be 2.86 which would appear to suggest that
the consumers not only did not perceive on-line shopping as a high-risk venture but
possibly perceived on-line shopping as only a moderately risky venture. The lack of a
high risk perception associated with on-line shopping may be attributed to the familiarity
of the respondents with computers and the Internet in general. However, this perception
may not be able to be generalized to individuals who do not have the level o f experience
and exposure with the Internet that the current sample has. As mentioned earlier, the
mean age of the sample was 20.48 year o f age and the age group from 18-25 represented
97.3 °tc of the respondents. It is quite possible that these individuals would have had more
opportunity with Internet procedures through more contemporary schooling than
consumers who represent possibly even slightly older age brackets.
97
Table 7 Descriptives - Perceived Risk Scale (PRS)
PRS N Min Max Mean SD Variance
658 1.0 5.0 2.86 .8967 .804
Research Question Three
Ratnasingham (1998a) discussed the establishment of trust between companies
and consumers as a critical need in order for consumers to engage in a transaction beyond
an initial purchase. It was theorized in this study that the same trust relationship can be
transferred to the mode of shopping as well. Consumers must possess enough trust in
Internet shopping and the security technology that supports the transaction to engage in
an on-line purchase. A scale to measure the levels of trust on the part o f the consumers
in relation to on-line security technology was comprised of four items (#19, #25, #29,
#36) and was called the Trust Security Technology (TST) scale. The same format and
Likert-type scale of response that was used with PRS was used with TST (i.e., a mean
value of 1 represented a minimum level of trust and a mean value o f 5 represented a
maximum level of trust). The TST scale was subjected to the same reliability analysis
and a corresponding coefficient alpha of .73 was found, indicating that the scale was
highly reliable in measuring the level o f trust in relation to on-line security technology.
A mean value of 2 for the TST scale was established to demonstrate low levels of
trust on the part of the consumer. The findings from the study did not support H3 that
consumers would have low levels of trust in on-line security technology. Inspection of
98
Table 8 shows that the mean value of TST was found to be 2.68 which would appear to
suggest that the consumers had moderate levels of trust in relation to the security methods
and procedures supporting on-line shopping. Once again, however, just as with the lack
o f a high-risk perception in relation to on-line shopping, these findings may not translate
to all age brackets and markets. Also, as mentioned earlier, the ambiguity o f the product
being ordered could have had an impact on the results. If the item being ordered on-line
had been specified as an item of value greater than $500.00, the trust or lack of trust in
the security technology may be vastly different from the responses given for an item
under $20.00. Further research investigating these factors in relation to product price is
warranted.
Table 8 Descriptives • Trust Security Technology Scale (TST)
TST N Min Max Mean SD Variance
658 1.0 5.0 2.68 .8616 .742
Research Question 4
Table 9 displays the means o f risk perceptions associated with on-line shopping
and six other purchase situations. Table 10 displays the findings of the comparison
between means of on-line shopping risk perception and each of the six purchase
situations. Respondents were asked to rate the perceived level of risk from extremely
risky (1) to very safe (5). The methods of shopping included were retail stores, direct
99
mail, telephone shopping, catalog shopping, on-line shopping, television shopping, and
magazine shopping. An inspection of Table 10 shows that a significantly greater
(p<0.00l) level of risk was perceived with on-line shopping when compared to each of
the other modes of shopping. This finding would suggest that, even though by the
current study findings consumers do not perceive on-line shopping as a high-risk venture,
they still associate greater risk in this method of shopping when compared to other
methods of shopping. This greater level of risk perception could be interpreted as an
indication that, given the choice of on-line shopping or some other method o f shopping,
consumers still lack confidence in choosing on-line shopping as a preferred method of
shopping. Further investigation of the factors involved in on-line purchase decision is
warranted.
Table 9 Means of Risk Perception in Methods o f Shopping
N Min Max Mean SD Variance

Retail 658 1.0 5.0 1.48 .90 .813
Direct Mail 658 1.0 5.0 2.56 1.11 1.239
Telephone 658 1.0 5.0 2.80 1.16 1.342
Catalog 658 1.0 5.0 2.25 1.05 1.111
On-Line 658 1.0 5.0 3.11 1.17 1.377
Television 658 1.0 5.0 3.04 1.16 1.336
Magazines 658 1.0 5.0 2.77 1.12 1.258
Research Question 5 and Hypothesis 7
Zikmund. et al. (1973) noted that consumers deal with risk-reducing strategies in
uncertain situations in numerous ways. One common strategy reported was to collect
100
information in an attempt to reduce the uncertainty present in a purchase situation. It was
theorized in the present study that the greater the knowledge the respondent had of
Internet security technology and procedures, the less risk would be perceived in relation
to on-line shopping. A scale was developed to measure the respondents knowledge of
Internet security technology and procedures (KNOW) and asked the respondent to
evaluate their knowledge of firewalls, digital signatures, digital certificates, and
encryption technology on a scale of “ I” (“very aware”) to “5” (“no knowledge o f ’). An
item reliability analysis was run on the KNOW scale and resulted in a coefficient alpha of
Table 10 On-Line Shopping Compared to Other Methods o f Shopping
Sum of df Mean F Sig.

Squares Square
R etail Between Groups 16.589 4 4.147 5.231 .000
W ithin Groups 517.727 653 .793
Total 534.316 657
Direct M ail Between Groups 74.017 4 18.504 16.330 .000
W ithin Groups 739.929 653 1.133
Total 813.945 657
Telephone Between Groups 91.448 4 22.862 18.891 .000
W ithin Groups 790.261 653 1.210
Total 881.710 657
Catalog Between Groups 114.091 4 28.523 30.234 .000
W ithin Groups 616.031 653 .943
Total 730.122 657
Television Between Groups 234.450 4 58.613 59.469 .000
W ithin Groups 643.600 653 .986
Total 878.050 657
M agazines Between Groups 158.667 4 39.667 38.795 .000
W ithin Groups 667.681 653 1.022
Total 826.348 657
101
.91, giving a strong indication that the scale was reliable in measuring the respondents
knowledge of on-line security technology and procedures. When PRS and KNOW were
correlated, a significant, negative correlation was obtained (Table 11: r= -2.17; p < 0.0 1)
which appears to suggest support for a strong, negative relationship (H5). When a
consumer has a clear understanding of the strength and effectiveness o f the tools in place
to protect credit card details and information privacy, there seems to be an associated
reduction in risk. The question of a possible inverted-U relationship does exist, however.
Future studies should examine the possibility that as knowledge o f security procedures
goes to either extreme there is a corresponding rise in perceived risk. Individuals with a
strong knowledge of security procedures may actually know enough to create even more
anxiety and increased perceived risk.
Table 11 Correlation o f PRS and Security Technology Knowledge (KNOW)
Descriptive Statistics Mean SD N

PRS 2.86 .90 658
KNOW 2.39 134 658
PRS KNOW
PRS Pearson Correlation 1.000 -31 7 •*
Sig. (2 -ta iled ) • .000
KNOW Pearson Correlation -.217 ** 1.000
Sig. (2 -ta iled ) .000 •
** Correlation is significant at the .01 level (2-tailed).
Just as consumers will gather information as a risk-reducing strategy, past
experience can be used to diminish perceived risk. Numerous studies have documented
102
findings that if prior experiences have proven successful in purchase situations, the
associated risk perception is greatly reduced (Simpson, et al., 1993; Festervand. et al.,
1986; Schiffan, et al., 1976; Cunningham, et al., 1973). The current study findings
appear to suggest support for these past findings in an on-line purchase situation (H5b).
When the KNOW scale and on-line shopping frequency were correlated, a significant,
positive relationship was indicated (Table 12: r=.320; p < 0.01). It seems likely that, as
consumers gain knowledge of the procedures associated with on-line shopping, a portion
of the uncertainty associated with the procedures is alleviated, thus giving them the
confidence to utilize the method of shopping more frequently (once again, however, it
should be noted that the possibility o f the existence o f an inverted-U relationship
warrants further study). As Stone, et al. (1993, p. 40) noted: “uncertainty, more than
risk, would seem to characterize what consumers experience.” The perceived risk is the
risk of the unknown and the uncertainty of future outcomes due to a lack o f experience.
As consumers gain experience and are successful with on-line shopping, uncertainty and
perceived risk are diminished. A correlation of PRS with on-line shopping frequency in
the current study lends support to this particular viewpoint with a significant, negative
relationship (Table 13: r= -.493; p < 0.01), which appears to suggest support for H7.
Hypothesis 8 and Research Question 7
Based on the findings of the previously mentioned studies (as well as the findings
of the current study), perceived risk has been shown to be reduced through experience
and success in a purchase situation. Intuitively, it would follow that there would be
103
Table 12 Correlation of KNOW - On-Line Shopping Frequency (FREQ)

KNOW 239 134 658
FREQ 1.97 1.23 658
KNOW FREQ
KNOW Pearson Correlation 1.000 320**
Sig. (2 -ta iled ) • .000
FREQ Pearson Correlation .320** 1.000
Sig. (2 - tailed) .000 •
Table 13 Correlation of PRS - FREQ

PRS 2.86 .90 658
FREQ 1.97 1.23 658
PRS FREQ
PRS Pearson Correlation 1.000 -.493 **
Sig. (2 -ta iled ) • .000
FREQ Pearson Correlation -.493 ** 1.000
Sig. (2 -ta iled ) .000 •
differences in the thought processes and perceptions of individuals who utilize the
shopping medium and those who do n o t The current study examined the degree of
difference to see if there was a significant difference between the two groups. For the
purposes of this study, the sample was divided into shoppers and non-shoppers, with
shoppers being characterized as individuals who had purchased on-line at least twice in
the last twelve months. The rationale for the designation of two or more on-line purchase
situations being considered an on-line shopper was that if a consumer analyzed the risks
involved in shopping on-line and decided to purchase, not once but twice in the last
twelve months, then they were likely to do so again. Individuals who had only
purchased once may or may not have had a bad experience and could be willing to try
again, but had not done so at that point in time.
When the means of perceived risk (PRS) for shoppers and non-shoppers were
compared, the means for non-shoppers were significantly higher for PRS than the
corresponding means for shoppers. This finding appears to suggest support for H8 (see
Table 14). Interestingly, although the non-shoppers mean perceived risk value indicated
only a moderate level of perceived risk (3.12 +/- .84), the mean perceived risk value for
shoppers was only 2.25 (+/- .71) indicating more of a low-risk situation. These findings
support previous research in other methods of shopping where in-home shoppers
perceived less risk than non in-home shoppers when shopping by mail (Cox and Rich,
1964; Schiffan, et al.. 1976). As mentioned with earlier hypotheses, it is possible that
these findings could be the result of the experience that the current sample has with the
operations of a computer and experience with the Internet. These same findings may not
be realized for all samples and the corresponding perceived risk values could be higher
for an older sample that may have less experience with Internet technology.
While there is a need for research involving trust as it applies to on-line shopping
purchase situations, there is an intuitive sense that the lessons learned from risk studies in
purchase situations may give the marketer insight into the application o f trust. Just as
with the reported findings that past purchase situation experience helps to reduce levels
of perceived anxiety, the same experience may help to increase levels o f trust in
105
Table 14 PRS Comparison of Non Shoppers and Shoppers
N Mean SD Std Error

Non Shoppers 462 3.12 .84 3.91E-02
Shoppers 196 2.25 .71 5.05E-02
95% Confidence Interval
of the Difference
Sig. Mean
t df (2-tailed) Difference Lower Upper
Non Shoppers 79.80 461 .000 3.12 3.05 3.19
Shoppers 44.52 195 .000 235 2.15 2.35
relation to: a) on-line security procedures and technology; b) on-line merchants; and, c)
on-line shopping as a method of shopping.
A scale was developed to examine respondents’ levels o f trust in on-line
merchants and was comprised of five items from the inventory (#6, #15, #20, #27, #31).
An item reliability analysis was run for the Trust On-line Merchant (TOM) scale and the
resulting coefficient alpha was .67. The means of trust values for shoppers and non-
shoppers were compared in relation to both on-line merchants (TOM) and to on-line
security technology and procedures. The results for the means comparisons are
represented by Table 15 and Table 16. Inspection of the findings demonstrate that the
non-shoppers reported significantly lower levels of trust in both the merchants and the
security technology and procedures. Just as with the risk comparison in H8, the non
shoppers reported moderate levels of trust but the shoppers reported much higher levels
of trust. This appears to suggest that previous experiences of the shoppers have allowed
them to establish enough trust in the security technology and the merchants to utilize the
106
shopping medium. Research has demonstrated that as levels o f trust decrease, a
consumer becomes less likely to take risks (Ratnasingham, 1998a). However, as
suggested in previous research by Williamson (1993) and Blau (1964) the willingness to
engage in risk implies adequate levels of trust.
Table 15 TOM Comparison o f Non Shoppers and Shoppers
N Mean SD Std Error

Non Shoppers 462 2.60 .71 3J2E-02
Shoppers 196 3.22 .67 4.78E-02
o f the Difference
Sig. Mean
Non Shoppers 78J0 461 .000 2.60 2.53 2.66
Shoppers 67 J 3 195 .000 3.22 3.13 3.31
Table 16 TST Comparison of Non Shoppers • Shoppers
N Mean SD Std Error

Non Shoppers I 462 2.51 A5 3.97E-02
Shoppers 196 3.08 .74 5J3E-02
of the Difference
Sig. Mean
Non Shoppers 63.26 461 .000 | 2J1 2.44 2.59
Shoppers 58.36 195 .000 3.08 2.98 3.19
CHAPTER FOUR
SUMMARY, CONCLUSIONS. AND FUTURE RESEARCH
Summary
The primary purpose of this study was to examine consumers’ perceptions or risk
and trust in relation to on-line shopping, on-line merchants, and the underlying security
procedures of the Internet. The secondary purpose was to add empirical data to the
academic body of research regarding Internet perceptions and use.
A questionnaire was developed from two existing inventories to examine the
constructs of risk and trust. The instrument was administered to all students who were
currently enrolled in an elective physical education course at a major southeastern
university. The procedure collected 1,173 questionnaires, which yielded six hundred and
fifty-eight (56%) that were able to be used for the study. Data collected from the
instrument was used to examine the six component model of risk, as well as consumer
perceptions of on-line shopping, on-line merchants, and on-line shopping security.
Finally, comparisons were drawn between on-line shoppers and non on-line shoppers.
Linear regression was used to examine what percentage of variance was explained
by the six component model of risk. The model captured 70.8% of the overall risk, but
108
was consistent with past research in that the model seemed to be lacking a risk
component. The largest contribution to the overall model was that of financial risk which
accounted for 61.5% of the total variance in the current sample. Additionally, each of the
six components of risk was significantly and positively correlated, but each component
(with the exception of social risk) also added a significant addition to the overall criterion
variable model. This seems to support the assertion that each component, though
independent, need not be unrelated.
In examining consumer perceptions of risk, it was found that consumers did not
perceive on-line shopping as a high-risk venture. However, when compared to other
methods of shopping, on-line shopping still was perceived as significantly higher in risk
than retail stores, direct mail, telephone shopping, catalog shopping, television shopping,
and magazine shopping. When the construct of trust was examined, the consumers
evidenced moderate levels of trust in the security procedures and methods that support
on-line shopping. However, it was discussed that the ambiguity of the item being ordered
could have played a role in the moderate levels of risk and trust reported by the
consumers. The same individuals may have given markedly different responses if the
value of the item being ordered was of great value.
When the overall risk variable was correlated with the consumers’ knowledge of
Internet security procedures and techniques, a significant negative relationship was
realized. Also, a significant, negative relationship was found between on-line shopping
frequency and overall perceived risk associated with on-line shopping. This appears to
suggest that as the consumer’s knowledge of the security protection afforded by shopping
on-line increases, some measure of the uncertainty and associated perceived risk is
109
alleviated. Furthermore, a significant, positive relauonship was found between the
consumer’s Internet security knowledge and their on-line shopping frequency. In all of
these relationships, however, it is possible that an inverted-U relationship exists wherein
as the consumers’ security knowledge moves to either extreme there is a corresponding
increase in perceived risk and decrease in on-line shopping frequency. The rationale for
this possible relationship is that consumers with a strong knowledge of security
procedures may actually know enough to perceive greater risk.
Finally, the perceptions of respondents who had made two or more purchases in
the last twelve months (“shoppers”) were compared to the respondents who had not
(“non shoppers”). As expected, the on-line shoppers reported significantly lower levels
of perceived risk in on-line shopping and significantly higher levels of trust in on-line
merchants and on-line security procedures. Somewhat surprising was that non-shoppers
did not possess high levels of risk or low levels of trust. In fact, moderate levels of risk
and trust were reported by non-shoppers. Somewhat surprisingly, however, was that on
line shoppers possessed relatively low levels of perceived risk associated with on-line
shopping and relatively high levels of trust in both on-line merchants and Internet
security technology.
Conclusions
Based on the findings within the limits of this investigation, the following conclusions
have been made:
1. The six component model does not adequately explain the criterion variable of risk.
110
2. Consumers do not perceive on-line shopping as a high-risk venture.
3. Consumers do not possess low levels of trust in Internet security technology.
4. Consumers perceive a significantly higher level of risk associated with on-line
shopping as compare to retail stores, direct mail, telephone, catalog, television, and
magazine shopping.
5. There is a negative relationship between knowledge of Internet security technology
and the perceived risk associated with on-line shopping.
6. There is a relationship between knowledge of Internet security technology and on-line
shopping frequency.
7. There is a negative relationship between the perceived risk associated with on-line
shopping and on-line shopping frequency.
8. On-line shoppers perceive less risk in on-line shopping than non on-line shoppers.
9. On-line shoppers have higher levels of trust in on-line merchants than non on-line
shoppers.
10. On-line shoppers have higher levels of trust in Internet security technology than non
on-line shoppers.
Future Research
When Internet research is conducted and reported, it is incumbent upon the reader
to investigate the source. Due to the relatively recent arrival o f commercialism to the
Internet and the vast majority of the studies being conducted by companies and
111
organizations with a vested interest in the success of the Internet, there is a tremendous
need for academic research in all facets of on-line shopping and Internet topics.
In the area of risk, further clarification of the components o f risk and studies
analyzing the criterion variable of risk are needed. Additionally, the characteristic of
situation specificity should be investigated as the contribution of the risk components
undoubtedly varies according to the product price and purchase situation. Also, the
possibility of an inverted-U relationship involving Internet security technology and both
perceived risk and on-line shopping frequency seems to be a valuable area of research.
Although both risk and trust were investigated in the current study, the
relationship of the two variables was not examined. The Internet and on-line shopping
provides a good platform for the investigation of these two constructs as the need for
Internet related research and on-line consumer demographics and characteristics
continues to grow. Further research should focus on the relationship of risk and trust and
how the presence of high or low perceived risk impacts the development of trust. Once
again, just as with perceived risk, future studies need to examine how differences in
product price and purchase situation alter trust development. Finally, the perceptions of
consumers who have chosen not to return to shopping on-line should be examined to
identify major concerns and maintain the viability of on-line shopping.
112
APPENDIX A
Dear Florida State University Student,
This research is being conducted by Michael Kehoe, a doctoral student in the Department
of Physical Education at Florida State University. The purpose of this study is to
investigate the perceptions of consumers as they relate to on-line shopping. If you
participate in the project, you will be asked questions about your purchasing habits and
perceptions of purchase options, as well as general information about yourself.
By choosing to complete the attached questionnaire, you are freely and voluntarily and
without element of force or coercion, consenting to be a participant in the research
project entitled “The Role of Perceived Risk and Consumer Trust in Relation to On-Line
Shopping and Security.” No academic reward for participating in this study will be
awarded.
You will be asked to fill out a paper and pencil questionnaire. The total time
commitment will be about 10 minutes. Your participation is totally voluntarily and you
may stop participation at any time, without prejudice or penalty. All answers to questions
will be kept confidential and identified by a subject code number. Only group findings
will be reported.
You have the right to ask and have answered any inquiry concerning this study. You
may contact Michael Kehoe, Florida State University Physical Education, for answers to
questions about this research or your rights. All questions will be answered to the fullest
extent possible.
Thank you in advance for your cooperation and participation in this study.
Sincerely,
Michael P. Kehoe
117 Tully Gymnasium
Department of Physical Education
Florida State University
(850) 644-7903
113
APPENDIX B
INVENTORY
1. In the next 12 months, do you think you are likely to buy XXXXXX over the Web?
Definitely will buy 1 2 3 4 5 Definitely will not buy
2. The demands on my schedule are such that purchasing XXXXXX over the Web
would create even more time pressures on me that I don't need.
Strongly Disagree 1 2 3 4 5 Strongly Agree
3. I am concerned about the potential physical risks associated with purchasing

XXXXXX over the Web.
4. I am confident about the ability of an on-line XXXXXX vendor to perform as expected.

5. The thought of purchasing XXXXXX over the Web causes me to experience unnecessary
tension.
6. I have as much confidence in the business ethics of on-line merchants as I do in merchants of

other modes of shopping.
7. All things considered, I think I would be making a mistake if I bought XXXXXX over the
Web.
8. Purchasing XXXXXX over the Web would cause me to be thought of as foolish by some
people whose opinions I value.
9. As I consider the purchase of XXXXXX over the Web, I worry about whether they will
perform as well as they are supposed to.
10. If you purchase XXXXXX over the Web, your credit card details are likely to be stolen.
114
11. Purchasing XXXXXX over the Web will take too much time or be a waste of time.
12. Purchasing XXXXXX over the Web would be a bad way to spend my money.
13. I am concerned that using the Web may lead to uncomfortable physical side effects such as
bad sleeping, backaches,and the like.
14. The thought of purchasing XXXXXX over the Web gives me a feeling of unwanted anxiety.
15. On-line merchants cannot be trusted to deliver the same products that they advertise.
16. How important would it be to you to make the right choice of Web-based vendor?
Not at all important. 1 2 3 4 5 Extremely important.
17. When all is said and done, I really feel that the purchase of XXXXXX over the Web poses
problems for me that I just don’t need.
18. Purchasing XXXXXX over the Web would not provide value for the money I spent.
19. I am confident that the technology used to secure my credit card details and personal
information, when sent over the Internet, is safe.
20. I would buy something over the Web, even if I had not heard of the on-line vendor before.
21. The thought of buying XXXXXX over the Web causes me concern because some friends
would think I was just being showy.
22. Purchasing XXXXXX over the Web could lead to an inefficient use of my time.
23. If I bought XXXXXX over the Web, I would be concerned that the financial investment I
would make would not be wise.
24. One concern I have about purchasing XXXXXX over the Web is that eyestrain could result
from looking at the computer.
25. If you purchase XXXXXX over the Web, the security technology will protect your credit
card details and personal information.
115
26. The thought of purchasing XXXXXX over the Web makes me feel psychologically
uncomfortable.
27. On-line merchants can be counted on to do what is right.

28. Purchasing XXXXXX over the Web will adversely affect others’ opinion of me.
29. I am confident that the security procedures on the Web will keep my personal information
confidential.
30. In making your choice of Web-based XXXXXX vendor, how concerned would you be about
the outcome of your choice.
Not at all concerned. 1 2 3 4 5 Very much concerned.
31. I am concerned that if I purchase XXXXXX over the Web, the vendor will not keep my
personal information private.
32. If I were to purchase XXXXXX over the Web, I would be concerned that they would not
provide the levels of benefits that I would be expecting
33. Considering the possible problems associated with an on-line XXXXXX vendor’s
performance, a lot of risk would be involved with purchasing them over the Web.
34. Overall, the thought of buying XXXXXX over the Web causes me to be concerned with
experiencing some kind of loss if I went ahead with the purchase.
35. If I bought XXXXXX over the Web, I would be concerned that I really would not get my
money’s worth from the tickets.
36. New technology is needed to make the Web a safe place to conduct business.
37. I would consider my knowledge of XXXXXX as:

Firewalls Very aware I 2 3 4 5 no knowledge of
Digital Signatures Very aware 1 2 3 4 5 no knowledge of
Digital Certificates Very aware 1 2 3 4 5 no knowledge of
Encryption technology Very aware 1 2 3 4 5 no knowledge of
(SET. SSL S-HTTP)
116
38. Within the last 12 months, I have purchased products or services at, or by, XXXXXX:
# o f times 6± 4-5 2-3 Once Never
Retail Stores very often 1 2 3 4 5 never at all
Direct Mail very often I 2 3 4 5 never at all
Telephone very often I 2 3 4 5 never at ail
Catalog very often 1 2 3 4 5 never at all
On-line very often I 2 3 4 5 never at all
Television very often 1 2 3 4 5 never at all
Magazines very often 1 2 3 4 5 never at all
39. I would consider shopping by XXXXXX as:

Retail Stores extremely risky 1 2 3 4 5 very safe
Direct Mail extremely risky I 2 3 4 5 very safe
Telephone extremely risky 1 2 3 4 5 very safe
Catalog extremely risky 1 2 3 4 5 very safe
On-line extremely risky 1 2 3 4 5 very safe
Television extremely risky 1 2 3 4 5 very safe
Magazines extremely risky 1 2 3 4 5 very safe
40. I would consider the security technology and procedures for XXXXXX as:
Retail Stores extremely unsafe 1 2 3 4 5 very safe
Direct Mail extremely unsafe 1 2 3 4 5 very safe
Telephone extremely unsafe 1 2 3 4 5 very safe
Catalog extremely unsafe 1 2 3 4 5 very safe
On-line extremely unsafe 1 2 3 4 5 very safe
Television extremely unsafe 1 2 3 4 5 very safe
Magazines extremely unsafe 1 2 3 4 5 very safe
41. Do you have Internet access at work? Yes No

42. Do you have Internet access in your home? Yes No
43. What is your gender? Male Female
44. What is your age? ___________
45. On average, how many hours per week do you spend on the Internet?
a. 0 hours per week
b. 1-5 hours per week
c. 10-20 hours per week
d. 20+ hours per week
117
APPENDIX C
H onda State
UNIVERSITY
Office of th e V ice P resid en t
for R esearch
Tallahassee, rie ru la 32306-27t>3
(S50) 644-32M) • FAX (S50) 644-4392
A P P R O V A L MEMORANDUM
from the H um an S ubjects Comm ittee
b a te : Ju ly 6, 2000
From : David Q uadagno, Chaii
T o: Michael P. Kehoe
2229 Paul Russell Circle
Tallahassee, Ft. 32301
D e p t: Physical Education
R e: U s e o f H u m a n s u b j e c t s in R e s e a r c h
P r o je c t e n title d : The Role of Perceived Risk and Consumer Trust in Relation to On-Line Shopping
The forms mat you submitted to tnis office in regard to me u se of human suBjects w me proposal referenced
aBove nave oeen reviewed By me Secretary, me Chatr. and two m em bers of m e Human Subjects Committee
Your project is determined to Be exempt per 45 CFR § 46 101(b)2 and has been approved by an accelerated
review process
T he Hum an S u b jects Com m ittee h a s not evaluated y o u r p ro p o sal for scientific m erit, ex cep t to weigh th e
risk to th e hum an participants and th e a s p e c ts of the p ro p o sal related to potential risk an d benefit. T his
ap p ro v al d o e s not replace any departm ental o r other ap p ro v als w hich m ay be required.
If m e project h as not been completed by July 6 , 200t you m ust request renewed approval for continuation of tne
project
You are advised mat any change m protocol in mis project m ust be approved by resubmission of the project to the
Committee for approval Also, me pnnapal investigator must promptly report in wnting. any unexpected problems
causing risks to research subjects or others
By copy of this memorandum, me chairman of your department and/or your major professor is reminded mat
he/sne is responsible for being informed concerning research projects involving human subjects in me
d epartm ent and should review protocols of such investigations a s often a s needed to insure mat m e project is
being conducted in compliance with our institution and with OHHS regulations
This institution h as an Assurance on file with me Office for Protection from Research Risks The Assurance
Number is M1339.
cc C imwQid
APPUCATICN NO 00 232
118
REFERENCES
Akaah, I. & Korgaonkar, P. K. (1988). A conjoint investigation o f the relative

importance of risk relievers in direct marketing. Journal of Advertising Research. 28.
38-44.
Alrdidge, A., White, M., & Forcht, K. (1997). Security considerations o f doing
business via the Internet: cautions to be considered. Internet Research. 7. 9-15.
Anderson, R. J. (1994). Whither cryptography? Information Management and

Computer Security. 2. 13-20.
Anon, R. (1996). Caught in the Net: what to make of user estimates. Public
Perspective. 7. 37-40.
Arrow, K. (1973). Information and Economic Behavior. Stockholm, Sweden:

Federation of Swedish Industries.
Barber, B. (1983). The logic and limits of trust. New Brunswick, N J.: Rutgers
University Press.
Bauer, R. A. (1960). Consumer behavior as risk taking. In R. F. Hancock (Ed.),

Dynamic Marketing for a Changing World (pp. 389-398). Chicago, IL: American
Marketing Association.
Bell, H. & Tang, N.K.H. (1998). The effectiveness of commercial Internet web
sites: a user’s perspective. Internet Research. 8 .219-228.
Bequai, A. (1996). Securing electronic commerce with digital signatures.

Computer Audit Update. 2 .28-32.
Bernstein, T., Bhimani, A. B., Schultz, E., & Siegel, C. L. (1996). Internet
security for business. New York, N.Y.: Wiley & Sons.
Beth. T. (1995). Confidential communication on the Internet. Scientific

American. 274. 88-91.
119
Bhimani, A. (1996). Securing the commercial Internet. Communications o f the
ACM. 39. 29-35.
Bierman, H., Jr., Bonini, C. P., & Hausman, W. H. (1969). Quantitative analysis
for business decisions (3rd ed.V Homewood, IL: Irwin.
Birch, D. (1997). Real electronic commerce - SmartCards on the superhighway.

Internet Research. 7. 116-119.
Blattberg, R.C. & Deighton, J. (1996). Interactive marketing: exploiting the age
of addressability. Sloan Management Review. 3 3 .5-14.
Blau, P. M. (1964). Exchange and power in social life. New York, N.Y.: Wiley
& Sons.
Booker, E. (1995). Internet users cruising for info, not purchases.

Computerworld. 2 9 .6.
Brody, H. (1995). Internet at crossroads. Technology Review. 98. 24-31.
Brody, R. P. & Cunningham, S. M. (1968). Personality variables and the

consumer decision process. Journal of Marketing Research. 5 . 50-57.
Buck, S. P. (1996). Electronic commerce - would, could, and should you use
current Internet payment mechanisms? Internet Research. 6. 5-18.
Burke, R. R. (1997). Do you see what I see? The future o f virtual shopping.
Journal of the Academy of Marketing Science. 25. 352-360.
Bun, R. S. & Knez, M. (1996). Trust and third parties: the social production of
cooperation. Chicago, IL: University of Chicago, Graduate School o f Business.
Card Technology Today (1996). Survey: SmartCards and the Internet. Card
Technology Today. 3. 12-16.
Caskey, R. & Delpy, L. (1999). An examination of sport web sites and the
opinion of Web employees toward the use and viability of the World Wide Web as a
profitable sports marketing tool. Sport Marketing Quarterly. 8. 13-24.
Cole, J. I. (2001). The UCLA Internet Report 2001: Surveying the digital future.
Available: http://www.ccp.ucla.edu/pdf/UCLA-Intemet-Report-2001 .pdf
Coleman, J. S. (1990). Foundations in social theory. Cambridge, MA: Harvard

University Press.
120
CommerceNet/Nielsen (1996). Internet demographics recontact study
March/April 1996 executive summary. Available: www.commerce.net/nielsen/exec.html
Computer Security Institute (2000). Available:

ww\v.gocsi.com/prelea990301.htm
Covello, V. T. (1983). The perception o f technological risks: a literature review.

Technological Forecasting and Social Change. 2 3 .285-297.
Cox, D. F. (1967). Risk handling in consumer behavior an intensive study of two

cases. In D. F. Cox (Ed.) Risk taking and information handling in consumer behavior.
Boston, MA: Harvard University Press.
Cox, D. F. & Rich, S. U. (1964). Perceived risk and consumer decision-making:

the case of telephone shopping. Journal o f marketing Research. 1. 32-39.
Crede, A. (1996). Electronic commerce and the banking industry: the required
and opportunities for new payment systems using the Internet. The Journal of Computer-
Mediated Communication. 1.
Cronin, M. (1995). The Internet Strategy Handbook. Boston, MA: Harvard

Business School Press.
Culnan, M. J. & Armstrong, P. K. (1999). Fairness and impersonal trust: an

empirical investigation. Organization Science. 10. 104-115.
Cummings, L. L. & Bromiley, P. (1996). The organizational trust inventory

(OTI): development and validation. In R. M. Kramer & T. R. Tyler (Eds.), Trust in
Organizations (pp. 302-320). Thousand Oaks, CA: Sage.
Cunningham, S. M. (1969). The major dimensions o f perceived risk. In D. F.

Cox (Ed.), Risk taking and information handling in consumer behavior ( pp. 82-108).
Boston, MA: Harvard University Press.
Cunningham, I. C. M. & Cunningham, W. H. (1973). The urban in-home

shopper: socioeconomic and attitudinal characteristics. Journal of Retailing. 4 9 .42-50.
Dash, J., Schiffman, L., & Berenson, C. (1976). Risk and personality-related
dimensions of store choice. Journal of Marketing. 4 0 .32-39.
Dawes, R. M. (1988). Rational choice in an uncertain world. San Diego, CA:

Harcourt Brace.
Deighton, J. (1997). Commentary on exploratory: the implications o f the Internet

for consumer marketing. Journal of the Academy of Marketing Science. 2 5 .347-351.
121
Denning, D. E. (1998a). Cyberspace attacks and countermeasures. In D. E.
Denning & P. J. Denning (Eds.), Internet Besieged (pp. 29-55). New York, N.Y.: ACM
Press.
Denning, P. J. (1998b). Electronic commerce. In D. E. Denning & P. J. Denning

(Eds.), Internet Besieged (pp. 377-388). New York, N.Y.: ACM Press.
Denning, D. E. & Denning, P. J. (1998). Internet Besieged. New York, N.Y.:
ACM Press.
Derlega, V. J., Metts, S., Petronio, S., & Margulis, S. T. (1993). Self disclosure.
Newbury Park, N. J.: Sage.
Deutsch, M. (1960). The effect o f motivational orientation upon trust and

suspicion. Human Relations. 1 3 .123-139.
Dinnie, G. (1999). The 2nd annual global information security survey.

Information Management and Computer Security. 7 . 112-120.
Dowling, G. R. & Staelin, R. (1994). A model of perceived risk and intended risk
handling activity. Journal of Consumer Research. 2 1 .119-134.
e-Marketer (1998). Quickee Profile. Available:

www.emarketer.com/estats/demo profile.html
Festervand, T. A., Snyder, D. R., & Tsalikas, J. D. (1986). Influence o f catalog

vs. store shopping and prior satisfaction on perceived risk. Journal o f the Academy of
Marketing Science. 14.28-36.
Flanagan (1994). Demystifying the information highway. Management Review.

83,34-39.
Foo, S., Leong, P. C., Hui, S. C., & Liu, S. (1999). Security considerations in the
delivery of Web-based applications: a case study. Information Management and
Computer Security, 7,40-50.
Forcht, K.A. & Fore, R.E. (1995). Security issues and concerns with the Internet.
Internet Research, 5, 23-31. Available: www.emerald-librarv.com
Forcht, K., Thomas, D. S., Usry, M. L., & Egan, K. (1997). Control of the
Internet. Information Management and Computer Security, 5,23-28.
Freeman, A. M. (1986). The ethical basis o f the economic view o f the

environment. In D. VanDeVeer and C. Pierce (Eds.), People, penguins, and plastic trees:
basic issues in environmental ethics (pp. 218-226). Belmont, CA: Wadsworth.
122
Frost (1994). Cyberpoet’s guide to virtual culture. Available:
homepage.seas.upenn.edu/~mengwong/cuber/cgvc 1.htm
Fumell, S. M., Dowland, P. S., & Sanders, D. W. (1999). Dissecting the Hacker
Manifesto. Information Management and Computer Security, 7,69-75.
Gemunden, H. G. (1985). Perceived risk and information search: a systematic

meta-analysis of the empirical evidence. International Journal of Research in Marketing.
2. 79-100.
Giffin, K. (1967). The contribution of studies of source credibility to a theory of

interpersonal trust in the communication department. Psychological Bulletin. 68. 104-
120.
Gillett, P. L. (1970). In-home shoppers - an overview. Journal o f Marketing. 34.

40-45.
Glassman, S., Manasse, M., Abadi, M., Gauthier, P., & Sobalvarro, P. (1995).
The Millicent protocol for inexpensive electronic commerce. 4th International WWW
Conference. July.
Good, D. (1988). Individuals, interpersonal relations, and trust. In D. G.

Gambetta (ed.).
Grant, G. (1996). Emerging platforms for commerce over the Internet. In M.

Cronin (Ed.), The Internet Strategy Handbook (pp. 211-248). Boston, MA: Harvard
Business School Press.
Hawes, J. M. & Lumpkin, J. R. (1986). Perceived risk and the selection of a retail
patronage model. Journal o f the Academy o f Marketing Science. 14. 37-42.
Hart, P. & Saunders, C. (1997). Power and trust: critical factors in the adoption
and use of electronic data interchange. Organization Science. 8 .23-41.
Hirsch, R. D., Domoff, R. J., & Keman, J. B. (1972). Perceived risk in store
selection. Journal of Marketing Research. 9 . 435-439.
Hirschman, A. O. (1984). Against parsimony: three easy ways o f complicating

some categories of economic discourse. American Economic Review. 7 4 .88-96.
Hovland, C. L, Janis, L, & Kelley, H. H. (1953). Communication and persuasion.

New Haven, CT: Yale University Press.
“Industry spotlight: sports on the Web" (1998, May 11). The Indusny Standard.
36,1.
123
International Data Corporation (1997). Unprecedented growth in global Internet
and World Wide Web usage. Available: www.idcresearch.com/HNR/cpr4ic.htm
Internet Security Survey Results (1996). Available:

www.guidep.infoseek.com/www/ns/tabies/BTitles?qt=Intemet+securitv+col=WWWS
st=10
Jacoby, J. & Kaplan, L. B. (1972). The components of perceived risk. In M.
Venkatesan (Ed.), Proceedings o f the 3rd Annual Conference o f the Association for
Consumer Research, (pp. 382-393). College Park, MD: Association for Consumer
Research.
Jarvenpaa, S. L. & Todd, P. A. (1997). Is there a future for retailing on the

Internet? In R. A. Peterson (Ed.), Electronic marketing and the consumer (pp. 139-154).
Thousand Oaks, CA: Sage.
Jones, J. M. & Vijayasarathy, L. R. (1998). Internet consumer catalog shopping:

findings from an exploratory study and directions for future research. Internet Research.
8, 322-330.
Jungermann, H. (1986). Two camps of rationality. In H. L. Arkes & K. R.

Hammond (Eds.), Judgment and decision-making: an introductory reader (pp. 627-641).
Cambridge, England: Cambridge University Press.
Kahle, L. R. & Meeske, C. (1999). Sports marketing and the Internet: it’s a whole
new ball game. Sport Marketing Quarterly. 8 .9-12.
Kahneman, D. & Tversky, A. (1979). Prospect theory: an analysis of decision

under risk. Econometrica. 4 7 .263-291.
Kahneman, D., Slovic, P., & Tversky, A. (1982). Judgment under certainty:
heuristics and biases. New York, N.Y.: Cambridge University Press.
Kasperson, R. E., Renn, O., Slovic, P., Brown, H. S., Emel, J., Goble, R.,
Kasperson, J. X., & Ratick, S. (1988). The social amplification of risk: a conceptual
framework. Risk Analysis. 8 . 177-187.
Katz, J. & Aspden, P. (1997). Motivations for and barriers to Internet usage :
results of a national public opinion survey. Internet Research. 7. 170-188.
Keating, P. (1996, February). Protect your money from cybertheft. Money. 25.
20.
Kee, H. W. & Knox, R. E. (1970). Conceptual and methodological considerations

in the study of trust. Journal of Conflict Resolution. 14.357-366.
124
Kiani, G. (1998). Marketing opportunities in the digital world. Internet Research.
8, 185-194.
Kingsley, P. & Anderson, T .( 1998). Facing life without the Internet. Internet
Research. 8. 303-312.
Kizza, J. M. (1998). Civilizing the Internet: global concerns and efforts toward
regulation. Jefferson, N.C.: McFarland and Company.
Kramer, R. M. (1993). Cooperation and organizational identification. InK .

Mumighan (Ed.), Social psychology in organizations: advances in theory and research
(pp. 244-268). Englewood Cliffs, N J.: Prentice Hall.
Korgaonkar, P. (1982). Non-store retailing and perceived product risk. In B. J.

Walker (Ed.), An assessment of marketing thought and practice (pp. 204-207). Chicago,
IL: American Marketing Association.
Krimsky, S. & Golding, D. (1992). Social theories o f risk. Westport, CT:

Greenwood Publishing Group.
Kwon, Y., Paek, S. L., & Arzeni, M. (1991). Catalog vs. non-catalog shoppers of
apparel: perceived risks, shopping orientations, demographics, and motivations. Clothing
and Textiles Research Journal. 10. 13-19.
Laquey (1994). The Internet companion: a beginner’s guide to global

networking. Reading, MA: Wesley.
Leiss, W. &Chociolko, C. (1994). Risk and responsibility. Montreal, CA:

McGill-Queens University Press.
Lewicki, R. J. & Bunker, B. B. (1996). Developing and maintaining trust in

work relationships. In R. M. Kramer & T. R. Tyler (Eds.), Trust in organizations:
frontiers of theory and research (pp. 114-139). Thousand Oaks, CA: Sage.
Lewis, J. D. & Weigart, A. (1985). Trust as a social reality. Social Forces. 63.
967-985.
Lewis, P. H. (1995, December 13). Report of high Internet use is challenged.

New York Times, p. D5.
Liddv, C. (1996). Commercial security on the Internet. Internet Research. 6 . 75-

78.
Liddy, C. (1997). Commercialization o f cryptography. Information Management

and Computer Security. 5. 87-89.
125
“Light mail order buyers surveyed” (1987). Direct Marketing. 49. 12.
Lindskold, S. (1978). Trust development, the GRIT proposal, and the effects of
conciliatory acts on conflict and cooperation. Psychological Bulletin. 8 5 .772-793.
Locander, W. B. & Herman, P. W. (1979). The effect of self-confidence and

anxiety on information seeking in consumer risk reduction. Journal of Marketing
Research. 16. 268-274.
Lopes, L. (1983). Some thoughts on the psychological concept of risk. Journal of

Experimental Psychology: Human Perception and Performance. 9. 137-144.
Lopez, L. L. (1987). Between hope and fear; the psychology of risk. Advances in
Experimental Psychology. 2 0 .255-259.
Luce, R. D. & Weber, E. U. (1986). An axiomatic theory of conjoint, expected

risk. Journal of Mathematical Psychology. 3 0 .188-205.
Luhmann. N. (1993). Risk: a sociological theory. New York, N.Y.: Aldine de

Gruyter.
Lumpkin, J. & Hawes, J. (1985). Retailing without stores: an examination of

catalog shoppers. Journal of Business research. 13. 139-151.
Lutz, R. J. & Reilly, P. J. (1973). An exploration of the effects of perceived

social and performance risk on consumer information acquisition. In S. Ward & P.
Wright (Eds.), Advances in Consumer Research. Vol. 1 (pp. 393-405). Urbana, IL:
Association for Consumer Research.
Machlis, S. & Wagner, M. (1997). E-commerce brings applause, some fears.

Computerworld. 31. 1-28.
Maignan, I. & Lukas, B. (1997). The nature and social uses o f the Internet: a
qualitative investigation. Journal of Consumer Affairs. 31. 346-371.
March, J. G. & Shapira, Z. (1987). Managerial perspectives on risk and risk

taking. Management Science. 33. 1404-1418.
Mastercard (1995). Available: www.mastercard.com.
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of

organizational trust. Academy of Management Review. 20. 709-734.
Mazur, A. (1981). The dynamics of technical controversy. Washington, D.C.:

Communications Press.
126
McCorkle, D. E. (1990). The role of perceived risk in mail order catalog
shopping. Journal of Direct Marketing. 4. 26-35.
McEachem, T. & O ’Keefe, B. (1998). Re-Wiring Business: Uniting management

and the Web. New York: Wiley and Sons Publishing.
Minsall, B., Winakor, G., & Swinney, J. L. (1982). Fashion preferences of males
and females, risks perceived, and temporal quality of styles. Home Economics Research
Journal. 10. 369-379.
Mishra, A. K. (1996). Organizational responses to crisis: the centrality of trust.

In R. M. Kramer & T. R. Tyler (Eds.), Trust in organizations: frontiers of theory and
research (pp. 261-287). Thousand Oaks, CA: Sage.
Mitra, K., Reiss, M. C., & Capella, L. M. (1999). An examination o f perceived

risk, information search, and behavioral intentions in search, experience, and credence
services. The Journal of Services Marketing. 13. 208-228.
Morgan, R. R. & Hunt, S. D. (1994). The commitment-trust theory of

relationship marketing. Journal of marketing. 58. 20-38.
Muiznieks, V. (1995). The Internet and EDI. Telecommunications. 1 .45-48.
Murphy, P. E. & Enis, B. M. (1986). Classifying products strategically. Journal

of Marketing. 50. 24-42.
Network Wizards (1996). Internet growth statistics. Available: www.nw.com
Nunnally, J. L. (1978). Psychometric theory (2nd ed.1. New York, N.Y.: McGraw
Hill.
“On-line purchasing doubles” (1998, October 12). NUA Internet Surveys.

Available: www.nua.ie/survevs/?f=VS&art id=905354418&rel=true
Opinion research Corporation (1959). America’s Tastemakers: Tastemaker

Research Report No. 1. Princeton, N J.: Opinion Research.
Panurach, P. (1996). Money in electronic commerce: digital cash, electronic fund

transfer, and Ecash. Communications of the ACM. 3 9 .45-50.
Perry, M. & Hamm, B. C. (1968). Canonical analysis o f relations between socio

economic risk and personal influence in purchase decisions. Journal of Marketing
Research. 6. 351-354.
Peter, J. P. & Ryan, M. J. (1976). An investigation of perceived risk at the bamd

level. Journal of Marketing Research. 13. 184-188.
127
Pitkow, J. E. & Kehoe, C. (1996). Emerging trends in the WWW user population.
Communications of the ACM. 3 9 .106-108.
Plough, A. & Krimsky, A. (1987). The emergence o f risk communication studies:

social and political context. Science. Technology, and Human Values. 12.4-10.
PoUatsek, A. & Tversky, A. (1970). A theory of risk. Journal o f Mathematical
Psychology. 7 . 540-553.
Poon, S. & Swatman, P.M.C. (1997). Internet-based small business

communications: seven Australian cases. In Proceedings o f the 1997 PACIS Conference.
Brisbane, Australia.
Pope, N., Brown, M., & Forrest, E. (1999). Risk, innovativeness, gender, and
involvement factors affecting the intention to purchase sport product online. Sport
Marketing Quarterly. 8 .25-34.
Popielarz, D. T. (1967). An exploration of perceived risk and willingness to try

new products. Journal of Marketing Research. 4. 368-372.
“Quickee Profile” (1998). E-Marketer. Available:

www.emarketer.com/estats/demo profile.html
Rao, R. M. (1996, March 18). Nielsen’s Internet survey: does it carry any
weight? Fortune, p. 24.
Ratnasingham, P. (1998a). The importance of trust in electronic commerce.

Internet Research. 8. 313-321.
Ratnasingham, P. (1998b). Trust in Web-based electronic commerce security.

Information Management and Computer Security. 6 . 162-166.
Ratnasingham, P. (1998c). Internet based EDI trust and security. Information

Management and Computer Security. 6 . 33-39.
Rayport, J.F. & Sviokla, J J . (1995). Managing in the marketspace. Harvard

Business Review. 75. 75-85.
Renn, O. (1989). Risk communication in the community: European lessons from

the Seveso Directive. Journal of the Air Pollution Control Association. 4 0 . 1301-1308.
Renn, O. (1990). Risk perception and risk management: a review. Risk

Abstracts. 7. 1-9.
128
Richards, S. (1996). Electronic banking resource cen ter electronic
money/Internet payment systems. Available: www2.cob.ohiostate.edu/
{richards/bankpay.htm
Riker, W. H. (1974). The nature of trust. In J. T. Tedeschi (Ed.), Perspectives on

social power (pp. 63-81). Chicago, IL: Aldine.
Roehl, W. S. & Fesenmaier, D. R. (1992). Risk perceptions and pleasure travel:

an exploratory analysis. Journal of Travel Research. 3 0 .17-26.
Roselius, T. (1971). Consumer rankings of risk reduction methods. Journal of

Marketing. 39. 56-61.
Rosner, H. (1995). What am I doing here? (Advertising on the World Wide

Web). Brandweek. 3 6 .40-41.
Rotter, J. B. (1971). Generalized expectancies for interpersonal trust. American

Psychologist. 2 6 .443-452.
Rowley, (1996). Retailing and shopping on the Internet. Internet Research. 6. 81-
91.
Rubin. R. (1996). Moral distancing and the issue o f information technologies: the
seven temptations. In J. M. Kizza (Ed.), Social and ethical effects o f the computer
revolution (pp. 124-135). Jefferson, N.C.: McFarland and Company.
Schaninger, C. M. (1976). Perceived risk and personality. Journal o f Consumer

Research. 3 .95-100.
Schiffan, L., Schus, S., & Winer, L. (1976). Risk perception as a determinant of
in-home consumption. Journal of the Academy of Marketing Sciences. 4 . 753-763.
Schlenker, B., Helm, B., & Tedeschi, J. (1973). The effects o f personality and
situational variables on behavioral trust. Journal o f Personality and Social Psychology.
25,419-427.
Sen, A. K. (1977). Rational fools: a critique of the behavioral foundations of

economic theory. Philosophy and Public Affairs. 6 . 317-344.
Settle, R. B.. Alreck, P. L., & McCorkle, D. E. (1994). Consumer perceptions of

mail/phone order shopping media. Journal of Direct Marketing. 8 . 30-45.
Shapiro, D., Sheppard, B. H. & Cheraskin, L. (1992). Business on a handshake.

The Negotiation Journal. 8 .365-378.
129
Shaw, M. J. (2000). Electronic Commerce: State of the Art. In M. Shaw, R.
Blanning,R. Strader, & A. Whinston (Eds.), Handbook on Electronic Commerce ( pp. 3-
24). Heidelberg, N.Y.: Springer Publishing.
Shon, T. H. & Swatman, P. M. C. (1998). Identifying effectiveness criteria for

Internet payment systems. Internet Research. 8 . 202-218.
Simpson, L. & Lakner, H. B. (1993). Perceived risk and mail order shopping for
apparel. Journal for Consumer Studies and Home Economics. 17. 377-389.
Slovic, P., Fischoff, B„ & Lichtenstein, S. (1981). Perceived risk: psychological

factors and social implications. Proceedings of the Roval Society o f London. 376. 17-34.
Spector, P. E. (1992). Summated ratine scale construction. Newbury Park, N J.:

Sage.
Spence, H. E., Engel, J. F., Blackwell, R. D. (1970). Perceived risk in mail-order

and retail store buying. Journal of Marketing Research. 7 . 364-369.
Starr, C. (1969). Social benefit versus technological risk: what is our society
willing to pay for safety? Science. 165. 1232-1238.
Stone, R. N. & Gronhaug, K. (1993). Perceived risk: further considerations for

the marketing discipline. European Journal o f Marketing. 2 7 .39-50.
Stone, R. N. & Mason, J. B. (1995). Attitude and risk: exploring the relationship.
Psychology and Marketing. 12. 135-153.
Stores (1996). Internet shopping! New competitor on new frontier? Stores.

MCI-MC. 23.
Swan, J. E., Trawick, J. F., Rink, Jr., D. R., & Roberts, J. J. (1988). Measuring
dimensions of purchaser trust of industrial salespeople. Journal of Personal Selling and
Sales Management. 8 . 1-9.
Teague, J. (1995). Marketing on the World Wide Web. Technical

Communication. 4 2 .236-242.
Thomas, C. (1991). Public trust in organizations and institutions: a sociological

perspective. New York, N.Y.: Putnam.
“Top Traffic-Drawing Sites” (1997, Nov. 24). Min’s New Media Report. 7.
Verity, J. W. (1995, November 13). Bullet-proofing the Net. Business Week. 98-
99.
130
Vlek, C. A. J. & Stallen, P. J. M. (1980). Rational and personal aspects of risk.
Acta Psvchologica. 45. 273-300.
Von Solms, R. (1998). Information security management (1): why information

security is so important. Information Management and Computer Security. 6 . 174-177.
Weber, T.E. (1996, February 6). ATT will insure its card customers on its web
service. The Wall Street Journal, p. B5.
Westin, A. F. (1967). Privacy and freedom. New York, N.Y.: Atheneum.
Williamson, O. E. (1993). Calculativeness, trust, and economic organization.

Journal of Law and Economics. 3 6 .453-486.
Wilson, S. (1997). Certificates and trust in EC. Information Management and

Computer Security. 5. 175-181.
Winaker, G. & Lubner-Rupert, J. (1983). Dress style variation related to

perceived economic risk. Home Economics Research Journal. 11.343-351.
Wintrob, S. (1995). Cyberspace consumers still just looking, not buying.

Computing Canada. 21. 34.
Zikmund, W. G. & Scott, J. E. (1973). A multivariate analysis of perceived risk,

self-confidence, and informational sources. In S. Ward & P. Wright (Eds.), Advances in
Consumer Research. 1 (pp. 41-54). Urbana, IL: Association for Consumer Research.
Zucker, L. G. (1986). Production of trust: institutional sources of economic

structure, 1840-1920. Research in Organizational Behavior. 8 . 53-111.
131
BIOGRAPHICAL SKETCH
Michael P. Kehoe was born in St. Clair, Michigan, on May 19, 1968. After
graduating from South Mecklenburg High School in Charlotte, N.C., he attended East
Carolina University in Greenville, N.C. and received his Bachelor of Science and
Masters in Education degrees. He began teaching at East Carolina University while a
graduate assistant and moved to North Carolina State University in Raleigh, N.C.,
where he taught an additional two years in the Department o f Physical Education.
Deciding to pursue a doctorate in Sport Administration, he moved to Tallahassee and
enrolled at Florida State University in the Fall semester, 1998. During his tenure at
Florida State University, he worked as the Coordinator of the Lifetime Activities
Program in the Department of Physical Education. Shortly after arriving in
Tallahassee, he accepted an internship with the Tallahassee Tiger Sharks Professional
Hockey Franchise and became the Director of Ticket Operations within a year. In his
professional career, he has also worked with professional hockey franchises in El
Paso, TX, and Port Huron, MI.
132

Thesis 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Thesis 1

Uploaded by

Copyright:

Available Formats

INFORMATION TO USERS

The quality of this reproduction is dependent upon the quality of the

Oversize materials (e.g., maps, drawings, charts) are reproduced by

Photographs included in the original manuscript have been reproduced

ProQuest Information and Learning

THE ROLE OF PERCEIVED RISK AND CONSUMER TRUST

IN RELATION TO ON-LINE SHOPPING AND SECURITY

A Dissertation submitted to the

ProQuest Information and Learning Company

Charles Imwold. Chair. Department of Physical Education

I would like to express my gratitude to my major professor. Dr. Charles

List of Tables ........................................................................................................... viii

REVIEW OF THE LITERATURE ................................................ 8

Electronic Com m erce............................................................. 9

2. METHODOLOGY AND PROCEDURES ..................................... 80

3. RESULTS .AND DISCUSSION ......................................................... 89

Demographic Information ....................................................... 91

4. SUMMARY, CONCLUSIONS, AND FUTURE RESEARCH ....... 108

Summary ................................................................................... 108

.APPENDICES ...................................................................................... 113

Informed Consent ..................................................................... 113

REFERENCES ........................................................................................ 119

BIOGRAPHICAL SK ETCH ................................................................... 132

1. Summary o f Descriptive Statistics............................................................. 90

3. Frequency oflntem et Use ................................................................. 92

4. Coefficient Alphas - Criterion Risk and Risk Component S cales 93

5. Risk Component Inter-correlational Measures ....................................... 94

6. Risk Perception - Regression Model Summary 95

7. Descriptives - Perceived Risk Scale (PRS)................................................. 98

8. Descriptives - Trust Security Technology Scale (TST) ......................... 99

9. Means o f Risk Perception in Methods o f Shopping ........................... 100

10. On-Line Shopping Compared to Other Methods o f Shopping ............. 101

11. Correlation o f PRS and Security Technology Knowledge (K N O W ) 102

13. Correlation o f PRS and FREQ ................................................................ 104

14. PRS Comparison o f Non Shoppers and Shoppers .......................... 106

15. TOM Comparison o f Non Shoppers and Shoppers .......................... 107

16. TST Comparison o f Non Shoppers and Shoppers .......................... 107

line shopping and the lack o f academic-based research on Internet-related consumer

Since the Industrial Revolution, technology has continued to advance at a

on a conversation. The discovery o f penicillin and several vaccines have virtually

provided with a global telecommunications network, a virtual home entertainment center,

limited only by one’s own imagination.

future (Shon and Swatman, 1998).

from 66.9% in 2000 to 72.3% in 2001.

a prime factor (Ratnasingham, 1998a). In the developmental phase o f the basic

Thomas, Usrv and Egan. 1995).

Internet network and site operators. CommerceNet/Nielsen (1996) conducted a follow-

(1998) describe a body o f research that demonstrates a growing population o f ex-Intemet

Internet are young, well-educated, and computer-literate - a highly desirable market to

virtually every business venture on-line. “Those interested in promoting electronic

o f potential buyers remain stable. Marketing practitioners are increasingly concerned

significant hemorrhaging of Internet users will be o f concern to them” (Kingsley and

Anderson, 1998, p. 308).

negative consumer perceptions o f Internet commercial ventures. From a technical

and creating an image o f instability (Bell and Tang, 1998).

perceptions of questionable Internet security procedures are then compounded and

distinct differences between Web marketing and conventional marketing methods.

o f the Web domain (Hoffman and Novak, 1996).

perception o f security surrounding on-line shopping. Two areas o f consumer behavior

Sport organizations and administrators should be encouraged by some o f the

demographics o f the average Internet user, as reported in a 1998 study by e-Marketer

ESPN.Sportszone (Caskey and Delpy, 1999).

to enhance the sport practitioner’s understanding o f the elements involved in the