Professional Documents
Culture Documents
Management Information Systems Research Center, University of Minnesota
Management Information Systems Research Center, University of Minnesota
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at .
http://www.jstor.org/page/info/about/policies/terms.jsp
.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of
content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms
of scholarship. For more information about JSTOR, please contact support@jstor.org.
Management Information Systems Research Center, University of Minnesota is collaborating with JSTOR to
digitize, preserve and extend access to MIS Quarterly.
http://www.jstor.org
1996 167
MISQuarterly/June
168 MISQuarterly/June1996
MISQuarterly/June1996 169
1996
170 MISQuarterly/June
1996 171
MISQuarterly/June
Table 2. Dimensions
172 MISQuarterly/June1996
174 MISQuarterly/June1996
Stage 1: Techniques/Proce
Specifydomainand dimensionality Literature
review
of the construct Experiencesurveys
'I
+ Focusgroups
Generatesampleof items
Stage | 2: I
I I
Administerinstrumentto sample I
i
Assess itemsand instrument
factoranalysis
Exploratory
(purifyitemsand/orunderstanding Interitem
reliabilities
of construct)
Comparealternativemodelsof factoranalysis
Confirmatory
the construct
(LISREL)
Stage 3:
Assess internalvalidity factoranalysis
Confirmatory
- construct (LISREL)
- concurrent Pearsoncorrelations
- nomological OLSregressions
MISQuarterly/June1996 175
1996
176 MISQuarterly/June
* n's reported in this table are for the total samples. These n's may differslightly from those in
subsequent tables, which report effective sample sizes (in which responses with some missing
data have been removed).
**All 186 of these students completed a "test"of the instrument,and these 186 responses were
used for the "generalizability"exercise. One hundredtwenty-threeof the 186 also completed the
retest"of the instrumenteight weeks later)and were used in the "test-retest"exercise. Halfof the
retest"group was randomlyselected to complete a "cynicaldistrust"scale; 59 of these, who had
also completed the "test,"were correlatedwiththe "cynicaldistrust"scale.
These 170 students were randomlyassigned to complete, in additionto the informationprivacy
***
instrument,eithera "paranoia" or a "socialcriticism"scale.
MISQuarterly/June1996 177
Technique/ Samples
Stage* Task Procedure (See Table 3a) Results
1 Interpret Semistructuredinterviews 1, 2 Preliminaryresearch
organizational understandingof
participants' constructdomain
understandingof and dimensionality.
matterspertainingto
construct domain and -
dimensionality
1 Improveinterpretation Semistructuredinterviews 3 Refinedresearch
of the organizational understandingof
participants' constructdomain
understandingof and dimensionality;
matterspertainingto used in generating
constructdomainand set of 72 survey
dimensionality items.
1 Assess content validity Judgingexercise 4 33 items discarded,
-
of initial item set resulting in a 39-item
set.
1 Test content validityof Judgingexercise 5 Itemsdeleted and
reduced item set reworded,resulting
in a new 32-item set.
1 Test refinementof Follow-upinterviews 6 Confidencein refined
constructdomainand understandingof
dimensionality constructdomain
prliir. and dimen$ionality,
1 Pilottest preliminary Focus group:fillin survey 7 Itemsdeleted and
survey and discuss i reworded,resulting
jina new 20-item $et.
2 Assess items and Exploratoryfactoranalysis 8 20 items includedon
instrument and interitemreliabilities instrument.Deleted
3, added 2, and
modified8 forclarity,
resultingin a 19-item
instrument.
9 19 items includedon
instrument.Deleted
2, added 8, and
modified6 for clarity,
resultingin a 25-item
instrument.
10 Secondary internal
and externaluse
converged intoa
single dimension.
Also deleted items
that did not clearly
load onto single
factors and items
that were
redundant,resulting
in a 15-item
instrument(see
Table 1). Of these 15
1996
178 MISQuarterly/June
* As shown in
Figure 1.
1996 179
MISQuarterly/June
1996
180 MISQuarterly/June
the subscales: Collection (4 items), Errors(4 measures than competing models. The chi-
items), UnauthorizedSecondary Use (4 items), square statistics for all models estimated were
and ImproperAccess (3 items). Examinationof significant,but-given the large samples used
the exploratory factor analysis revealed that in the study-the significantchi-squares were
the unauthorizedinternal secondary use and likely artifacts of sample size (Bentler and
the external secondary use dimensions had Bonett,1980) . Thus, a comparisonof the GFI,
converged onto a single factor,the salient fea- AGFIand RMRmeasures-which are indepen-
ture being that the secondary use of the infor- dent of sample size (Bagozzi and Yi, 1988)-
mationhad not been authorizedby the individ- was performedto assess the model's fit. As
uals involved. Chosen items all had factor shown in Table4, boththe GFIand the AGFIof
loadings greaterthan .60 on the same factorin the four-factormodel are higherthan those for
all factoranalyses performed.(The finalinstru- the three competing models. Further, RMRs
ment is shown in Table 1.) are also considerablyhigher in the competing
models (more residualvariance remains)than
Stage 2 included one final step: to determine in the hypothesized model. Finally,the coeffi-
whether the hypothesized model of a four-
cient of determination,a criterionfor evaluating
dimensionconstructprovidedthe best fitto the
data as comparedto alternativeplausiblemod- the globalfitof a model by assessing explained
els. To accomplish this, the overallfits of four variance(i.e., how well the items serve as joint
measures of the latent variable), was exam-
theoretically plausible alternative models (a
unidimensional model, a three-dimensional ined. As shown in Table 4, the coefficient of
determinationis as high or higher in the four-
model, a model with two main factors and
three sub-factors, and the hypothesized four- factor model as in the other three models.
factor model) were compared using the CFA Thus, of the fourmodels compared,the hypoth-
esized four-factormodel providedthe best fitto
program LISREL (Joreskog and Sorbom,
1984). Four statistics provided in the LISREL the data and was ultimatelyaccepted.
programthat are commonly used to compare
model fits are the non-adjusted and adjusted
goodness-of-fitindices (GFIand AGFI,respec- validationresults-
Instrument
tively),root mean square residuals (RMR),and 3
chi-squarestatistics (Bagozzi and Yi, 1988). stage
Comparison of these statistics (see Table 4) Stage 3 included assessments of the instru-
suggests that the hypothesized four-factor ment's internal validity, its reliability,and its
model performsbetter on the overall model fit generalizability.
MISQuarterly/June1996 181
1996
182 MISQuarterly/June
These results are froma sample of 147 business graduatestudents fromFall 1992. Allloadings
above .40 are listed above.
Interitemreliabilities(Cronbach'salpha):Collection,.88; Errors,.84; Secondary Use, .80; Improper
Access, .75.
1996 183
MISQuarterly/June
1996
184 MISQuarterly/June
MISQuarterly/June1996 185
theoretical relationships to levels of concern, trust, (2) paranoia, and (3) social criticism.
and (3) some future behavioralintentionsthat Therefore,the instrumentwas administeredin
should be associated withlevels of concern. conjunction with scales measuring the sug-
gested related personalityfactors to separate
Antecedents: Two theoretically plausible
samples of undergraduatebusiness students
"causal"variables were assessed. It has been as follows:
suggested that (a) previous personal experi-
ences may impact one's concerns about infor- It is argued that cynical distrustmay be posi-
mation privacy (Culnan, 1993; Stone and
tively correlated with concern for information
Stone, 1990), and (b) media coverage may privacy in that individualswith high levels of
increase the.level of concern about information distrust may also be more concerned about
privacy(Westin, 1990). These assertions lead the use and dissemination of their personal
to a reasonable set of propositions.Itwas pro-
information.Examinationof the responses to
posed that individualswho had been exposed the "cynicaldistrust"and the "overalllevel of
to, or been the victim of, personal information
misuses should have stronger concerns concern"scales supports this contention (n =
59,18 correlation = .30,19 p< .05).
regardinginformationprivacy.To that end, 77
business graduate students from two geo-
Paranoia is a second personalitytrait argued
graphically dispersed U.S. universities were to be positively correlated with concern for
asked to complete our instrument and were
informationprivacy.Itis plausiblethat individu-
also asked to answer the followingquestions
als who are paranoidare also likelyto be more
(on seven-point Likertscales) (1) "Howoften
have you personally been the victim of what concerned about the privacyof their personal
information. When both the paranoia scale
you felt was an improperinvasion of privacy?"
and (2) "Howmuch have you heard or read (Fenigstein and Vanable, 1992) and the infor-
duringthe last year about the use and poten- mation privacy concern scale were adminis-
tial misuse of computerizedinformationabout tered to undergraduates,a significantcorrela-
consumers?"17The first question examines, to tion was observed (n = 87, correlation= .37,
some degree, the respondent's perception of p< .001).
his or her own experiences with respect to
information handling. The latter question The social criticism scale measures "the
examines the respondent's level of knowledge degree of acceptance or rejection of the val-
regardingcollection and use of personal infor- ues, norms, and practices of...society"(Jessor
mation. Results of regression analyses, with and Jessor, 1977). It is proposed that con-
overallconcern as the dependent variableand sumers who reject society's values, norms,
experience and knowledge as independent and practices would also be highlyconcerned
variables, strongly support these research about informationprivacy.Correlationalanaly-
propositions,with beta coefficients of .16 and sis of responses to the information privacy
.22, respectively(p < .01 for both). concern instrument and the social criticism
scale showed supportfor this proposition(n =
Individual Personality Factors: Prior
83, correlation = .37,20 p< .001).
research has suggested that informationpriva-
cy concerns may also be associated withvari-
ous personalityfactors (e.g., Berscheid, 1977; 18Studentsin this sample were also used in the test-retest
Cozby, 1973; Kelvin,1973; Lauferand Wolfe, reliabilityexercise (see section below). They responded
to the "cynicaldistrust"scale followingthe "retest"of the
1977; Levin and Askin, 1977; Stone, 1986; privacyconcern instrument.The reportedcorrelationuti-
Warrenand Laslett, 1977). Some factors that lizes the "test"score for the privacyconcern instrument
one might expect to be correlated with infor- (completedeightweeks earlier).
mation privacyconcerns include: (1) trust/dis- 19The correlationsin this section refer to our OVERALL
scale.
17Both of these questions were patterned after those in 20This correlationis reported as an absolute value; its
Equifax(1990). directionis consistentwiththe proposition.
186 MISQuarterly/June1996
MISQuarterly/June
1996 187
correlations for individualitems ranged from chy of concern regardingthe various dimen-
.39 to .66 (p< .001 for all). sions. It was observed that the highest levels
of concern were associated with Improper
Access and Unauthorized Secondary Use.
Lowerlevels of concern were associated with
Generalizability Collectionand Errors.Withinthese categories,
however, there seem to be some distinctions
To achieve its full usefulness, an instrument between samples (see Table 9). For example,
should be applicable to "othersubjects, other ISACA members ranked Unauthorized
groups, and other conditions"(Kerlinger,1986, Secondary Use as theirtop concern, while the
p. 299). Such a concern is includedunder the other respondents indicated more concern
rubricof "externalvalidity,"which is defined as about ImproperAccess.
"persons,settings, and times to which findings
can be generalized"(Straub 1989). While our
instrumentwas initiallybased upon inputfrom
numeroussources (as described in Stage 1), it Discussion
must also be validated with differentpopula-
tions. To achieve generalizabilityof the instru-
This study providestwo majorcontributionsto
ment, it was administered to, and validated
the privacyliterature:(1) a frameworkdescrib-
with, two diverse sample populations in addi-
tion to the sample of graduate business stu- ing the primarydimensions of individuals'con-
dents: undergraduate business students (n= cerns about organizationalinformationprivacy
186) and U.S.-based members of the ISACA practices and (2) a validated instrument for
(n= 354).22 As can be seen in Table 8, the measuring those concerns. The development
results of CFA analyses on data from these process includedexaminationsof privacyliter-
ature and U.S. laws; experience surveys and
samples supports the validityand reliabilityof
the instrument across these populations as focus groups; and the use of expert judges.
well. Specifically, the validationof the instru- The resultwas a parsimonious15-item instru-
ment across two groups as dissimilar as ment with four subscales tapping into dimen-
sions of individuals'concerns about organiza-
undergraduatestudents (who have, arguably,
a low level of understandingregardingactual tionalinformationprivacypractices.The instru-
ment was rigorously tested and validated
industry practices) and IS auditors (who,
across several heterogenous populations,pro-
arguably, should represent a populationwith
high on-the-job knowledge) stands as strong viding a high degree of confidence in the
evidence of the instrument's generalizability scales' validity,reliability,and generalizability.
(Gordon,et al., 1986). Before considering implications for
researchers and managers, two limitationsof
this study should be noted. First, all scale
Additional Findings development processes require a number of
"judgmentcalls"by researchers based on their
The relationshipsbetween the subscales and analysis of the literature;on inputfrom experi-
individuals'response patternsseem to provide ence surveys, focus groups, and expert
additionalinsights into the underlyingnatureof judges; and on levels of acceptabilityfor vari-
the informationprivacy concern construct. As ous statistical measures. In particular,based
can be seen in Table 9, there may be a hierar- on inputfrom various sources, we concluded
that one of the dimensions, CombiningData,
was actually represented by two of the other
22The ISACAsample was also utilizedfor some tests of
nomologicalvalidity;this student sample was also uti-
dimensions, Unauthorized Secondary Use
lized for the "test-retest"evaluationand for one test of (External)and Collection.We also concluded
nomological validity(correlationwith "cynicaldistrust") that Reduced Judgmentwas not a part of the
(see Tables 3a and 3b). major "individuals'concerns about organiza-
188 MISQuarterly/June
1996
Undergraduate Business
Students
Factor Item (n=186) IS Auditors (n=354)
SFL CR AVE SFL CR AVE
Collection A .675 .759
E .559 .772
J .941 .878
0 .689 .667
.81 .53 .86 .60
Errors B .647 .637
F .841 .864
H .698 .775
L .857 .890
.85 .59 .87 .64
UnauthorizedSecondary Use C .691 .
.733 r\ r
G .636 .726
K .671 .693
M .898 .838
.82 .54 .84 .56
ImproperAccess D .691 .785
.754 .598
N .877 .880
.82 .65 .80 .58
Chi-Square 139 (84) 330 (84)
NCNFI .96 .91
RMR's .063 .074
Coeff. Determ. .998 .998
Legend: SFL = StandardizedFactorLoading
CR = Composite Reliability
AVE= Average VarianceExtracted
NCNFI= Non-centralizedNormedFitIndex
RMR= Root Mean-squaredResidual
Table 9. Subscales
Mean (S.D.)
Mean (S.D.) for Mean (S.D.)
for MBAs Undergraduates for ISACAMembers
Subscale (n = 146) (n = 183) (n = 337)
Collection 5.28 (1.19) 5.11 (1.04) 5.45 (1.16)
Errors 5.36 (1.06) 5.57 (.99) 5.46(1.11)
Unauthorized
Secondary Use 5.77 (1.22) 5.74 (1.14) 6.15 (1.07)
ImproperAccess 6.10 (.89) 5.83 (1.01) 5.90 (1.01)
OVERALL 5.63 (.78) 5.56 (.83) 5.74 (.86)
Largermeans are associated withhigherlevels of concern (see Table 1.).
MISQuarterly/June1996 189
1996
190 MISQuarterly/June
of positivist and interpretive research (Lee, cal approaches are being adopted for tracking
1991).23 To the extent that researchers con- purposes. Itis acknowledgedthat IS managers
firm some of the theoretical linkages in posi- and executives willseldom be in a position to
tivist approaches (e.g., by showing that indi- unilaterallycorrect all the organizationalprob-
viduals exhibit higher levels of concern when lems in these domains since they are likelyto
stimulus materials promptthem to thinkabout involvesome degree of existing organizational
medical data ratherthan financialdata), these policy. Changing existing policy will demand
findings may then feed back to interpretive attention from general managers at a senior
studies (e.g., field studies that examine differ- level. However, IS professionals can be
ent approaches to managing medical data and aggressive in challenging organizationalpoli-
managers' perceptions of differingresponsibil- cies for sharing personal data with outside
ity levels). organizations, and they may insist on tighter
interpretations of the "need to know"when
As privacy increases in importance, it
organizational policies regarding access are
behooves the IS research communityto care- constructed.
fully consider the complexity of individuals'
concerns, the factors that may cause By taking a proactive stance in managing
increased levels of concern, and the outcomes these dimensions of concern, IS managers
of those concerns. The instrumentdeveloped and executives may reduce the probabilitythat
in this study should enable futurework in this onerous regulatory options will be pursued
importantarea. (see Milberg, et al., 1995; Smith, 1994).
Research has shown that increased concerns
about informationprivacyare associated with
formanagers increased levels of governmentalinvolvement
Implications in organizational privacy management
This study, which identified the most central (Milberg,et al., 1995), but so far, managers
have been primarilyreactive in addressing
dimensions of individuals' concerns about
informationprivacy concerns (Smith, 1994).
organizational informationprivacy practices,
can serve as the first step on a path of proac- Managers should be alert to the value-laden
tive management. By carefully considering choices that are made by systems designers
theirown organizations'approaches to the four and implementers (Kling, 1978; Mowshowitz,
major dimensions of concern-Collection, 1976), because these choices can ultimately
Errors, Unauthorized Secondary Use, and impactthe privacydomainand reactionsthere-
to. This study, along with future research
Improper Access-managers can identify
underlying problems and take corrective addressing the antecedents and conse-
actions as appropriate.Table 10 contains a set quences of various concerns, may allow man-
of possible recommendations that might be agers to evaluate specific situationalcontexts
embracedfor each of the dimensions. and manage responses to informationman-
agement practices, thus avoiding costly con-
As an example, IS professionals can address sumer and/orregulatorybacklashes.
secondary use issues by identifyingthe sec-
ondary uses of data withintheir organizations
and ensuring that the appropriatetechnologi-
Acknowledgements
23 f course, the choice of researchapproach(es)is
highly The three authors contributedequally on this
contextualand depends on the type of researchquestion research. We gratefullyacknowledge several
being asked (Yin,1988), the findingsfrompreviousstud- individualsfor their assistance in administering
ies (Bonoma, 1985), and the levels of understanding
regardingthe phenomenonof interest (Lee, 1.991).See
versions of the survey instrument:Tom Cooke,
Bonoma (1985), Lee (1991), Orlikowskiand Baroudi Elizabeth Cooper-Martin, Mary Culnan, Bill
(1991), and Yin (1988) for a broaddiscussionof the rela- DeLone, Mark Keil, Mike McCarthy, Keri
tionshipsbetween researchapproaches. Pearlson, Craig Smith, Bob Thomas, Suzie
MISQuarterly/June1996 191
1996
192 MISQuarterly/June
MISQuarterly/June
1996 193
1996
194 MISQuarterly/June
MISQuarterly/June
1996 195
Appendix
ConfirmatoryFactorAnalysis
Because an a priorihypothesis is tested, CFA has several advantages over traditionalmethods of
scale validation(Bagozzi, 1983). CFA(1) providesexplicitmeasures to assess constructvalidityand to
correct for the unreliabilityof measures that can contaminate theoretical relations, (2) represents
explicitlythe extent of measurementerror,and (3) overcomes the fundamentalindeterminacy(problem
of non-unique solutions) of exploratory factor analysis. To be more specific, in models where
sequences of relationshipsoccur, it is importantto explicitlyrepresent and controlfor systematic and
randomerrorsin measurement. Failureto do so can lead to biased and inconsistentestimates of para-
meters. Furthermore,most proceduresthat employthe measurementsobtainedfromscale administra-
tions (e.g., correlations,regression, ANOVA)implicitlyassume the absence of randomand systematic
errors in observations. Yet, when Cote and Buckley (1987) applied CFA techniques to 70 published
data sets, they found that measurementerror,on average, accounted for 32 percent of total variance.
CFA goes beyond traditionalvalidation methods, in that theoretical concepts, non-observational
hypotheses, and errorsare explicitlyassessed.
Furthermore,while obliqueor orthogonalexploratoryfactoranalyses are traditionallyused in scale vali-
dation, neitherprocedureyields a uniquesolutionin a statisticalsense. Once a set of factors is found,
an infinitenumberof other equallyacceptable factorscan be formedas non-singularlineartransforma-
tions of the firstset (Bagozzi, 1983). Again, if the researcherattemptsto interpretthe factors, use the
loadings for furtheranalysis, or compute scores to test hypotheses, this implicitnon-uniqueness can
cause problems.CFAyields a uniquesolutionon an a prioribasis. A researcherhypothesizes a model
and then tests the goodness-of-fitof the model on a particularset of data. In addition,CFA is used to
assess the overall fit of this model versus the fit with other models reflectingalternativeunderlying
structuresof this constructto assess validity.
1996
196 MISQuarterly/June