Article history:Received 3 December 2006Received in revised form 25 June 2008Accepted 30 June 2008Available online 9 July 2008
In the new era of a ubiquitously networked world, security measures are only as good as theirweakest link. Home computers with access to the Internet are one of the weaker links as theyare typically not as well protected as computers in the corporateworld. Malicious actors can notonly target such computers but also use them to launch attacks against other systemsconnected to the Internet, thus posing severe threats to data and infrastructure as well asdisrupting electronic commerce. This paper investigates the factors that affect the use ofsecurity protection strategies by home computer users in relation to a specific, but crucialsecurity technology for home – a software firewall. This paper proposes individuals' concern forprivacy, awareness of common security measures, attitude towards security and privacyprotection technologies, and computer anxiety as important antecedents that have an impacton the users' decision to adopt a software firewall. The results of our study suggest that attitudeplays a more important role than perceived usefulness in shaping users' intention to usefirewalls. We attribute this interesting finding to the non-functional nature of firewall systemsthat work best in the background with a complex relationship to users' productivity. Hence, theresults add to our current understanding of Technology Acceptance Model vis-à-vistechnologies that serve non-functional needs such as security. We then present a set ofguidelines to home computer users, Internet Service Providers, e-commerce companies, andthe government to increase home users' adoption rate of privacy and security protectiontechnologies.
The widespread use of personal computers and internetconnections in thehome todayhas profoundlychanged thewayindividuals and society share information and conduct busi-ness. Yet, with this increased power has come an increasingconcern for the security and privacy of information that isprocessed in the home computing environment. Even though amultitude of security and privacy protection technologies (suchas software firewalls, anti-virus protection and proper browsersettings) are available, a recent survey by America Online (AOL)
(N. Kumar),
ll rights reserved.
has shown that a majority of individuals with a home internetconnection do not use even simple protection strategies [3].
This apparent general lack of concern for computersecurity on the home front has big implications beyond thehomes of the affected computer users. Compromised com-puters can be further employed by unscrupulous elements tonot only steal sensitive information of the affected users, butalso to launch attacks against legitimate business interests(e.g., distributed denial of service attacks) thus disruptingelectronic commerce. Such computer crimes result in differ-ent types of losses. According to the Carnegie MellonUniversity's CERT Coordination Center, in 2004, 83% oforganizations faced some type of loss due to electroniccrimes, 56% experienced operational losses, and 25% experi-enced financial losses [9]. Due to the significance of theseimplications, protecting the security and privacy of home
255N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
computers is of direct importance to both individuals andorganizations.
Anti-virus protection, firewall and patches to coversecurity holes in critical software are perhaps among thetop security mechanisms that a consumer can use to protectone's home computing environment. Of these securitymechanisms, a firewall is considered the most effective inprotecting computers and is the most widely used form ofprotection in businesses [9]. The aforementioned AOL survey[3] specifically indicated that among these security technol-ogies, firewall is the least understood and least used in homecomputing environments. According to this survey, whilemore than 80% of respondents had anti-virus programsinstalled in their computers, only 37% had firewall solutionsinstalled. One of the possible reasons for the low use offirewalls is the difficulty faced by individuals using andmaintaining firewall applications when compared to keepingtheir critical software (such as operating systems and internetbrowser) and anti-virus protection up-to date. The relativedifficulty of using the firewall and the low installed base inhome environments provides themotivation for this research.Hence, this paper will specifically investigate factors thatimpact the adoption of firewalls by home computer users.
The next section briefly reviews the relevant antecedentsthat impact home firewall adoption. Section 3 develops theresearch model and presents the hypotheses. Section 4describes researchmethodswhile Section 5 reports the resultsof the study. Section 6 discusses the significance of the resultsand explores further avenues of research. Finally Section 7provides a summary of contributions to theory and practice.
2. Background
2.1. Online threats to networked computers
As computers around the world are increasingly boundtogether by the Internet and the World Wide Web, the role ofcomputers in every day life has evolved from that of primarilya business tool to an entertainment device used in homes byeverymember of the household. Computers have increasinglyassumed a significant role in homes where they are used for amyriad of tasks ranging from word-processing to watching amovie. According to a January 2008 Leichtman Researchsurvey, over 87% of US internet users now employ broadbandconnections. This percentage is even higher in severalEuropean and Asian countries. Such connections tend to be“always on” and enable home users to access a range of high-speed services over the internet.
Unfortunately, this sudden explosion in the number ofinterconnected computers posesmajor security challenges forboth businesses and home users. The last few years have seena huge spike in the level of computer crimes especiallybecause of the internet and the connectivity it affords. Thegrowing frequency and severity of these security breaches,aided in part by the ready availability of tool-boxes allowingeven novices to hack, underscore the importance of homeuser awareness of the numerous security threats that they arefacing. Some of the common threats are posed by:
1. Computer viruses and self-propagating worms causing awide range of disruptions
2. Spyware that collects and reports user information with-out the knowledge of the user; adware that bombards thecompromised computer with unsolicited, annoyingadvertisements
3. Phishing and other related scams that attempt to gleanpersonal information through deceptive emails andweb sites
Home computers are typically targeted by these onlinethreats largely through a combination of unpatched criticalsoftware (with security holes), open ports in systemsresulting in vulnerability, and social engineering.
2.2. Need for institutional strategies to improve home computersecurity
The home computers' susceptibility to malicious attackscan be attributed partly to the users' lack of awareness ofthreats and technology solutions available to protect againstthese threats; yet another reason could be that users areaware of the threats and the common solutions such asfirewalls, but are unwilling or unable to use these protectionmeasures. In today's globally networked world, securitymeasures are only as good as their weakest link. Homecomputers with access to the Internet are one of the weakerlinks as they are typically not as well protected as computersin the corporate world.
The impact of security breaches in home computers hasmuchwider ramifications due to the interconnected nature ofthe computer systems. At the individual level, securitybreaches in home computers can result in loss or destructionof information stored in these computers as well as theft ofpersonal information by malicious hackers who couldeventually use this information for identity theft. Apartfrom affecting the individuals using the computer, vulner-abilities in home computers also increase the threat tobusiness systems by providing an unprotected broadbandinfrastructure that can be used to execute denial of serviceattacks and spread malicious software programs [16]. Also,when employees use their home computers to performbusiness tasks, vulnerabilities in these computers can leadto disclosure of intellectual property and possibly provide avector for attacking their businesses.
Even worse, these computers could used by terrorists toattack critical infrastructure of a country resulting incatastrophic financial and human losses [7]. Hence, thevarious stakeholders involved – government, and corporateentities, especially the ISPs, B2C companies and computerhardware/software vendors – need to devise strategies toincrease home computer users' awareness of commonsecurity threats, the computer security measures availableto protect against these threats as well as step up efforts tofacilitate home computer users' adoption of these securitymeasures. While past research has focused on examiningusers' concern over web security in using specific servicesover the Internet that demand increased security (such asInternet banking) [10], there has been limited attentionfocused on understanding users' awareness of protectionmechanisms for their home computers. This research con-tributes to this effort by empirically investigating the factorsthat impact the adoption of a firewall – one of the crucialsecurity protection technologies – by home computer users.
256 N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
2.3. Users' awareness of computer protection technologies
Awareness is an important concept that has been usedheavily in health and epidemiology research studying risky/risk-avoidance behavior and yet has had very little traction inIS research. Users need to be aware of security technologiesbefore they can be meaningfully asked whether are likely toadopt one of those technologies. Past research has shown thatusers lack awareness of such protection technologies andhence understanding the impact of “awareness” on adoptionhas both theoretical and practical implications. For example,should the government conduct ad campaigns to increaseawareness; should governments push ISPs to do more toincrease awareness; should ISPs provide a free firewall andrestrict internet use if the firewall is turned off? Thesemeasures may be appropriate given the threat of compro-mised home computers to general infrastructure and in caseswhere users have been made aware of the security protectiontechnologies to protect against common threats.
Hence, we believe that adding “awareness” in the contextof studying a risk avoidance behavior using the TAM model isa significant contribution. Specifically studying firewalladoption in this context is another contribution given theimportance of firewall as one of the most effective tools toprevent privacy and security lapses. Unlike anti-virus, firewalltechnologies are more complex, less transparent and moredifficult to use due to the need for periodic maintenance.
Poor adoption of computer protection strategies by homecomputer users can be due to several reasons including thelack of experience of these users in handling security issuesand the true cost involved in addressing these challenges [3].Gainingmore insights into the reasons behind the low level ofadoption of protection strategies employed by individualhome computer users, despite the availability of severalsolutions, can lead us to the development of critical policiesguiding the implementation of effective protection strategies.Recent attempts to address security issues have been movingaway from holding individuals responsible for protectingtheir own systems and towards increasing the role of Internetservice providers in protecting their consumers. Some of thecommon solutions that address several security issues aresummarized in Table 1.
This list is intended to be illustrative rather thanexhaustive. Some of the protection strategies can be used toaddress a wider range of issues than are listed in the table.Among the solutions listed in Table 1, firewall and anti-virusprograms are the most commonly used solutions to address
Table 1Computer security issues and protection strategies
Security issue Protection strategy
Unauthorizedaccess
Access control through firewalls, additional layers of securitythrough password protection, biometrics, etc.
Viruses andWorms
Anti-virus programs, firewalls
Spywareprograms
Anti-spyware, firewalls
Identity theft Credit monitoringPhishing Anti-phishing services, Spam filters, care in providing
personal information
security issues in organizations [22]. While firewalls are usedby about 98% of the companies polled by CSI [28], they areonly employed by about 37% of the households recentlysurveyed by AOL. Due to the relative importance of firewalls inaddressing a wide range of security issues and the lowadoption rate of this specific countermeasure in homes, werestrict our focus primarily to use of firewalls by home users.
2.3.1. Firewall protectionFirewalls can protect against incoming connections by
blocking requests originating from the internet (ingressfiltering) and against outgoing connections to the internetoriginating from the local PC (egress filtering). Some firewallsdo either one or both. Protecting incoming connectionsimposes very little burden on the user as most user activity(browsing the web and e-mail, IM, etc.) is not affected by theaddition of this protection. Blocking outgoing connectionstends to impose more of a burden on the user, as differentapplications will periodically cause the firewall software toissue alerts that require the user to take action to allow theoutgoing connection. Users may become annoyed at this andcould consequently disable the firewall.
Prior to the release of Microsoft Windows XP (we focus onMicrosoft Windows as it remains the dominant operatingsystem in use on home computers), most computers did notcome with firewall software installed. Windows XP initiallyshipped with a basic ingress-only firewall that was turned offby default and required a specific set of non-trivial tasks inorder to enable and configure it. With Windows XP ServicePack 2 (SP2) released in August of 2004 and with WindowsVista, the “Security Control Center” is now prominentlydisplayed and the ingress firewall is turned on by default.Another popular software firewall is ZoneAlarm distributedby Check Point that offers both ingress and egress filtering. Afree version for personal use is available at the ZoneAlarmweb site, while the commercial version costs $49.95 with oneyear of free updates. Comodo is a more recent entrant to thehome firewall software that is available for free and isconsidered effective.
Firewalls may also block legitimate services such as VirtualPrivate Network (VPN) connections and new softwareservices the user would like to enable. In such cases, firewallsmay require additional configuration that may be beyond theuser's capabilities. Again, the response is often to disable thefirewall. Users may also hear stories from acquaintancesabout the difficulties of working with firewall software andmay elect to avoid its use. Firewall software is becomingincreasingly easier to use with improved user interfaces thatfacilitate the configuration tasks and automated downloadingof updates as has become the norm for anti-virus software.However, users still find configuring and using firewalls to bemore difficult than configuring and using anti-virus softwaredue to the relative complexity of tasks that need to beperformed by the firewall software.
2.4. Concern for information privacy
Information privacy has been described as one of the fourmajor ethical issues that arise in the information age [27].Previous research has defined an individual's concern forinformation privacy as that individual's perception of control
257N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
over his/her personal information [12,13,17]. As companiesincreasingly use the Internet to conduct electronic commercewith individual users (B2C e-commerce), they have becomeaware of their customers' concern for privacy on theWeb andrealize that any negligence on this issue will affect theconsumer's willingness to conduct transactions online[20,30]. The inappropriate collection and use of informationfor marketing purposes and the recent public security break-ins of data aggregation firms such as Choicepoint and Lexis–Nexis have resulted in an increase in consumers' concern fortheir privacy [31].
Recognizing the importance of consumer concern forprivacy, past research has identified anonymity [20], eco-nomic incentives to disclose information [19] and relation-ships based on trust [13,33] as relevant antecedents. Whilesome of the past research has looked at an individual'sconcern for information privacy along only two dimensions—environmental control and secondary use of information[18,20], Smith et al. [29] proposed collection, unauthorizedsecondary use, improper access, and errors as four dimen-sions. Stewart and Segars [30] argued that these fourdimensions of an individual's concern for privacy are in factfirst order factors of a higher order construct called Concernfor Information Privacy (CFIP). This research uses Stewart andSegars' CFIP as one of the relevant antecedents to anindividual's intention to use home security technologiessuch as the firewall.
We believe the perceptual concern for privacy and securityare intertwined in the digital world as one is concerned withinformation security and privacy online. CFIP is appropriatetheoretically as it covers elements of information security (forexample, one of the dimensions of CFIP is unauthorizedaccess) and is a broader, previously validated construct (witha distinguished 15 year history beginning with Smith andCulnan's work in the 90s) that measures several dimensionsof information security and privacy. CFIP is particularly wellsuited given the context of the study— adoption of firewall. Afirewall is a versatile security technology that is often the firstline of defense and does many things that can prevent bothloss of data and loss of privacy. For example, a firewall canprotect against unauthorized access attempts to a computerby a remote attacker (the ingress firewall offers this protec-tion). An even more critical function that a firewall can carryout is to protect locally installed programs from commu-nicating out to the internet (the egress filtering features). It isthis latter feature that is especially important when attempt-ing to protect private information. Spyware and Virusscanners offer some protection but they must be constantlyupdated with new signatures to match existing spyware,keystroke logger and virus threats. An egress firewall canprotect private information from being transmitted out to theattacker by blocking all unregistered (or user restricted)applications from communicating.
In summary, individual awareness of computer securityand privacy threats and the technologies that can be used forprotection against these threats has become highly criticaldue to the increasing frequency and severity of incidents thatresult in significant economic losses. While such an aware-ness can be expected to lead to widespread use of protectiontechnologies, it is not so in practice. This leads us to thequestion: “What are the factors that predict an individual's
intention to use or not use security and privacy protectionstrategies?” In the above sections, we have highlighted theimportance of individual's awareness of security and privacyprotection technologies and concern for information privacyas key factors that are to be considered in understanding theuse of these protection technologies. In the following sections,we develop and test a researchmodel to gain insights into thefactors that influence the use of these protection technologies.
3. Research Model
The Technology Acceptance Model (TAM) has been usedwidely in predicting an individual's technology adoptionintention [11,24,35–37] and will be used as one of the maincomponents of our research model. Traditionally, intention toengage in a behavior has been an important construct thatpredicts actual behavior better than either attitude towards abehavior or a set of beliefs about that behavior [2,14,36].Intention to engage in a behavior has in turn been known tobe predicted either by attitude towards that behavior as in theTheory of Planned Behavior [2] or by a set of beliefs as in theTechnology Acceptance Model [14].
TAM is widely considered an important theory in the ISfield and the basic configuration of the model is well known(as enumerated at the end of this section through hypothesesH4a–H6). However, previous research has shown evidence forthe argument that “TAM's inherently parsimonious naturehas excluded other critical belief constructs that are necessaryto fully capture and mediate the influence of all externalvariables on user acceptance and subsequent usage behavior”[21]. Benbasat and Barki [6] in a recent research commentaryargue that future research intending to study adoptionbehavior should investigate the antecedents of the salientconstructs of TAM – such as perceived usefulness – in order toexplain the specific adoption behavior better and add to thetheory in context while still validating the cumulativeknowledge accumulated over the years. Specifically, theypropose that different adoption contexts should elicit differ-ent, specific beliefs as antecedents and that these specificbeliefs would provide more actionable suggestions to designand practice than simply argue for increased usefulness. Thisresearch agrees with the assessment and proposes threespecific beliefs as antecedents in the context of firewalladoption: individual's awareness of security technologies,CFIP and computer anxiety (Fig. 1).
While efforts to raise user's awareness of computersecurity issues is increasing (AOL's 2005 television adcampaign focusing on security is one example), an openquestion remains as to whether or not users fully appreciatethe connection between vulnerabilities, protections and whatis at stake in terms of the potential for financial loss and lossof privacy. Hence, this research posits that users' awareness ofsecurity technologies that address common vulnerabilities isone of the relevant antecedents. Users' awareness of securityand privacy protection technologies and thereby the use ofthese technologies may also be impacted by the extent towhich they are concerned about information security andprivacy. We argue that individual's who are aware of thesecurity features and their benefits [5] are more likely toperceive the firewall as useful and are likely to have positiveattitude towards using it. Thus, this paper posits that an
Fig. 1. General research model.
258 N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
individual's awareness of security measures and concern forprivacy will be the relevant antecedents to the TAMconstructs that can help explain that individual's decision touse firewalls at homes. Similarly, individuals who areconcerned for their privacy as exemplified by their beliefson four dimensions of CFIP are more likely to take steps toprotect their privacy. Evidence from recent research showsthat Internet users are often concerned about their informa-tion privacy [15]. This concern for information privacy oftenhas implications for user behavior, specifically their adoptionintention behavior [4,26]. As software firewalls are among themost important technologies that could be used to protect ahome computer, this research posits that users who areconcerned for their information privacy aremore likely to findthe firewall to be a useful technology and will have a positiveattitude towards using it. Hence, we hypothesize that:
H1a. Awareness of security measures has a positive impacton perceived usefulness of firewalls in protecting homecomputers.
H1b. Awareness of security measures has a positive impacton attitude towards using firewalls at home.
H2a. An individual's concern for information privacy (CFIP)has a positive impact on perceived usefulness of firewalls inprotecting home computers.
H2b. An individual's concern for information privacy (CFIP)has a positive impact on attitude towards using firewalls athome.
This research proposes Computer Anxiety – the fears usersfeel in working with computer based technologies [32] – asanother antecedent. This construct is especially relevant inthis context as the penetration of personal computers with
internet connections has reached high levels in the house-holds ofmost developed countries. This ubiquity of computershas resulted in the availability of awide variety of applicationsin home settings (online banking to music downloads), thusattracting evennovices to use the computer for relatively basictasks such as browsing the Internet. Unfortunately, thecomputer skill level that allows a user to browse the internetmay not be enough to perform other tasks such as protectingthe computer from online threats. Hence this research positsthat the construct computer anxiety may help explain theindividual adoption decision of a firewall by exerting aninfluence through perceived ease of use and awareness ofsecurity measures. Hence, we posit that:
H3a. Computer anxiety has a negative impact on perceivedease of use of firewalls.
H3b. Computer anxiety has a negative impact on an indivi-dual's awareness of security measures available to protectcomputers.
The Technology Acceptance Model (TAM) has been usedprimarily to predict an individual's adoption behavior at work-place settings. In these settings, perceivedusefulnesshas typicallybeen shown to be dominant over perceived ease of use andattitude in predicting an individual's intent to adopt a particulartechnology [36]. However, TAM has lately been used to predictadoption behaviors inwider contexts such as online shopping. Inthese settings, perceived usefulness was not the only dominantvariable in predicting an individual's adoption behavior [24,34].
In view of these recent developments and considering thecontext of our research – adoption of security technologies athome – we used the Technology Acceptance Model with thefollowing variables used in earlier research: perceived ease ofuse, usefulness and attitude. The original TAM as well as otherrecent research theorized perceived usefulness and perceived
259N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
ease of use as antecedents of attitude [14,37]. While perceivedenjoyment and flow have been shown to have an impact onadoption in hedonistic environments, we do not think thatthey are appropriate for the non-hedonistic task (adoption ofsecurity technologies at home) under investigation. Hence,we hypothesize that:
H4a. Perceived ease of use of firewalls will have a positiveimpact on perceived usefulness of firewalls.
H4b. Perceived ease of use will have a positive impact onattitude towards using the firewall.
H5a. Perceived usefulness of firewalls will have a positiveimpact on attitude towards using firewalls.
H5b. Perceived usefulness of firewalls will have a positiveimpact on intention to use firewalls.
H6. Attitude towards using firewalls will have a positiveimpact on individuals' intention to use firewalls.
4. Research design
A survey methodology was utilized to test the proposedresearch model. For this study, we recruited 130 studentsfrom a large public university in the United States of America.The participants were paid an honorarium of $5 each forparticipating in the study. They were also told that they had achance of winning one of the two $50 cash prizes if theycompleted the survey in its entirety as a part of the incentivescheme. Responses from 10 participants were dropped due tomissing information and were not used in further analysis.The participants have been using the internet for the last6.6 years, spent about 29 hours per week using the Internet,and had bought products online about 15 times in the lastyear (average figures). Please see the conclusions section for adiscussion of the implications and limitations of usingstudents as participants in this study.
This research used previously validated scales for theconstructs concern for information privacy and computeranxiety [30,32,36]. The items for constructs perceived useful-ness, perceived ease of use, attitude and intention to use wereadapted from previous TAM literature to refer to firewalls[1,36]. The items for security awareness measures werederived from the characterization of the commonly usedcomputer security protection strategies listed in major
consumer web sites. The original items used to measureeach construct in this research are listed in Appendix A.
5. Results
A Confirmatory Factor Analysis (CFA) was conducted usingPLS to determine the item-factor loadings (with the originallist of 42 items and 10 constructs). As a result of this analysis,three items – CA1, UA2 and SU3 – were dropped due to poorconvergent and discriminant validity. The results showed thatthe rest of the 39 items loaded higher on its correspondinglatent variable and lower on other latent constructs thusindicating good convergent and discriminant validity. Factorloading coefficients (Appendix 1) of all items were significantwith t-values exceeding 1.96. Table 2 presents the compositereliability. These estimates exceed the recommended valuesof 0.7 for reliability. Table 2 also shows the square root ofaverage variance extracted (AVE) on the diagonal and thecorrelation between the latent constructs on the off-diagonalposition of the matrix displayed. The square root of the AVE ofevery construct exceeds the correlation between that con-struct and all other constructs signifying good discriminantvalidity.
PLS was used to analyze the research model proposed(Fig. 2). The results show broad support for the researchmodel (with eight of the eleven hypotheses supported).
6. Discussion
The results of the PLS analysis show that computer anxietyhad a significant negative impact on both the users' aware-ness of security measures available to protect their homecomputers as well as the perceived ease of use of the firewall.Users' awareness of top security measures against vulner-abilities subsequently influenced the perceived usefulness offirewall technology and their attitude towards using thefirewall. However, users' concern for information privacy hada significant direct impact on perceived usefulness of firewalland not on attitudes towards using the firewall. In otherwords, perceived usefulness seemed to completely mediatethe impact of CFIP on attitude towards using the firewall,while it only partially mediated the impact of awareness ofsecurity measures on attitude.
Perceived ease of use influenced perceived usefulnesssignificantly, but did not have an impact on attitude. Even
260 N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
though the latter relationship results in rejection of one of ourhypotheses, there is evidence to suggest that perceived easeof use typically influences behavioral intention indirectlythrough perceived usefulness and not directly [36]. Users'attitude towards using a firewall had a significant impact onintention to use a firewall. Attitude also completely mediatedthe impact of perceived usefulness on behavioral intention,thus resulting in the rejection of one of our hypothesespositing a direct impact of perceived usefulness on intention.
Fig. 3. Results (exclud
The results of our study show that attitude towards usingfirewall is more dominant than perceived usefulness. Thisjustifies the inclusion of attitude in the research modeldespite evidence to the contrary in work settings [36]. Wefurther tested a variation of the research model by excludingattitude. The results in Fig. 3 show that while the generalpattern of the results is repeated, the R2 for behavioralintention is about half that of themodel that includes attitudetowards using the firewall.
ing attitude).
261N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
7. Conclusions
7.1. Theoretical contributions
The results of the study show that the three beliefs –
computer anxiety, an individual's awareness of top securitymeasures (to protect her from vulnerabilities) that could beused at homes and concern for information privacy – arerelevant antecedents that have an impact on that individual'sintention to use a firewall in a home environment. Heedingthe call by Benbasat et al. (2005) to add relevant antecedentsin specific contexts of adoption, this research adds these threespecific beliefs as relevant antecedents to TAM in the contextof firewall adoption. This research adds further empiricalevidence for the salience of attitude in a context that isneither hedonistic nor completely utilitarian (using a firewallto protect the home computer). While previous work hasshown that perceived usefulness is the dominant variable inpredicting intention to engage in a behavior in work settings,this dominance changes in hedonistic settings such as onlineshopping [34].
A firewall can be considered to be partly utilitarian as itsvalue lies in its usefulness in protecting the user's computerfrom unauthorized access, while it does not directly improvetask performance or productivity. It is an example of aninformation system that is different from systems such as MSOffice that could directly have an impact on an individual'sproductivity. On the contrary, firewall is an example of asystem that is supposed to be transparent for most of the timethe user works on his computer, requiring an occasionalresponse from the user as it works behind the scenes toprotect the user's computer at all times. In cases where afirewall prompts frequently for users' attention to confirm theauthenticity of ingress and egress access through the Internet,its operation could even be construed as an impediment totask performance or individual productivity in fulfilling tasksin users' work settings. This context can be considered as onewhere the technology is not fulfilling a set of functionalrequirements for the user, but satisfying a set of importantnon-functional requirements. Non-functional requirementstypically define how well functional requirements arefulfilled.
While past research on technology adoption focusing onutilitarian systems typically equate utilitarian systems tothose that fulfill functional requirements of users, those thatfocus on hedonistic systems equate these systems to thosethat fulfill the non-functional requirement of ‘usability’. In ourcontext, firewall systems fulfill users' non-functional require-ments of security and privacy. Interestingly, in this context,attitude towards using the technology plays amore importanta role than perceived usefulness of the technology as borneout by the results of our study. This result is even moreimportant given that the non-functional requirements of‘usability’ and ‘security’ can pose conflicting constraints onthe development of these systems.
7.2. Limitations
The study used university students as participants and theresults as such generalize to this target population. Care mustbe taken in attempting to generalize the results of the study to
the general population at large. When the intention is to testthe theory and the relationship among constructs (general-izability of theory), a student population is as good analternative to random sampling from the population ofinterest [8]. However, when one also desires generalizabilityat the effects level – that is covariances among the constructsof interest – it is desirable to use a sample that is asrepresentative as possible to the population of interest [8].One of the main objectives of this study is to test a particulartheory on the adoption of software firewalls and to that extentuse of convenient sampling of students is adequate.
Generalizability at the effects level is not possible to thelarger population of interest (those who possess a homecomputer with Internet access) and must be confined to thestudent population. However, we note that, the students inthis age group are typically one of the largest groups ofcomputer users from amongst the general population.Students are also likely to be more computer savvy andhence more aware of the computer protection technologiesthan the general population with Internet access at home.This lower awareness of computer protection technologiesamong the general population may in fact be a cause forconcern as this factor has a significant impact in this study onboth perceived usefulness of the software firewall andattitude towards using it and hence could become evenmore important.
7.3. Implications for institutional strategies to improve computersecurity
An insecure computer at home not only affects theindividual who owns the computer, but also the resourcesof networked entities around the world. These resourcescould either be information (e.g. launching an attack to stealcredit card numbers from a bank) or infrastructure (e.g.hacking into systems used to control dams, power grids, etc).Hence it is important that Institutional stakeholders –
government, private sector and ISPs – should take a moreactive role in educating the individual home computer userson critical security vulnerabilities as well as on the role ofcritical technologies in protecting the computers. We believethat, in the not too distant future, just as individuals areexpected to be responsible for taking reasonable steps toprotect their homes from harboring any illegal activity, theyshould also be held responsible for taking reasonable steps toprotect their home computers so that they cannot be used forillegal purposes. While individuals cannot be expected to beaware of all the threats to a networked computer, it is possibleto educate the users on reasonable steps they can take tosecure their home computers and encourage the use of thesesecurity measures.
For example, firewall software, acknowledged as one ofthe essential security measure in protecting computers, isbeing used by only 37% of the households as opposed to 98%of the organizations surveyed [3]. This is clearly an undesir-able situation. Hence, Institutional stakeholders should playan enabling role in educating home users on their responsi-bilities and facilitating the adoption of security measures athome to protect their computers. This research shows thatincreasing one's awareness of security technologies andconcern for one's information privacy through public service
262 N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
announcements from all stakeholders could educate usersand help in securing their home computers. The relativeimportance of computer anxiety also shows that softwarecompanies designing these security technologies in general,and firewalls in particular, must pay particular attention toease of use issues. Given the latent nature of securitytechnologies (staying in the background, protecting thecomputer), these systems should be designed to be astransparent to the users as possible. The default settingsshould also err on the side of caution by using reasonablesecurity standards. While this places more of the burden onthe home users in terms of permitting access to differentprograms, this is a reasonable tradeoff given the intercon-nected nature of the vulnerabilities and the implications forother entities.
We believe that the pattern of the results – the relativeimportance of usefulness, ease of use and attitude – willchange based on the security technology being studied.Further, depending on the security technology being studied,the mix of antecedents may even change. For example, anti-virus technology generally ships with the systems on a trialbasis, gets a lot of coverage in the press in terms of protectingagainst viruses and is more transparent to the users in itsworkings than a firewall. Future research should evaluate theimpact of availability and transparency of different securitytechnologies on the adoption of these technologies. Theresults of such a study will shed more light on whetherprotections using a software firewall should be mandatorywhen users decide to get an internet connection for theirhome. Investigating transparency of software would enabledesigners of security systems to pay more attention to theprovision of reasonable security standards as default. Futureresearch can focus on examining the differences in adoptionof general and system-specific protection measures [39]. Also,examining the integration of the model developed here withmodels developed for other contexts might prove to be useful.For example, perceived risk of various threats in differentcontexts [25], trust [23], and awareness of protectiontechnologies may be brought together to examine theintention of home computer users to use a variety of serviceson the Internet ranging from e-government to peer-to-peersharing. Further studies examining home computer users'adoption of various security and privacy protection mechan-isms can also distinguish between affective and cognitiveaspects of attitude [38].
In summary, this research has important implications forhome computer users, developers of security and privacysolutions, organizations that provide on-line services andpolicy makers in this area. Home computer users anddevelopers should consider the important tradeoffs betweensecurity and usability in using protection strategies in theircomputers. Policy makers should consider the share ofresponsibility to be taken by different stakeholders involvedin offering and using protection strategies. They should alsorecognize the importance of communicating the criticality ofusing security and privacy protection technologies to homeusers to increase their awareness and thereby the use of thesetechnologies. Implications for researchers include the relativeimportance of attitude towards protection strategies and itsfar-reaching impact on other types of technologies that fulfilldifferent types of requirements.
Acknowledgements
Wethank thePSC-CUNY for its supportof thisproject.Wealsoappreciate the valuable feedback provided by Dr.Marios Koufarisand Dr. Raquel Benbunan-Fich in improving this manuscript.
Appendix A. List of constructs and items used
Construct
Itemlabels
Items
Itemloadings
t -Values
Perceivedusefulness
PU1
Firewall system is useful inprotecting my home computer
0.79
17.18
PU2
Firewall system improves myperformance in protectingmy home computer
0.82
10.55
PU3
Firewall system enables me torespond to threats (e.g. hackers)to my home computer faster
0.85
15.47
PU4
Firewall system enhances myeffectiveness in protecting myhome computer
0.94
74.41
PU5
Firewall system makes it easierto protect my home computer
0.93
76.03
PerceivedEase of Use
EOU1
Learning to operate the Firewallsystem would be easy for me
0.90
37.93
EOU2
I would find it easy to get theFirewall system to do what Iwant it to do
0.93
59.10
EOU3
My interaction with the Firewallsystem would be clear andunderstandable
0.92
35.79
EOU4
It would be easy for me tobecome skillful at using theFirewall system
0.91
45.72
EOU5
I would find the Firewall systemeasy to use
0.92
42.89
Intention toUse Firewall
BI1
I intend to use the Firewallsystem in the next three months
0.97
65.01
BI2
I predict that I would use theFirewall system in the next threemonths
0.97
92.58
BI3
I plan to use the Firewall systemin the next three months
0.98
161.12
AttitudeTowardsUsingFirewall
ATT1
Using the Firewall system athome is a good idea
0.87
27.77
ATT2
Using the Firewall system is afoolish idea
0.84
23.49
ATT3
I like the idea of using theFirewall system
0.86
22.00
ATT4
Using the Firewall system ispleasant
0.67
5.78
ComputerAnxiety
CA1
I feel apprehensive aboutusing computers
⁎
⁎
CA2
It scares me to think that Icould cause the computerto destroy a largeamount of information byhitting the wrong key
0.63
5.72
CA3
I hesitate to use a computerfor fear of making mistakesthat I cannot correct
0.75
7.91
CA4
Computers are somewhatintimidating to me
0.91
18.31
Awarenessof SecurityMeasures
AWE1
Use software firewall 0.83 16.93
AWE2
Use hardware firewall 0.61 7.93
263N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
Appendix A (continued)Appendix A (continued)
Construct
Itemlabels
Items
Itemloadings
t -Values
Awarenessof SecurityMeasures
AWE3
Use anti-virus software 0.76 14.75
AWE4
Update anti-virus softwareregularly
0.70
11.82
AWE5
Use software to removeintrusive or malicious programs(adware/spyware) from mycomputer
0.81
23.32
AWE6
Update operating system(e.g. MS Windows XP) regularly
0.65
8.79
Collection(CFIP #1)
COL1
It usually bothers mewhen companies ask mefor personal information.
0.86
24.89
COL2
When companies ask me forpersonal information, I sometimesthink twice before providing it.
0.90
37.08
COL3
It bothers me to give personalinformation to so many people.
0.79
15.91
COL4
I am concerned that companiesare collecting too muchpersonal information about me.
0.87
29.36
Errors(CFIP #2)
ERR1
All the personal information incomputer databases should bedouble-checked for accuracy —
no matter how much this costs.
0.84
24.59
ERR2
Companies should take more stepsto make sure that the personalinformation in their files is accurate.
0.91
45.46
ERR3
Companies should have betterprocedures to correct errors inpersonal information.
0.91
34.32
ERR4
Companies should devote moretime and effort to verifying theaccuracy of the personalinformation in their databases.
0.92
55.17
UnauthorizedAccess(CFIP #3)
UA1
Companies should devote moretime and effort to preventingunauthorized access to personalinformation.
0.90
20.18
UA2
Computer databases thatcontain personal informationshould be protected fromunauthorized access — nomatter how much it costs
⁎
⁎
UA3
Companies should take moresteps to make sure thatunauthorized peoplecannot access personalinformation in their computers.
0.92
44.13
SecondaryUse(CFIP #4)
SU1
Companies should not usepersonal information for anypurposes unless it has beenauthorized by the individuals whoprovided the information.
0.84
16.42
SU2
When people give personalinformation to a companyfor some reason, the companyshould never use the informationfor any other person.
0.84
17.26
SU3
Companies should never sell thepersonal information in theircomputer databases to othercompanies.
⁎
⁎
SU4
Companies should never sharepersonal information with othercompanies unless it ahs beauthorized by the individuals whoprovided the information.
0.70
3.89
⁎ — Item dropped.
References
[1] R. Agarwal, V. Venkatesh, Assessing a firm's web presence: a heuristicevaluation procedure for the measurement of usability, InformationSystems Research 13 (2) (2002) 168–188.
[2] I. Ajzen, The theory of planned behavior, Organizational Behavior andHuman Decision Processes 50 (1) (1991) 179–211.
[3] AOL/NCSA, Online Safety Study, 2004, last accessed on, at: http://www.staysafeonline.info/news/safety_study_v04.pdf.
[4] M. Arami, H. Treiblmaier, A. Pinterits, M. Madlberger, Informationprivacy concerns and e–commerce: an empirical investigation, Proceed-ings of the Tenth Americas Conference on Information Systems, 2004,New York.
[5] F. Belanger, J.S. Hiller, W.J. Smith, Trustworthiness in electroniccommerce: the role of privacy, security, and site attributes, Journal ofStrategic Information Systems 11 (2002) 245–270.
[6] I. Benbasat, H. Barki, Quo Vadis Tam, Sauder School of Business, UBC,2005.
[7] M.R. Benioff, E.D. Lazowska, Cyber Security: A Crisis of Prioritization,President's Information Technology Advisory Committee, U.S.A., 2005.
[8] B.J. Calder, L.W. Phillips, A.M. Tybout, The concept of external validity,Journal of Consumer Research 9 (December 1982) 240–244.
[9] CERT/CC, 2004 E-Crime Watch Survey: Summary of Findings, CSOMagazine and Computer Emergency Response Team/CoordinationCenter, Carnegie Mellon Software Engineering Institute, 2004.
[10] T.C.E. Cheng, D.Y.C. Lam, A.C.L. Yeung, Adoption of Internet banking: anempirical study in Hong Kong, Decision Support Systems 42 (3) (2006)1558–1572.
[11] D. Compeau, Social cognitive theory and individual reactions tocomputing technology: a longitudinal study, MIS Quarterly 23 (2)(1999) 145–158.
[12] M.J. Culnan, “How did they get my name?”: an exploratory investigationof consumer attitudes toward secondary information use, MIS Quarterly17 (3) (1993) 341.
[13] M.J. Culnan, P.K. Armstrong, Information privacy concerns, proceduralfairness, and impersonal trust: an empirical investigation, OrganizationScience 10 (1) (1999).
[14] F.D. Davis, Perceived usefulness, perceived ease of use, and useracceptance of information technology, MIS Quarterly 13 (3) (1989)319–339.
[15] J.B. Earp, A.I. Antón, Addressing end-user privacy concerns, Proceedings ofthe Tenth Americas Conference on Information Systems, 2004, New York.
[16] S.M. Furnell, Hacking begins at home: are company networks at riskfrom home computers? Computer Fraud & Security (1) (2004) 4–7.
[17] M.R. Fusilier, W.D. Hoyer, Variables affecting perception of invasion ofprivacy in personnel selection situation, Journal of Applied Psychology65 (5) (1980) 623.
[18] C. Goodwin, Privacy: recognition of a consumer right, Journal of PublicPolicy & Marketing 10 (1) (1991) 149–166.
[19] I.-H. Hann, K.-L. Hui, T.S. Lee, I.P.L. Png, Online information privacy:measuring the cost-benefit trade-off, Twenty-Third International Con-ference on Information Systems, 2002.
[20] D.L. Hoffman, T.P. Novak, M.A. Peralta, Building consumer trust online,Communications of the ACM 42 (4) (1999) 80–85.
[21] G.S. Hubona, A. Burton-Jones, Modeling the user acceptance of e-mail,Proceedings of the 36th Hawaii International Conference on SystemSciences, IEEE Computer Society, Hawaii, 2003.
[22] J. Johnston, J.H.P. Eloff, L. Labuschagne, Security and human computerinterfaces, Computers & Security 22 (8) (2003) 675–684.
[23] D.J. Kim, D.L. Ferrin, H.R. Rao, A trust-based consumer decision-makingmodel in electronic commerce: the role of trust, perceived risk, andtheir antecedents, Decision Support Systems 44 (2) (2008) 544–564.
[24] M. Koufaris, Applying the technology acceptancemodel and flow theoryto online consumer behavior, Information Systems Research 13 (2)(2002) 205–223.
[25] J. Lee, H.R. Rao, Perceived risks, counter-beliefs, and intentions to useanti-/counter-terrorism websites: an exploratory study of government-citizens online interactions in a turbulent environment, DecisionSupport Systems 43 (4) (2007) 1431–1449.
[26] C. Liua, J.T. Marchewkaa, J. Lub, C.-S. Yub, Beyond concern: a privacy–trust–behavioral intention model of electronic commerce, Information& Management 42 (1) (2004) 127–142.
[27] R.O.Mason, Four ethical issues of the information age,MIS Quarterly 10 (1)(1986) 5–12.
[28] R. Richardson, 2003 Csi/Fbi Computer Crime and Security Survey,Computer Security Institute, 2003.
[29] H.J. Smith, S.J. Milberg, S.J. Burke, Information privacy: measuringindividuals' concerns about organizational practices, MIS Quarterly 20 (2)(1996) 167.
264 N. Kumar et al. / Decision Support Systems 46 (2008) 254–264
[30] K.A. Stewart, A.H. Segars, An empirical examination of the concern forinformation privacy instrument, Information Systems Research 13 (1)(2002) 36–49.
[31] B. Tedeschi, Poll Says Identity Theft Concerns Rose after High-ProfileBreaches, in: The New York Times, New York, 2005.
[32] J.B. Thatcher, P.L. Perrewé, An empirical examination of individual traitsas antecedents to computer anxiety and computer self-efficacy, MISQuarterly 26 (4) (2002) 381–396.
[33] E.C. Turner, S. Dasgupta, Privacy on the web: an examination of userconcerns, technology, and implications for business organizations andindividuals, Information Systems Management 20 (1) (2003) 8–18.
[34] H. van der Heijden, User acceptance of hedonic information systems,MIS Quarterly 28 (4) (2004) 695–704.
[35] V. Venkatesh, F. Davis, A theoretical extension of the technologyacceptance model: four longitudinal field studies, Management Science46 (2) (2000) 186–204.
[36] V. Venkatesh, M.G. Morris, G.B. Davis, F.D. Davis, User acceptance ofinformation technology: toward a unified view, MIS Quarterly 27 (3)(2003) 425–478.
[37] B. Wixom, P. Todd, A theoretical integration of user satisfaction andtechnologyacceptance, Information SystemsResearch 16 (1) (2005) 85–102.
[38] H.-d. Yang, Y. Yoo, It's all about attitude: revisiting the technologyacceptance model, Decision Support Systems 38 (1) (2004) 19–31.
[39] W.T. Yue, M. Cakanyildirim, Y.U. Ryu, D. Liu, Network externalities,layered protection and it security risk management, Decision SupportSystems 44 (1) (2007) 1–16.
Nanda Kumar is an assistant professor in theComputer Information Systems department atBaruch College, City University of New York. Hereceived his Ph.D. in Management InformationSystems from the University of British Columbia in2003. His current research interests include hu-man-computer interaction, behavioral aspects ofB2C e-commerce, digital government, impact of ITon the organization of work and leisure. His workhas appeared in journals such as InformationSystems Research, MIS Quarterly, Communica-tions of the ACM, and Decision Support Systems.
Kannan Mohan is an Assistant Professor of
Computer Information Systems at Baruch College.Dr. Mohan received his Ph.D. degree in ComputerInformation Systems from Georgia State Univer-sity. His research interests include managingsoftware product family development, providingtraceability support for systems development,knowledge integration, and agile developmentmethodologies. His work has appeared in journalssuch as Communications of the ACM, DecisionSupport Systems, Information and Management,and Communications of the AIS.
Richard D. Holowczak is presently an Associate
Professor of Computer Information Systems and isDirector of the Bert W. and Sandra WassermanTrading Floor/ Subotnick Financial Services Centerin the Zicklin School of Business, Baruch College,City University of New York. He holds M.B.A. andPh.D. degrees from Rutgers University. His re-search focuses on digital libraries, electroniccommerce and networked information systems.He has published articles in IEEE ComputerJournal, IEEE Transactions on Knowledge and DataEngineering, Communications of the ACM, OnlineInformation Review and ACM Computing Surveys.
