of electronic commerce. Our paper proposes that in addition to known factors of
trust such a vendor's reputation, consumers' perception of privacy and security ...
Consumers’ Trust in Electronic Commerce Transactions: The Role of Perceived Privacy and Perceived Security
Ramnath K. Chellappa Goizueta Business School, Emory University Atlanta, GA 30322-2710
[email protected]
Acknowledgement I am greatly indebted to Omar El Sawy and Ann Majchrzak for their guidance and suggestion, and I would like to thank Ricky Lim and Raymond for their help with the data analysis.
Consumers’ Trust in Electronic Commerce Transactions: The Role of Perceived Privacy and Perceived Security Abstract Consumers’ trust in their online transactions is vital for the sustained progress and development of electronic commerce. Our paper proposes that in addition to known factors of trust such a vendor’s reputation, consumers’ perception of privacy and security influence their trust in online transactions.
Our research shows that consumers exhibit variability in their perceptions of
privacy, security and trust between online and offline transactions even if it is conducted with the same store.
We build upon this finding to develop and validate measures of consumers'
perceived privacy and perceived security of their online transactions which are then theorized to influence their trust in EC transactions. We propose that the perceptions of privacy and security are factors that affect the consumers’ trust in the institutional governance mechanisms underlying the Internet. We conduct two distinct empirical studies and through successive refinement and analysis using the Partial Least Squares technique, we test our hypothesized relationships while verifying the excellent measurement properties associated with our instrument. Our study finds that the consumers’ perceived privacy and perceived security are indeed distinct constructs but the effect of perceived privacy on trust in EC transactions is strongly mediated by perceived security.
A major implication of our findings is that while the much studied determinants of
trust such as reputation of the transacting firm should not be neglected, vendors should also engage in efforts to positively influence consumer perceptions of privacy and security. We discuss the significance of this observation in the context of increasing importance in acquiring customer information for personalization and other online strategies. Keywords: electronic commerce, perceived security, perceived privacy, online trust, PLS ISRL Categories: AA01, AI0104, AI0401, AI0610 2
Consumers’ Trust in Electronic Commerce Transactions: The Role of Perceived Privacy and Perceived Security 1 Introduction There is overwhelming evidence that trust in the online environment is an important element of electronic commerce (EC) relationships and the importance of studying online trust is underscored by many recent studies [Hoffman, 1999 #51;Jarvenpaa, 2000 #56].
In any
consumer transaction online there are two interacting elements, namely the entity with whom the consumer is transacting with, i.e. the online vendor and the medium on which the transaction is taking place, i.e. the Internet. This paper proposes that in addition to a consumer’s trust in a vendor [Mayer, 1995 #69;McKnight, 2002 #184], the overall trust in a EC transaction is also influenced by a consumer’s perception of risk to the EC transaction due to the nature of supporting infrastructure. We identify this consumer perception of risk in the EC transaction as being caused by the consumer’s perception of risk to the privacy of her EC transaction and the consumer’s perception of risk to the security of her transaction.
We then formalize two
constructs namely a consumer’s perceived privacy of her EC transaction and her perceived security of the EC transaction and through the development of theoretically grounded scales to measure these perceptions we hypothesize their effect on the consumer’s trust in the EC transaction.
While the explanations provided by constructs developed for trust in offline
environments hold good in the online context as well, characteristics of the online medium i.e., the Internet itself, can influence a consumer’s trust [Keen, 2000 #192] and given that trust itself is a context dependent construct [Gulati, 1995 #191] it is imperative that the characteristics of the transacting medium is accounted for.
3
Security and privacy concerns of transactions are not new concepts [Westin, 1967 #106]. Consumers have always been concerned about using debit cards at not-so-reputable merchants, and have often had their privacy invaded in the form of direct marketers who somehow obtained their telephone numbers. However, with the advent of electronic commerce, the scale, scope and immediacy of security and privacy issues have compounded many times over [Clarke, 1988 #24;Mason, 1986 #68]. The importance of studying the constructs of security and privacy has been underscored by research in marketing as well. It has been argued that enhancing favorable security and privacy perceptions [Friedman, 2000 #41;Shneiderman, 2000 #91] and building trust [Hoffman, 1996 #50;Keen, 2000 #60] are very important for sustained activity in the electronic business frontier. Numerous academic, governmental, and managerial articles also suggest that there is an increased consumer concern for the privacy and security of EC transactions [FTC, 1998 #26;Gilbert, 2001 #45]. Issues involving security and privacy have made many consumers hesitant to transact online [FTC, 1998 #27;Meeks, 2000 #70] and in fact, over half of the respondents in a sample of Americans nationwide said that privacy and security are their biggest concerns about EC [Cox, 1999 #112]. According to a study in Business Week [BusinessWeek, 2000 #19], 61% of the survey respondents would conduct transactions on the Internet if the security and privacy of their personal information could be adequately protected. However there is no academic research that has explored if these privacy and security concerns online are any different from their offline counterpart and if the online concerns affect a consumer’s decision to engage in an EC transaction.
4
In order to compare consumer perceptions of privacy and security of online and offline transactions, it is first important to understand how consumers develop these perceptions. Hence we incorporate theories from information systems, marketing and public policy, and we develop and refine scales to measure consumer perceptions of privacy and security. Subsequently we test the two primary hypotheses of this research that 1. Consumers perceive that the security and privacy of their transactions are higher offline than online and that 2. Online consumers’ perceptions of privacy and security influence their trust in electronic commerce transactions. This paper proceeds as follows: Section 2 provides the conceptual development of consumer perceptions of trust, security and privacy in the online environment through a review of relevant literature and hypothesizes the relationship between the constructs. Following this, in section 3, we present the development and testing of our scales through an analysis of two empirical studies. Section 4 provides a discussion of our results and outlines the study's theoretical and managerial implications. A series of recommendations are also made for future EC research and practice.
2. Theory and hypotheses In any consumer-vendor context it is important to study trust as it reflects consumer perceptions of uncertainty and risk and their willingness to engage in trust related behavior [McKnight, 2002 #184].
Now consider a consumer who buys a DVD player from BestBuy (the physical store)
and a television from BestBuy.com (the online store), and has hence provided the stores with his/her (for simplicity sake, from here-on we shall use the pronoun “she” to refer to the consumer) financial and other personal information. Given that the consumer has transacted with both the online and offline form of the same store, would it be correct to assume that consumer has the same level of trust in both transactions? This question is motivated by the fact 5
that while the BestBuy physical store does not send an employee along with every customer to monitor what they are looking at; BestBuy.com indeed does that through cookies and other tracking mechanisms. If the level of trust varies in the two transactions, then what are the factors that contribute to this difference?
Literature on consumers’ use of the Internet argues that consumers are concerned about the risk involved in conducting online transactions [Jarvenpaa, 2000 #56;Hoffman, 1999 #51;Miyazaki, 2000 #72]. While there are many definitions and operationalization of risk in marketing [Mayer, 1995 #69] and IS literature [Grazioli, 2001 #193], our goal in this paper is to identify the factors that contribute to the risk perceptions involved in online transactions. Keeping in mind that the inherent risk in electronic commerce transactions is compounded by the spatial and temporal separation of the transacting entities [Brynjolfsson, 2000 #18;Hoffman, 1999 #51], and given that prior research finds that consumer's perception of risk is related to trust [Koller, 1988 #61;Gambetta, 1988 #166], we first provide the intuitions behind the development of trust in online transactions. 2.1 Trust in EC transactions Trust has been studied by researchers in a variety of different fields from sociology [Shapiro, 1987 #88] to marketing [Doney, 1997 #38;Ganesan, 1994 #43] to information systems [Jarvenpaa, 1999 #140;Jarvenpaa, 2000 #56;McKnight, 2002 #184].
In this paper we are
interested in studying consumer trust in EC transactions that falls into the category of trust in consumer-vendor relationships which has largely been studied in marketing literature [Schurr, 1985 #87], albeit in offline interactions.
More recently both IS and marketing literature has
suggested that trust assumes great significance in EC transactions as well as they are conducted
6
in uncertain environments [Fung, 1999 #42], and the development of trust between consumers and marketers is critical for the continued growth of EC [Jarvenpaa, 2000 #56;Palmer, 2000 #144;Fontenot, 1998 #39].
Along these lines McKnight et al [, 2002 #184], develop trust
measures for EC by integrating literature from a wide variety of fields including sociology, organization theory, marketing and information systems.
In any consumer transaction online or offline, there are two interacting elements, namely the entity with whom the consumer is transacting with, i.e. the merchant and the medium or the infrastructure that supports the transaction. This paper takes position that while an individual’s (consumer’s) disposition to trust [McKnight, 2002 #184], trusting intentions [Currall, 1995 #194] and other trust-related behaviors [Anderson, 1990 #195] have been studied in the context of EC along with the consumer perceptions of a vendor’s trustworthiness [McKnight, 2002 #184], the nature of trust specifically with regards to medium of transaction has been some-what less understood. Even the research that studies trust in the EC context it should be noted here that trust itself has been studied in the EC context, but primarily from the perspective of trust in the transacting online store [Jarvenpaa, 1999 #140;Jarvenpaa, 2000 #56]. A recent research finds that trust in Internet shopping may indeed be affected by infrastructural contextual factors such as security [McKnight, 2002 #184] and this is supported by earlier work in sociology and marketing that has maintained that trust is a context dependent construct [Luhmann, 1988 #167;Zucker, 1986 #169] and is also a function of the institutional environment where the trustee and trustor interact [Zucker, 1986 #169].
Along these lines our paper argues that even if a
consumer transacts with the same entity (e.g., a BestBuy physical store and a BestBuy.com
7
online store), she may display differences in the level of trust in the transaction due to differences in the platform or institutional setup that supports these transactions.
The notion of institution-based trust has its origin in sociology [Barber, 1983 #196;Zucker, 1986 #169] and deals with structures that make an environment trustworthy [Garfinkel, 1963 #197;Shapiro, 1987 #88;Zucker, 1986 #169].
McKnight et al, [, 1998 #199] integrate various
sources of institution-based trust and identify two dimensions namely, structural assurance and situational normality. Structural assurances include contextual conditions that act as promises, contracts, regulations and guarantees while situational normality may involve a properly ordered setting that appears likely to facilitate a successful interaction [McKnight, 1998 #199].. In this regard, McKnight et al [, 2002 #184] liken the Web to be the 21st century equivalent of the lawless “wild wild west” of the 19th century. Such a perception is supported by numerous media reports of break-ins and instances of credit-card and other personal information being stolen [Judge, 1998 #58]. Thus, when a consumer conducts a transaction with an online store that is characterized to be operating in an uncertain environment [Fung, 1999 #42] such as the Internet, she is less likely to trust that everything about her transaction is assured and normal as compared to her transactions with an offline store. Therefore, we propose that: Hypothesis 1: A consumer’s trust in her online transaction is lesser than her trust in an offline transaction.
Now it is important to examine the factors that contribute to perceptions regarding structural assurance and situational normality.
Any commercial transaction involves sharing of
information between the transacting parties and hence the total trust exhibited by the consumer in
8
conducting a transaction can be considered to be a combination of trust in the trustee or the vendor and trust that the environment will guarantee the integrity of the transaction. We propose that this guarantee and belief that every aspect of the transaction will be as expected to be determined by the consumers’ perception of risk to their privacy and security of information. Thus the overall trust in EC transactions is a consumer's subjective evaluation of both the entity's characteristics [Beccera, 1999 #8] and risk created by security and privacy perceptions. Consumers who provide personal information during transactions assume the risk of having this information endangered. Risk has been defined 'the possibility of an adverse outcome, and uncertainty over the occurrence, timing or magnitude of that adverse outcome' [Covello, 1994 #30]. In addition to any risk associated with transacting with a particular vendor, risk in EC transactions is essentially created by threats to transfer of information; specifically, threats to information privacy and security. Prior research has defined trust in terms of acceptance of risk [Sheppard, 1998 #186], and hence it could be argued that the degree of trust a consumer develops in the EC transaction is indicative of the degree of risk to the security and privacy of the transaction that the consumer has accepted. In the following sub-sections we develop the constructs of perceived privacy and perceived security as a manifest of this acceptance of risk. 2.2 Perceived Privacy Research in IS and marketing has argued that information privacy and consumer concerns thereof is one of the most important issues in today’s technology based environment [Stewart #198;Miyazaki, 2000 #72;Miyazaki, 2001 #185]. The concept of privacy is in itself not new and it has generally been defined as an individual's ability to control the terms by which their personal information is acquired and used [Westin, 1967 #106]. Prior research on privacy found that consumers might be willing to disclose personal information in exchange for some apparent
9
benefits [Culnan, 1999 #34]. According to the authors, consumers are also likely to provide personal information if they believe they have control over this information, the information requested is relevant, and it is likely to create valid inferences about their preferences. Privacy has also been discussed in much detail from an individual’s viewpoint and as organizational practices [Culnan, 1995 #33;Culnan, 2000 #35;Smith, 1996 #93]. Loss of privacy includes (a) sharing personal information with others that were not part of the original transaction without the consumer’s consent, and (b) merging transaction and demographic data to create consumer profiles without the consumer’s knowledge [Foxman, 1993 #40;Godwin, 1991 #48].
In measuring the concern for information privacy (albeit of individual’s concern of organization practices), the instrument (Concern for Information Privacy - CFIP) developed by Smith, et al. [, 1996 #93] is the first, and it identifies four factors namely collection, errors, secondary use and unauthorized access as the dimensions of an individual’s concern for privacy. Later research has argued that “CFIP needs to reinvestigated in light of emerging technology, practice and research,” [Stewart, 2002 #198], who also suggest that “CFIP itself maybe more parsimoniously represented as a higher-order factor rather than a set of correlated first-order factors.” This view is supported by others who suggest that privacy measurement itself needs re-examination in varying consumer contexts, and argue that in addition to CFIP, a validated scale to measure overall privacy attitudes is needed [Culnan, 1999 #34].
Subsequently an individual’s concern
for privacy has been shown to be a higher-order factor that can be used in conjunction with other variables such the computer anxiety of an individual in a CFIP nomological network [Stewart, 2002 #198].
On the other hand it has also been argued that organizations can employ
“procedural fairness,” to reduce consumers’ privacy concerns leading to trust building [Culnan,
10
1999 #34]. Similarly other marketing research observes that consumers’ privacy concern is governed by environment control and secondary use of information control [Hoffman, 1999 #52].
The former refers to a consumer’s ability to controls actions of other parties in a
transactional environment while the latter implies that ability to control the subsequent use of any information provided during a transaction.
As individual consumers may not be able fully exercise their beliefs regarding privacy and given its importance in sustained commercial activities, the safeguard of information privacy in commercial transactions has fallen into the domain of governmental entities such as the United States Information Infrastructure Task Force (IITF) which first came up with a recommended set of principles for providing and using personal information [IITF, 1995 #54]. Subsequently, the Clinton Administration underscored the importance of privacy for the successful emergence of EC [Clinton, 1997 #25]. Since then the Federal Trade Commission's Bureau of Consumer Protection, which is the de facto governmental body in charge of privacy initiatives, has submitted various reports to the US Congress resulting in governmental guidelines for what constitutes adequate privacy in EC [FTC, 2000 #28;FTC, 2000 #127]. These guidelines known as the Fair Information Practices [Gillin, 2000 #46] are built upon testimonials of researchers in this field and prior findings. For example, consistent with the CFIP scale developed by Smith, et al, [, 1996 #93], the guidelines incorporate rules that define how vendors should collect information, how they should fix any errors regarding personal information, how they should inform consumers regarding subsequent use of the information and how the vendors should prevent any unauthorized access to information. Similarly consistent with findings of Culnan and Armstrong [, 1999 #34] and Hoffman, et al, [, 1999 #52], the guidelines require that vendors
11
should provide the consumer control over all aspects of information collection and usage. The guidelines can be summed up into five principle actions namely, notice, choice, access, integrity, and enforcement. First, notice requires that disclosure notices inform online consumers about how their information will be collected. Second, choice requires that online consumers have a choice about how their information will be used and to which parties it will be disclosed. Third, access requires that online consumers have the opportunity to exercise control over their information. Fourth, integrity requires adequate mechanisms are employed to protect of online consumer information from unauthorized use. Finally, enforcement requires that there is an effective authority to enforce and impose sanctions for potential violations.
Given that the above principles incorporate all elements pointed out by both IS [Smith, 1996 #93] and marketing [Hoffman, 1999 #52;Miyazaki, 2000 #72] research, it would suggest that if a vendor complied with these principles and if a consumer conducts a transaction with the vendor, then the consumer has no more concern for her information privacy vis-à-vis her transaction with that particular vendor.
However our research argues that this is indeed not the case as
consumers may still hold subjective beliefs regarding how their information provided during a transaction is handled. We refer to this subjective belief as perceived privacy of a transaction that is defined as the “the subjective probability with which consumers believe that the collection and subsequent access, use, and disclosure of their private and personal information is consistent with their expectations.”
Note that our intention is not to re-validate the concern for privacy
instrument as it pertains to an individual, rather our goal is to understand perceptions of privacy in commercial relationships (e.g., consumer-vendor relationships) where it is required that all individual concerns of privacy are fully addressed through disclosure. Our definition points out
12
that perceived privacy reflects the amount of consumers’ belief that the institutional setup allows for the privacy of their transaction to maintained as promised.
As opposed to an offline transaction, in any EC transaction, not only is personal information about a consumer acquired but information about her browsing and shopping preferences can also be collected even if no financial transaction takes place. For example, in the example of BestBuy.com, the online store can construct a reasonably accurate consumer profile that is only possible if the physical store BestBuy attached a camera and processor to every customer who steps into the store following them into every aisle they visit and every product they lift from the shelves [Chellappa, 2002 #187]. While the offline store may have access only to the financial transaction information, the information collected online broadly falls into three categories: a. Anonymous information, that refers to information gathered about page visits, without the use of any invasive technologies, typically the standard information sent with any Web or Internet request. Such information includes a machine's IP address, domain type, browser version and type, operating system, browser language, and local time.
b. Personally non-identifying
information, that refers to "information that, taken alone, cannot be used to identify or locate an individual.” It mainly refers to information such as age, date of birth, gender, occupation, education, income, ZIP Code with no address, interest and hobbies. The consumer through radio buttons, menus or check boxes on a Web page has to explicitly disclose most of this information. In addition to solicited information, this category also often involves the use of sophisticated tracking technologies, e.g., cookies, clear gifs, etc. Such technologies, though not identifying a customer individually, enable the information collecting entity to sketch an effective customer profile.
c. Personally identifying information that refers to information that can be used to
13
identify or locate an individual. These include email addresses, name, address, phone number, fax number, credit card number, social security number, etc. Invariably, such information is almost always gathered explicitly from the customer and is typically collected when consumers register with Web sites [Chellappa, 2002 #187]. The cumulative effect of these information types can be more telling on the privacy of the consumer as information across categories can be combined, allowing for use of information in ways that were not feasible or practical before [Culnan, 1999 #34].
Given that consumers part with minimal information in the offline
environment as opposed to the online one, it is reasonable to expect that their perception of risk to their privacy offline is lesser than its online counterpart, i.e. consumers’ perceived privacy of offline transaction is greater than privacy perceptions of offline transaction. Hence we have: Hypothesis 2: A consumer’s perceived privacy of her online transaction is lesser than her perceived privacy of her offline transaction
From a practical perspective, it is now important to question the role of this perceived privacy, i.e. what element of a commercial transaction does this influence? In this regard, we find that prior research indicates that factors such as “procedural fairness” builds impersonal trust and finds that when vendors act on behalf of consumer concerns and incorporates fair practices, then consumers become more trusting of that vendor [Culnan, 1999 #34]. Similarly Hoffman et al. [, 1999 #51] point that consumers’ ability to control information collection and usage can reduce the risk associated with Internet usage. Given that during any transaction, the degree of trust an individual forms toward the interacting entity is a function of the degree of risk that is involved in the situation [Koller, 1988 #61], it can be argued that the perceptions of risk to the privacy of their information in an online transaction is related to the trust in that online environment. This
14
view also finds support in other findings that suggest that privacy is a major factor in EC trust [Friedman, 2000 #41;Shneiderman, 2000 #91].
McKnight et al, [, 2002 #184] also suggest that
factors such as trusted-third parties (e.g., third party icons like Truste) may not affect beliefs about a specific vendor rather they may influence the trust perceptions about the Internet. Hypothesis 3: A consumer’s perceived privacy of her online transaction positively contributes to her trust in her online transaction 2.3 Perceived Security The open nature of the Internet and its unregulated global nature have heightened concerns about transaction security [Fung, 1999 #42]. From the perspective of the online institutional infrastructure, i.e., the Internet, structural assurances regarding privacy and security and security of a transaction are distinct constructs. While privacy enforcement is largely through legal mechanisms such as alliances with monitoring agencies (e.g., Truste, WEBcpa, BBBonline), fines stipulated by the FTC and legal disclosure notices, enforcement of security is largely a function of technological actions undertaken. In fact the US government has enacted two separate acts namely the E-Privacy act (S. 2067) and the Secure Public Networks act (S. 909) to regulate privacy and security in electronic commerce. From a consumer’s perspective perceived security of an electronic commerce transaction may be defined as “the subjective probability with which consumers believe that their personal information (private and monetary) will not be viewed, stored, and manipulated during transit and storage by inappropriate parties in a manner consistent with their confident expectations.”
Just as consumers may have various beliefs
regarding the privacy of their online transactions even if vendors provide assurance regarding all aspects of an individual’s concern for privacy, consumers may also possess different beliefs regarding the security of their online transaction even if all security enforcements are in place.
15
The real security of an EC transaction itself can be scientifically guaranteed with adequate encryption, digital signatures and third party authentication, and such methods [Bhimani, 1996 #180] have been addressed in great detail by trade and computer science literature [Varadharajan, 1997 #103;US Congress, 1997 #161;US Congress, 1997 #160].
However
consumer perception of security online is altogether a different matter, and at present there is relatively little research on this subject [Lee, 2001 #190]. The perceptions or concerns of security by users of electronic systems was first addressed by IS research [Carr, 1987 #154;Benson, 1983 #155;White, 1987 #156;Goodhue, 1991 #157], specifically in the context of organizational systems [Goodhue, 1991 #157]. With regards to security concerns of online consumers recent research points out that consumer perceptions of unsatisfactory security on the Internet continues to exist even when vendors undertake security enforcement mechanisms [Zellweger, 1997 #189;Miyazaki, 2001 #185]. For instance, a 128-bit encryption objectively gives the odds of a hacker decrypting a message as one in 2128. Clearly it is unlikely that an average consumer would exactly perceive this probability or its role. Also consumers implicitly accept certain elements such as the identity of the entities they are transacting with in traditional environments; hence, conventional assumptions are can rightfully be questioned by a consumer in electronic transactions. For example, the familiarity of a ‘Sears’ logo is often satisfactory enough for consumers to assure that they are indeed at the actual ‘Sears’ department store. In cases where the consumer is not familiar with the store location, a yellow pages reference often suffices. In contrast, this experiential aspect of the transaction is clearly not present in the online world. It is not only easy for someone to create a phony Web page, but it is also equally possible for a malicious operator to create entirely spurious Web site. Do all consumers to know that
16
Citibank is housed at ‘www.citibank.com’ and not at ‘www.citibank.net’ or even that Citibank is spelt with an “i” and not a “y” as in Citybank? Indeed there are many examples of sites that have actually benefited from typographical errors [Sullivan, 2000 #114]. Hence we propose that: Hypothesis 4: A consumer’s perceived security of her online transaction is lesser than her perceived security of her offline transaction
Similar to the fair information practices principle, in the EC context, all online vendors today are required to employ online security enforcement principles of encryption, protection, verification and authentication [Chellappa, 2002 #188].
These mechanisms protect consumer data from
being viewed or modified and ensure that only the appropriate entities (e.g., vendor, credit card authorizer – visa, bank) have access to consumer data. The enforcement principles contribute to ensuring that typical guarantees regarding financial and other transactions are met, and expectations consistent with normal commercial transactions are maintained. In other words consumer perceptions of these security enforcement principles lead to their beliefs regarding situational normality and structural assurance, and hence contribute to their trust perceptions regarding EC transactions. Hence we propose: Hypothesis 5: A consumer’s perceived security of her online transaction positively contributes to her trust in her online transaction.
Even if privacy and security of a transaction are enforced through distinct principles, it is possible that consumers may perceive security and privacy to be somewhat related concepts [Jones, 1991 #57].
Such a view merits attention as even researchers in marketing have
considered consumer perceptions of risk to security and privacy of their transaction as being
17
somewhat equivalent [Miyazaki, 2001 #185].
An average consumer may believe that all
structural assurances can be guaranteed if the security of the transaction can be guaranteed. This implies that only perceptions of security influences trust in EC transaction and any role of privacy perceptions on trust in EC transactions is mediated by the consumer’s perceived security. Our research proposes that perceived privacy and perceived security are indeed distinct constructs but we need to consider the possibility of mediated effect on trust in EC. Hypothesis 6: The influence of a consumer’s perceived privacy of her online transaction on trust is mediated by her perceived security. 2.4 Controlling for trust in the transacting entity Trust in the online merchant is the element of online trust that has been most studied and found to be a significant factor in the overall trust towards online shopping [Jarvenpaa, 2000 #56;Lee, 2001 #190]. However, as discussed earlier, our paper is interested in isolating the factors responsible for institution-based trust, i.e. trust in EC transactions themselves as separated with trust in the transacting entity or the vendor. Hence we need to control for factors that lead to trust in the vendors themselves rather than the EC transaction. Such a trust has been shown to be developed due to consumer beliefs regarding the reputation of the vendor [McAllister, 1995 #168] and the customer's satisfaction with previous interactions with the etailer [Ganesan #43]. Reputation is defined as the extent to which consumers view a marketer to be reliable, honest, and trustworthy and this is known to be a source of trust [Zucker, 1986 #169;Doney, 1997 #38]. In a process-based mechanism of trust building, repeated exchanges influence future relationships [Gefen, 2000 #138], and empirical evidence clearly points out that trust follows satisfaction with a service provider [Singh, 2000 #174]. Thus in any buyer-seller relationship it
18
has been argued that satisfaction with previous outcomes has a significant impact on trust [Ganesan, 1994 #43] and hence it needs to be controlled for in our study. Hypothesis 7: A consumer’s overall trust in her online transaction is positively related to the reputation of the online vendor whom she transacting and her satisfaction with her past interactions with the online vendor.
Figure 1 provides a representation of our model of trust in EC transactions. The potential for a relationship between the constructs of perceived privacy and perceived security also implies that a second generation data analysis tool [Bagozzi, 1982 #6] tool such as LISREL or PLS needs to be employed rather than simple linear regression.
Perceived Security of EC Transactions
+v e
Trust in EC Transactions
Perceived Privacy of EC Transactions
+v e
Reputation
e +v
+v e
+ve
Satisfaction
Control Variables (Trust in Vendor)
Figure 1: Hypothesized relationships
19
3. Methodology We developed a survey to test our hypotheses but first we set about validating our survey instrument.
Prior research has argued heavily in favor of adopting rigorous validation of
instruments in MIS research, to bring clarity to the formulation and interpretation of research questions [Straub, 1989 #99].
Our study follows the 3-stage procedure following
recommendations of prior research in information systems [Smith, 1996 #93;Straub, 1989 #99] for developing and validating measurement instruments. The first stage is devoted to the domain and dimensionality of the purported metrics through a review of relevant literature and corresponding scales. Following this, for stage 2 a set of sample items was generated for each new construct and assessed for reliability and content validity.
This was followed by
streamlining of the metrics, in order to fit our context of perceived privacy and security in Internet based EC and a first version of the instrument was created. We present two studies; in the first study, we administer the first version of the multi-time scales to a sample of consumers who have purchased an item from both the online and offline form of a single store. In this study we measure the consumer perceptions of privacy and security with regards to offline transactions as well, we also use this study to eliminate any redundancy in items, and ensure good measurement properties with regards to constructs related to the EC environment. Following this, in stage 3 we proceed with an extensive confirmatory analysis for online transactions only (study 2) that test and validate the refined scales for their reliability and construct validity. We also verify the convergent, discriminant and factorial validity of our study involving a sum total of 217 subjects.
20
3.1 Pretest Measures for perceived privacy and perceived security were developed following standard psychometric scale development procedures [Bagozzi, 1982 #6;Anderson, 1988 #3]. Note that while Smith et al (1996), have developed instruments for an individual’s concern for privacy, our interest is in measure consumer perceptions of privacy given that the online vendors provide a government mandated assurance of satisfying individual’s concern of privacy. In other words we are interested in measuring how consumers perceive structural assurances given in the EC environment. Similarly, we are interested in measuring how consumers perceive procedural fairness [Culnan, 1999 #34] will be upheld in the EC environment, given that vendors promise procedural fairness online. We need to measure how a consumer believes her information is handled in response to claims and other technological investments for privacy protection employed by online sellers. Similarly in order to measure consumer perceptions of security we rely both on the consumer perceptions of the antecedents of security [Chellappa, 2002 #188] and Goodhue and Straub’s [, 1991 #157] measures of perceptions of security in an organizational context. Our construct of perceived security of EC transactions can be thought of as being related to organizational user's concern of security that is measured through user assessment of security effectiveness [Goodhue, 1991 #157, p.20]. The survey instrument itself is presented in Appendix I.
Before we conduct the study, we tested both constructs in the context of Internet based EC transactions through a series of informal interviews with faculty and doctoral students in a business school to ensure that they were properly operationalized. This resulted in13 candidate items for each construct, where each item had a corresponding domain of content [Nunnaly,
21
1978 #73]. This was followed with selection of items [Anastasi, 1986 #2], to choose ones that best fit the proposed definition. Out of the 13 candidate items, 7 items for perceived privacy and 6 items for perceived security were incorporated into the first instrument, which was again tested by faculty and doctoral students for comprehensiveness, clarity and appropriateness. Given extant research on trust, reputation and satisfaction measures for them were easily available from literature and suitably modified or adapted for our study. Each of the 23 items were followed by a seven point Likert scale anchored by ‘1 = strongly disagree’ to ‘7 = strongly agree’. 3.2 Reliability and validity tests used For each of the 2 studies, construct, convergent and discriminant validities were always tested, followed by reliability analysis, in order to provide good measurement properties [Straub, 1989 #99]. First, indicators for the hypothesized principal constructs were identified through an exploratory factor analysis, and each item was subjected to item-to-total examination. Construct validity was ascertained through inter-item correlation and factor-loading matrices of the principal constructs. All items tapping the same construct should have high correlations, whereas items tapping different constructs should have significantly lower correlations. Convergent validity refers to whether the items comprising a scale behave as if they are measuring a common underlying construct. In this sense, all items measuring the same construct should correlate with the items in the same scale [Bagozzi, 1988 #7].
Discriminant validity is concerned with the
ability of a measurement item to differentiate among different measure items [Davis, 1989 #37;Davis, 1989 #36]. The basic test for discriminant validity is to show that an item should correlate more highly with other items intended to measure the same attribute than with items used to measure a different attribute.
22
For this research we had first analyzed our data using linear regression, however due to possible correlation between our constructs of perceived security and perceived privacy, we proceeded to use a second generation data analysis technique [Bagozzi, 1982 #6] using Partial Least Squares (PLS). This allows for a combined analysis of measurement and structural models, where factor analysis can be combined with hypotheses testing [Gefen, 2000 #175].
Thus from the
perspective of validity testing, instead of factors from principal component analysis, we will present a table of latent constructs. For reliability analysis, no reliability statistic such as Cronbach's alpha is produced automatically by PLS.
However other construct reliability
measures AVE1 (Average Variance Extracted) and CREL2 (Composite Reliability) can be used [Gefen, 2000 #175]. To perform confirmatory factor analysis, a factor score for each construct is calculated based on the weighted sum of that factor’s standardized and normalized indicators: prior to running PLS, the “data matrix” output option in PLS-Graph is selected. After PLS execution, the latent construct scores will appear as “eta latent variable scores” in the output file. The factor scores are correlated with individual items (likewise standardized and normalized, and provided by PLS-Graph in the “rescaled data matrix” section of output) to calculate cross loadings. See note in Agarwal and Karahanna [, 2000 #132]. Boldface item loadings in the tables below should be greater than cross-loadings, and should likewise, as a rule of thumb, exceed 0.70 [Thompson, 1995 #177;Hair, 1998 #176].
AVE = (Σλi2 / Σλi2 + ΣΘii), where λi are factor loadings and Θii are unique error variance = 1-λi2. Gefen [Gefen, 2000 #175] recommend the diagonals to be = AVE. Agarwal & Karahanna, 2000 and Compeau & Higgins, 1995 are more generous and use the square root of AVE on the diagonal. 2 CREL = composite reliability = (Σλi)2 / (Σλi)2 + ΣΘii, where λi are factor loadings and Θii are unique error variance = 1-λi2. These reliabilities are functionally equivalent to a Cronbach’s reliability alpha. Factor loadings are provided by PLS-Graph. 1
23
3.3 Study 1 Study 1 was conducted with graduate business students in a large private West Coast University as subjects, who rated their perceptions of privacy, security, and trust in EC transactions through the 23-item online questionnaire. There were two goals to this study; the first goal of this study was to empirically verify if indeed consumers exhibited different levels of trust in their online and offline transactions even if they interacted with the same entity, i.e., the online and offline version of the same store. This would serve to isolate the trust towards the EC element and not the trustworthiness of the vendors themselves. The second goal of the study was to do scale validation of the perceived privacy and perceived security measures for the online store to conduct the subsequent study focused solely on understanding the nature of trust building online. Therefore even if we do not measure the reputation and past satisfaction in this study it serves the purpose of isolating the differences between online and offline transactions independent of the stores and it serves as a platform to refine the scales for the subsequent study.
The survey was administered to 64 subjects of whom we had 40 respondents giving us a response rate 62.5%. The 64 subjects were selected carefully so as represent a sample of users who have purchased items both from the online and offline form of the same store. Our collection of stores included Barnes&Noble/Barnes&Noble.com, BestBuy/BestBuy.com, Borders/Borders.com, CompUSA/CompUSA.com, Macy's/Macy's.com, Virgin Music/Virgin .com, WalMart/WalMart.com. The subjects were then asked about perceived privacy, perceived security and trust in their transactions for each store type (online and offline) based upon their past experiences. Clearly this study does not account for self-selection and social desirability bias, but the variance in the responses for the principal constructs gives us adequate information
24
for a first study. Since university rules prohibit collection of demographic information from students, it was not possible to collect specific information from these students about their own characteristics. The use of students as a sample does not appear to pose any significant problems and the student population has been commonly studied in many studies related to consumer behavior [Calder, 1981 #200]. Even specifically in the context of information privacy the original Smith et al [, 1996 #93] paper includes a sample of students and there were no significant differences reported when Stewart and Segars [Stewart, 2002 #198] employ a nonstudent sample. 3.4 Results and discussion of study 1 We first analyzed the data to observe any differences in consumer perceptions of privacy and security between their online and offline transactions. We employed the paired t-test to test to verify these differences. Our analysis (given in table 1) shows consumers indeed differ on their security and privacy perceptions. The analysis of means also shows that consumers’ perceptions of security online, privacy online and trust online is lower than their counterparts in the offline transaction. This lends support to our hypotheses 1, 2, and 4, and substantiates the claim that even if they have conducted transactions with the online and offline counterpart of the same store, their perceptions of trust may vary. This finding implies that trust in the transaction may have a greater role to play than just as an indicator of intention to shop from the store. We discuss this implication in greater detail in the final sections of this paper. Paired Differences
Construct
Store
Mean
95%
Std. Dev.
Mean
Std.
Confidence
t
p
Dev.
Interval
value
value
Lower 25
Upper
Perceived
Offline
5.8600
.8242
Security
Online
5.3300
.8742
Perceived
Offline
5.5228
.9168
Privacy
Online
4.8875
.8838
Offline
4.7407
.9251
Trust Online
3.9786
.5300
.7786
.2810
.7790
4.305
.000
.6353
.8052
.3778
.8928
4.990
.000
.7621
.9444
.4601
1.0641
5.104
.000
1.0233
Table 1: Study 1 - Online vs. Offline stores In this first study, we did not control for reputation of the stores and satisfaction with past outcome as we test perceptions regarding the same store. Their buying decision itself may have been dependent on the trust in the stores themselves.
However the data collected on the
perceptions of privacy and security provides us a good basis to refines scales for the later study. Generally items with high loadings on the intended factor and no substantial cross-loadings were retained. Based on this it was decided that PRIV3, SEC6, TRUST3 and TRUST5 variables in the online store data, could be eliminated to provide for better measurement properties. For construct validity, the path findings and the loadings in PLS analysis are presented below in table 2.
While the diagonals (bolded) are consistently greater than the off-diagonals, indicating
acceptable construct validity, some items have loadings below 0.7, suggesting further revision of some of the items. Construct
Items
Latent constructs SEC
PRIV
TRUST
Perceived SEC1
0.762
0.471
0.753
SEC2
0.839
0.568
0.436
SEC3
0.803
0.450
0.486
SEC4
0.614
0.320
0.191
SEC6
0.558
0.291
0.158
Security
26
SEC7
0.930
0.651
0.394
Perceived PRIV1
0.551
0.654
0.206
PRIV2
0.233
0.445
-0.092
PRIV4
0.452
0.691
0.113
PRIV5
0.315
0.550
0.311
PRIV6
0.511
0.837
0.369
PRIV7
0.151
0.566
0.351
TRUST1 0.436
0.240
0.870
TRUST2 0.344
0.272
0.810
TRUST4 0.579
0.407
0.774
TRUST5 0.401
0.187
0.651
Privacy
Trust
Table 2: Study 1 - Loadings in PLS Analysis for online stores Table 3 shows the inter-construct correlations, AVE and CREL for this study. As observed, the bold diagonals are larger than the off-diagonals, ensuring reliability. Inter-construct correlations Construct
AVE
CREL
SEC
PRIV
SEC
0.580
0.890
PRIV
0.404
0.797 0.626**
0.636
TRUST
0.609
0.861 0.588**
0.372*
TRUST
0.762
0.781
Table 3: Study 1 - Correlation between constructs for online stores Although the goal of the first study was not to establish any causal paths, even without controlling for reputation and satisfaction with past outcomes, the results still support our conceptual model. While our results show that perceived privacy and perceived security of online transactions are indeed distinct constructs, it also appears that while perceived security is well correlated with trust (table 4), perceived privacy influences trust primarily through perceived security that acts a mediating variable. 27
This implies that consumers’ perceive the
items in the construct of perceived privacy to be important determinants of trust but they may see it as being operationalized through their perceptions of security in the online transaction. Link
Path coefficient (t-stat)
Privacy Æ Security
0.626 (8.574**)
Privacy Æ Trust
0.007 (0.032)
Security Æ Trust
0.584 (3.334**)
R-square 0.392 0.346
* sig @ .05 ** sig @ .01 n=40 Table 4: Study 1 - Path findings via PLS analysis for online stores
3.5 Study 2 Based on study 1, the scales were refined to finally come up with a set of 7 questions for perceived privacy, 6 questions for perceived security, and 3 questions for measuring trust. Participants were asked to rate the perceived privacy and perceived security they would expect from a prospective transaction with specified online store. To increase generalizability a sample was chosen to consist of two groups, consisting of both graduate (3 MBA cores – a total of 198 students) and undergraduate business students (2 senior electives – 114 students), and thus increasing the heterogeneity of the sample. A $200 reward was announced as a raffle prize for completing the survey, 128 graduate (response rate – 64.6%) and 51 undergraduate (response rate – 44.7%) students (total 179) responded to this online questionnaire. Study 2 was designed to control for the effect of store reputation and satisfaction with past outcomes that are discussed earlier as important antecedents of trust in buyer-seller relationships [Ganesan, 1994 #43;Jarvenpaa, 2000 #56]. While satisfaction with past outcomes was expected to vary adequately among the study participants, store reputation was manipulated by presenting two different online stores to the respondents. A concern was to choose stores with reputations such 28
that a high level of variance was possible for this control variable. Therefore a pilot study was conducted to identify familiar and known stores versus unfamiliar and unknown stores based on two items adapted by the standard scales found in the Marketing Scales Handbook [Bruner, 1992 #16]. A sample of 150 graduate students from the same business school rated 5 different online stores for the two familiarity items. From this pilot study, two stores emerged that had high variance and significantly different familiarity scores. Buy.com (www.buy.com) had a mean value of 4.7 on a 7-point scale (STD=2.1), while PCNation.com (www.pcnation.com) had a mean of 2.1 (STD=2.0). Therefore, half of the respondents were presented a hypothetical scenario where the target store was Buy.com, and the other half was given PCNation.com. Manipulation check showed a significant difference (p
