Decision Support Systems 48 (2010) 635–645


Understanding compliance with internet use policy from the perspective of rational choice theory

Han Li a,⁎, Jie Zhang b, Rathindra Sarathy c

a Minnesota State University Moorhead, USA
b Virginia State University, USA
c Oklahoma State University, USA

Article info

Article history: Received 19 March 2009; received in revised form 10 October 2009; accepted 10 December 2009; available online 16 December 2009

Keywords: Internet abuses; Internet use policy; Rational choice; Cost benefit analysis

Abstract

Current studies on compliance with security policies have largely ignored the impact of the perceived benefits of deviant behavior, personal norms, and organizational context. Drawing on the literature in criminology, this paper applies rational choice theory to examine how employees' intention to comply with Internet use policy is driven by cost–benefit assessments, personal norms and organizational context factors. The results indicate that employees' compliance intention is the result of competing influences of perceived benefits, formal sanctions, and security risks. Furthermore, the effect of sanction severity is found to be moderated by personal norms. © 2009 Elsevier B.V. All rights reserved.

1. Introduction

In recent decades, companies have increasingly leveraged the Internet to enhance their internal and external connectivity. Accompanying the well-known benefits of the use of Internet technology in the workplace are new threats such as increased security risks and improper use. Internet abuses by employees at the workplace are a real concern to nearly all companies and include various non-work-related Internet activities such as checking personal e-mails, browsing non-work-related Web sites, chatting online, gaming, investing, shopping, or even getting involved in cybercrimes. “The International Data Corp. estimated that 30% to 40% of employee Internet use isn't work related” [39]. Eighty-seven percent of employees have used the Internet for personal purposes while at work and, of this proportion, 53% browse the Internet for personal purposes on a daily basis [44]. It is estimated that companies lose $54 billion annually as a result of lost productivity from Web surfing [1]. These non-work-related Internet activities not only reduce the productivity of employees but also open the door to a wide spectrum of security breaches such as viruses and spyware. According to Sophos, in 2007, the Web became the primary route for the spread of malicious code [42]. Sophos discovered one new infected webpage every 14 s, or 6000 a day in 2007. It has become critically important for companies to safeguard their Internet communications and regulate the Internet usage of their employees.

⁎ Corresponding author: H. Li. doi:10.1016/j.dss.2009.12.005

An Internet use policy (IUP), an important type of security policy, is adopted by most companies to reduce Internet use for non-work-related purposes [51]. For example, Websense, Inc., an Internet access management company, surveyed 224 companies in 2001 and found that 83% of them have adopted Internet use policies [51]. Despite the wide deployment of IUP in companies, the scope of Internet misuse is still on the rise [19]; more than 50% of the companies deemed their Internet use policy to be ineffective [51]. Non-compliance is a major issue. The purpose of the current study is to apply one of the leading sociological explanations of deviant behaviors, namely rational choice theory [3,32], to Internet abuses in the workplace. The current undertaking can make an important contribution to understanding compliance with IUPs.

In this study, we employ the rational choice perspective to examine the factors influencing IUP compliance. In particular, our research questions center on 1) major costs and benefits that factor into employees' intention to comply with the IUP (compliance intention), 2) the relationships among these factors, and 3) mechanisms that could facilitate IUP compliance. Part of our motivation is to better understand the efficacy and potential limitations of formal sanctions on IUP compliance. We are particularly interested in whether the effect of formal sanctions depends on personal moral norms about non-work-related Internet usage in organizations.

The results of our study suggest that employees' IUP compliance intention is affected by both the perceived benefits of Internet abuses and the perceived costs of non-compliance, including formal sanction risks and potential Internet security risks. Despite support for the deterrent effect of those two cost factors, our research shows that their effect is not as strong as the effect of perceived benefits and personal norms against Internet abuses. We also found that the effect of formal sanctions is conditioned upon personal norms. Sanction severity only exhibits a deterrence effect for those with very low personal norms and could erode the compliance intention of those with moderate to high personal norms against Internet abuses at the workplace.

Our study has important implications for organizations that seek to reduce Internet abuses in the workplace. It suggests that companies can rely on three approaches to increase IUP compliance. First, organizations can nurture voluntary compliance through enhancing personal norms against Internet abuses. Second, they can rely on Internet security awareness campaigns and make employees aware of the growing threats from using the Internet. Third, organizations can resort to the deterrence effect of sanction probability by making employees aware of the implementation of surveillance measures for detecting Internet abuses. This study also provides direction for future research by emphasizing the importance of moral factors and the context of the organization in which security policies are enforced.

The remainder of the document is structured as follows: in the next section, we review the literature and use the rational choice framework to understand the IUP compliance decision as a cost–benefit analysis bounded by personal moral factors and organizational context. In the following section, we propose our research model, its theoretical underpinnings and hypotheses. Next, we describe our research methodology, followed by a discussion of the findings of this study. Finally, we conclude with major findings, limitations, contributions, implications, and future research directions.

2. Prior research and theoretical foundation

2.1. Prior research on individual security policy compliance

Various theories have been applied to examine individual security policy compliance in the workplace, for example, general deterrence theory [31], protection motivation theory [31], and agency theory [22] among others. Table 1 compares existing studies on individual policy compliance. As Table 1 shows, there are a limited number of theory-based empirical studies on security policy compliance by individual employees, suggesting the early research stage of individual security policy compliance [22]. Most of these studies are based on general deterrence theory and/or protection motivation theory, focusing on fear-based mechanisms, i.e. the fear of formal sanctions and threats to the organization's security [22,23,31,40]. General deterrence theory emphasizes the effect of formal sanctions in motivating employees to follow organizational policies. Herath and Rao [22] found that formal sanctions increase security policy compliance. Protection motivation theory focuses on the effect of threat appraisals and coping appraisals. In the context of security policy compliance, threat appraisals are an individual's assessment of the level of security risks and coping appraisals refer to one's assessment as to whether one is capable of complying with security policies and whether such compliance is effective in reducing security risks [40]. Siponen et al. [40] extended protection motivation theory to explain IS security policy compliance and suggested that perceived threats to the organization's security influence employees' intention to comply with security policies. However, Pahnila et al. [31] integrated general deterrence theory and protection motivation theory and found that formal sanctions fail to have a significant impact on security policy compliance intention.

Moreover, the effectiveness of formal sanctions is arguable. Studies in criminology have challenged the efficacy of formal sanctions [29,32,43,49]. First, formal sanctions increase the cost of policy enforcement [30,43]. The implementation of formal sanctions requires considerable investment in surveillance technology or personnel to detect deviant behaviors. Second, formal sanctions and monitoring may negatively influence trust and morale [29]. Third, recent findings in criminology suggest that moral norms may more strongly influence deviant behavior than formal sanctions and the effect of formal sanctions may be moderated by personal moral norms and social influences [32,49].

Formal sanctions and the fear of security risks to the organization have provided only a partial explanation of why non-compliance with security policies occurs. Research that applies various social-organizational perspectives to this phenomenon is particularly limited [13,22]. Herath and Rao [22] used agency theory to explain compliance with information security policy and considered not only penalties but also the social pressure of relevant others and the perceived effectiveness of one's security behaviors. Chan et al. [7] adopted organizational climate theory and examined the effect of the organization's information security climate on security policy compliance.

From the above, we see that prior studies have provided significant but partial insights as to why non-compliance with security policies occurs. They have largely ignored the effect of the perceived benefits of deviant behaviors, moral values, and the conditions for formal sanctions to be effective. Potential benefits from deviant behaviors could be the major reason for poor compliance with security policies, as recognized by findings in recent research in criminology [32]. In this study we will apply one such theory from criminology, rational choice theory, refined by Paternoster and Simpson [32] to deviant behaviors in the workplace. The theory provides a comprehensive perspective on corporate deviant behaviors by considering the cost–benefit analysis of individual offenders, the effect of moral beliefs, and the organizational context.

In the subsections below, we first give an overview of the rational choice theory of corporate crime developed by Paternoster and Simpson [32]. Then, we elaborate on the cost–benefit factors influencing security policy compliance and further discuss the impact of personal moral beliefs and organizational context factors on decisions to comply with security policies.

Table 1. Theory-based empirical studies in individual security policy compliance.

Literature: Chan et al. [7]
Theories used: Organizational climate
Research focus: Impact of organizational information security climate on employee's compliance behavior

Literature: Herath and Rao [22]
Theories used: General deterrence theory; Agency theory
Research focus: Impact of intrinsic and extrinsic motivations on employee's policy compliance intention; penalty/sanction is considered an extrinsic motivation; sanction supported

Literature: Herath and Rao [23]
Theories used: General deterrence theory; Protection motivation theory
Research focus: The impact of protection motivation, deterrence, and organization commitment on employee's policy compliance intention

Literature: Pahnila et al. [31]
Theories used: General deterrence theory; Protection motivation theory
Research focus: The impact of positive enforcement and negative enforcement on employee's compliance intention and behavior; sanction, coping appraisal, and threat appraisal are considered negative enforcement; sanction not supported

Literature: Siponen et al. [40]
Theories used: Protection motivation theory
Research focus: The impact of coping appraisal and threat appraisal on employee's compliance intention and behavior

Potential research gap or opportunities (all studies): Limited theory-based empirical studies; inconsistent results regarding the impact of sanction [22,31]; some of the fundamental set of constructs have been overlooked, such as perceived benefits of deviant behaviors and personal moral beliefs.

2.2. IUP compliance and rational choice theory

Rational choice theory was originally developed by Becker [5] with the central proposition that offenders weigh the costs and benefits of deviant behaviors in deciding whether to offend. It has been adapted to various contexts to explain deviant behaviors such as income tax evasion, juvenile delinquency, theft, and drunk driving [32]. Paternoster and Simpson [32] further refined the theory to explain corporate crimes. The theory has two basic premises: “(1) that decisions to offend are based on a balancing of both the costs and benefits of offending and (2) that what are important are the decision maker's perceived or subjective expectations reward and cost” [32]. The first premise suggests that individuals evaluate the expected consequences of multiple alternatives and choose the one with the best outcome. The second premise emphasizes that deviant behaviors are choices by individuals based on perceived rewards and costs.

End users are often the weakest link in information security management. It is the deviant behaviors of individual employees that have the biggest impact on the information security of a company. For example, employees can greatly increase a company's exposure to security threats by visiting non-work-related websites, downloading non-work-related software, etc. In this context, individual assessment of the costs and benefits of deviant behaviors and their personal moral beliefs are critical determinants of their policy compliance intention. Therefore, in this study, we look at the Internet abuse issue from an end user's perspective, i.e. how costs and benefits perceived by individual employees and their moral beliefs drive their IUP compliance intention.

The rational choice model by Paternoster and Simpson [32] also provides valuable insights into the effect of the organizational context. Internet abuses in the workplace occur in specific organizational contexts. Until now, only a few studies on computer security and abuses examined the organizational context in which deviant behaviors occur. Chan et al. [8], drawing upon the safety climate literature, found that a strong perception of the organizational security climate helps to curb non-compliant behaviors. Lim [26] focused on organizational justice, suggesting that perceived injustice in the employment relationship will cause employees to rationalize their subsequent engagement in Internet abuses. In this study, we consider two constructs that are tied to the organizational context, including organizational norms and organizational identification.

As shown above, deviant behaviors and security policy compliance are driven by assessments of costs and benefits pertinent to individual employees and are further circumscribed by their personal norms and organizational context factors. A general model is presented in Fig. 1 to illustrate these three types of forces influencing individual employees' intention to comply with information security policies. The specific form of the cost–benefit analysis varies with different types of deviant behaviors [32] and is elaborated in detail in the following subsections in the context of IUP compliance intention.

Fig. 1. General conceptual model.


2.3. Cost–benefit analysis

Rational choice theory suggests that cost–benefit analyses should inhibit or drive employees' IUP compliance. Employees are likely to abuse the Internet access if the risks can be justified by the perceived benefits of the Internet abuses. The risks of Internet abuses to individual employees include the possibility of formal and/or informal sanctions, or social censure from important others such as family members, friends, and colleagues. Also, Internet abuses can expose employees' computers and data to additional security risks. The benefits of Internet abuses could be the savings in cost and time over using private Internet access, convenience, or emotional benefits such as making the work life more interesting [35].

2.4. Personal norms

In addition to cost–benefit analyses such as above, the decision to commit Internet abuses can be influenced by an employee's personal norms regarding the deviant act. Personal norms are not part of the cost–benefit analysis and can exert an independent role in eliciting compliant behaviors [32]. At the same time, they may restrict the effect of factors that enter into the cost–benefit analysis [32]. Some employees may refrain from Internet abuses simply because they believe it is wrong to use the Internet access provided by the organization for personal purposes. Therefore, under strong personal norms against Internet abuses, the cost–benefit analysis will have minimal impact on compliant behavior. Conversely, in the presence of weak personal norms against Internet abuses, sanctions and security threats may need to be emphasized to ensure policy compliance.

2.5. Organizational context factors

We also considered two organizational factors that may indirectly or directly influence employees' IUP compliance intention: organizational norms and organizational identification. Organizational norms and organizational identification may play an important role in formulating the personal norms of individual employees. Organizational norms about Internet abuses are defined here as moral standards related to using the organization's Internet access for personal purposes. Organizational norms are shared by most of the people in an organization. Previous studies suggest that internalization of external normative beliefs [24,49] leads to personal moral standards or personal norms. Organizational norms, as external normative beliefs, are likely to become part of an employee's internal personal norms when the employee identifies himself or herself as a member of the organization.

3. Research model

In this study, IUP compliance is examined as a cost–benefit-based behavior influenced by personal norms and organizational context factors. The following subsections propose the research model (Fig. 2) and hypothesize the relationships between constructs. The research model depicts how employees' intention to comply with the Internet use policy is driven by a tradeoff assessment of the risks and benefits of Internet abuses and how the cost–benefit analysis competes with and/or is bounded by the effect of personal moral norms and organizational context factors. The model suggests that employees' IUP compliance intention will increase when 1) employees perceive high threats from formal or informal sanctions or high security risks to their computer or data and 2) employees have high personal norms against Internet abuses. IUP compliance intention may be reduced when employees hold strong benefit beliefs about Internet abuses. The model also suggests that personal norms against Internet abuses can be enhanced by the joint effect of organizational norms and organizational identification. The following subsections illustrate each of the approaches and its impact on behavioral intention to comply with the Internet use policy.

Fig. 2. Research model. Legend: positive effect, negative effect.

3.1. Formal sanctions

The role of formal sanctions has been widely examined using deterrence theory and has received some support in several IS studies. Deterrence has been suggested as the primary mechanism for reducing computer abuses and combating software piracy [34] in organizations. Rational choice theory also affirms formal sanctions as important instruments for deterring deviant behaviors [32,49]. Deterrence mechanisms consist of two dimensions: detection probability (or sanction certainty) and sanction severity [49]. These two dimensions are both related to an individual's perception rather than the actual detection probability and sanction severity level.

In our research context, detection probability is employees' perception of the probability that they will be caught if they use the Internet access provided by the organization for personal purposes. It is a type of perceived risk of being caught committing Internet abuses. Prior studies have found that a low level of detection probability is related to increased frequency of employee theft [25] and software piracy [34]. High perceived detection probability tends to decrease the attractiveness of Internet abuses. Employees are more likely to abide by the IUP when they perceive a high likelihood of being caught for committing Internet abuses. Therefore,

H1. Perceived detection probability has a positive impact on IUP compliance intention.

According to rational choice theory, perceived sanction severity also plays an important role in deterring deviant behaviors. A high level of perceived severity of formal sanctions tends to increase the perceived cost of deviant behaviors and counteracts the attractiveness or benefits of deviant behaviors. So, a high level of perceived severity of formal sanctions may drive the net effect of the cost–benefit analysis in favor of IUP compliance. In other words, when employees perceive a severe level of punishment for Internet abuses, they are likely to have a high IUP compliance intention. Therefore,

H2. Perceived sanction severity has a positive impact on IUP compliance intention.

3.2. Informal sanctions

Besides formal sanctions, the rational choice theory of corporate crime also emphasizes the effect of informal sanctions, i.e. social censure from friends, family, and other people who are important to the employee. Informal sanctions reflect the extent of social influence from those who are important to potential offenders. Subjective norms, one form of social influence, have received considerable attention in the IS literature on technology acceptance [45]. Subjective norms, as perceived pressure to meet the expectations of important others, were found to have a direct compliance effect on technology acceptance intention when the use of the computer system was mandatory [45]. In the context of this study, subjective norms are defined as an employee's subjective beliefs about the extent of disapproval for deviant behaviors among those who are important to the employee. These norms are expected to directly influence employees' decisions to comply with the IUP, as policy compliance is mandatory. If an employee believes that important others disapprove of Internet abuses and will look down on him or her for abusing the Internet, s/he is more likely to follow the Internet use policy. Therefore,

H3. Subjective norms against Internet abuses have a positive impact on IUP compliance intention.

3.3. Perceived security risks

Perceived security risks are defined as the perceived level of Internet security risks in the workplace. In recent years, the Internet has been embraced as the primary platform for virus attacks. Accessing non-work-related Web sites in the workplace increases the chance of an individual employee's computer or data falling victim to Internet security breaches. So, perceived security risks may act as another fear-based mechanism that increases the cost of committing Internet abuse. Woon et al. [50] found that users of home PC wireless networks tend to turn on security features when they perceive a severe level of security risk. In the context of security policy compliance, employees who perceive high security threats from the Internet to their computer or data should be more likely to take precautions in Internet usage at the workplace and more inclined to follow the Internet use policy. Therefore,

H4. Perceived security risks have a positive impact on IUP compliance intention.

3.4. Perceived benefits of Internet abuses

According to rational choice theory, potential offenders perform a cost–benefit analysis. Benefits act as intrinsic or extrinsic motivation for employees to commit Internet abuse. For example, Websense, Inc. [47] reported high employee traffic to Web shopping sites on the Monday after Thanksgiving holiday as it “saves employees the time and hassle of having to visit a shopping mall, while allowing them to make convenient purchases directly from their desktop.” Convenience was perceived to be a significant benefit of non-work-related Internet use [35]. Some employees also visit non-work-related Web sites for entertainment purposes such as downloading music and gaming. These perceived benefits of Internet abuses may override the effect of sanctions and security threats, and lead to non-compliance with the Internet use policy. Therefore,

H5. Perceived benefits of Internet abuses have a negative impact on IUP compliance intention.

3.5. Personal norms

In addition to the cost–benefit analysis, rational choice theory places strong emphasis on the effect of personal norms; that is, decisions to commit deviant behaviors are also subject to moral considerations. Examining policy compliance using only a cost–benefit analysis is unlikely to provide an accurate picture. Criminology research has shown that personal norms or moral standards are strong determinants of an individual's intention to commit deviant behaviors such as corporate crimes [32] and tax evasion [49]. In this study, personal norms refer to an employee's own moral standards about Internet abuse. If an individual believes that it is morally wrong for him or her to commit Internet abuses, s/he tends to form a positive intention toward following the Internet use policy. Therefore,

H6. Personal norms against Internet abuses have a positive impact on IUP compliance intention.

To a certain extent, personal norms define what behaviors are permissible and what behaviors are taboos. Behaviors that are deemed permissible are also subject to further cost–benefit assessments while taboos are “strongly inhibited by notions of morality,” leaving minimal room for cost and benefit factors to take effect [32]. This implies that the effect of formal sanctions is conditioned on personal norms. Strong personal norms against deviant behaviors could make the effect of deterrence superfluous. Formal sanctions are only effective for people who do not have strong ethical objections to deviant behaviors. This potential moderating effect of personal norms on formal sanctions has been supported by the criminology literature [32,41,49]. For example, perceived probability of detection was found to have a stronger inhibitory effect on tax evasion for individuals who regard tax evasion as acceptable and exert a weaker effect for those with strong personal norms against tax evasion [41]. Similar results were found in the context of corporate crimes by Paternoster and Simpson [32]. In this study, we expect that personal norms against Internet abuses delimit or interact with the effect of formal sanctions. Therefore,

H7. Under strong personal norms against Internet abuses, perceived detection probability has no (or weaker) effects on IUP compliance intention; but under weak personal norms, perceived detection probability will strongly increase IUP compliance intention.

H8. Under strong personal norms against Internet abuses, perceived sanction severity has no (or weaker) effects on IUP compliance intention; but under weak personal norms, perceived sanction severity will strongly increase IUP compliance intention.

3.6. Organizational norms and organizational identification

Rational choice theory also notes the influence of organizational context factors on an employee's intention to commit deviant behaviors. Organizational norms and organizational identification are two such factors. Organizational norms pertain to the moral climate of an organization for approval or disapproval of Internet abuses. Many studies have found that organizational norms influence employees' involvement in deviant behaviors such as theft and absenteeism [25]. Organizational norms may have a primarily indirect impact on policy compliance intention through personal norms. Organizational norms, as one type of social norms, can be incorporated into one's own belief structure through the process of internalization [24,48]. That is, organizational norms can be an important information source for individuals in shaping their personal moral views and be internalized as part of an individual's personal norms. If most people in an organization are not tolerant of Internet abuses, an individual employee in the organization is more likely to form personal norms against Internet abuses. Conversely, when most people in the organization approve of Internet abuses, an employee tends to have weak personal norms against such abuses. Therefore,

H9. Organizational norms against Internet abuses have a positive impact on personal norms against Internet abuses.

Organizational identification is “one form of psychological attachment that occurs when members adopt the defining characteristics of the organization as defining characteristics for themselves” [16]. Organizational identification leads to a sense of attachment, belonging, and pride in being an organizational member. Individuals who identify strongly with an organization tend to think from an organization's perspective [16]. To this end, employees with high organizational identification are likely to view Internet abuses as unethical. Therefore,

H10. Organizational identification has a positive impact on personal norms against Internet abuses.

3.7. Control variables

In addition to the core constructs mentioned above, we also controlled for four variables that might influence employees' intention to comply with Internet use policy: gender, Internet experience, the existence of Internet monitoring practices in the company, and awareness of any employees being disciplined for violating Internet use policy. Internet experience is related to one's ability to use the Internet and may influence one's tendency to abuse Internet access in the workplace as well. The existence of Internet monitoring practices and the awareness of disciplined employees are likely to increase one's intention to follow the Internet use policy.

4. Methodology

4.1. Study design and procedure

The research model was examined using an online survey sent out to an industrial panel consisting of organizational employees. All survey respondents in the panel are anonymous to researchers and were contacted through Zoomerang.com. Subjects were notified of the purpose of the study and the voluntary nature of their participation. As the focus of our study is on IUP compliance, we included only employees in organizations with an Internet use policy. So, all participants were required to answer two filter questions about whether they use the Internet in the workplace and whether they are aware of any IUP in their organization. Only those who answered “Yes” to both filter questions proceeded to answer the rest of the questions in the survey. There were a total of 246 usable responses.

4.2. Variable measurement

Most of the instruments were drawn from previous research and re-worded slightly for our research context, i.e. IUP compliance.


Detection probability, sanction severity, and subjective norms were measured using items from Peace et al. [34]. Perceived security risks from Internet breaches consisted of four items from Rhee et al. [38]. The instrument measuring perceived benefits was adapted from the perceived consequence scale developed by Pee et al. [35]. The perceived consequence scale in Pee et al. [35] consists of seven items measuring perceived negative consequences and five items measuring perceived benefits (advantages) of using the Internet for non-work-related purposes. Among the five perceived benefit items, only convenience was found to be significant in the study by Pee et al. [35]. To assess the content validity of items measuring perceived benefits, we interviewed seven experienced observers of non-work-related Internet usage in the workplace. Each of them commented on the appropriateness of the five items for measuring perceived benefits and answered a belief elicitation question to identify potential missing items to ensure measuring the full domain of the construct. The belief elicitation question was “What do you see as other benefits of using the Internet access provided by the organization for non-work-related purposes?” At the end of the interview and belief elicitation process, four perceived benefits items were retained in this study: 1) saving personal time; 2) saving personal expense; 3) convenience; and 4) a more interesting work life. No other benefits were suggested and/or agreed upon by two or more interviewees. Personal norms and organizational norms were modified after those developed by Wenzel [49]. Organizational identification was measured using items developed by Gautam et al. [20] and Wenzel [49]. IUP compliance intention was measured using scales developed by Limayem et al. [27] and Peace et al. [34].
The perceived benefit scale was implemented as a formative instrument, as an increase in one item is not necessarily associated with an increase in the rest of items in the instrument. For example, in the perceived benefit scale, an increase in convenience does not necessarily go together with an increase in other types of perceived benefits such as more interesting work life and saving money. The other eight scales were operationalized as reflective ones. All constructs were measured using five-point Likert scales. The detailed measures for each construct are listed in the Appendix.

5. Data analysis

Partial least squares (PLS) analysis, a component-based structural equation modeling (SEM) technique, was used to analyze our measurement model and test the research hypotheses. There are two reasons for using PLS. First, PLS has minimal demands for sample size and residual distributions [10]. Second, PLS is more amenable for handling formative constructs, such as the perceived benefit construct in our model, than covariance-based SEM techniques such as LISREL.

5.1. Demographic characteristics

Table 2 shows that 56% of the survey respondents are male and 44% are female. Their average age is in the range of 30–49 years. The majority of them (97%) have used the Internet for more than 6 years. These employees hold different types of job positions including managerial, professional, technical, sales, and clerical. The firm sizes show a good coverage of small, medium-sized and large firms. These demographic characteristics suggest that our sample is quite heterogeneous, which helps to increase the external validity of our study.

5.2. Measurement model

We examined the measurement quality of the two types of constructs, formative and reflective, separately by following different procedures. In this section, we will first report the measurement quality of the formative construct and then the reliability and validity of the other eight reflective constructs.

The measurement quality of perceived benefits was assessed following the suggestions by Chin [9] and Diamantopoulos et al. [14]. We first examined the correlations among measurement items for this formative construct. The absolute correlations vary from 0.18 to 0.57 among the four items measuring perceived benefits. These relatively low correlations suggest that the perceived benefit construct is better represented as a formative construct; a reflective construct would show extremely high correlations among its measurement items (often above 0.8) [33]. We further assessed the strength of the relationship between the formative construct and its measurement items. For perceived benefits, “interesting work life” has a significant path coefficient (or PLS weight) (Fig. 3) while the other three items do not. The variance inflation factor (VIF) was then computed to assess multicollinearity among the four measurement items. VIF values above 10 would suggest the existence of excessive multicollinearity and raise doubts about the validity of the formative measurement [14]. The VIF values varied from 1.4 to 2.0 for the four items measuring perceived benefits. Therefore, multicollinearity is not a concern in this study. According to Mathieson et al. [28], formative constructs may contain non-significant indicators, especially in the absence of multicollinearity. Retaining insignificant indicators is also recommended by Bollen et al. [6] to sustain the content validity of constructs. Therefore, to maintain the content domain of perceived benefits, we decided to keep all items including non-significant ones in the following data analysis.

The measurement quality of the eight reflective scales was assessed based on their convergent validity, reliability, and discriminant validity. Convergent validity is suggested if factor loadings are 0.60 or higher [4] and each item loads significantly on its latent construct [21]. All items loaded with significant t-values on their respective latent constructs and have loading values above 0.60; therefore, all these reflective scales exhibit sound convergent validity (Table 3). We then examined the reliabilities of these constructs using composite reliability (CR) and average variance extracted (AVE). A scale is considered reliable if it has CR above 0.7 and AVE above 0.5 [4]. As shown in Table 3, all the reflective scales were reliable. To establish discriminant validity, we examined both the loading and cross-

Table 2 Demographic characteristics. Employee characteristics Gender

Age (year)

Male 56%
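The measurement checks described in Section 5.2 (VIF below 10 for the formative items; loadings of at least 0.60, CR above 0.7 and AVE above 0.5 for the reflective scales) can be reproduced with the standard textbook formulas, as in the following added example, which is not the authors' analysis code. The correlation matrix and loadings are constructed for illustration and are not the study's data; the function names are hypothetical.

```python
# Constructed inputs only; standard formulas, assumed rather than taken from the paper.

def invert(matrix):
    """Gauss-Jordan inversion with partial pivoting (pure Python)."""
    n = len(matrix)
    aug = [list(map(float, row)) + [float(i == j) for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular matrix: items are perfectly collinear")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def vif(corr):
    """VIF of item j = j-th diagonal entry of the inverse correlation matrix."""
    inv = invert(corr)
    return [inv[i][i] for i in range(len(corr))]

def ave(loadings):
    """Average variance extracted: mean squared standardized loading."""
    return sum(l * l for l in loadings) / len(loadings)

def composite_reliability(loadings):
    """CR = (sum l)^2 / ((sum l)^2 + sum(1 - l^2))."""
    s = sum(loadings) ** 2
    return s / (s + sum(1 - l * l for l in loadings))

def check_formative(corr, vif_limit=10.0):
    """True when no item reaches the VIF limit quoted in the text."""
    return all(v < vif_limit for v in vif(corr))

def check_reflective(loadings, min_loading=0.60, min_cr=0.7, min_ave=0.5):
    """Apply the loading, CR and AVE thresholds quoted in the text."""
    return (min(loadings) >= min_loading
            and composite_reliability(loadings) > min_cr and ave(loadings) > min_ave)

# Constructed 4-item correlation matrix (off-diagonals within 0.18-0.57).
ITEM_CORR = [[1.00, 0.45, 0.57, 0.18],
             [0.45, 1.00, 0.40, 0.25],
             [0.57, 0.40, 1.00, 0.30],
             [0.18, 0.25, 0.30, 1.00]]
LOADINGS = [0.82, 0.77, 0.68]  # constructed standardized loadings
```

A scale can pass the loading rule and still fail on AVE: three items loading at 0.62 each give an AVE of about 0.38, which is why the three thresholds are checked together.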
