impact of cultural differences on privacy and security ... · 5.3.3. the research conclusion 72...
TRANSCRIPT
Impact of Cultural Differences
on
Privacy and Security Concerns of Internet Users
M.Sc. Thesis in Accounting
Swedish School of Economics and Business Administration
2001
The Swedish School of Economics and Business Administration
Department: Accounting
Type of document: Thesis
Title: Impact of Cultural Differences on Privacy and Security
Concerns of Internet Users
Written by: Jiriya Rattanapongpaisan
Abstract:
In the globalization era, information technology and understanding of cross-
cultural differences are considered the key for business accomplishment. While
people are getting more familiar with information technology, their concerns
regarding privacy and security of personal information given to the Web have risen.
Udo’s survey research revealed that the privacy and security concerns are the major
barriers for e-commerce. I use his study as a foundation for my research and I
extended the scope to examine the impact of cultures. The objective of my study is to
examine how cultural differences affect one’s awareness of the privacy and security
when using Internet. The research method involves distributing the questionnaires to
ask participants to express their views regarding online privacy and security issues.
Many questions in the questionnaire are based on Udo’s, and I develop additional
questions to examine the participants’ characteristics and culture. The target groups of
participants are university students who are familiar with the Net. Also, the selected
countries for this study are Finland and Thailand.
As for the research result, it is interesting and somewhat varies from what I
expected. I anticipated seeing the differences of the participants’ characteristics, but
the actual responses showed that the cultures of the two studied countries, Finland and
Thailand, are not significantly different. One possible reason is that due to the global
use of the Internet, today’s online consumers share many common characteristics and
their attitudes are not obviously different. In addition, based on the linear regression
analysis, I found that the cultural influences are not strong enough to perfectly
describe the online consumer behavior. However, it is worth noting that the cultural
differences seem to have a certain impact on Internet consumers’ attitudes.
Searchwords: Computer security, Privacy, Cultural differences, Online consumer
behavior
Table of contents
1. Introduction 1
1.1. The research background 1
1.2. The research objective 2
1.3. The structure of study 2
2. Analysis of threat to security on Internet and control 4
2.1. Chapter structure 4
2.2. Types of Internet uses 4
2.2.1. Electronic messaging 4
2.2.1.1. Electronic mail (e-mail) 4
2.2.1.2. Public messaging 5
2.2.2. Browsing 5
2.2.3. Trading transactions 6
2.2.3.1. Electronic order 6
2.2.3.2. Electronic payment 6
2.2.3.3. Electronic product delivery 7
2.3. Current state of the art in computer security technology 7
2.3.1. Cryptography 7
2.3.2. Digital signature 8
2.4. Computer security attributes 9
2.4.1. Confidentiality 9
2.4.2. Integrity 9
2.4.3. Privacy 9
2.4.4. Availability 9
2.5. Analysis of threats to confidentiality and controls 10
2.5.1. Possible threats to confidentiality 10
2.5.1.1. Eavesdropping 11
2.5.1.2. Interference 11
2.5.1.3. Hacking 11
2.5.2. Security controls for confidentiality 12
2.5.2.1. Security controls for confidentiality of electronic
messaging 12
2.5.2.2. Security controls for confidentiality of trading
transaction 13
2.6. Analysis of threats to integrity and controls 15
2.6.1. Possible threats to integrity 15
2.6.1.1. Code modification 16
2.6.2. Security controls for integrity 16
2.6.2.1. Security controls for integrity of electronic messaging 16
2.6.2.2. Security controls for integrity of browsing 17
2.6.2.3. Security controls for integrity of trading transaction 17
2.7. Analysis of threats to privacy and controls 17
2.7.1. Possible threats to privacy 18
2.7.1.1. Unsolicited commercial e-mail 19
2.7.1.2. Conversation record 20
2.7.1.3. Cookies 20
2.7.2. Security controls for privacy 20
2.7.2.1. Security controls for privacy of electronic messaging 20
2.7.2.2. Security controls for privacy of browsing 21
2.7.2.3. Security controls for privacy of trading transaction 23
2.7.3. Related law and regulations 24
2.8. Analysis of threats to availability and controls 27
2.8.1. Possible threats to availability 28
2.8.1.1. Interruption 28
2.8.2. Security controls for availability 28
2.9. Summary 30
3. Influence of culture on privacy and security concern 33
3.1. Chapter structure 33
3.2. Definition of culture 33
3.3. Cultural dimensions 34
3.3.1. External adaptation 36
3.3.1.1. Uncertainty avoidance dimension 37
3.3.2. Internal integration 41
3.3.2.1. Human nature dimension 42
3.3.2.2. Individualism versus Collectivism dimension 42
3.3.3. Linking assumption 46
3.3.3.1. Physical and personal space dimension 47
3.4. Summary 47
4. Internet security and culture influence in studied countries 56
4.1. Chapter structure 56
4.2. Basic background of studied countries 56
4.2.1. Finland 56
4.2.1.1. Brief history of the nation 56
4.2.1.2. Religion 57
4.2.1.3. Population and other interesting facts 57
4.2.2. Thailand 58
4.2.2.1. Brief history of the nation 58
4.2.2.2. Religion 58
4.2.2.3. Population and other interesting facts 59
4.2.3. The United States of America 59
4.2.3.1. Brief history of the nation 59
4.2.3.2. Religion 60
4.2.3.3. Population and other interesting facts 60
4.3. Uncertainty avoidance analysis 61
4.4. Human nature analysis 62
4.5. Individualism versus Collectivism analysis 63
4.6. Physical and personal space analysis 64
4.7. Summary 65
5. Previous research 68
5.1. Chapter structure 68
5.2. Previous study about barriers to electronic commerce 69
5.2.1. The research framework 69
5.2.2. The research result 69
5.2.3. The research conclusion 70
5.3. Previous study about online privacy concerns 70
5.3.1. The research framework 70
5.3.2. The research result 71
5.3.3. The research conclusion 72
5.4. Previous study about privacy concerns as barriers for e-commerce 72
5.4.1. The research objective 73
5.4.2. The research method 73
5.4.3. The research result 73
5.4.4. The research conclusion 74
5.5. Summary 74
6. The research study 75
6.1. Chapter structure 75
6.2. Hypotheses 75
6.3. The research methodology 75
6.3.1. The research variable 75
6.3.2. The sampling population 76
6.3.2.1. Defining population 76
6.3.2.2. The implications for validity and generalization 77
6.3.3. The sample size 78
6.3.4. The sampling method 78
6.3.5. The questionnaire 78
6.3.6. The score measurement 83
6.4. The result of research and interpretation 84
6.4.1. The basic statistic 85
6.4.2. The analysis of cultural differences 88
6.4.2.1. The source of data 88
6.4.2.2. The statistical method 89
6.4.2.3. The statistical result and analysis 89
6.4.2.4. Conclusion 93
6.4.3. The analysis of consumers’ concerns 93
6.4.3.1. The source of data 93
6.4.3.2. The statistical method 94
6.4.3.3. The statistical results and analysis 94
6.4.3.4. Conclusion 98
6.4.4. The analysis of association between cultures and
consumers’ concerns 98
6.4.4.1. The source of data 98
6.4.4.2. The statistical method 98
6.4.4.3. The statistical results and analysis 100
6.4.4.3.1. The association between individual cultural dimension
and consumers’ concerns 101
6.4.4.3.2. The association between all cultural dimensions and
consumers’ concerns 104
6.4.4.4. Conclusion 107
6.4.5. Other results 108
6.5. Summary 111
List of tables
2.1. Summary of Internet security threat and control analysis 32
3.1. Range of uncertainty avoidance index 39
3.2. Range of individualism index 44
3.3. Abbreviations for the countries and regions studied 45
3.4. Summary cultural influences on privacy and security concern 48
3.5. Integrated computer security attributes with cultural dimensions 51
4.1. Summary cultural dimensions effect on security and privacy concern in
studies of different countries 66
5.1. Survey studies conducted by Hanrick Associates and AT&T Lab-Research 71
6.1. Internet security and privacy concern questions and their implications 81
6.2. Cultural differences questions and their implications 82
6.3. The score ranges 83
6.4. Percentage of persons who have e-mail accounts 85
6.5. Cultures mean score and t-test value 90
6.6. Comparing actual uncertainty avoidance results with expectations 91
6.7. Comparing actual human nature results with expectations 91
6.8. Comparing actual individualism results with expectations 92
6.9. Comparing actual space results with expectations 92
6.10. Consumers’ concerns mean scores and t-test value 94
6.11. Comparing actual confidentiality/integrity concerns results with
expectations 96
6.12. Comparing actual privacy concern results with expectations 97
6.13. Linear regression of each cultural dimension and overall concerns 101
6.14. Linear regression of each cultural dimension and C&I concerns 102
6.15. Linear regression of each cultural dimension and privacy concern 103
6.16. Linear regression of all cultural dimensions and overall concerns 105
6.17. Linear regression of all cultural dimensions and C&I concerns 106
6.18. Linear regression of all cultural dimensions and privacy concerns 106
6.19. A rank of the most important concern 110
6.20. The research study conclusion 113
List of figures
3.1. Key dimensions of culture 35
3.2. Underlying cultural dimensions 36
3.3. Country clusters 39
3.4. Individualism score versus 1987 GNP/capita 45
6.1. Set of selected population 77
6.2. Occupations of the participants 85
6.3. Types of e-mail accounts 86
6.4. Online shopping experience 86
6.5. Frequency of shopping online 87
6.6. Consumers’ concerns about personal information security 87
6.7. Opinions about online shopping when concerns are reduced 88
6.8. Opinions about the e-mail policy establishment 108
6.9. Opinions about the e-mail usage monitoring 108
6.10. Opinions about the types of e-mail usage monitoring 109
6.11. Opinions about using work e-mail for personal purpose 109
References
Appendices
Appendix A: Example of questionnaire
Appendix B: Example of Udo’s questionnaire
Appendix C: Opinions on cultural dimensions
Appendix D: Opinions on Internet security concern
Appendix E: Ranked number of concern types
1
1. Introduction
1.1. The research background
To conduct business these days, one considers Internet as a powerful tool to capture
consumers and market segment. Without any doubt, online business is gaining
popularity among businesspersons in terms of promotion and selling goods using a
direct business-to-customer strategy. While online business is remarkably expanding at
a high growth rate, the important issues, which should not be overlooked, arise. The first
issue is customer diversification. Although one can enjoy benefits of using Internet as a
marketing tool in globalization age, one should bear in mind that Internet could not
guarantee that online consumers possess common behavior. The fact is that online
consumers are people in different countries and they tend to have distinct behavior.
Consumers in one country may differ from other countries and this is potentially
because of cultural differences. Culture determines many factors that affect the way of
doing business across countries. That is why there have been the extensive studies about
consumer behavior in different regions or countries, human resource management in
multinational organizations, and how to succeed in cross-culture business.
The second issue involves trust in the net. Consumers may feel more comfortable to
go shopping in the mall than they do when they shop online. This is because they are
concerned about confidentiality and privacy of their personal information, which is
required by the Web sites during ordering and payment processes. As the number of
computer crimes keeps increasing everyday, people become more concerned about the
threats to security of their personal information. The consumers are losing the
confidence to give personal information to Web sites.
Combinations of these two issues together lead to an interesting point. The culture,
which reflects the patterns of values, ideas and behavior of members of a particular
society, tends to have strong influences over the people’s concerns about their privacy
and security. Yet there have been a number of reports and surveys about how online
consumers care about their safety when using the net such as in e-mail, browsing and
shopping. No obvious research about impact of cultural differences on consumers’
concerns for privacy and security issues has been studied so far. However, I shall draw
attention to Godwin J. Udo’s survey study in the U.S., which confirmed that the privacy
2
and security concerns are major barriers to e-commerce. My research was built from his
study. I would like to extend his research and further investigate the relationship
between the cultural issues and consumer concerns. In my opinion, security issues on
the Net are becoming more important and businesspersons should take it more seriously
than they previously have. Knowing effects on cultures will be helpful to
businesspersons to know what customers want and design security policies, which are
appropriate for target countries.
1.2. The research objective
The objective of this study is to examine how cultural differences affect the
awareness of the privacy and security when using Internet.
1.3. The structure of study
To serve the research objective, the structure of this research are divided into two
main parts; theoretical and empirical parts. The theoretical part is presented in chapter
two to five based on the review of related literature; the empirical part is presented in
chapter six.
In chapter two, the current network security knowledge, types of security attributes,
analysis of threat and control for each type of Internet usage including the present
Internet security problems and related law and regulations are presented. This is to
understand the security vulnerabilities and how consumers could protect themselves
against possible threats.
As I aim to study the impact of cultural differences between studied countries on
privacy and security concerns of Internet users, chapter three provides culture theories,
including cultural dimensions that potentially affect privacy and security concern of
people. The expectation of how involving cultural dimensions relate to consumer
behaviors is included as well.
Then I select two countries including Finland and Thailand as examples to determine
cultural differences. I introduce backgrounds of studied countries and how they affect
consumer behavior uniqueness in chapter four. In addition, the United States’ culture is
included as I would like to compare my result with Udo’s which was done in the U.S..
3
In chapter five, I review the previous research, in which the survey result shows that
privacy and security issues are the main barriers to e-commerce. The Udo’s study is
included, since his work inspires me to do further study about the correlation of cultural
influences and Internet users’ awareness of their privacy and security.
Finally, I develop hypotheses based on the literature and previous research, examine
it by using a questionnaire as a survey instrument, and summarize and interpret the
survey result in chapter six.
4
2. Analysis of threat to security on Internet and control
2.1. Chapter Structure
This chapter is dedicated to the important issues about risk and security when using
Internet. I start by providing an overview of different types of how Internet can be used
by online consumers such as e-mail, and Web surfing in section 2.2. I shall note that the
content of this chapter is mainly written in Internet consumer perspective not business
organization perspective. In section 2.3, I present current security technology like
cryptography and digital signature, which are playing important roles in security
engineering nowadays. Basic knowledge of such technology is needed because it will be
mentioned quite often in the latter sections as a foundation of various security
techniques. Next, I analyze threats and how to protect against such threats. In order to
organize the structure of the analysis, the four computer security attributes are presented
and I would provide the further analysis of threats and security procedures for each
attribute. The four computer security attributes consist of confidentiality, integrity,
privacy and availability described in section 2.4 and the analysis for each attribute is
provided in section 2.5, 2.6, 2.7, and 2.8, respectively. In each analysis I describe how
the security attribute is important to Internet consumers, possible threats and control
techniques. Summary of this chapter is also provided in section 2.9.
2.2. Types of Internet uses
The Internet applications provide users with various abilities. Based on how people
use the Internet nowadays, I shall categorize the use of the Internet applications into
three main types as follow;
2.2.1. Electronic messaging
2.2.1.1. Electronic mail (e-mail)
E-mail is an Internet application that provides the ability to write, store,
read, send and forward an electronic message from one system to another. With
today’s technology, people can also attach text files, audio files, graphical
images or video clips with the e-mail. E-mail is asynchronous which means one
can send a message to another, though a receiver is not currently available.
5
Nowadays, E-mail plays an important role in personal, educational and business
usage. In many organizations, especially multinational companies, e-mail
simply replaces the letter and fax since it offers many advantages, such as faster
speed and inexpensive costs.
2.2.1.2. Public messaging
A public board provides users with the ability to create discussion among
predefined groups. The members can post, read and write comments on the
public board of their groups. Thus the confidentiality of a message is less
important as every member can view every message on the board. One can
create his own community or group, and one can be a member of more than one
group as well.
Another obvious use of public messaging is online conversation.
Interactive conversation programs can be classified into two types. First, a
program called ‘Talk’, similar to conversation on the telephone, provides users
with interactive links to others and communicating by typing messages. Second,
a conference program called ‘Chat’ provides users with the ability to choose a
conversation that is currently happening and join in, and one can create his own
conversation as well. Today, many Web sites offer chat rooms for their
customers. The chat room can be classified based on mutual interest, emotion or
career of customers. Some Web sites provide transcript services after the chat is
over. The transcript covers the conversation in particular session. Before it will
be available for people who are interested in the chat, the transcript is edited or
checked for spelling and inappropriate sentences are deleted. In this way, a
conversation is recorded and people, who want to download it, need to contact
the copyright holder to ask for permission to transmit it.
2.2.2. Browsing
Browsing means the ability to locate and access information on the Web, which
is stored in other servers. Information available on the Web can be in text, graphic or
even multimedia. Many organizations extensively provide their data about
themselves, advertisements, customer services and e-mail contacts on the Webs.
There are many popular search engines nowadays such as Yahoo, Lycos, Alta Vista,
6
and Google. Browsing the Web is undoubtedly a timesaving and cost efficient way
to gather information for education and entertainment purposes.
2.2.3. Trading transactions
Business-to-Customer (B2C) and Business-to-Business (B2B) are very common
terms in the Internet world. Both of them hold the similar concept that by using
Internet infrastructure, clients must be able to easily and quickly order products or
make payment online. The Web server is responsible for communicating sales orders
or payments with a real company server, so that delivery of products and receipt of
payment can be instantly processed. I shall note that the B2B transactions are
omitted here because this study focuses on B2C and the scope of work is established
for a practical purpose.
2.2.3.1. Electronic order
In B2C, a vendor advertises price lists, product catalogs, after sales
services, sales discounts and other information in the Web, so that a customer
can check the offers and submit an electronic sales order form. A customer can
search and browse as many commercial Web sites as he wants to find the most
attractive offer. After receiving an order, a vendor checks authenticity of the
customer and sends an electronic invoice back to the customer as a confirmation
of order.
2.2.3.2. Electronic payment
After placing an order and receiving an invoice, the next step is to make
payment. In this process, security procedures are crucial for both the buyer and
seller because it involves sensitive data such as credit card number, and
payment instructions. The occurrence, completeness, accuracy, and timing of
payment are very important in payment processing. Electronic payment can be
categorized into two types. First, the seller receives payment instructions and a
bank card number from the buyer and processes it in a non-Internet-based
payment system on a secured seller’s server. In the second type, payment
instruction is received by the seller and processed by a payment processing
service provider. In this case, a buyer is able to use a bank card, electronic
check or automated clearing house to make payment as a payment service
7
provider is responsible for arranging various processors for different types of
payment.
2.2.3.3. Electronic product delivery
Nowadays, the product delivery is not limited to only a physical
transportation. With e-business model, the goods can also be transmitted to
online consumers via the network. The emerging digital-goods business will
provide software, music, photos, video, and documents that can be produced,
delivered, consumed, and licensed electronically (Kalakota, R, 2001, 94).
2.3. Current state of the art in computer security technology
In this section, I provide the basic concept of cryptography and digital signature as
they are prevalent technologies for computer security control at the present time. The
content of this section is needed as it is useful for skim the basic idea before
investigating in more details of security controls in the later sections. Cryptography has
been an infrastructure of many protocols and software packages, which aim to cover risk
exposure during transmission of a message. Underlying on the art of cryptography,
digital signature was developed to perform the similar task as a traditional hand written
signature but in electronic form rather than in paper.
2.3.1. Cryptography
Cryptography originally denotes the art of keeping information secret by the use
of codes and ciphers (Andrew, H, 2000, 141). It is a prevalent tool for security
engineering today since one can notice that the computer industry has extensively
utilized cryptography as a basic standard in secure software development. The main
process of cryptography is to encrypt or scramble an input message called ‘plain
text’ with cryptography algorithm, which results in an output message called ‘cipher
text or cryptogram’. At the receiver side, in order to change cipher text into a
readable format, a cryptographic key must be used for decryption. A cryptographic
key is created from a string of digits. If the same key is used for both encryption and
decryption, it is called a symmetric key. Another kind of key is an asymmetric key,
which simply means the encryption key differs from the decryption key.
8
At the present time, a strong cryptography is considerably powerful security
technology. The strong cryptography algorithm is based on reliability of
mathematical calculation. The calculation of cryptographic key is so complicated
that it could not be cracked within a short time. Anyone, who wants to crack it, is
supposed to take several years to achieve his goal. As long as people rely on
mathematical complexity, the strong cryptography is still the most efficient tool to
safeguard the computer security. The immediate or significant arguments against
this idea have not yet come forward.
2.3.2. Digital signature
Digital signature applies an asymmetric key from cryptography science. The idea
is that one can create a pair of keys called a private key and a public key. A private
key is secretly kept with the originator of the keys and is used whenever he wants to
encrypt a message before sending out. The originator gives his public key to other
people so that they can use this key to decrypt his message. Persons who do not hold
a public key will not be able to decrypt a message, hence confidentiality of the
message is maintained to some extent. If receivers successfully decrypt a message
with a public key, it also implies that the originator, who is the only one who holds
the other key, creates this message. This leads to the term digital signature, as it
seems like a sender really signs the message by his key.
In reality, encrypting a big message is expensive and not cost-efficient.
Consequently, hash function is applied in combination with digital signature to
reduce the cost. Hash function generates a unique random number of message or
file. When data in the files or messages changes, hash value is subsequently changed
so any modification of message during transmission will be detected. To reduce
costs of expensive encryption, one can generate hash value from plain text, encrypt
hash value with a private key, and send plain text attached with hash value to a
receiver. A receiver then decrypts hash value with a public key, opens a message,
calculates hash value from the received message, and checks his hash value against
hash value from a sender. If two hash values are identical, that means integrity of a
message is proved.
9
2.4. Computer security attributes
In this section, the four main computer security attributes, including confidentiality,
integrity, privacy, and availability, are introduced. Understanding the security attributes
is crucial in order to conduct risk analysis and find the suitable control for each attribute
in the next section.
2.4.1. Confidentiality
Confidentiality can be considered as secrecy. The unauthorized persons should
not gain access to others’ data or other computing assets. Different degrees of
confidentiality are possible in electronic transmissions, as confidentiality can depend
on simple passwords, secure connections, or more advanced technologies (Camp, L,
2000, 69).
2.4.2. Integrity
Integrity involves accuracy of data. To achieve integrity, only authorized persons
are able to create, edit, and delete data in an approved manner. One should ensure
that the prevention of tampering is included when considering this attribute as well.
2.4.3. Privacy
Privacy is the ability and/or right to protect your personal secrets; it extends to
the ability and/or right to prevent invasions of your personal space (Anderson, R,
2001, 10). It simply means that the subject of information should be able to control
the information.
2.4.4. Availability
The computer assets should be available for and accessible to authorized persons
when they need them and should not be interrupted or discontinued.
In the next sections, I provide the reader with my analysis. I would like to clarify the
structure of the following sections in the first place. The analysis in section 2.5, 2.6, 2.7,
and 2.8 is presented in a sequence of security attributes consisting of confidentiality,
10
integrity, privacy and availability. For each analysis section, I will begin with an
explanation of why a particular attribute is important, how much it will affect Internet
users, and how much the users will be concerned about a particular security attribute
when using Internet for different purposes, such as browsing and e-mailing. This part is
based on my experience and knowledge.
Subsequently, possible threats and appropriated controls are proposed based on
various kinds of literature reviews. The main sources of literature information are
contributed to three books; Andrew, H, Ford, W, and Pfleeger, C. Other literature
including information from Web sites are considered as well. The analysis for individual
security attribute has the same structure throughout the chapter.
2.5. Analysis of threats to confidentiality and controls
Confidentiality of message is very important for e-mail and electronic payment.
Compared with other Internet usage. This is because e-mail is used for communication
both in personal subjects and business subjects. Today, it is common to use e-mail to
inform other parties about various kinds of information. The sensitive information
passing through e-mail can be credit card numbers, bank account numbers, business
deals and contracts. Regarding electronic payment, it undoubtedly includes sensitive
information about payment instruction, payee personal information and payer account.
Thus confidentiality for a sensitive message or information in e-mail and electronic
payment is a key concern for users. On the other hand, information in public messaging,
and Web sites seems to be more publicized as it is read, browsed or written by many
people, hence confidentiality of message is not necessary in this case. As for electronic
orders and electronic goods delivery, the information in a document is normally about
specification of products or services, quantity, date, buyer name, and buyer address,
which is not so serious in terms of confidentiality.
Consequently, I shall propose that confidentiality of information is more important
for e-mail and electronic payment than for electronic orders, while that of public
messaging and Web sites are not really applicable.
2.5.1. Possible threats to confidentiality
Eavesdropping, interference and hacking are the basic threats to all types of
Internet uses. Each threat is discussed in more detail below.
11
2.5.1.1. Eavesdropping
Eavesdropping involves with interception or gaining access to the
communications by unauthorized party. Mostly, it happens during data
transmission. Passive eavesdropping happens when an unauthorized person
listens secretly to the networked messages. On the other hand, active
eavesdropping means that an intruder not only listens to but also injects
something into the communication to distort or create bogus messages for
example by changing partly or all content of the messages, reusing the old
messages, deleting the messages or modifying the source of messages.
Thus messages sending back and forth in communication line are exposed
to interception or eavesdropping. Once a criminal breaks into the network, he
can silently examine message during transmission and steal sensitive
information that he wants. The messages need protection to maintain the
secrecy that no unauthorized person is able to scan them. It is vulnerable
liability for companies as customers may claim or sue the companies if
eavesdropper succeeds in his job and discloses customers’ personal data.
2.5.1.2. Interference
Interference with the network routing mechanisms means a criminal
modifies a destination address, consequently a message is delivered not to
intended recipient but others. This way, a criminal can change a recipient’s
address to his address so that he can open and read the important messages. If
skillfully done, he can also conduct eavesdropping more easily or even generate
forged messages (Andrew, H, 2000, 138). In addition, only acknowledgement
of volume of messages, message existence, and routing of messages are crucial,
especially for sensitive messages, and enough for an attacker to speculate what
the communication is all about. The number of interference or intrusion of
computer system is remarkable. The latest Computer Crime and Security
surveys show that 40 percent of 538 corporate respondents had their computer
network penetrated by outsiders (Treadwell, T, 2001, 28).
2.5.1.3. Hacking
Hackers can be people who are career criminal. They are competent and
high skilled at using computers. Once they analyze and discover a leak point of
12
target system, they will find the appropriated and quick ways to access and
attack the system. They can use various kinds of attacks or even develop their
own ways to attack the computer system. For example, they may access a
system, which they are not authorized to access, and create bogus information
or try to create an information flood. They can also break through Web servers
to access or steal information. According to Treadwell, T, 2001, 28, Internet
banking firm ‘S1 corp’. was hacked and recent IDC (www.idc.com) report
indicates that 57 percent of computer hacks are initiated in the financial services
sector. The companies are becoming more aware about rising incidents of
hacking supported by the fact that the implementation of intrusion detection
system and security auditing plays significant roles nowadays.
2.5.2. Security controls for confidentiality
2.5.2.1. Security controls for confidentiality of electronic messaging
• Privacy Enhanced Electronic Mail protocols (PEM)
Inferred by its name, PEM is an encryption mechanism used to protect
end-to-end security for e-mail messages. It was first developed by the Internet
Society. PEM efficiently provides solutions for e-mail security problems. PEM
processing is to apply asymmetric or symmetric encryption to a whole e-mail
message including heading and body to secure it while transferring through a
network. Only authorized persons are able to read an authentic message as they
hold a secret encryption key and a digital signature can also prove authenticity
of a sender. Hash function is used in PEM process as well. Hence, using PEM
can ensure confidentiality and integrity of message and authenticity of origin.
• Secure/Multipurpose Internet Mail Extensions protocol (S/MIME)
The Multipurpose Internet Mail Extension (MIME) is a specification that
enables users to store various types of message components such as image,
unstructured text or a combination of text and image. S/MIME protocol was
developed by RSA Security Inc., and is now considered to be a standard
protocol. The mechanism of S/MIME protocol is based on Public-Key
Cryptography Standards (PKCS) and encapsulation. It uses various data
structures providing security services for electronic messaging applications
including authentication, message integrity and non-repudiation of origin. It
utilizes digital signatures, privacy and data security, and using encryption. The
13
message receiver needs to have S/MIME facilities to verify a signature, to
ensure integrity of message, and then to read such a message.
S/MIME is based on end-to-end structure, providing the users with the
capability to store, send, receive, digitally sign, and decrypt messages on their
mail client software in their system. The main processes involve encryption of
the body part of MIME message, transformation to a standard form, adding
digital signature and encryption again with a public key from recipient. These
processes can be described as signing and enveloping the messages to protect
against intrusion during electronic message transmission.
• Pretty Good Privacy program (PGP)
PGP was developed by Phil Zimmerman, and is appropriate to use in
small Internet communities. Though it has a similar mechanism as S/MIME,
PGP is different in the way that users can exchange public keys to others in
small group to create connection of trust. The users hold some public keys
collectively called a key ring, which will enable the holders to decrypt a
message with a proper key from a key ring. The users can sign each other’s
keys to build a certificate chain so that one can trace back the signature on the
key, until he finds a trustworthy person’s signature. However, when a user
group becomes bigger and everyone owns all public keys of others, trust in
connection tends to decline.
• Web-Based Secure Mail
Unlike S/MIME, a Web-based messaging service is not built on end-to-
end structure. It enables users to delegate many tasks, such as encryption,
decryption, and validation signatures of receiving messages to a main hub on a
Web server. As the users must communicate with the mail hub, TLS protocol,
which I will elaborate on later, is in place to secure the confidentiality and
integrity of message during transmission. The benefit of Web-based secure mail
is that the users can access the Web from different computer or application
systems, as they do not need to install mail client software beforehand.
However, the extent of delegation depends on how much the users trust in a
main hub security and whether or not they want a mail hub to be the
representative to perform such tasks for them.
2.5.2.2. Security controls for confidentiality of trading transaction
• Transport Layer Security protocol (TLS)
14
The Internet Engineering Task Force (IETF) established TLS as one of
Internet standard specification since TLS provides many advantages to the
Internet community. TLS is simply an additional protocol sitting between
application and transportation protocol to protect against eavesdropping and
interference. TLS mechanism, in user perspective, ensures authentication of
Web site servers. Both server and user have to create random numbers and
exchange them. Together with random numbers, the server also sends its
certificate issued by a faithful certification authority to user. Then, a user
develops a hash number, which will be used as a key (or so-called master
secret), mainly based on random numbers of both parties. The master secret is
used to decrypt messages, which are attached with Message Authentication
Code (MAC). By using MAC, both parties are able to detect if somebody
modifies the message or not.
In short, this mechanism can protect confidentiality and integrity of
message as well as authenticity of origin.
• Secure Electronic Transaction (SET)
SET was developed by cooperation between Master Card and Visa and is
a protocol for e-payment. Its aim is to protect against hacking of credit card
numbers, which is sensitive data in electronic payment transaction. Although it
is more complex and secure than TLS, it is not efficient when comparing costs
and benefits. That is the reason why it is not widely used in practice. SET
mechanism can be roughly described in four steps. First of all, a customer and a
vendor exchange each other’s public key and a vendor also gives the public key
of its bank to a customer. Secondly, when a customer wants to make a payment,
he encrypts order description with a vendor’s public key and encrypts his credit
card number with a bank’s public key. Thirdly, a customer signs the encrypted
message with his private key to prove his authenticity. Finally, a vendor passes
this message to the bank to authorize the payment by signing the message.
Encryption of a document with a private or symmetric key provides the
recipient with some certainty that the document was not altered (Camp, L, 2000,
75). SET also provides a certain extent of privacy for customers in a way that
customers can select pseudonymous account numbers, though the bank has
some part of purchased goods information.
Thus by using SET, confidentiality, authentication, integrity and a certain
level of privacy are ensured.
15
2.6. Analysis of threats to integrity and controls
I consider integrity as the crucial concern in all types of Internet usage including
electronic messaging, browsing content on Web sites, and electronic transaction.
Integrity is important because it means that accuracy and completeness of a message is
ensured and any modification of a message is detected. The Web sites and Internet users
should ensure that their messages maintain the same content during and after data
transmission, otherwise they may have to take responsibility for any mistake or
modified content in such messages. For browsing, it is also important to keep content of
the Web precise and complete. If malicious persons modify or replace the content of the
Web with fake information, the users will perceive the wrong information or have
unpleasant impressions with the Web. In addition, the Web’s customers or Internet users
may not trust in the Web site that is repeatedly attacked by cybercriminals, and finally
decide to use other substitute Web sites that are more sound. Consequently, the Web site
needs to establish suitable security procedures to keep its customer and preserve its good
reputation. Moreover, the integrity of sensitive e-mail or electronic trading transaction
must be protected by security controls to prevent any contingent liability or commitment
in the future.
2.6.1. Possible threats to integrity
The major threats to integrity are active eavesdropping and code modification.
The eavesdropper can intercept the message in conversation, which breaks the
confidentiality of conversation, and insert a forged message or modify some part of
the message, which deteriorates the integrity. E-mail, public messaging such as
chatting and electronic trading transaction are potentially exposed to eavesdropping.
This is because the messages are sent and received on and on over the network.
Moreover, particular Internet usage is also subject to code modification threat from
infecting viruses. For example, e-mail and the content of Web sites are the main
targets for viruses as they are extensively used and accessed by Internet users on a
daily basis, so it is easier to spread a virus or worm within a short time. The digital
products, such as software program, that are delivered electronically, are vulnerable
to code modification as well. The eavesdropping threat was explained in detail
earlier in section 2.5.1.1. Thus, in this section, I shall mention only about code
modification threat.
16
2.6.1.1. Code modification
This threat happens when an attacker modifies, deletes or replaces the
authentic code by using virus, worms and other malicious programs. For
example, the Code Red worm, a well-known worm which scared the
government and many online businesses, is generated to get into Web servers
and replace Web site content with the specific message. Virus infections can be
found often and easily nowadays. However, computer users can protect
themselves quite easily if there is the advanced warning from government or
media. In the Internet world, file downloading possibly leads to malicious
downloaded code because people are unaware of unreliable sources, lack of
computer security knowledge or file downloading occasionally executed
without permission from users in some Web sites.
2.6.2. Security controls for integrity
2.6.2.1. Security controls for integrity of electronic messaging
Electronic messaging in terms of e-mail can be protected by PEM,
S/MIME , PGP and Web-based secure mail, which are prevalent tools, against
integrity exposure. The concepts of these techniques were mentioned in section
2.5.2.1. As for public messaging, which is vulnerable to active eavesdropping
attack, the common way to protect against injecting or modifying message
during online chatting or discussion is by using TLS protocol. As mentioned
earlier, the unique code called MAC in TLS protocol is affixed to messages in
the conversation and this mechanism is to ensure integrity of messages.
In addition to such tools, online consumers should consider using
scanning software as a means of basic protection against threat to accuracy and
completeness of electronic messages. Viruses, worms and Trojans are harmful,
as they can destroy partly or all information in e-mail and infect files in users’
computer storage. Thus integrity of message is deteriorated. Scanning software
is easily found in markets nowadays. This software usually provides automatic
function of scanning viruses, warns users about infected files and kills viruses
that are found. Moreover, one should be aware of the new virus from public
media reports or internal IT departments in an organization, and always scan for
17
viruses on the received files especially the suspicious one, before opening them.
One should also report to the related parties if one finds a virus in the files.
2.6.2.2. Security controls for integrity of browsing
TLS protocol and virus scanning software can also applied to Web
browsing. The Web owner should utilize benefits from TLS protocol to
establish trust among online customers and ensure integrity of message sent and
received from a communication line. The Web administrator should constantly
screen for viruses as well so that he will discover a malicious code before it
spreads to more system files and causes more disaster.
In user perspective, all downloaded files from the Web should be
considered as suspicious objects. A user will never know whether a virus infects
such files or not, even if the files are from the reliable sources. Sometimes, file
downloading happens without acknowledgement from users. There are many
vendors developing systems to protect against downloading of programs
without the user’s permission. For example, the Authenticode system developed
by Microsoft allows users to check the source of a program, which should have
a digital signature of legitimate vendor, before downloading.
2.6.2.3. Security controls for integrity of trading transaction
TLS protocol is very effective and prevalent to maintain integrity of
information. TLS protocol is considered a standard tool used by many online
companies to ensure accuracy of information in electronic sales orders and
payments. Another tool for electronic payment transaction is SET, which is
developed to secure sensitive information and ensure integrity. More details
about TLS and SET were described in section 2.5.2.2.
2.7. Analysis of threats to privacy and controls
Privacy concern is currently becoming a more important issue. Consumers are aware
of their privacy rights and possible invasion risks. In the globalization world, where
information freely flows across organizations or countries via powerful network, many
online consumers doubt about how they can be sure that no one else except them have
access to their personal data. Followings are some facts, which can illustrate how online
consumers are aware of their privacy. According to Allen, C, 1998, 340, the “Internet
18
Privacy Study” by Boston Consulting Group (www.bcg.com), shows that over 70
percent of the respondents are more concerned about privacy and information
exchanged on the Internet versus phone or e-mail. More than 41 percent of the
respondents left Web sites that asked users to provide registration information. Twenty-
seven percent of these online users entered false information on Web site registration
forms. Nakra (2001, 273) summarized the interesting results from several studies that
showed signs of privacy concerns below:
The IBM Multi-National Consumer Privacy Study found that 40 percent of the consumers have decided not to purchase something online due to privacy concerns. People are cautious about putting correct personal information on these Web sites, because they do not know what is going to be done with it.
Forrester’s research found that online shoppers are most concerned about how much personal information they give and who sees it. Web users worry that the information they share online will produce unsolicited e-mail or telemarketing calls. As a result, 80 percent of Internet users support a policy that prohibits the sale of data to third parties, and half of online customers are willing to contact the government to regulate online privacy.
According to Cyber Dialogue’s American Internet User Survey (AIUS), women are reluctant to seek product information or place orders online mainly because of security concerns relating to stolen credit card transactions, personal privacy, and the lack of Net regulation. Nearly 90 percent of online women say that guaranteed transaction security influences their repeat visits to online shopping sites.
Due to rising numbers of computer crimes, overall consumers have become
increasingly concerned about how they can control their own sensitive information on
the Net. Consequently, in all types of Internet usage including electronic messaging,
browsing, and trading, I shall classify privacy attributes in highly important issue
concerned by Internet users.
2.7.1. Possible threats to privacy
Hacking is a common threat for all types of Internet usage. Once a hacker
breaks into the system or database, he is able to access and obtain personal
information of online consumers. Hackers can disclose or sell such information to
19
other people, breaking the privacy of users. Hacking process was described in detail
in section 2.5.1.3.
In addition to hacking, there are other threats to privacy, which I shall describe
by each category of Internet usage. The first category is e-mail. E-mail account
owners are more or less acquainted with unsolicited commercial mail, or “spam”.
Spam invades privacy of consumer by sending commercial mail to consumer
accounts without asking for permission. The second category is public messaging.
Online conversation is quite risky in a way that the counterparty can permanently
record the conversation. Blackmail and threatening are daunting risks of privacy if
the counterparty wants to make money by revealing sensitive information in the
conversation. The last group of categories are browsing and electronic trading. Both
browsing and electronic trading share a common process that consumers visit one or
more Web sites to search for or obtain information or to make a purchasing
transaction. Consumers may feel uncomfortable if their activities on the Net are
traced by the cookies file. Though cookies were invented to facilitate faster and
more efficient communication between users’ computers and Web servers, there are
some people who use cookies as a means to collect users’ information without
considering privacy intrusion.
2.7.1.1. Unsolicited commercial e-mail
Unsolicited commercial e-mail is also called ‘Spam’. It is commercial e-
mail sent to online consumers without asking if they want it or not. Spam can be
regarded as invasion to privacy of Internet users. There are two main steps of
sending spam. Firstly, the consumers’ e-mail addresses are collected from Web
sites or newsgroups. Secondly, a bulk of commercial e-mail is sent to
consumers without passing through a particular mail server so that a mail server
cannot claim that it causes dense traffic on the network. The Web marketer
views the use of e-mail marketing as a good opportunity to quickly spread new
campaigns or promotion to wide groups of consumers with low cost. However,
these commercial mails annoy the online consumers, as they are mostly
unwanted mail and the processes such as deleting, opening disguised mail, and
sorting commercial mail from wanted mail consume some time. The better
solution for online solicitation is that Web marketers should post advertisements
20
on the discussion board or offer options to receive or reject future solicitation to
online consumers.
2.7.1.2. Conversation record
One should keep in mind that when online conversation is happening,
other parties can keep record about who says what in such conversation. Similar
to conventional video tape recording, one can record or store the ongoing
conversation in a certain file. The fact is that it is likely to happen without
acknowledgement or asking for permission from the related persons. Though a
person, who records a conversation, may not intend to use it to harm
counterparties, it is still considered as privacy invasion unless he informs
stakeholders in advance about conversation recording.
2.7.1.3. Cookies
Technology called cookies is used to store information about Web site
navigation in an user’s computer and help memorizing a username or password
of a Web site that a user visits. The Web server can create a particular cookie
storing information about the user’s preferences and then transmit this cookie to
store in the user’s computer. The cookies also notify Web site operators about a
user’s visit. The cookie file is valuable to the Web marketer since it stores
information about user-visited Web sites, which can tell the marketer about
what a user is interested in. Though cookies are considered as powerful tools for
personalized marketing, the use of cookies can lead to privacy invasion as the
cookies keep track of user activity on Internet without appropriated permission
or acknowledgement from users.
2.7.2. Security controls for privacy
2.7.2.1. Security controls for privacy of electronic messaging
• Filter software
There are some kinds of software that act as filters trying to separate
advertising e-mail from favorable e-mail. To protect against unsolicited
commercial e-mail, such filter software is efficient in a certain extent, but not
enough to get rid of all commercial e-mail. Hoffman, P, mentioned that the
current state of filtering technology could not distinguish between legitimate,
21
personal e-mail and unsolicited bulk e-mail. However, it is considered as one
step and contribution to help consumers from overwhelming unwanted
advertising e-mails.
• Best practices
Based on privacy guideline of Center for Democracy and Technology
(CDT), there are many basic ways to protect one’s privacy as follow.
- Review privacy policy
To avoid privacy exposure, one should review privacy policies before
signing in the public mail services in Web sites. Some Web sites that provide
electronic messaging services have considered about consumers’ privacy rights
and established security policies to reduce serious issues about privacy concern.
- Separate e-mail account
One can have different e-mail accounts for different purposes such as a
working or a personal account using for sensitive and important mail, and an
entertainment account using for leisure purpose. Therefore one can put more
control on a sensitive account and refer to an insensitive account when a
commercial Web site asks for e-mail address.
- Avoid risky online conversations
One should avoid suspicious talk or chat and should exit from profanity,
defamation, or threatening conversation.
- Utilize secure technology
Software developers produce various security programs for protecting
privacy when using e-mail. For example, Anonymizer (www.anonymizer.com)
is the software that enable users to send private, anonymous, and untraceable
email from vendor’s Web sites. To increase their own security on the Net,
online consumers should try to take advantage from this advanced technology,
which is developing to improve efficiency all the time.
2.7.2.2. Security controls for privacy of browsing
• Platform for Privacy Preferences (P3P)
Developed by the World Wide Web Consortium (W3C), P3P is aimed to
provide online consumers with options to allow or not allow the Web to collect
their personal information. Some Web site administrators are aware of
consumer privacy concerns, therefore they establish privacy policies to make
22
customers feel safer. The privacy policies are in predefined format supplied by
P3P so that particular software called user agent can interpret them. By using
user agent, consumer is automatically informed about Web site policies of how
consumer data given to the Web will be kept or used, consequently he can
decide whether or not to give personal information to such Web site.
Unfortunately, P3P cannot ensure that the Web site really conforms to
established policies indicated on the Web.
• WebTrust 3.0
WebTrust is a software that offers different modules and privacy seals.
Similar to financial auditor’s work, the professional auditor will check, verify,
and detect privacy procedures and issue an opinion report. If a Web site meets
the audit criteria, a privacy seal will be given to a Web site. A WebTrust
privacy principle is such that an entity discloses its privacy practices, complies
with such privacy practices, and maintains effective controls to provide
reasonable assurance that personally identifiable information obtained as a
result of electronic commerce is protected in conformity with its disclosed
policy practices (Andrew, J, 2001, 49). WebTrust is now used in many
countries, such as the U.S., Sweden, Denmark, Germany and Hong Kong.
• Open Profile Standard (OPS)
Netscape, Firefly, and VeriSign created OPS, which is a standard
providing user with safe ways to share encrypted personal information in user
profiles with Web sites. With OPS, the user profile is kept in standard format,
online transaction and interchange of a user profile with Web sites are logged,
and restricted access to prevent unauthorized modification of user profiles is set
up. The user also has the right to know where his profile is kept and what
information is in his profile.
• Best practices
Similar to the best practices of electronic messaging usage, the first basic
thing for Web surfer to do to protect privacy online is looking for privacy
policies on Web sites and reading them carefully, if there is any. Additional best
practices based on CDT’s guideline are as follows:
- Clean up a memory cache after browsing
During browsing the Net, accessed Web sites and images are memorized
in a user’s computer, so that the speed of loading the Web will be faster in the
23
next visit. Thus, a user should delete the memory cache or clear the history after
browsing, so that no one else could trace Web sites that he has visited.
- Utilize security technology
Some new software offers special functions to inform users about Web
sites that send cookies to users and provide users with options to reject such
cookies. For example, Anonymizer (www.anonymizer.com) software enables
users to accept Cookies from Web sites that need to send Cookies to users such
as online shopping, signups, and personalized content. These Cookies are
normally kept for long periods. After making use of such Cookies, the software
will change long-term Cookies into short-term or session-only Cookies, which
then automatically expire after session terminates. This software also provides
users with the capability to encrypt or scramble the Web pages that users visit
so that other people with access to users’ Internet connections cannot see a trail.
AdSubtract™ PRO (www.adsubstract.com) is software that prevent unwanted
Web junk, such as advertisements, popup windows, animations, and music. It
can protect users from malicious codes and unwanted cookies.
- Choose to opt-out, if the Web offers a choice to do so.
Web surfer should choose ‘opt-out’, if the Web sites provide choices to
‘opt-in’ or ‘opt-out’. When a user chooses to opt-out, that means he does not
allow the Web to give or share his information with a third party. Some sites do
not present the customers with opt-out but ask for opt-in instead. Opt-in policy
means the Web asks for a user’s permission before they will share his personal
information with other parties.
- Watch out for children’s privacy
The final practice is about child privacy protection. There are some Web
sites that try to gather information from kids for marketing purposes. The kids
may be asked to give information about their families and themselves while
surfing on the Net. The basic method to maintain child privacy is to teach them
about it and tell them to ask for parents’ permission before giving out
information to the Web.
2.7.2.3. Security controls for privacy of trading transactions
There are useful practices applied to electronic transactions and goods
delivery. For example, a consumer should be conscious about privacy policies
on the Web as personal information given in payment or order forms is
24
somewhat sensitive. In addition, a consumer should beware of online forms. It
is safer if online forms are encrypted to make sure that no unauthorized persons
can read them. The current browsers are able to show the locked key symbol to
imply that the accessed site is secure and has an encryption mechanism for data
transmission. On the other hand, if a consumer notices an unlocked key in a
particular Web page, he should avoid transferring data as it is a sign of
insecurity. An additional control for electronic payment transaction is by using
SET protocol. As mentioned in section 2.5.2.2, SET is designed to protect the
privacy of online customers as well.
2.7.3. Related law and regulations
The use of Internet dominates business around the world, accordingly law,
regulation and standard practice are needed to control Internet community and
protect online consumer right. I shall describe the main privacy regulatory initiatives
in Europe, The U.S. and Asian below.
• The Organization for Economic Co-operation and Development (OECD)
The content in this subsection is mainly based on OECD Web site, and Andrew,
J, 2001.
The OECD is an international organization consisted of 30 member countries
and aims to establish international standard to govern fair business and economic
conduct. The member countries include all Scandinavia countries, some Europe
countries such as France, Italy, Switzerland, and two Asia countries which are Japan
and Korea. In 1980 just before emergence of Internet, the OECD produced
Guidelines for Consumer Protection and Transborder Flows of Personal Data to
protect risk exposure of free flow of personal data between member countries, and
its data protection principle is subsequently considered an inspiration of European
directives framework (Andrews, J, 2001, 46-47). In addition, a good practice to
conduct fair business and disclosure to all stakeholders, establish user friendly
electronic payment and secure personal data of consumers are given in the
Guidelines for Consumer Protection in the Context of Electronic Commerce.
• The European Union (EU)
The content in this subsection is mainly based on EU Web site and Rendleman,
J, 2001.
25
For several years, the EU, consisting of 15 Europe countries, has been
monitoring and regulating online companies concerning how personal data of
consumers is treated. In July 1995, EU established a stringent directive for
exchanging online consumer data to non-EU countries, but it actually went into
effect in October 1998 (Rendleman, J, 2001, 57-58). There are two significant EU
directives which directly impact e-business in Europe; the European Directive on
Protection of Individuals With Regard to the Processing of Personal Data and on the
Free Movement of Such Data, and a Directive on the Processing of Personal Data
and the Protection of Privacy in the Telecommunications Sector. Such directives
include data-protection, database registration ledgers, processes for pre-approval of
specified online activities, “opt in” choice to personal data collection, and disclosure
of consumer information upon individual request.
While Europeans tend to impose stringent regulation for data protection,
Americans prefer to have a self-regulatory system, as they believe that their privacy
depends on Web site policies rather than government regulation. EU and the U.S.
Department of Trade have reached an agreement called a “safe harbour”, which
became effective by November 2000 (Nakra, P, 2001, 273). Under this agreement,
EU allows the release of personal data on an individual basis to certain users in the
U.S. whom meet established requirement. However, sensitive personal information
such as medical conditions, race, political opinion or religion are not allowed to be
collected or exchanged without a consumer’s permission. On the other side, based
on Andrew, J, 2001, 47-48, U.S. online companies must provide European
customers with more privacy protection under this agreement. A company can
voluntarily take part in safe harbour by submitting its self-certification to a
committee. The self-certification requires a security system, which is actually in
place and can be verified. Also, there are fines and prosecution for violation of safe
harbour requirements.
• The U.S.
The content in the first and second paragraph is mainly based on Allen, C, 1998,
343-347. For the third paragraph, the information is based on Andrew, J, 2001, 48.
There are three main remarkable privacy initiatives and legislations in the U.S..
Firstly, the Consumer Internet Privacy Protection Act of 1997 is a bill aiming to
protect online consumers by disallowing the disclosure of consumers’ personal
information without their consent, providing consumers with the right to cancel
26
former consent and access to their information for verification and rectification of
any error.
Secondly, the Data Privacy Act of 1997 was generated from the concern over the
interactive market on the Net. This bill established some guidelines for Web
marketer in respect of consumer right; for example, guideline for unsolicited
commercial e-mail, guideline for limiting the collection and use of consumer
personal data, and guideline for forbidding presentation of sensitive personal data
without permission from customers.
Thirdly, Children's Online Privacy Protection Act, which became effective in
2000, is about the concern of children privacy on the Net. It provides some basic
requirements that Web marketers must recognize when they want to target at
children under 13 years old. For example, clearly announcing data collection and
disclosure, informing kids to ask for permission from their parents before
information collection, use, or disclosure; and providing parents with a option to
review collected information
• Regulatory initiatives in Asia
From the facts previously listed, Europe is significantly conservative about
privacy issues and is a leader in establishing strict directives. In contrast, most
countries in Asia have not yet established clear-cut online privacy regulations.
However, development of a formal data protection framework in Asia is expected in
the near future, due to a need to gather customer information in multinational
business. For example, Thailand and Japan are observing the EU directives for
creating their own comprehensive data protection regulatory (Andrews, J, 2001, 48).
In Hong Kong, some privacy issues are mentioned in laws, however, general data
protection regulation has not been established so far.
• Other privacy guidelines
There are some non-profit organizations or associations that try to establish
standards or best practices for Web marketer to acquire information from customers
while maintaining good relationships and trust between them. According to Allen, C,
1998, 347, the Direct Marketing Association established various online privacy
guidelines such as offering customers with opt-out notice, asking for permission
before sending unsolicited commercial e-mail, giving users the right to cancel such
permission, and presenting clear security policies about data collection from
children. Another example of these organizations based on Allen, C, 1998, 349-350
27
is Electronic Privacy Information Center (EPIC). EPIC suggested the ways for Web
marketers to build trust with online customers and assure them about data privacy
policy. For example, Web sites should educate privacy policies in obvious place and
unambiguous sentences. The Web should present customers about how and when the
personal data will be collected, used or distributed, and also encourage them to use
anonymous identification if they feel more comfortable.
2.8. Analysis of threats to availability and controls
Availability or denial of services is important to communication over the Net.
According to Treadwell (Treadwell, T, 2001, 28), the survey done by the Computer
Security Institute and Federal Bureau of Investigation revealed that 38 percent of
participated organizations experienced denial of service attacks. Hence, the sound
control must be in place to protect against such problems.
From different usage of Internet, I expect that availability of network system is more
important to browsing, electronic payment, and electronic goods delivery compared with
other usage. For example, if a user cannot send or receive electronic messaging or order
goods due to the system going down, he still has various alternatives to substitute online
communication, such as teleconference, wireless phones or even traditional methods,
such as fax, telephone, and letter writing. Of course, online communication failure can
harm an organization or make a user feel awkward. However, most users, such as e-mail
account owners, tend not to need real-time processing, implying that availability of
network is not taken seriously. In contrast, browsing, electronic payment, and electronic
goods delivery require the network to work continuously and smoothly. When people
browse Wed pages or wait for goods delivery, they need a quick loading process,
completed content, and easily irritate if transferring process is interrupted. And when
they download files from the Web, they do not anticipate or wish to have denial of
service problems. Regarding electronic payment, online payment forms normally
require customers to fill in personal information such as credit card numbers and social
security numbers. It is very important to quickly deliver such sensitive data to a
destination at once. If the system is not available or fails during submission, a customer
may have to resubmit payment forms and redundancy of payment transactions possibly
occurs. Some electronic payment systems are real-time processing which really needs
online service availability at all times. Thus, availability of network service is
significantly critical to the Web server and Internet users in browsing, electronic
payment, and electronic goods delivery categories.
28
2.8.1. Possible threats to availability
Threat to availability of computer system potentially arises from various
malicious activities. For example, an active eavesdropper may create a flooding
message. A hacker also can cause network failure, and viruses and worms may
destroy files and programs. All of these examples cause inconsistency or noise of
conversation, loss of data, and inability to reach a Web server. The results of such
threats can be defined as interruption of a network system described in more detail
below.
2.8.1.1. Interruption
Interruption can be described as lost, unavailable, or not working
hardware, software or data due to malicious destruction. Threat to continuity of
network system is resulted from various methods such as flooding and
unauthorized routing modification. By the term flooding, an intruder creates a
number of spurious messages just to increase the traffic on the network and
reduce service available to the real users. SYN flooding is one example of
network protocol flooding. It works by sending so many calls to a receiver that
the receiver’s software is not able to manage them. Smurfing attack is also
based on the idea of flooding to attack an online chatting session. Regarding
routing modification, an attacker ruins the network by modifying a routing table
to disable partly or all of a communication or delivering all messages to
himself, so that he can read, edit, delete or forward them. A denial of service
has been recently recognized as a network attack. This way, a malicious person
undermines computer system and affixes malicious software, which will attack
the system with overwhelming messages at a predefined time.
2.8.2. Security controls for availability
From a Web site manager perspective, availability of network is crucial to
business in the sense that the availability failure causes the operation
discontinuance, losing business opportunity, and loss from damaged system. I
would describe in brief in this perspective as I emphasize more on consumer
perspective. There are many tools that help preventing network attack such as
Firewall, Virtual Private Network (VPN), and IPSec. These tools share common
functions to control or filter messages coming in from and going out to external
29
parties or public network. They also provide services to trace original servers,
which send messages to internal systems and reject messages from suspicious
sources. Many Web site designers, who recognize hazards from network attack,
have installed one or combinations of these tools to reduce exposure of
inconsistency of network services.
From Internet user perspective, there are many controls introduced in
previous sections, which can protect availability as well. The common controls;
including network protection and best practices, can be used in all kinds of
Internet usage. For example, there is filter software that prevents flooding of
unsolicited commercial e-mail, TLS protocol that protects against intrusion, and
injection of bogus messages during data transmission, and signed download
software that helps ensure reliability of downloaded files. In addition to these
network protection controls, I believe that self-protection or best practices are
the most cost-efficient way to protect availability. For example;
- Backup files
The user should make backup files on a regular basis. The user should
also have backup of operating system files, so he will not lose all his valuable
data, and yet be able to run the computer system.
- Utilize secure technology
When browsing the Web or using e-mail, one can apply inexpensive
security software to maintain availability of stored data and continuity of
computer system without interruption from a virus or worm. For example,
Freedom® Anti-Virus software (www.freedom.net/products/anti-
virus/index.html) serves as a protection against viruses, worms and Trojans. It is
responsible for scanning users’ computers, identifying infected and disinfected
files and deleting viruses or suspicious files. The latest virus is also updated so
that a user does not need to worry about new attacks.
- Establish a personal firewall
There are different personal firewall packages in the market. The
personal firewall, based on a firewall mechanism, protects users against threats
like spyware and malicious scripts. The firewall also uses password control to
ensure that users’ security settings are not tampered. The firewall application
also provides service for monitoring outgoing messages enabling users to see if
there is a suspicious application trying to transfer sensitive data to outsiders.
The users can use customized functions to identify trust or distrust applications
30
by themselves. If users change networks, the network detection function in a
personal firewall will automatically check file sharing and printers for
reliability. Some personal firewall products enable users to be invisible on the
Net so that nobody is able to see them and attack them.
2.9. Summary
Due to an endless growth of Internet use, concerns regarding confidentiality,
integrity, and privacy of data and availability of network services are constantly rising
accordingly. Internet invasion occurs from many possible threats such as eavesdropping,
interference, interruption and code modification. Computer security experts generate
numerous protocols and techniques, such as firewall, TLS, P3P, PGP and PEM to
protect against security vulnerabilities in different purposes and situations. The most
powerful technology used in many computer security models is cryptography algorithm,
as it can efficiently solve confidentiality and integrity problems. Many people rely on
mathematical complexity in the strong cryptography. So far, the strong cryptography
algorithm is still considered ‘unbreakable’ and no arguments against this idea have yet
come forward. Hence, there is a bright future for encryption technology. However, one
should keep in mind that no tool can ensure perfect protection of data and computer
systems, as well as each tool, may be combined with others to effectively work under
certain circumstances. Though there are various techniques and regulations to protect
the Internet system and its consumers, the implementation and success of security
procedures is not possible without the cooperation of all involved parties, including Web
site owners, system administrators and online customers.
In this chapter, I conducted the analysis based on various kinds of literature about
computer security in the Internet world. I shall present the summary table of the analysis
in table 2.1. The table combined various uses of Internet and the security attributes
together. On the table head, the types of Internet uses were presented based on the
previous classification in section 2.2. In addition, the four computer security attributes
were shown according to the content in section 2.4. For each security attribute, I created
three subcategories including the importance of a particular attribute, the potential
threats, and the appropriate controls. I shall note that the content inside a matrix was the
result from my analysis in section 2.5, 2.6, 2.7, and 2.8. For the first subcategory, the
importance of security attributes, I already described the supporting reasons of how and
why I proposed different level of importance, including ‘low’ level, ‘high’ level, or ‘not
31
applicable’ for each type of Internet uses at the beginning of section 2.5, 2.6, 2.7. and
2.8. Identifying the level of importance of security attribute was a starting point of the
analysis. I subsequently proposed the possible threats, which were the source of the
second categories or ‘threats’. Then, the solutions for reducing the possible threats were
described and it brought up the third category or ‘controls’.
This table is important, as I will integrate it with the cultural dimensions table in the
next chapter. The integration is expected to bring up the important points about how
consumers are concerned about security when using the Internet. Based on a result from
the integration, I shall further develop my hypotheses in the empirical part.
32
Types of Internet use Electronic messaging Trading transactions
Computer Security
attributes E-mail Public messaging
Browsing E-order E-payment E-delivery
Confidentiality
• Importance
High
Not applicable
Not applicable
Low
High
Low
• Threats - Eavesdropping - Interference - Hacking
Not applicable Not applicable - Eavesdropping - Interference - Hacking
- Eavesdropping - Interference - Hacking
- Eavesdropping - Interference - Hacking
• Controls - PEM - S/MIME - PGP - Web Based
Secure Mail
Not applicable Not applicable - TLS
- TLS - SET
- TLS
Integrity
• Importance
High
High
High
High
High
High
• Threats - Eavesdropping - Code
modification
- Eavesdropping - Code modification
- Eavesdropping
- Eavesdropping - Eavesdropping - Code
modification
• Controls - PEM - S/MIME - PGP - Web Based
Secure Mail - Scanning
software
- TLS - TLS - Scanning
software - Signed
download object
- TLS - TLS - SET
- TLS
Privacy
• Importance
High
High
High
High
High
High
• Threats - Hacking - Unsolicited
commercial e-mail
- Hacking - Conversation
record
- Hacking - Cookies
- Hacking - Cookies
- Hacking - Cookies
- Hacking - Cookies
• Controls - Filter software - Best practices
- Best practices
- P3P - WebTrust 3.0 - OPS - Best practices
- Best practices - SET - Best practices
- Best Practices
Availability
• Importance
Low
Low
High
Low
High
High
• Threats - Interruption
- Interruption
- Interruption
- Interruption
- Interruption
- Interruption
• Controls
- Network protection
- Best practices
- Network protection
- Best practices
- Network protection
- Best practices
- Network protection
- Best practices
- Network protection
- Best practices
- Network protection
- Best practices.
Table 2.1. Summary of Internet security threat and control analysis.
33
3. Influence of culture on privacy and security concern
3.1. Chapter structure
As it was mentioned earlier in chapter one, the purpose of this study is to investigate
the cultural impact on Internet consumers’ concerns about the security threats by
extending Udo’s study. I already described about Internet threats and controls in the
previous chapter. In this chapter, I present the cultural theories, which explain why
people think, believe, and behave in different ways. The understanding of cultural
theories is needed because it helps to develop an expectation about people’
characteristics in different cultures. And a survey conducted in the empirical part will
confirm or reject my expectation.
As for chapter structure, I begin with introducing definition of culture in section 3.2.
The culture theories from several literatures and how they shape behaviors are described
later in section 3.3. In this section, some relevant cultural dimensions, which possibly
affect privacy and security concerns, are described in more detail. Subsequently, I
provide my expectation about how people in different cultural dimension are aware of
privacy and security of personal data in a brief summary in section 3.4.
3.2. Definition of culture
Many anthropologists have been studied about culture for decades. Knowing about
different cultures enables people to understand why people in other societies learn, act,
think, and feel in different ways. Culture can be described as people’s mentality which
most of the time cannot support by scientific reasons. Because of advanced information
technology emergence in globalization age, boundary of countries is not considered a
barrier to operating international business any more. However, the impact of culture on
international business and management strategy is overwhelming and should not be
overlooked. To understand more about culture, various definitions of culture are
provided below.
Culture is the collective programming of the mind, which distinguishes the members of one group or category of people from another (Hofstede, G, 1991, 5).
34
Culture is a set of assumptions – shared solutions to universal problems of external adaptation (how to survive) and internal integration (how to stay together) – which have evolved over time and are handed down from one generation to the next (Schneider, S, 1997, 20). Culture is the accumulation of shared meanings, rituals, norms and traditions among the members of an organization or society. It is what defines a human community, its individuals, its social organizations, as well as its economic and political system. It includes both abstract ideas, such as values, ethics, as well as objects and services that are produced or valued by a group of people (Solomon, M, 1999, 377). Culture is the transmitted and created content and patterns of values, ideas, and other symbolic-meaningful systems as factors in the shaping of human behavior and the artifacts produced through behavior (Schutte, H, 1998, 6).
Of various definitions of culture, it can be summarized that culture is distinct
knowledge, values, norms, ideas and other symbols shared and transmitted by people in
particular society. Culture is not static but it can either gradually or instantly change.
Due to culture diversity, perspective and reaction of people in different societies can be
predicted. Though one can notice that each individual in the same society can be
different, they are more alike when compared to people in other societies.
3.3. Cultural dimensions
In order to understand one particular society, first of all one has to know its cultural
context. Many famous scholars invented cultural models to classify cultural context into
different dimensions. These models are shown as a map in figure 3.1.
35
Figure 3.1. Key dimensions of culture (Schneider, S, 1997, 31)
Based on distinct models in figure 3.1, an overall framework for integrated cultural
dimensions is provided in figure 3.2. Among various cultural dimension models, I will
use Schneider’s as the groundwork in this study. Since this framework provides a broad
view of different generally accepted models, it will help to cover all dimensions that
should be further examined about their impacts on attitudes toward privacy and security.
Schneider, S, classified the key cultural dimensions into three categories; “external
adaptation” includes relationship with the environment, “internal integration” includes
relationships among people and “linking assumption” regards as dimensions that relate
to both relationships with nature and people.
Kluckholn and Strodtbeck
- Relationship with time- Human activity- Human nature- Relationships with people- Time
Schein
- Relationship with nature - Human activity - Human nature - Relationships with people - Time - Truth and reality
Trompenaars
- Relationship with nature - Relationship with people * Universalism/Particularism * Individulaism/Collectivism * Affectivity * Diffuse/Specific * Achievement/Ascription - Relationship with time
Hall
- Space : Personal/Physical - Time : Monochronic/ Polychronic - Language : High/Low context - Friendships
Hofstede
- Uncertainty avoidance - Power distance - Individualism/Collectivism - Masculinity/Femininity
Adler
- Human nature - Relationship with nature - Individualism/Collectivism - Human activity : Being/Doing - Space : Private/Public - Time : Past/Present/Future
36
Figure 3.2. Underlying cultural dimensions (Schneider, S, 1997, 32)
I shall briefly describe the cultural dimensions of each perspective in the following
subsections. There are some dimensions that I would extensively describe, as they
potentially demonstrate the important consumers’ behaviors. The consumers’ attitudes
that relate to this research involve the concern about threats, risk controls, and security.
The related concerns are expected to represent how online consumers in different
cultures feel about computer threats and security. These concerns include the need for
security and privacy, attitude toward unfamiliar situations, trust and dependency
between one another in a society. Such concerns are obviously indicated in some
cultural dimensions including uncertainty avoidance, human nature, individualism
versus collectivism, and space. More details of related cultural dimensions are
elaborated as follow.
3.3.1. External adaptation
Relationship between human and nature can be viewed in three main groups;
relationship with nature, nature of human activity and nature of reality and truth.
In the first group, there are two main dimensions; the control over nature, and
uncertainty avoidance. In some cultures, people believe that they can control nature
while in other cultures people just let things happen as they think events are caused
Linking assumptions- Space * Personal and physical- Language * High-Low context- Time * Monochronic and polychronic * Past, present, future
External adaptation- Relationship with nature * Control * Uncertainty avoidance- Nature of human activity * Doing vs. Being * Achievement vs. Ascription- Nature of reality and truth
Internal integration- Human nature * Basically good/Basically evil- Nature of human relationships * Social vs. Task orientation * Particularism vs. Universalism * Hierarchical * Individualism vs. Collectivism
37
by nature and are unchangeable. With different perspectives toward control over
nature, people tend to have different levels of uncertainty avoidance. For example,
people may be eager to learn by mistake or trial and error, and they prepare for
unexpected outcome and uncertainty. Uncertainty avoidance happens when people
try to avoid unpredictable or risky situations. I will further emphasize the uncertainty
avoidance dimension in subsection 3.3.1.1 as it could imply to an extent, in which
people feel threatened by computer crime.
The second group involves ‘doing versus being’, and ‘achievement versus
ascription’. In doing versus being dimension, people who like to take action belong
to a ‘doing’ culture, while others who like to plan, wait to see situation, and adapt
themselves to such situation belong to a ‘being’ culture. For ‘achievement versus
ascription’, it involves the concept of what is more important between who you are
and what you are able to accomplish.
The last group is ‘nature of reality and truth’. In some societies, truth and reality
mean facts and figures. However, in other societies, truth and reality include facts,
feeling and intuition. Truth does not mean the same in different societies and will
lead to different solutions to the same problem.
3.3.1.1. Uncertainty avoidance dimension
The content in this subsection is mainly based on Hofstede, G, 1991, 109-
137. Firstly, I describe the underlying concept in order to understand the main
idea of uncertainty avoidance. Secondly, I bring up the Hofstede’s study, which
shows how people in various countries are aware of uncertain circumstances.
Thirdly, I explain why people’ opinions differ from one country to another by
referring to his study. Moreover, his supporting reasons are important, as I will
use them to analyze characteristic of people in studied countries in the next
chapter. Finally, I provide a conclusion at the end.
(1) Uncertainty avoidance concept
Uncertainty avoidance can be defined as the extent to which the member
of a culture feels threatened by uncertainty or unknown situations. This feeling is
expressed through nervous stress and in a need for predictability and written or
unwritten rules. In a strong uncertainty avoidance society, many tools are needed
to protect against threats. For example, technology helps to avoid uncertainties
caused by nature. Laws and rules prevent uncertainties in the behavior of other
38
people, and religion helps in the acceptance of the uncertainties. In addition,
members in strong uncertainty avoidance cultures need the structure of
organizations, institutions, and relationships, which lead to interpretable and
predictable events. Though they can accept familiar risks as routine, they are still
afraid of unfamiliar risks or ambiguous situations. On the other hand, in low
uncertainty avoidance, members think of uncertainty as a normal situation,
which always happens in their lives and they try to take advantage of such
situations. They feel comfortable with or are curious about unfamiliar risks.
Consequently, they tend to be more flexible and accept new things faster than
people in strong uncertainty avoidance cultures do.
(2) Uncertainty avoidance index in different countries
Hofstede did a survey study about how people in different countries react
in each cultural dimension, which I will use as fundamental point in this
subsection. First, I shall give brief research methodology of his work since I
believe it is important to understand how he gathered information. Then I will
present his survey results.
Hofstede’s model of cultural dimensions includes power distance,
individualism versus collectivism, masculinity versus femininity and uncertainty
avoidance. He developed survey questionnaires aiming to study how people in
many regions and countries respond in each dimension. During 1980-1984, the
questionnaires were spread throughout IBM local subsidiaries around the world.
Employees of IBM in 50 countries and 3 regions participated in his study. Based
on the predefined score number for each answer, he calculated the mean score of
answers for each question in all countries and then gave rank numbers of the
countries. The score or index varies approximately from zero for the lowest to
one hundred for the highest. Hofstede also pointed out that the countries could be
classified into clusters such as Anglo, Nordic, Latin, and Asian in which they
share common characteristics. The clusters of countries are shown in figure 3.3.
39
Figure 3.3. Country clusters (Schneider, S, 1997, 51)
The summary of score range in uncertainty avoidance dimension based on
his finding is presented in table 3.1.
Region or country Uncertainty
avoidance index
Level of
uncertainty
avoidance
Latin America, Latin Europe, Mediterranean
countries
112-67 High
Japan, South Korea 92, 85 High
Germanic countries 70-58 Medium high
Asian countries
(Except Japan and South Korea)
69-8 Medium to low
African, Nordic, Anglo countries 52-23 Medium to low
Remark : Finland Thailand The U.S.
59 64 46
Medium
Medium high Low
Table 3.1. Range of uncertainty avoidance index
40
The more scores a country has, the stronger uncertainty avoidance a
society has. From the index in table 3.1, the clusters having high uncertainty
avoidance scores are Latin America, Latin Europe, and the Mediterranean
region. Particular countries such as Japan and South Korea have high scores as
well. Germanic-speaking countries such as Austria, German, and Switzerland
have moderately high scores. African, Anglo and Asians excluding Japanese and
Korean have medium to low scores. The Nordic-speaking countries and the
Netherlands possess medium to low scores as well.
(3) Possible reasons for differences between clusters
• Religions
Religions possibly affect uncertainty avoidance to some extent, as many
religions establish the belief of ultimate certainty of life after death and
acceptance of the uncertainties. For example, most Orthodox and Roman
Catholic Christian countries tend to have strong uncertainty avoidance supported
by the fact that confession of sins is needed to get rid of guilty feelings when one
breaks the rules. Some Western religions are concerned about ultimate truth,
which is necessary for salvation and personal achievement purposes. Hence,
people who possess other truths are wrong and they should be converted,
avoided or even killed. The more people believe in possession of absolute truth,
the more society tends to have strong uncertainty avoidance. However, some
Westerns in weak uncertainty avoidance cultures such as Protestant Christian
countries believe in absolute truth but are less likely to believe that they alone
possess it. In contrast, Eastern religion tends to be less concerned about absolute
truth. For example, Buddhism emphasizes more on meditation rather than on
truth. Consequently, they tend to have medium to low uncertainty avoidance
levels.
• Roman and Chinese empires
Let us examine the history of some nations. The Chinese Empire was a
root of Eastern Asian culture. The Chinese Empire in the past had a system to
govern people by general principles, thus codified laws were not given much
attention. Society that desires only a few and general laws possesses the patterns
of weak uncertainty avoidance. Most Germanic countries in which people speak
German, English, Dutch, Danish, Norwegian or Swedish were separated into
small communities governed by local rulers, hence people needed only a few
rules and tended to have low uncertainty avoidance. On the other hand, in the
41
Roman Empire, the particular codified laws were initiated to rule a country and
use with every single citizen with no exceptions. It implies that they were highly
concerned about uncertainty and needed clear-cut laws to protect themselves
against ambiguous situations.
In short, people in strong uncertainty avoidance societies tend to seek safety and
security in their lives more than those in weak uncertainty avoidance societies do.
Thus laws, regulations, and security policy are crucial in a strong uncertainty
avoidance society more than in a weak one.
3.3.2. Internal integration
Based on Schneider’s model, internal integration refers to relationship among
people. The first dimension in this part is human nature. It is about how people think
about nature of people, such as whether people are good or bad. This dimension
relates to this study because the concept of ‘basically good or basically evil’ results
in the level of trust among people in a particular community. I shall further examine
in subsection 3.3.2.1 about how this concept affects attitude toward trust and
security concerns.
Secondly, many dimensions consisting of social versus task orientation,
particularism versus universalism, and hierarchical and individual versus
collectivism are groups in the nature of human relationships. I shall briefly describe
about them according to Schneider, S, 1997, 36-39.
Social versus task orientation is about how people prefer focusing on task and
establishing relationships. If people are social oriented, the relationship should be
established before two parties can talk business.
Particularism versus universalism involves people being treated equally. In
universalism, everybody should be treated and governed by the same laws. In
particularism, people are not equal, thus some people should have privileges above
others.
Next, hierarchy can be described as the structure of society or organization. In
some organizations, supervisors encourage subordinators to take part in decision
making, or the boss joins his employees in sport games, holidays, celebrations, etc.
42
This makes employees feel more comfortable when working with supervisors, and
hierarchy is not so important.
The last dimension is individualism/collectivism. This dimension involves
interdependency and trust between group members, which affect trust and attitudes
toward strangers or unfamiliar things. I shall elaborate in subsection 3.3.2.2 since it
potentially affects individual’s acceptance of new things like Web sites and their
security policies.
3.3.2.1. Human nature dimension
The content of this subsection is primarily based on Schneider, S, 1997,
36, Adler, N, 1986, 13-16 and Schein, E, 1985, 98-101.
Human nature value is the feeling about the positive and negative sides of
people. There are two main assumptions about human nature; people are
basically good or basically evil. However, some cultures fall between these two
assumptions, which means people can be both good and evil, and they can
improve themselves as well. People absorb value of evil and good from children
onward. Some religions hold a belief in original sin. It implies that people
believe that human nature is basically evil, therefore confession and asking for
forgiveness are anticipated and rules and supervision are also needed. On the
other hand, other religions are founded on assumption that human nature is
basically good and they work hard to fulfill their personal achievements.
Undoubtedly, people in ‘basically good’ cultures tend to trust one another more
than those in ‘basically evil’ cultures.
3.3.2.2. Individualism versus Collectivism dimension
The content in this subsection is mainly based on Hofstede, G, 1991, 49-
77. Firstly, I describe the underlying concept in order to understand the main
idea of individualism versus collectivism. Secondly, I bring up the Hofstede’s
study, showing that some countries tend to be individualist while some countries
are obviously collectivist, and others are in the middle. Thirdly, I explain why
people differ from one country to another. His supporting reasons are important,
as I will use them to analyze characteristic of people in studied countries in the
next chapter. Finally, I provide a brief conclusion at the end.
43
(1) Individualism versus Collectivism concept
This dimension demonstrates measurement of dependency between one
another. Individualism can be illustrated by societies in which the relationships
between individuals are weak, which means everyone is expected to look after
oneself and one’s immediate family. On the other hand, collectivism can be
defined as societies in which people from birth onwards are integrated into
strong, cohesive ingroups, which throughout people’s lifetimes continue to
protect them in exchange for unquestioning loyalty (Hofstede, G, 1991, 51).
Collectivism regards importance of group interest more than that of individual
interest, while individualists think vice versa. Compared with collectivism,
individualists are more self-reliant, dependent and aware of privacy right to a
greater extent.
The concept of trust is affected by individualism versus collectivism as
well. Trust is the expectation that arises within a community of regularity,
honesty, and cooperative behavior, based on commonly shared norms, on the
part of other members of that society (Fukuyama, F, 1995, 26). In a strong
collectivism community, people rely so much on family, friends or co-workers,
that they tend to distrust unrelated people. Consequently, from an outsider’s
point of view, collectivism is observed in a low-trust society. In order to do
business with collectivists, one must first establish trust and get to know them to
generate strong relationships. Although it takes time for collectivists to be
familiar with a stranger, a businessman can smoothly and successfully conduct
business in a long run once he finds a good relationship with them. Collectivists
regard word of mouth among acquainted people as the most faithful, thus
marketers should consider this communication channel as an effective way to get
widespread acceptance of products from a collectivism society.
(2) Individualism index in different countries
Hofstede indicated that the cluster in individualism versus collectivism
dimensions can be based on a combination of demographics, economics and
history. The countries in a stronger individualism cluster tend to be more
wealthy and industrialized than those in collectivism cluster do. I shall
summarize about the range of individualism score in table 3.2 based on
Hofstede’s findings. The score varies from zero for the most collectivism, to one
hundred for the most individualism.
44
Region or country Individualism
index
Level of
individualism/collectivism
Anglo countries (Except Ireland
and South Africa)
91-79 Very high individualism
Ireland, South Africa 70, 65 High individualism
Nordic countries 79-63 High individualism
Germanic countries 68-55 High to medium individualism
Latin Europe (Except Portugal) 76-51 High to medium individualism
India, Japan 48, 46 Low collectivism
Latin America 46-12 Medium to high collectivism
Asia (Except India and Japan) 32-14 Medium to high collectivism
Portugal 27 Medium collectivism
Remark : Finland Thailand The U.S.
63 20 91
High individualism High collectivism Very high individualism
Table 3.2. Range of individualism index
(3) Possible reasons for differences between clusters
• Wealth of country
When a country’s wealth increases, its citizens have access to resources
which allow them to ‘do their own thing’ (Hofstede, G, 1991, 76). People
naturally share something with others unless they have enough well being to buy
their own things. Decrease in degrees of sharing things with others is the result
of increase in wealth, implying that collective characteristics are changing to be
more individualist. One spends more time with oneself as one can enjoy using
his own belongings and privacy becomes more important. One can see grouping
of developed countries and less developed or developing countries in figure 3.3.
It shows that the wealthier countries based on more GDP tend to be more
individualism. See table 3.3 for abbreviations of countries and regions shown in
figure 3.3.
45
Figure 3.4. Individualism score versus 1987 GNP/capita (Hofstede, G, 1991, 75)
Abbreviation Country or region Abbreviation Country or region ARA Arab-speaking countries (Egypt,
Iraq, Kuwait, Lebanon, Libya, Saudi Arabia, United Arab Emirates)
JAM Jamaica
ARG Argentina JPN Japan AUL Australia KOR South Korea AUT Austria MAL Malaysia BEL Belgium MEX Mexico BRA Brazil NET Netherlands CAN Canada NOR Norway CHL Chile NZL New Zealand COL Colombia PAK Pakistan COS Costa Rica PAN Panama DEN Denmark PER Peru EAF East Africa (Ethiopia, Kenya,
Tanzania, Zambia) PHI Philippines
EQA Equador POR Portugal FIN Finland SAF South Africa FRA France SAL Salvador GBR Great Britain SIN Singapore GER German F.R. SPA Spain GRE Greece SWE Sweden GUA Guatemala SWI Switzerland HOK Hong Kong TAI Taiwan IDO Indonesia THA Thailand IND India TUR Turkey IRA Iran URU Uruguay IRE Ireland (Republic of) USA United States ISR Israel VEN Venezuela ITA Italy WAF West Africa (Ghana, Nigeria,
Sierra Leone) YUG Yugoslavia
Table 3.3.Abbreviations for the countries and regions studied (Hofstede, G, 1991, 55)
46
• Population growth
Rate of population growth is strongly related to this dimension. As
mentioned earlier, individualist societies tend to have a small family while
collectivism prefers to live in a big family. Population growth indicates an
average number of children in a family. Thus in a country that has high growth
rate tends to have big families and be collectivist rather than individualist.
• National history
History is one factor that always affects the culture in a particular society.
In East Asia, believing in Confucius leads to collective characteristics. In the
West, many Europeans from England, Scotland, and the Netherlands immigrated
to the new land such as the U.S., Australia and New Zealand to seek better lives.
They had to fight for themselves to occupy land and be able to live in new
environments, therefore they tend to be independent and self-reliant, which is the
individualist type.
Individualism and collectivism seem to require different levels of privacy. I shall
conclude that the extent of privacy and security concern of collectivists depends
somewhat on word of mouth of other members. Once one member accepts a
particular thing, word of mouth is spread out, then other members subsequently
accept it and the degree of security concern decreases. However, collectivists tend to
distrust the unknown or new things, which other members have not accepted, thus
consequently security concerns remain relatively high. As for individualists, I shall
assume that they care about their privacy rights, due to their self-dependent
characteristics and rely less on word of mouth.
3.3.3. Linking assumption
The linking assumption involves the relationship between nature and people. It
includes three main dimensions; space, language and time. The content of this
subsection is primarily based on Schneider, S, 1997, 39-42, and Adler, N, 1986, 12-
25.
The space dimension determines how people need their physical and personal
spaces. The space-needed can imply level of privacy that people expect, and this
dimension is considered a related cultural issue to my research objective. I will
elaborate the space dimension in subsection 3.3.3.1.
47
The language dimension can be divided into high-context and low-context
cultures. In low-context communication, people tend to use direct and explicit
words. The high-context communication seems to be opposite.
The last dimension is about time. In some societies, time is limited and should
be efficiently spent; it is considered ‘monochronic’. Other societies, time could be
expanded and one can do many things at the same time. It is called ‘polychronic’.
The concentration on past, present, and future time varies in different cultures as
well.
3.3.3.1. Physical and personal space dimension
The space in this context can be classified into two types; physical space
and personal space. The physical space involves people managing to live in a
particular environment or in limited space. Physical space management reflects
harmony between people and their environment. One can easily observe the
physical space management in a particular culture by looking at architecture
styles and other object designs. In some countries where territories are so large
and population densities are low, physical space is somewhat carelessly
managed and the concept of living in harmony with the environment is less
important. For example, buildings are designed to have only a few stories and
unutilized space between each building is not concerned wasteful. People
living in plenty of physical space tend to put less emphasis on living in
harmony and personal distances. Regarding personal space, people need a
certain distance that is not too far or too near to make them feel comfortable.
Such distance varies from one culture to another. The need for personal space
determines the demand for privacy.
The needs for personal space and physical space interrelate to each other. I
shall conclude in brief that the more people are constrained by limited physical
space, the more people need personal space or privacy.
3.4. Summary
Culture can be briefly described as shared knowledge, values, norms, ideas and other
symbols by a group of people and transmitted to the younger generation in that society.
The cross-cultural psychology has been extensively studied for several decades to help
48
solve the question of how and why different social and cultural forces influence
behaviors of members in a particular society. Various anthropologists have made
different models of cultural dimensions. However, these models have some dimensions
in common and they were integrated to present a whole picture in section 3.3. Among
many cultural dimensions, I proposed that some dimensions have the potential
influences on one’s security and privacy awareness. Later on in this section, I will use
characteristics of people, showing in the selected dimensions, to form a prediction about
how consumers in different cultures respond to the privacy and security issues. The
related cultural dimensions and their implications to consumer behaviors were
summarized in table 3.4. As for the source of this table, in the first column, the related
cultural dimensions were presented. Based on various culture literatures, the culture
could be divided into many dimensions. After I reviewed all cultural dimensions and
provided the brief explanation for each of them, I basically chose some dimensions that
obviously influence the way people are aware of security and privacy. These dimensions
included uncertainty avoidance, human nature, individualism versus collectivism, and
space. In the second column, the implications to consumer behaviors were presented.
The consumer behaviors were deduced from many literatures that I reviewed. One could
also find the source of information in this column in the conclusion in subsection 3.3.1,
3.3.2, and 3.3.3.
Involving cultural
dimensions Implication to security concerns
1. Uncertainty avoidance • Stronger uncertainty
avoidance
• Weaker uncertainty avoidance
• People tend to possess risk aversion characteristics.
They try to avoid unclear situations. • People are flexible and feel quite comfortable to
accept security risks. 2. Human nature
• People are basically good.
• People are basically evil.
• Based on the idea that people are good and behave
properly to achieve the highest goals of lives, lower awareness of threats and crime is expected in this culture.
• Holding belief of original sin, people are expected to
make mistakes, break the laws and rules. Thus, people are concerned about vulnerability caused by bad people.
Table 3.4. Summary cultural influences on privacy and security concern
49
Involving cultural dimensions
Implication to security concerns
3. Individualism/Collectivism • Individualism • Collectivism
• People are self-reliant and aware of their rights. • People are interdependent between one another.
Sharing personal data within a group is acceptable but not with outsiders. People tend to rely on word of mouth. Consequently, an extent of safety concern and awareness of threats highly depends on whether a community accepts such threats or not. If some community members feel comfortable to encounter the computer threats, the concern about online security among other members is expected to reduce.
4. Physical and personal space • Stronger need for space • Lower need for space
• People who live in limited physical space tend to
need more privacy. They respect personal affairs, confidentiality and privacy rights.
• If people are not restrained by physical space, they
desire less personal space and consequently feel more comfortable to share personal data with others.
Table 3.4. Summary cultural influences on privacy and security concern (Continued)
Next, I will integrate this culture summary table with the Internet security analysis
table derived from the previous chapter. The objective of the integration is to analyze
the impact of cultures on different security attributes. It will also refer to threats and
controls of computer security.
For review, I provided a brief discussion about the Internet security analysis table,
which was presented at the end of chapter two. In the Internet security analysis, many
types of Internet uses, such as e-mailing and electronic trading, were presented. The
general computer security attributes, such as confidentiality and integrity, were
illustrated as well. Then, the analysis of threats and controls was conducted for each
combination of Internet usage types and the security attributes.
The result from an integration of culture and computer security was shown in table
3.5. I shall describe about the table in sequence of the creation steps as follow.
1) Determine the cultural dimensions
50
To form the integrated table, firstly, all interested cultural dimensions, which were
presented in table 3.4, were included. As I mentioned in the explanation of table 3.4,
these dimensions were expected to represent the security and privacy awareness of
consumers. They consisted of uncertainty avoidance, human nature, individualism
versus collectivism, and space dimensions.
2) Select the computer security attributes
I have selected some security attributes, which represent the most obvious cases. By
‘obvious cases’, I mean the situations that apparently or potentially show the influence
of cultures on online consumer concerns. Based on the table 2.1, four types of computer
security attributes were presented. They included
• confidentiality,
• integrity,
• privacy, and
• availability.
Based on the cultural influences summary in table 3.4, the confidentiality, integrity
and privacy were likely to be the obvious concerns that would be affected by cultures.
The supporting evidences will be presented in step four. However, the availability
attribute was not chosen because it was more likely related to technical issue than
cultural differences.
3) Determine types of Internet use
From table 2.1, there were three main types of Internet use, which are electronic
messaging (including to e-mail and public message), browsing and trading transaction
(including e-order, e-payment and e-delivery). According to the selected security
attributes in step two, I shall further select the types of Internet use in which the users
would take these attributes as serious concerns. The objective of the selection is to
depict the most obvious cases for this research. Based on table 2.1, the three selected
attributes including confidentiality, integrity and privacy were considered highly
important issues for the uses of e-mail and e-payment. Consequently, I will apply the
uses of e-mail and e-payment for an analysis in the integrated table.
51
Possible threats and controls when using
Impact of cultural differences on consumer concerns Important security
attributes E-mail E-payment Uncertainty avoidance Human nature Individualism versus Collectivism
Physical and personal space
Confidentiality Threats: - Eavesdropping - Interference - Hacking Controls: - PEM - S/MIME - PGP - Web Based
Secure Mail
Threats: - Eavesdropping - Interference - Hacking Controls: - TLS - SET
The degree of confidentiality concern is expected to be • Higher in a strong
uncertainty avoidance culture.
• Lower in a weak uncertainty avoidance culture.
Note that law and regulation for online consumer protection are crucial to people in strong uncertainty culture.
The degree of confidentiality concern is expected to be • Higher in a society,
which considers human nature ‘basically evil’
• Lower in a society, which considers human nature ‘basically good’.
• In an individualism culture, the high degree of confidentiality concern is expected.
• In a collectivism culture, the degree of confidentiality concern depends on the group acceptance of a particular Web page. Ø If they accept, the
lower concern is expected. Ø If they have not
accepted, the higher concern is expected.
Not directly applicable.
Integrity Threats: - Eavesdropping - Code
modification Controls: - PEM - S/MIME - PGP - Web Based
Secure Mail - Scanning
Software
Threats: - Eavesdropping Controls: - TLS - SET
The degree of integrity concern is expected to be • Higher in a strong
uncertainty avoidance culture.
• Lower in a weak uncertainty avoidance culture.
Note that law and regulation for online consumer protection are crucial to people in strong uncertainty culture.
The degree of integrity concern is expected to be • Higher in a society,
which considers human nature ‘basically evil’
• Lower in a society, which considers human nature ‘basically good’.
• In an individualism culture, the high degree of integrity concern is expected.
• In a collectivism culture, the degree of integrity concern depends on the group acceptance of a particular Web page. Ø If they accept, the
lower concern is expected. Ø If they have not
accepted, the higher concern is expected.
Not directly applicable.
Table 3.5. Integrated computer security attributes with cultural dimensions
52
Possible threats and controls when using
Impact of cultural differences on consumer concerns Important security
attributes E-mail E-payment Uncertainty avoidance Human nature Individualism versus Collectivism
Physical and personal space
Privacy Threats: - Hacking - Unsolicited
commercial e-mails
Controls: - Filter software - Best practices
Threats: - Hacking - Cookies Controls: - SET - Best practices
Not directly applicable. Not directly applicable. • In an individualism culture, the high degree of privacy concern is expected.
• In a collectivism culture, people are less concerned about privacy when sharing information between members in their group. However, the high degree of privacy concern is expected for sharing information with outsiders.
The degree of privacy concern is expected to be • Higher in a society, in
which people live in limited space.
• Lower in a society, in which people live in adequate or large space.
Table 3.5. Integrated computer security attributes with cultural dimensions (continued)
53
4) Determine impact of cultures on security attributes
I will analyze and develope expectations based on cultural literature reviewed in the
previous sections in this chapter. I used my expectations as a basis to apply the
information gathered from the studied countries and to conduct survey research. I shall
describe the cultural impact on security concerns in sequence of the cultural dimensions.
4.1) Uncertainty avoidance dimension
• Uncertainty avoidance with confidentiality and integrity attributes:
In a strong uncertainty avoidance society, it is expected that Internet users are
highly aware of threats to personal security. They need to ensure the security control
of data modification and disclosure. Otherwise they would avoid giving the sensitive
information in e-payment form, or submitting private information via e-mail. The
sound controls and consumer protection regulation are very crucial in the society.
In a weak uncertainty avoidance society, Internet users tend to accept possible
threats. Though they are aware of the confidentiality and integrity risk, they tend to
be more comfortable and acceptable to the exchange of sensitive data on the Net.
The establishment of controls and regulation to protect against confidentiality risk
are less important, as people think of risk as a normal situation.
• Uncertainty avoidance with privacy attribute:
The uncertainty avoidance could imply risk aversion characteristic and the need
for security, but it did not show the need for privacy. Hence, I shall omit an analysis
of impact of uncertainty avoidance dimension on privacy concern. However, an
analysis will be provided on other cultural dimensions that relate to privacy issue.
4.2) Human nature dimension
• Human nature with confidentiality and integrity attributes:
There are two main aspects of how people think of human nature. Human nature
could be ‘basically good’ or ‘basically evil’. It depends on religion and other factors
which was described in subsection 3.3.2.1. However, in some societies, the human
behavior can be in-between good and bad.
Internet users, who hold the belief of ‘basically good’ human nature, are not
likely to anticipate the harm caused by other people. The thought of hazardous
situations that may lead to the revealing or changing of messages does not affect
many people when they write e-mail or give sensitive information on online
payment form. This is because they believe that people possess the appropriate
behaviors and they tend to be less aware of cyber attacks. However, the awareness of
54
confidentiality and integrity risks tends to be high for Internet users who believe that
human nature is ‘basically evil’. The supporting reason is that they hold the idea that
people tend to break the rules or make mistakes either by accident or on purpose.
• Human nature with privacy attribute:
Based on the literature review in subsection 3.3.2.1, the human nature dimension
illustrates an expectation of good or bad behaviors of human beings. Although this
expectation implies the awareness of computer criminals, it does not clearly reveal
the need for privacy. Hence, I shall defer an analysis to other cultural dimensions
that directly relate to privacy issue.
4.3) Individualism versus collectivism
• Individualism versus Collectivism with confidentiality, integrity and privacy
attributes:
An individualist is considered a self-reliant person, while a collectivist depends
on others for support. Individualists seem to consider privacy rights and personal
security as the important issues. Although the collectivist tends to accept sharing
information between group members, the privacy invasion, occurred by exchanging
information with unfamiliar Web sites, remains a significant concern. It is worth
noting that a group acceptance is very crucial in collectivism environment. Since the
collectivists rely on each other so much, the group that they belong to has powerful
influence on group members’ behaviors. Internet users in collectivism culture could
easily accept using e-mail or making payment in a particular Web page if other
group members satisfy the Web sites’ security controls or accept the possible risks.
In conclusion, Internet users in individualism culture are highly aware of the
privacy and confidentiality invasion. They are concerned about threat to data
integrity as well. As for the collectivists, their concerns about security attributes
would be similar to those of individualist. However, the degree of concern would be
significantly reduced if the group acceptance is achieved.
4.4) Physical and personal space
• Physical/Personal space with confidentiality and integrity attributes:
The space dimension described in subsection 3.3.3.1 concretely related to
privacy needs. Thus, I will leave out an analysis here.
• Physical/Personal space with privacy attribute:
According to space dimension, the physical space had correlation to the need for
privacy or personal space. It implies that people, who live in limited space, tend to
need more privacy. On the other hand, people living in adequate space tend to feel
55
comfortable to share private information with others. Consequently, I propose that
Internet users, who live in a restrained space, have stronger desire for privacy.
5) Determine impact of security threats and controls on consumer concerns
This is an additional step, which involves a comment about how the security controls
would help reduce consumer concerns. According to the various kinds of threats
presented in table 3.5, they included eavesdropping, code modification, hacking,
unsolicited commercial e-mails, cookies and interference. Internet users tend to be
familiar with some or all of these threats. For example, Internet users may face a bulk of
commercial e-mails, which are sent to them without their demands every other day.
Media and government usually publicize warnings for new viruses or worms. Today,
one can find these threats as a common issue.
To protect against possible threats, many security tools have been created. Though in
table 3.5 I classified the controls by types of security attributes, it is easier in this place
to group them into two main categories. The first category of controls consists of the
filter software, the virus-scanning software, and the best practices. These are somewhat
common and widely used by Internet consumers. They are easy to use and require only
simple computer security knowledge. Above all, they could help reduce consumer
concern about computer security to a certain level. However, these controls may be not
enough for the protection of the very sensitive data. For more complicated protection,
the second category of controls may be applied. The second category includes controls
that are based on cryptography mechanism such as PEM, S/MIME, PGP, Web Based
Secure Mail, SET and TLS. These controls apply the private and public keys to encrypt
and decrypt messages. As mentioned in chapter two, the strong cryptography has been
considered the most powerful security technology and is difficult to crack. That is why
many security tools today rely so much on cryptography. The uses of encryption and
decryption sound familiar to most of Information Technology people such as system
designers, programmers, and computerize auditors. However, the cryptography requires
more advanced knowledge compared with the controls in the first category. Thus,
normal Internet users have not expansively used it. I believe that many online consumers
may not be aware of the usefulness of cryptography. Consequently, I suggest that the
security controls, which are based on cryptography infrastructure, have not affected the
consumers’ concerns yet.
56
4. Internet security and culture influence in studied countries
4.1. Chapter structure
In this research, I aim to analyze cultural impact on Internet consumers’ concerns
about privacy and security. According to my research objective, the knowledge about
the computer threats and security was provided in chapter two. Then, the cultural
dimensions that influence consumers’ concerns towards security and privacy issues were
presented in chapter three. The integration of the computer security and the cultural
impact was also presented in a summary of chapter three. Now, as I have acquired the
integrated knowledge of computer security and culture theories, I would further progress
by using such knowledge to generate the expectation for the selected countries including
Finland, the U.S., and Thailand. According to the conducted survey, which will be
presented later in empirical chapter, the populated samples from each country will be
used to examine my expectation. To begin creating expectation for the selected
countries, first of all, I shall provide brief backgrounds of each country. Basic
knowledge, such as history and religion is important as these factors commonly shape
the unique culture of a particular society. Thus in section 4.2, I present some
information about Finland, Thailand and the U.S., respectively. Next, I integrate the
cultural dimensions with unique characteristics of each country and make an analysis in
sections 4.3 to 4.6. Such analysis is classified by cultural dimensions, which have high
potential to affect the way people care about privacy and security according to the
knowledge from chapter three. Finally, I determine levels of privacy and security
concerns based on my expectations from previous chapter and present in section 4.7 as a
summary.
4.2. Basic background of studied countries
4.2.1. Finland
The content of this subsection is mainly based on a book called “Facts about
Finland” written by Elovainio, P, and the CIA-The World Factbook Web site.
4.2.1.1. Brief history of the nation
57
From the twelfth century to the early eighteenth century, Sweden, aiming
to spread the Christian religion, conquered others in the Crusades and occupied
Finland. Finland became a part of Swedish territory until Russia declared war on
Sweden in the early nineteenth century. Sweden defeated and ceded Finland to
Russia. Due to revolution in Russia after World War I and deposition of the
Russia monarchy, Finland announced its independence on December 6, 1917.
The Soviet Union attacked Finland again in the Winter War and the Continuation
War during 1939 to 1944. The long history of occupation and invasion ended
with a Treaty of Friendship between the Soviet Union and Finland in 1948.
4.2.1.2. Religion
The most dominant religion in Finland, like other Nordic countries, is the
Evangelical-Lutheran faith, having about 4,400,000 members or 85.2% of the
total population in 1998. The other religion is Orthodox, which has 54,000
members or 1.1% of the total population. The minority of people is Catholic,
Muslim, and other religion, and the rest of the population define themselves as
non-denominational. In reality, people do not frequently go to church, but half of
the population still consider themselves believers.
4.2.1.3. Population and other interesting facts
• Demographic facts
Finland has a population of 5,175,783. Of the whole population, people of
working-age (15 to 64) possess the highest proportion of 67%, while children
under 15 years old make up 18%, and senior citizens over 64 years old are over
15%. Population growth rate was 0.16% in 2001.
Finland is considered the third most sparsely populated country in Europe.
This is because about 25% of area is located in the North Pole, in which coldness
is a major constraint to life or building construction. Population is more dense in
the south, which is surrounded by Baltic Sea and warmer than the north. The
population density in 1998 was about 17 persons per square kilometer.
• Internet users
The number of Internet users in Finland was about 2.27 million or 44 % of
the total population in 2000.
• Other facts
58
In the early 1980s, Finland was ranked one of the world’s ten most
prosperous countries based on a clean, crime-free and low-poverty society
(Lewis, R, 2000, 269). Finland is highly industrialized and also famous for its
high technology products. GDP per capita in 2000 was about 22,900 U.S. dollar.
Being a member of EU, the Finnish government is aware of the protection
of personal data. According to “Status of legislative procedure” from Privacy.org
Web site, Finland has established The Finnish Personal Data Act (523/1999) on
April 1999. This is to comply with EU Directives.
4.2.2. Thailand
The content of this subsection is mainly based on El Kahal, S, 2001, 109-113,
Lewis, R, 2000, 363-368 and CIA-The World Factbook Web site.
4.2.2.1. Brief history of the nation
The ancestors of Thais were from the Yunan province of China. Similar to
other territories, Thailand had to go to war against neighbors to protect and
extend the colony. Thailand, unlike the rest of South East Asia, has never been
colonized by other countries. Thais are independent and that is why they define
the meaning of Thailand as ‘Land of the Free’. Although Thais loved freedom
and were proud of being independent, they did not neglect building relationships
with Western countries such as France, Britain, and the U.S.. In the past, Thais
were governed by the monarchy system. The king played an important role as
father of the nation who was responsible for taking care and ensuring the well
being of his people. Although a democracy system is in place today, people still
honor their beloved king and his speeches are significantly powerful to political
and general issues.
4.2.2.2. Religion
Most Thais, 95% of the total population, are Buddhist and the minority is
Muslim (4%). There is no restriction about religion, hence Thais can freely
choose to believe in other religions such as Christianity and Hindism as well.
Buddhism stresses that humans can be reincarnated into have many lives.
Buddhists believes that good or bad things happening in lives are the results of
‘karma’ from past lives. Once one did good karma, or good behavior, in a
59
previous life, one receives good things or good luck in present life. The lifestyles
of Buddhists affect a culture in the sense that a Buddhist tends to be flexible,
tolerant, patient, and easy to forgive, because he accepts his karma and believes
that he cannot change it.
4.2.2.3. Population and other interesting facts
• Demographic fact
The population of Thailand was 61,797,751 in 2001. The percentage of
children under 15 years old was about 23%, people in working age 70% and
senior citizens over 64 years old was 7%. Population growth rate was 0.91% in
2001.
Thailand possesses a land area of 511,770 square kilometers, with the
population density of 121 persons per square kilometer approximately.
Population below poverty line was about 12.5% in 1998 and the country still has
a problem of equality of income distribution.
• Internet users
A number of Thai Internet users were about one million or 1.6% of total
population.
• Other facts
Thailand is playing an important role in the Asian Pacific economy.
Though it has frequent changes in government, military intervention, and recent
economic recession, the foreign trade policy is still attractive and friendly to
foreign investors. Its GDP per capita was 6,700 U.S. dollar in 2000.
4.2.3. The United States of America
This subsection is based on three main sources; CIA – The World Factbook Web
site, Shippey, K, 1995, 221-245, and Crowther, J, 1999, 17,111, 450-451.
4.2.3.1. Brief history of the nation
The beginning of U.S. history started with occupation of land by native
people known as Indians. Later on during the sixteenth to seventeenth century,
there came a new group of pioneers and colonizers, mainly from Britain, France,
Spain, the Netherlands, Sweden, and Russia. After the Revolutionary War
between the U.S. and Great Britain, the mother country, Britain’s American
60
colonies declared independence in 1776. At that time, the United States of
America became a new nation and began to expand its region to neighboring
territories. In the nineteenth century, there was a Civil War between the northern
and southern states of the U.S.. Two main reasons of the war were problems of
African slavery, and power of states’ rights versus the U.S. federal government’s
rights. Then in the twentieth century, the U.S. showed its power and was a
successful force in World Wars I and II. Americans hold the pride of having a
strong and powerful country.
4.2.3.2. Religion
The U.S. does not have clear establishment of religion, which means
Americans can choose to believe in particular religions or not believe in any
religion. There are two most prevalent groups, which are Protestant (56% of total
population) and Catholic (28% of total population). Moreover, most Americans
have strong religious beliefs supported by the facts that 96% of Americans
believe in God, 90% pray and 41% go to church regularly. It is not surprising to
notice that the official U.S. motto is ‘In God we trust’. Like other countries, the
U.S. has a minority holding other religions such as Hinduism, Buddhism, and
Sikh, and some are considered non-religious.
4.2.3.3. Population and other interesting facts
• Demographic fact
The U.S. is ranked the world’s third largest country by population and by
size. America possesses a land area of approximately 9 million square kilometers
and the population was about 278 million in 2001. Population density was about
30 persons per square kilometer. People between 15 and 64 years old dominate
the highest portion of the whole population (66.27% or 184 million). A
proportion of children under 14 years old was 21.12% or 59 million and that of
senior citizen over 64 years old was about 12.61% or 35 million.
Similar to Thais, Americans have quite a high percentage of population
below the poverty line (12.7% in 1999). And the population growth rate was
about 0.9% in 2001.
• Internet users
61
Born in the U.S., the Internet is extensively used by Americans. The
number of Internet users was about 148 million or 53% of total population in
2000.
• Other facts
The U.S., as one of a leading industrialized country, has the largest and
most technologically powerful economy in the world. It had a very high GDP per
capita of 36,200 U.S. dollar in 2000.
By the end of this section, the objective to understanding the history and background
of the selected countries has achieved. Subsequently, I would analyze the cultural
differences based on national backgrounds. The analysis would be classified into four
interesting cultural dimensions including uncertainty avoidance, human nature,
individualism versus collectivism, and space dimensions. These cultural dimensions are
derived from the analysis of potential related cultural dimensions in table 3.4 in chapter
three.
4.3. Uncertainty avoidance analysis
Among three studied countries in this thesis, Thailand and Finland had medium to
high scores about 59-64, and the U.S. had the lowest score of 46, based on Hofstede
index in table 3.1. There are two main reasons supporting different levels of uncertainty
avoidance. The first reason concerns religion. Most of Americans are either Catholic or
Protestant, while majority of Thais is Buddhists and Lutheranism is strongly hold by
Finns. As mentioned earlier in subsection 3.3.1.1 in chapter three, uncertainty avoidance
of Protestant Christian and Buddhism tends to be weak but that of Catholic tend to be
strong. This sounds reasonable with Thais and Finns uncertainty avoidance index.
However, Americans seems to be in between due to the strong belief in both Catholic
and Protestant.
The second reason is about the history of each country. Based on a strong Chinese
cultural influence, Thailand in the past had a governing system based upon general
principles, thus codified laws were not given much attention. Society that desires only a
few general laws possesses the patterns of weak uncertainty avoidance. Finland belongs
to the Germanic cluster, which tends to have low uncertainty avoidance. However,
Finland has relatively high uncertainty avoidance compared with other Germanic
62
countries, partly due to long history of occupations and government by Sweden and
Russia. As for the U.S., though the nation was once a colony of Britain and had gone
through many big wars, Americans hold a very strong belief in democracy and freedom.
The fact that the U.S. established the first constitutional democracy in the world
confirms this belief. Freedom and independence underlie the concept that the U.S. is a
land of opportunity where risk-taking is admired (Shippey, K, 1995, 223). Americans
are not afraid of challenge. Consequently, the U.S., with the perspective of taking
opportunity from the risk, is considered a weak uncertainty avoidance society.
However, I shall point out an issue of law and regulation presented in subsection
2.7.3 in chapter two , which can also demonstrate a degree of uncertainty avoidance. In
Finland, EU Directive is imposed and it is very strict about online consumer data
protection topic. So, it implies that people are concerned about their security of personal
data to a great extent. In the U.S., though there are many regulations to ensure protection
of privacy rights, there seems to be less restriction compared with EU. Americans
emphasize on private sector responsibility more than on a strict law issued by the
government. That means they believe that the Web sites should be responsible for
providing security policy thus no need for stringent law to be established. In contrast,
Thailand, like other Asia Pacific countries, has not yet developed clear rules and
regulations for online data protection. It seems that Thailand has the weakest rules
compared with others, and that reflects low concern about online security and privacy
issues.
4.4. Human nature analysis
Based on subsection 3.3.2.1, it is pointed out that when people believe that a human
is basically good, they tend to have a high-trust society. But in low-trust societies,
humans are seen as basically evil. The basis of how people think about human nature,
whether humanity is basically good or basically evil, lies in religious belief to some
extent. As I mentioned earlier in section 4.2, about 85% of Finns being Lutheran, 95%
of Thais are Buddhists, while Americans are both mostly Protestant and Catholic.
Protestant belief was founded on the idea that human is basically good. Protestants are
taught to live and work to maximize their human potential because they believe that
hard work and task mastery are the ways of achieving human goals (Schneider, S, 1997,
36). Due to Lutheran dominance in Finland, I expect that Finns see humans as basically
good in nature.
63
Buddhist belief was also founded on perception of basically-good human nature.
Buddhists believe they should behave and help weaker persons so that good things will
return to them in the future or next lives. They focus on getting rid of desire and
selfishness to achieve the highest stage of life or so called nirvana. Thais, in the old
days, tended to have a high-trust society. Nowadays, Thailand, unlike Finland, has
problems about poverty, unequal distribution of income and a high crime rate.
Consequently, people tend to be more careful and alert to potentially dangerous
situations (Pornpitakpan, C, 2000, 69-70).
In the U.S., both the Protestant and Catholic faith are strongly held. Humans are
traditionally seen as a mixture of good and evil, capable of choosing one over the other
(Adler, N, 1986, 13). American society is in the middle between high-trust society and
low-trust society, hence Americans can be described as cautious people. Americans also
believe that people can change to improve themselves and people can be good if they
behave and do the right thing such as working hard. However, because of the changing
world and increasing crime rate in the U.S., some Americans view that people today
cannot be trusted as much as in old day (Pornpitakpan, C, 2000, 69-70).
4.5. Individualism versus Collectivism analysis
The Hofstede’s list of rank numbers in individualism versus collectivism dimension
is presented in table 3.2. Based on individualism index, Thailand has individualism
score of 20, Finland has 63 and the U.S. has 91. It implies that Thailand is a strongly
collectivist country, Finland tends to be individualist one, and the U.S. is an extremely
individualist society.
Thais are taught to depend on one another and to help others so that in the event that
they might need help, they will be helped in return (Pornpitakpan, C, 2000, 62-63).
People are traditionally supposed to live with their parents until they get married. This is
because they can take care of parents and old family members more easily. So, Thais
believe in preserving good interpersonal relationships with family, friends, colleagues,
and other familiar persons. Due to a highly collective characteristic, they trust in
acquaintances to a great extent, but they tend to distrust strangers or unfamiliar people.
According to a table 3.4 about cultural analysis in chapter three, the collectivists are
aware of security threats caused by outsiders. However, the degree of concern would be
significantly reduced if the society accepts or is familiar to a particular threat.
64
In Finland, like most of European countries, children are taught to be self-reliant.
Within certain social confinements, the individual is encouraged to act independently
without necessarily considering the family (Worm, V, 1997, 76). Finns prefer
demonstrating their ability in individual tasks to acquire support from a team (Lewis, R,
2000, 278-279). They are individualistic and independent but they still care about
others’ feelings and want to listen to different opinions. Accordingly, Finland is
considered moderately individualism when compared to strong collectivism in Thailand
and extreme individualism in the U.S..
Americans are ranked as the most individualist in Hofstede’s study. The supporting
reason can be traced back to U.S. history. American society consisted of immigrants,
who were seeking new lives in new environment, from Britain and other European
countries, thus people used to fight for land and for themselves. When trying to survive
in an unfamiliar land, they needed to depend on themselves. In addition, young children
in the U.S. are encouraged to demonstrate their ability, give opinion, and count on
themselves. In contrast with Thais, Americans are supposed to live separately from their
parents when they consider themselves as adults who are mature enough to take care of
themselves. Americans believe that the individual is responsible for what he does, thus
he takes care of himself but should not expect a society or a government to look after
him (Crowther, J, 1999, 500). In short, Americans are self-reliant, individualist, and
independent rather than group-oriented and they put less emphasis on the idea of
sacrifice for the community and cooperation (Shippey, K, 1995, 221).
Hofstede’s assumption in subsection 3.3.2.2 in chapter three that industrialized
countries and the countries with low population growth rate tend to be individualist
sounds reasonable, as the U.S. has the most GDP per capita (36,200 USD), Finland’s is
in a second place (22,900 USD)and Thailand’s is the lowest (6,700 USD). The
population growth rates in Thailand and the U.S. are quite equal (0.91% and 0.90%,
respectively), while in Finland it is pretty low (0.16%). Thus, based on his assumption,
economics and demographics could also be factors that make Thailand the most
collectivist, Finland individualist, and the U.S. extremely individualist.
4.6. Physical and personal space analysis
I shall begin with the need for physical space, which then links to levels of personal
space or privacy concerns. According to demographic facts in section 4.2, Thailand has
the greatest population density (121 persons per square kilometer), the U.S. ranks
65
second with 30 persons per square kilometer, and Finland is the most sparse one with 17
persons per square kilometer. The population density is a significant factor that affects
to what extent people have to adapt themselves in order to live in harmony within
limited space. In Thailand, where there is quite limited space for people, people learn
how to balance their need for physical space and environmental preservation. In a
traditional Thai office, one habitually closes his room’s door, which implies that privacy
is given high priority. Thais are not supposed to ask about personal information from
others, which they consider improper or rude manner, except inquiring from familiar
friends or close acquaintances.
Schneider claimed that the U.S. occupies great physical space of country, therefore
the concepts of living in harmony or respecting each other’s privacy are less important,
and Americans feel comfortable to share personal information with others or ask others
to share information with them (Schneider, S, 1997, 39-40). Schneider also mentioned
that Europeans are more reserved compared with Americans, due to the long history of
invasion and occupations, which lead to a suspicion of strangers and a need to keep
distance. Though Finland has the most sparse population density compared with the
other two countries, the privacy concern is somewhat similar to other Europeans, as in
the past, the countries were subjected to foreign denomination.
4.7. Summary
The cultures of each country I examined vary to some extents. There were four main
cultural dimensions that I used as a basis for analysis; uncertainty avoidance, human
nature, individualism versus collectivism, and space. Many factors such as war history,
religion, law enforcement and interdependency between one another had significant
influence on each dimension.
Now, to provide the concrete illustration, I proceeded by integrating the related
consumer patterns with national characteristics. A table 3.5 in chapter three was
considered the crucial foundation, as it provided the expectation of cultural impacts on
security concerns. It described how a particular cultural dimension would affect
consumer opinions. It also illustrated that some dimensions had strong influence on
privacy concerns, while others tended to be directly involved with confidentiality and
integrity concerns. By merging cultural differences in each country with this
66
expectation, the basic hypothesis for this research is derived. The result of integration
was presented in table 4.1.
To formulate a table 4.1, firstly, I used the national background in section 4.2 as
basic information for the analysis in section 4.3 to 4.6. Secondly, I concluded significant
characteristics from the analysis to present in the table. This is to show how each
cultural dimension is shaped in an individual society, and has impacted on consumers’
concerns. In this integrated table, the expected degree of security concerns varied from
the weakest degree =1, medium degree = 2 and the strongest degree =3. I shall separate
the table into two parts. The first part will present the expectation of confidentiality and
integrity concerns. The second part will present the privacy concern.
In the first part of table 4.1, one can see that Finland and the U.S. had the maximum
score, which meant their concerns about confidentiality and integrity on the Net were
among the highest compared to Thailand. For Thailand, though the score depended on
whether or not society accepted the Web sites and their security policies, it was ranked
number two, anyway. Thais had a minimum level of concern compared with the others.
Analysis of Confidentiality and integrity concerns
Finland Thailand The U.S. Involving cultural
dimensions Analysis
result
Expected
degree of
concern
Analysis
result
Expected
degree of
concern
Analysis
result
Expected
degree of
concern
Uncertainty avoidance
• Law and regulation
Medium - High
Stricted by EU
Directive
2
3
Medium –High
No clearly
established
law.
2
1
Low
Less strict law
compared with
EU Directive.
1
2
Human nature :
Basically good or evil Basically good. 1 Basically good. 1 Mixed 2
Individualism versus
Collectivism
Individualism 2 Strongly
collectivism.
Society
accepts
Web site?
Yes = 1
No = 3
Extreme
individualism.
3
Total score 8 5-7 8
Confidentiality and
integrity concern by
total score
Rank 1 Rank 2 Rank 1
Table 4.1. Summary cultural dimensions effect on security and privacy concern in studies of different countries. (Part 1)
67
In the second part of table 4.1, one can see that all studied countries had similar
scores. Their concerns about privacy invasion on the Net were among the medium high
degree. However, Thailand’s score ranged from four to six, and influenced the ranking
number. If Thai society does not accept the Web sites and their privacy protection
policies, its score would be the highest among other studied countries. Its score also
implied that the country had the strongest concern about privacy. On the other hand, if
Thai society accepts the risk or trusts in the Web sites’ security, its score would be the
same as those of the other two countries. That means that privacy concern in every
studied country would have no significant differences.
Analysis of Privacy concerns
Finland Thailand The U.S. Involving cultural
dimensions Analysis
result
Expected
degree of
concern
Analysis
result
Expected
degree of
concern
Analysis
result
Expected
degree of
concern
Individualism versus
Collectivism
Individualism 2 Strong
collectivism.
Society is
familiar
with Web
site?
Yes = 1
No = 3
Extreme
individualism.
3
Need for personal space Medium 2 Strong 3 Low 1
Total score 4 4-6 4
Privacy concern by
total score Rank 1 or 2 Rank 1 or 2 Rank 1 or 2
Table 4.1. Summary cultural dimensions effect on security and privacy concern in studies of different countries. (Part 2)
68
5. Previous research
5.1. Chapter Structure
The objective of this chapter is to provide the previous empirical evidences on
online consumers’ concern about data privacy and security. I shall note that though there
is a number of interesting previous studies, none of them provided the obvious evidence
of impact of cultures on online privacy concern.
In my opinion, computer technology in the information age is consistently improved
and new tools are rapidly developed. The technology changes more or less affect Net
consumer behavior, knowledge and awareness. There are various study researches about
how consumers are aware of their personal data protection; however, many of them are
somewhat out of date. For example, Wang’s paper in 1998 mentioned consumer privacy
concerns about Internet marketing. He and his colleagues analyzed why consumers need
privacy, the relationship between the Internet marketing activities and the privacy
concerns, the principles for protecting privacy, and the relationship between privacy
enhancing technologies and privacy concern. Briones’s article in 1998 described how
online privacy issues would challenge direct marketers. Screeton wrote a topic about
how the online privacy legislation and self-regulation in protecting consumer privacy
would affect the business in the U.S. and EU countries. Sanderson wrote a journal about
Information security in business environments, which presented today’s threats to
security and the protections of sensitive information.
According to the potential impact of rapid technology changes on consumer
behavior, I would highlight four of the most recent studies as they possibly demonstrate
more accurate and up to date results. For each of them, a brief background, objective,
research method, result and conclusion are included. In section 5.2, I shall provide a
survey about barriers to electronic commerce conducted by CommerceNet. In section
5.3, two surveys about consumer concern towards security and privacy issues are
provided. One was conducted by Hanrick Associates and another was done by AT & T
Labs-Research. In section 5.4, I present Godwin J.Udo survey study about privacy and
security concerns as major barriers for e-commerce in the U.S. His study methodology
and brief survey results are included as my empirical study is considered a further
extension of his work. I would provide his findings in more detail and compare them
69
with responses from Finn and Thai in the next chapter. A summary of this chapter is
provided in section 5.5.
5.2. Previous study about barriers to electronic commerce
The content of this section is mainly based on a survey of CommerceNet 2000. A
study framework, survey result and conclusion can be summarized as follow.
5.2.1. The research framework
CommerceNet conducted a survey about barriers to electronic commerce in
2000. The objective of a survey was to identify barriers to electronic commerce from
three perspectives; Business-to-Business electronic commerce in large companies,
Business-to-Business electronic commerce in small and medium companies and
Business-to-Consumer electronic commerce. CommerceNet developed
questionnaires asking about possible barriers which were partly based on the barriers
in a previous year survey. A target group of participants consisted of members and
visitors to the CommerceNet web site. Total respondents were more than one
thousand from six countries including the U.S. and many Asian countries.
5.2.2. The research result
As the study provided three perspectives of electronic commerce, I shall present
here only B2C perspective as it closely relates to my study. There were many
potential issues listed in top ten barriers; for instance, slow speed of Internet
connection, difficulty of making business transaction, fraud and risk of loss, legal
issues, lack of qualified personnel, difficulty of cost justification, and lack of public
key infrastructure. According to global top ten barriers to B2C e-commerce in 2000,
security and encryption were ranked the most important barrier, trust and risk were
ranked the second, and culture was ranked the ninth. The first and second issues
remained unchanged from a previous survey in 1999. However, importance of the
culture issue was radically reduced in 2000 as it used to be in the fourth place in
1999. Overall, the top ten barriers to B2C e-commerce in 1999 and 2000 did not
differ; however, some of them were changed in ranking number though.
Another interesting finding is that there were some differences of perception of
barriers to B2C e-commerce between companies in the U.S. and those in other
70
countries. For American companies, the biggest barriers seemed to be the difficulty
of operating international business and online transaction security. For example,
from the top ten barriers, the issues ranking number one, two and three were
international trade barrier, security and encryption, and lack of qualified personnel.
On the other hand, non-U.S. companies viewed security issue as a main barrier to e-
commerce. This was supported by the survey result that the top three barriers were
security and encryption problem, trust and risk problem, and difficulty to control
user authentication and lack of public key infrastructure. It is obvious that both U.S.
and non-U.S. companies viewed the security issue as a crucial factor in doing
business. They also shared similar ideas about other barriers that affected B2C
business; for example, incapable employees, and difficulty in customers searching
for vendors. In addition, the survey result showed that slow speed and unreliability
of Internet communication was considered a barrier in non-U.S. companies, but this
issue was not raised by U.S. companies. The research group of this survey believed
that this difference implied a lack of efficient Internet connectivity in non-U.S.
countries.
5.2.3. The research conclusion
The major barrier to B2C e-commerce for companies in the U.S. and other
countries was online security problems. It involved how to make use of security
technology such as encryption and public key infrastructure to ensure validity of
online transactions and help build trust between vendors and customers. Unless the
communication facility in non-U.S. countries is improved, the concern about
inefficient and unreliable Internet connectivity is expected to increase as online
business expands and gains more popularity among households.
5.3. Previous study about online privacy concerns
The content of this section is mainly based on Han, P, 2002, 35-38 (Hanrick
Associates study) and Cranor, L, 1999, 1-19 (AT&T Labs-Research). Their study
framework, survey result and conclusion can be summarized as follow.
5.3.1. The research framework
As for the first survey, Hanrick Associates developed questionnaires and
distributed them in the U.S.. The survey objective was to understand consumer
71
attitudes toward online privacy. The survey was conducted in May 2001, and there
were more than 350 participants. The second survey is similar to the first one.
AT&T Labs-Research conducted a survey in November 1998, and received 381
responses. The target respondent was heavy Internet users or possibly leading
innovators in the U.S. since AT&T anticipated this group to reflect the picture of the
future Internet user population.
5.3.2. The research result
Due to similarities in both studies, I shall summarize the important findings from
both studies and group them by type of concerns in table 5.1.
Types of concerns Survey findings Sources
1. General privacy of online shopping and surfing
- 62% and 49% of respondents said that privacy concerns affected their surfing and online shopping, respectively, only on a selective basis.
- 34% of respondents said that negative perceptions
about their privacy and lack of control on the Web prevent them from purchasing online; however, under particular circumstances, most of these respondents would purchase things online. This was supported by their previous online shopping records.
Hanrick
Hanrick
2. Giving out identifiable information to Web sites
- When personal data is required by predefined scenarios such as banking, news, sports Web sites, more than half of respondents would provide their information to receive personalized services. However, this number decreased if they were required to give identifiable information such as name and address.
AT&T
3. Transferring user information to Web sites
- 86% of respondents were not willing to use features or tools that would automatically transfer their information to Web sites, though such tools would make Net surfing more convenient for them.
AT&T
- 76% of respondents were uncomfortable or very uncomfortable with a company connecting user patterns to e-mail addresses for a targeted e-mail campaign.
Hanrick
4. Receiving unsolicited commercial e-mails
- 61% of respondents who said they would provide their information to receive pamphlets and coupons said they would be less likely to provide that information if it would be shared for future marketing.
AT&T
Table 5.1. Survey studies conducted by Hanrick Associates and AT&T Lab-Research
72
Types of concerns Survey findings Sources
- Over 30% of respondents agreed or strongly agreed that the benefits of personalized Web content offset privacy concerns.
- Almost 45% of respondents were comfortable with
Web sites using cookies to help track returning users and other useful statistics.
- 33% of respondents were uncomfortable with the
general use of cookies on Web sites.
Hanrick Hanrick Hanrick
5. Tracing online activities by personalized marketing tools such as cookies
- 52% of respondents were concerned about cookies. Of those who knew what cookies were, 56% stated that they had changed their cookie setting so that they would be warned before accepting cookies.
AT&T
- 86% of respondents disagreed or strongly disagreed that Web sites should be allowed to share information with other businesses or partners.
Hanrick 6. Disclosure of personal data or sharing it among organizations
- 96% of respondents were concerned about the
sharing of their information with other organizations as a very or somewhat important issue.
AT&T
Table 5.1. Survey studies conducted by Hanrick Associates and AT&T Lab-Research
(continued)
5.3.3. The research conclusion
Basically, online consumers were significantly concerned about protection of
personal information. They were uncomfortable to share identifiable and sensitive
information with web sites. They did not want to receive overwhelming spam e-
mails. Some consumers believed that cookies were dangerous tools, which kept
record about their activities on the Net. However, others viewed cookies in a
positive way because they enjoyed personalize services provided by web sites that
used customer information from cookies. Finally, most consumers were concerned
about sharing of their personal information between organizations without their
consent.
5.4. Previous study about privacy concerns as barriers for e-commerce
The content of this section is mainly based on Udo, Godwin J, 2001, 165-174. He
studied the privacy and security concerns as major barriers for e-commerce. Summary
of his study is provided below.
73
5.4.1. The research objective
The objective of the study was to investigate the concerns of online IT users in
order to confirm or disprove the widely reported concerns in the press and trade
journals.
5.4.2. The research method
First, Udo classified several concerns based on various literatures related to the
topic and built them into questions. He used questionnaires as a survey instrument to
observe privacy and security concerns based on participants’ views. Each question
required the answer in a scale of “strongly agree to strongly disagree”. The
participants were also asked to rank the concerns in order to identify the severity and
importance of many types of concerns. The target group of participants was people
who had used e-mail or shopped on the Internet. He ran pilot tests with some
experience online shoppers who were familiar with the survey topic. Next, the
questionnaire was revised according to comments from the test group. Subsequently,
the questionnaires were mailed to 250 online IT users in a major city in the
Southeastern USA.
5.4.3. The research result
The majority of the online IT users had serious concerns about the safety and
confidentiality of their e-mails. They also needed government protection against
privacy invasion. Also, they believed that advanced security technology such as
encryption was not sufficient to reduce their concerns.
In addition, the majority of participants who were employees wanted their
organizations to establish and notify privacy and security policy for e-mail and
Internet. They believed that policy establishment and their rising awareness could
reduce risks and liability. Hence, organizations should be responsible for educating
their employees and implementing the essential hardware and software that could
protect against privacy and security intrusion.
There was a majority of participants who were very concerned about shopping
online. They pointed out that they would certainly shop online only if privacy and
security policies on the web were in place.
74
5.4.4. The research conclusion
In short, the issues in news and journals, which indicated that today’s online IT
users are extremely concerned with the privacy and security invasion, were assured
by this research. The privacy and security concern was a main barrier for online
shopping. Thus web sites should consider adequacy of data protection policy in
order to reduce consumers’ fear and be successful in business.
5.5. Summary
Based on previous studies, Internet users were materially concerned about how to
secure their personal information. They preferred to be anonymous and to release
insensitive or unidentified information on the Net rather than confidential one. They
were also well aware of the use of cookies, although many of them allowed the web site
to use cookies in exchange of receiving personalize content or services. Unsolicited
commercial e-mails and disclosure of consumer information among organizations were
critical issues to online consumers as well.
From the business perspective, the security and privacy concerns were among the
top ten barriers to B2C e-commerce. These concerns involved security technology as
much as foundation of trust between web site and customers. Customers were afraid that
web sites would use their personal information without their consent, while web
marketers were moving towards customer-centric strategy, trying to use cookies to
provide one-to-one services. To come up with a better business solution, both parties
must compromise different needs. For example, web sites should create trust by
providing data protection policy, offering choices for customers to share or not to share
their personal information, and customers should learn how to protect themselves and
carefully read security policy on the sites. In addition, a third party like one’s
government must take part in the solution by enacting consumer right protection law or
promoting the use of self-protection tools like firewall when using the Net.
75
6. The research study
6.1. Chapter structure
The empirical chapter begins with section 6.2, the hypotheses, which were based on
the various literatures from previous chapters. Next in section 6.3, the research
methodology consists of research variables, sample population, sample size, sample
method, questionnaires used in the survey, and the score measurement for the
participants’ answers in each question. In section 6.4, I shall present the survey results
and their interpretations. The statistical results and the analysis will be divided into four
main groups; the basic statistic, the analysis of cultural differences, the analysis of
consumers’ concerns, and the analysis of association between cultures and consumers’
concerns. I shall include the results from Udo’s survey in order to represent American
attitudes as well. Finally, the conclusion and some suggestions for further research will
be provided in section 6.5.
6.2. Hypotheses
The hypothesis is based on the fact that cultures are different from one country to
another and the various cultural dimensions represent special characteristics of people.
Consequently, some particular cultural dimensions have high potential to influence the
variation of Internet users’ attitudes toward privacy and security issues. I would like to
use the observed data to support or oppose these two hypotheses;
Ha = The characteristics of people in studied cultural dimensions differ from one
country to another.
Hb = There is an association between the studied cultural dimensions and Internet
consumers’ concern.
6.3. The research methodology
6.3.1. The research variable
In compliance to the research objective, the survey result is expected to present
the differences between participants’ attitudes in selected cultures. Cultures
primarily vary by countries or nationalities. Consequently, among many background
variables of the participants such as age, gender, occupation, income and education,
76
I will emphasize in the nationality variable, which I regard as a main influence in
this study.
6.3.2. The sampling population
6.3.2.1. Defining population
Based on the objective of the study, a sampling population was primarily
defined as all people in studied countries. Among the whole population, some
people were well acquainted with the Internet, some used the Net from time to
time, some heard about it but have never used it, while some do not even know
what the Internet is. People were different in terms of technological skills and
knowledge. People who never experienced browsing the Net were unlikely to
recognize about their online safety. On the other hand, it is likely that people,
who were familiar with the Internet, would utilize various usage of the Net such
as e-mail, chatting, and online shopping and were aware of privacy rights and
security on the Net. Therefore, I shall reconsider the primary sampling
population and confine it to a group of people who were acquainted with the
Internet. However, defining sampling population as Internet users was still too
broad and impractical to conduct the survey.
Consequently, I restrained a target population from ordinary Internet users
to Internet users who were university students. I conducted questionnaire survey
with the students in Swedish School of Economics and Business Administration
in Finland, and in Chulalongkorn University, Faculty of Commerce and
Accountancy in Thailand. In my opinion, the survey in two student groups was
practical and plausible due to four main supporting reasons; comparability,
competency, accessibility and cost efficiency. Firstly, the respondents in studied
countries were fairly comparable since they shared similar background for
example, age, education and familiarity with the Internet. Secondly, the students
were competent in reading and writing skills and capable in English
communication. As the questionnaire survey was a kind of self-administered
approach, the participants needed such skills, which helped reduce errors when
completing the questionnaires. Thirdly, the target group was accessible. Due to
the general fact that people’ living area were geographically dispersed, it is
acknowledged that some residents live in an area that was difficult to reach.
Accessibility was a crucial concern that led this study to focus on students who
77
could be easily approached under limitation of time. Finally, cost efficiency was
an important consideration as well. Though the dispersed and large sample
would definitely present better representatives of population in studied countries
and lead to more accurate survey result, the costs of the surveys were likely to be
uneconomical.
6.3.2.2. The implications for validity and generalization
According to a process of defining population mentioned above, there
were some groups of people in the studied societies, which had no chance to be
selected. The selected and non-selected population are depicted in figure 6.1.
Figure 6.1. Set of selected population.
The first group were people who were not Internet users. I shall separate
this group into two classifications. The first classification were people who knew
about the Net but were too afraid to use due to safety concern. It was an extreme
case and rarely found. As the Internet provides many useful applications to
facilitate worldwide communication, the benefits of using the Net tend to
outweigh the costs that might arise from privacy invasion. Thus I believed that
only a minority of people would be concerned about online privacy so much that
they avoided the risk arising from the Internet use. In short, I assumed that this
subgroup was unlikely to significantly affect the validity and generalization of
survey result. The second classification were people who did not need or did not
have a chance to use the Net, for example less educated people, people who had
occupations which hardly involved the use of the Internet such as doctors, and
small merchants, and people living in remote areas. Some of them may know
about the Internet and be aware of online security, while some may not. This
classification may affect the validity of result to a certain extent.
All people in individual country
Internet users
Student Internet
users
78
The second group that was excluded in this study was other Internet users
who were not students. Most of the Internet users such as marketers, economists,
businessmen, kids and teachers were common users. They used the Net for
working and entertainment purposes and possibly possessed a similar level of the
Internet familiarity and online security knowledge. The business school students
could be included in the ordinary user category as well. Thus the students were
expected to represent the common Internet user population.
I shall draw attention that though the sample population would not
represent all people in studied countries, it was expected to provide a reasonable
approximation to further analyze and generalize the result.
6.3.3. The sample size
According to subsection 6.3.1, nationality difference was one main variable
which significantly affected the survey result. To determine the impact of one
variable on attitude toward online security, a reasonable sample size would be thirty
respondents for each studied country. Though using a larger sample size could
reduce a sampling error, enlarging sample size would undoubtedly increase costs of
the study. Hence, the approximate number of thirty resulted from an economical
factor and a common response rate consideration.
6.3.4. The sampling method
The type of survey was a self-administered questionnaire. The survey was
conducted during April 2002. The appropriate place to conduct the survey with
students was where they gather. Thus, the questionnaires were distributed to them in
the cafeteria, which had a high turnover of incoming and outgoing students. The
method could be considered as a haphazard sampling and a convenient sampling
because students were randomly selected and they could choose whether to
cooperate or not.
6.3.5. The questionnaire
An example questionnaire used in this survey study is shown in appendix A, in
which I will describe a structure and a source of questions that were presented in the
questionnaire. At the beginning, the participants were required to identify basic
personal information, including nationality and status. Then, they were asked to
79
answer the questions that were divided into three main parts. The questions in part
one and two were based on Udo’s questionnaire (see an example of his questionnaire
in appendix B). As for part three, I developed the questions about culture according
to the cultural dimensions that potentially influence consumer concerns.
In part one, there were eleven questions, aiming to examine Internet usage
including e-mail and online shopping. For example, what kind of e-mail account a
participant had, how often a participant bought things online, and whether or not a
participant was aware of security threats. A question that asked the participants to
rank the various kinds of concerns in order of importance was included as well.
In part two, the participants were asked to express their opinions about
predetermined statements. The seventeen statements in this part were listed in table
6.1 and they involved internet security awareness when using the Net. The main
purpose of these statements was to ask about the concerns of confidentiality,
integrity and privacy when using e-mail or shopping on the Net. Some statements
involved with organizations’ security policies, while others asked about security
technology and consumer protection law. Overall, all statements demonstrated
general Internet security concerns. However, there were some statements that tended
to clearly present specific concerns over computer security attributes such as
confidentiality, integrity and privacy. Based on a summary table in chapter three,
these three basic computer security attributes were considered important for Internet
users and were suitable for using in the study cases as well. I shall categorize the
statements that were potentially relevant to such three attributes and present them in
summary table 6.1. The predefined categories would be fruitful when conducting the
statistical analysis. Regarding the participants’ answers, the respondents expressed
their attitudes in form of ‘strongly disagree’, ‘disagree’, ‘neutral’, ‘agree’, and
‘strongly agree’ with the given statements. Their attitudes implied the level of
concern about the online security. For example, when a participant strongly agreed
with the first statement that ‘E-mail safety is becoming an increasingly important
issue’, his opinion showed that he was significantly concerned about Internet
security problems.
In part three, there were nine statements about cultures presented in table 6.2.
Similar to part two, the participants could choose one of five levels of agreement. An
aim of this part was to clarify the cultural differences in the studied countries.
80
According to a former analysis, the interesting cultural dimensions, including
uncertainty avoidance, human nature, individualism versus collectivism, and space,
tended to represent different consumers’ attitudes about security and privacy. Thus,
the statements in this part were generated based on people’s attitudes in the related
cultural dimensions, in which were already described in detail in chapter three. In
the table, I identified which question related to which cultural dimension. In
addition, I linked participants’ opinions to their potential characteristics that would
show in the individual cultural dimension. For example, if a participant agreed with
the first statement that said ‘I feel nervous when I give my personal information to a
Web site.’, it implied that he felt uncomfortable to rely on the security on the Net or
to take risks. Thus, his opinion could imply that he possessed a strong uncertainty
avoidance level. The participants’ answers were anticipated to verify the expectation
about national characteristics as stated in chapter four.
81
Implication toInternet security attributes Part II: Online privacy and security concerns questions
Implication of participants’ opinion Strongly disagree --> Strongly agree All security
attributes Confidentiality
attribute Integrity attribute
Privacy attribute
1.) E-mail safety is becoming an increasingly important issue. Weak concern -----> Strong concern 4 4 4 4 2.) E-mails are less safe than regular mails. Weak concern -----> Strong concern 4 4 4 4 3.) Most e-mails are accessed by people other than the
owners. Weak concern -----> Strong concern 4 4 4 -
4.) Some e-mails do not come from the people that appear to send them.
Weak concern -----> Strong concern 4 4 4 -
5.) Employers have the right to access e-mail and Internet sites used by their employees.
Strong concern -----> Weak concern 4 - - 4
6.) To reduce the risk of liability, organizations should institute an e-mail policy and distribute it to all employees.
Weak concern -----> Strong concern 4 - - -
7.) Companies can disclose employees’ personal information if they deem it necessary.
Strong concern -----> Weak concern 4 - - 4
8.) Internet shopping is less secured than mail order. Weak concern -----> Strong concern 4 4 4 - 9.) I feel safe when I release my credit card information on
the Internet. Strong concern -----> Weak concern 4 4 4 -
10.) Security and privacy concerns are barriers for my shopping online.
Weak concern -----> Strong concern 4 4 4 4
11.) Only limited amount of personal information should be requested from children on the Internet.
Weak concern -----> Strong concern 4 - - -
12.) Children should not be asked to provide information about their parents on the Internet.
Weak concern -----> Strong concern 4 - - -
13.) The privacy of Internet users is greatly violated. Weak concern -----> Strong concern 4 - - 4 14.) Despite all the safety precautions in place today, Internet
and e-mails are not safeguarded enough. Weak concern -----> Strong concern 4 - - -
15.) Stalking and impersonation (including forged identity) are common on the Internet.
Weak concern -----> Strong concern 4 - - -
16.) The current laws and regulations are sufficient for protecting information system users.
Strong concern -----> Weak concern 4 - - -
17.) The current security features such as encryption and passwords are sufficient to provide security and safety when on the Internet.
Strong concern -----> Weak concern 4 - - -
Table 6.1. Internet security and privacy concern questions and their implications.
82
Part III: Cultural differences questions Related cultural dimensions Participants’ opinions
Strongly disagree --------------------------> Strongly agree
1.) I feel nervous when I give my personal information to a Web site.
Uncertainty avoidance Weak uncertainty avoidance -----> Strong uncertainty avoidance
2.) The regulations for personal information protection are needed and should not be broken in any circumstances.
Uncertainty avoidance Weak uncertainty avoidance -----> Strong uncertainty avoidance
3.) People are naturally good and they do not want to harm others.
Human nature People are basically ‘evil’ ---------> People are basically ‘good’
4.) People basically wish to do the right things and abide by the laws or regulations.
Human nature People are basically ‘evil’ ---------> People are basically ‘good’
5.) I am dependent on others; for example, when I need to make a decision, I prefer to consulting my friends or family first.
Individualism versus Collectivism Strong individualism -------------------> Strong collectivism
6.) The Web site’s security policy could be reliable if my acquaintances confirm me by words.
Individualism versus Collectivism Strong individualism ------------------> Strong collectivism
7.) I feel safe when I give personal information to a Web site in which many people in my community already tried and accepted its security policy.
Individualism versus Collectivism Strong individualism ------------------> Strong collectivism
8.) My physical space such as my house area or my office room area is large.
Physical and personal space Strong need for space -------------------> Low need for space
9.) My privacy or private space is adequate and comfortable. Physical and personal space Strong need for space -------------------> Low need for space
Table 6.2. Cultural differences questions and their implications.
83
After all the questions were formed, I conducted a pilot test to ensure that the
questions and language were understandable and unambiguous. A test was launched
on April 4, 2002 at Department of Accounting, Swedish School of Economics and
Business Administration and was done by five students who had experience in using
the Internet. According to the feedback, I made some language corrections, gave
more concrete examples for dubious questions, and rearranged the format and
sequence of questions. I shall note here that there was no crucial necessity to find
many participants for a pilot test. This was because two out of three main parts of the
questions were based on Udo’s study in which he ran a pretest already.
6.3.6. The score measurement
Based on the previous subsection, I derived information from the participants’
opinions expressed in the questionnaires and their implications to level of security
concerns and to cultural differences. To simplify the statistical interpretation, I shall
define these descriptive implications as specific scores ranging from 1 to 5 as follow:
Subjects Descriptive ranges Score ranges
Internet security concern Weak concern -------------------> Strong concern 1 ------->5
Uncertainty avoidance (UA) Weak UA ------------------------> Strong UA 1 ------->5
Human nature People are good. ----------------> People are evil. 1 ------->5
Individualism/Collectivism Strong individualism ------> Strong collectivism 5-4-3-4-5
Physical/Personal space Low need for space -----> Strong need for space 1 ------->5
Table 6.3. The score ranges.
The first subject was the security concern when using the Net and it involved the
responses in part two of questionnaires. The participants who possessed the stronger
concern would have a higher score. In contrast, the lower score means a lower
awareness of threats to online security.
As for other subjects, they were results from responses in part three of the
questionnaires. Based on an analysis in chapter three, people’ behaviors were
different depending on the variation of cultural dimensions. People who possessed
one or many of following characteristics tended to have very high concern about
their security and privacy: having a strong uncertainty avoidance level, holding a
belief that human nature is basically ‘evil’, being extremely individualist or
collectivist, or feeling like they were restrained by space. Thus, the participants who
84
had such characteristics got the highest score ‘5’ which demonstrated their high
security and privacy concern level. On the other end of spectrum, the participants,
who had weak uncertainty avoidance level, believed that human nature is basically
‘good’, or feel comfortable with their space, would get the lowest score ‘1’. The
participants whose characteristics showed the concern level that were in between the
highest and the lowest level received the score of 4, 3, 2, respectively. I shall note
that for the individualism versus collectivism subject, based on my analysis in
chapter three, both strong individualism and collectivism cultures tended to have
high concern about privacy right and low trust in unfamiliar Web sites.
Consequently, the ‘5’ scores were given to those who were extreme individualists or
collectivists. The participants who were somewhat strong individualists or
collectivists received ‘4’ as they were expected to show medium-high concern level.
In addition, the participants who were in the middle received ‘3’ – medium concern
level, since they did not show clear characteristics of individualism or collectivism.
6.4. The result of research and interpretation
The analysis in this section is based on the answers from the questionnaires. The
results from Finland and Thailand rely on my survey, while American’s responses were
based on Udo’s study. It is worth noting that there are some limitations of comparing my
results with Udo’s. For example, the time frames are different and the participant groups
are not completely the same. My survey study was conducted in 2002 while his was
done one year earlier. I targeted the student group, while he had diversified participants
whomever he considered online IT users.
Regarding a structure of this section, it begins with subsection 6.4.1, which is the
basic statistic about sample population such as numbers of responses, types of e-mails
used by the participants, and frequency of online shopping. Next, from subsection 6.4.2
to 6.4.4, the analysis of the main results is provided. It includes the examination of
important questions and answers which directly relate to the hypotheses. There were
some questions and answers left over. Subsequently, in subsection 6.4.5, the rest of the
questions and answers are inspected. At the end, I shall provide a conclusion based upon
the analysis and raise some points for further research.
85
6.4.1. The basic statistic
Of 60 distributed questionnaires in Finland and Thailand, the usable responses
were 30 from Finland and 29 from Thailand, respectively. According to Udo’s
survey, in the U.S., the number of usable responses was 158 out of 250
questionnaires. The majority of the participants were students, while the rest were
both students and employees.
The following statistic was based on two parts of the questionnaires: the
participants’ information and some questions from part one. From part one, the
selected questions included question number 1, 2, 7, 8, 9 and 10. These were the
general questions about Internet usage including a number of participants who used
e-mail, types of e-mail account, and online shopping behaviors.
The percentage of participants who had e-mail accounts was significantly high.
Thus the information implies that the participants met the target group of this
research. The percentages can be presented as follow.
Country % of participants who have e-mail accounts
Finland 100% Thailand 86.21% The U.S. 90.50%
Table 6.4. Percentage of persons who have e-mail accounts
Additional basic information about occupations, types of e-mail accounts and
whether the participants had ever bought something online are presented in figures
6.2, 6.3 and 6.4.
Figure 6.2. Occupations of the participants
Occupations of participants
3934
18
4 4
27
100 100
0
25
50
75
100
Students Employees Supervisors /Managers
Facultymember
Others
Per
cent
(%)
Finn Thai American
86
Figure 6.3. Types of e-mail accounts
Figure 6.4. Online shopping experience
About half or more of overall participants indicated that they had purchased
things on the Net. The percentage of American participants who had experienced
buying things online was somewhat higher than that of Finn or Thai. The possible
reason might be that among three countries the U.S. is considered the most advanced
in Internet technology. In fact, America is the initiator of the Internet. Hence it is
possible that they have been familiar with the Net for a longer time and online
shopping is not something new for them.
Among the participants who had experienced online shopping, figure 6.5 shows
how often they purchased goods or services. Note that Udo did not present a
frequency of online shopping; hence I would omit the U.S. result here.
Types of e-mail
59
1017
45 44
32
97
4043
17
0102030405060708090
100
Home e-mail Workinge-mail
School e-mail
Other
Per
cent
(%)
Finn Thai American
Has a participant ever purchased anything online?
50 5052 48
67
33
0
20
40
60
80
100
Yes No
Per
cent
(%)
Finn Thai American
87
Figure 6.5. Frequency of shopping online
From figure 6.5, it is evident that Thai participants purchased things on the Net
much more often than Finn’s; though the number of experienced online shoppers in
these two countries was about the same. Finn’s might have o40%40%ther
considerations or probably an awareness of Internet security that reduces or affects
the frequency of their shopping online.
The participants, who used to shop online, were asked whether they were
concerned about threats to sensitive information such as credit card number. Over
70% of American participants showed that they were concerned. Compared to
Americans, Thai’s and Finn’s tended to be less concerned about this issue. Figure
6.6 shows that about 60% of Finn and 40% of Thai were aware of the abuse of
personal information.
Figure 6.6. Consumers’ concerns about personal information security
How frequently does a participant purchase things online?
3
2317
10
24
737
10
0
10
20
30
40
50
More thanonce a month
Once amonth
At least oncein 6 months
At least oncea year
Less thanonce a year
Per
cent
(%)
Finn Thai
Has a participant concerned about abuse of personal information when purchasing things online?
59
4141
55
0
20
40
60
80
100
Yes No
Per
cent
(%)
Finn Thai
88
All participants, including those who had never bought anything online, were
asked if they would shop online if their concerns were eliminated. The result from
the U.S. showed that over 70% said ‘yes’. In Finland, the answers were similar to
those in the U.S., as over 60% of Finns also said ‘yes’. However, Thais may have
other hidden concerns or supporting reasons because 57% of Thai participants still
did not want to purchase goods online, though their concerns were diminished.
Figure 6.7. Opinions about online shopping when concerns are reduced.
6.4.2. The analysis of cultural differences
I have analyzed the respondents’ opinions about cultures. This is to examine the
cultural differences in the studied countries. This subsection is composed of three
main components. Firstly, the source of data using in an analysis is defined.
Secondly, a statistical method is used in the final calculation. Finally, an analysis for
each cultural dimension is provided.
6.4.2.1. The source of data
The main source of raw data was from the participants’ answers from part
three of the questionnaires, which involved a set of cultural questions. As a
cultural part of my questionnaire is an extension from Udo’s work, this resulted
in a lack of cultural opinions from the U.S. to be used in statistical analysis.
Would a participant shop on the Net if his/her concerns are addressed or eliminated?
63
3743
57
0
20
40
60
80
100
Yes No
Per
cent
(%)
Finn Thai
89
6.4.2.2. The statistical method
From part three of the questionnaires, the participants’ opinions about
cultures were obtained. The descriptive implications of respondents’ opinions
were translated into the scores ranging from 1 to 5 based on the score
measurement defined in subsection 6.3.6. I recorded the frequency of opinions
and the mean scores were calculated to determine the central tendency. The
supporting figures of frequency and scores were presented in appendix C.
The first hypothesis is reintroduced below:
Ha = The characteristics of people in studied cultural dimensions differ
from one country to another.
To examine the first hypothesis, it is needed to determine whether there
were significant differences between the mean scores of Finn and Thai. I shall
apply the basic statistic ‘t-test’. According to Moore, D, 1989, 538, ‘t-test’ is
used to solve two-sample problems. The basic idea of t-test is that it can be used
to compare the responses in two groups which are considered to be the sample
from two distinct populations, and the responses in each group are independent
of those in other groups. To enhance the efficiency when performing t-test
analysis, I used ‘t-test function’ in Microsoft Excel program to help calculate t-
test value. The t-test function would return the probability to determine whether
two samples are likely to have come from the same two underlying populations
that have the same mean. Thus, if the probability turns out to be high, two
sampling populations are considered having the similar mean scores and no
significant differences are found. I shall establish the cut-off point at 0.10 or 10%
which means that the t-test value if less than 10% will prove that there are
significant differences between two sampling groups.
6.4.2.3. The statistical result and analysis
Below, I present a summary of mean scores for each cultural dimension
and t-test results.
90
Mean scores Ttest results
Cultural dimensions Finn Thai Ttest value %
Uncertainty avoidance 3.65 3.57 0.6715 67.15%
Human nature 3.00 2.66 0.1072 10.72%
Individualism/Collectivism 3.82 3.71 0.3449 34.49%
Physical/personal space 2.50 2.38 0.5323 53.23%
Table 6.5. Cultures mean scores and t-test value.
In general, there were no significant differences between cultures of Finn
and Thai because t-test values of all cultural dimensions were above 10%.
Regarding human nature dimension, the t-test result showed a weak comparison
between the two samples. However, this may be the result of a small sample.
Next, I shall further investigate the differences between my expectations
and actual results by cultural dimension.
In the summary table of chapter four (column ‘Analysis result’), I analyzed
the potential characteristics of each country presenting in the four cultural
dimensions. Here I shall compare such expectations with the actual results. I
created four comparison tables, table 6.6 to 6.9, that are classified by cultural
dimensions. The structure of these tables was alike. Firstly, the mean scores for
individual cultural dimensions are listed. Secondly, the implication of the mean
score is provided based on an interpretation of scores in table 6.3. Thirdly, the
expectation from chapter four is presented. The comparison tables and
descriptions are demonstrated in a sequence of cultural dimensions as follow.
• Uncertainty avoidance comparison
The participants were asked two questions about their nervousness when
giving personal information to the Web, and the opinion about the need for strict
rules and regulations. The questions imply the participants’ feelings under stress
and the rule-orientation.
Based on the actual average score, both countries had medium to high
scores. According to t-test, 67% showed no significant differences between the
mean scores of two countries. These participants tended to avoid uncertain
91
circumstances. They seemed to feel uncomfortable when releasing important
information on the Net.
To sum up, the actual and expected results of Finn and Thai were similar.
Uncertainty avoidance Country Mean Score
Implication of the average score Expectation from the analysis
Finland 3.65 Medium to high uncertainty avoidance. Medium to high uncertainty avoidance.
Thailand 3.57 Medium to high uncertainty avoidance. Medium to high uncertainty avoidance.
Table 6.6. Comparing actual uncertainty avoidance results with expectations.
• Human nature comparison
There were two statements involved with human nature dimension. The
participants responded with the statements that ‘people are naturally good’, and
‘they do not want to harm others, and they want to abide by the rules and
regulations’. These statements were formed based on the idea that ‘human nature
is basically good and people behave properly.’. If the respondent disagreed with
the statements, he tended to believe that people were expected to make mistakes
or break the rules and one should be aware of the effects caused by bad people.
According to religious foundations in Finland and Thailand, I anticipated
that both Finn and Thai would believe that human nature was basically ‘good’.
However, it turned out that they tended to have mixed attitudes that human
beings could be good or bad. The participants in both countries were aware of
rule breaking but were still comfortable in giving a chance to other people to
improve their behavior or fix their mistakes. According to the t-test value, the
10% shows minor significance differences between Finn’s and Thai’s mean
score.
Human nature Country Mean score
Implication of the mean score Expectation from the analysis
Finland 3.00 Sampling group believed that human was mixed between good and evil.
People were basically good.
Thailand 2.66 Sampling group believed that human was mixed between good and evil.
People were basically good.
Table 6.7. Comparing actual human nature results with expectations.
92
• Individualism versus collectivism comparison
The actual results and my expectations for Finn’s culture were somewhat
different. My assumption was based on Hofstede’s study which indicated that
Thai people tended to be very strong collectivist while Finn were more likely to
be individualist. However, the results of opinions from both Finn and Thai
participants showed that their characteristics were likely to be considered strong
collectivists. They were likely to depend on families or friends. They were likely
to trust the Web sites that their acquaintances recommended without strong
needs to prove the reliability of the Web sites by themselves. There were no
significant differences between two countries as t-test percentage was about
34%.
Individualism versus Collectivism Country Mean score
Implication of the mean score Expectation from the analysis
Finland 3.82 Strong collectivism. Individualism
Thailand 3.71 Strong collectivism. Strong collectivism
Table 6.8. Comparing actual individualism results with expectations.
• Physical and personal space comparison
Finn’s actual result was somewhat similar to my anticipation. However, the
Thai result needed less space than I expected. Both Finn and Thai respondents
seemed to need moderate physical and personal space. They felt that their room
spaces or other physical spaces were adequate or large enough. They were
comfortable with their privacy. They did not greatly desire to seek more private
space. According to 53% of t-test, there were no material differences between
the two studied countries.
Physical/Personal space Country Mean score
Implication of the mean score Expectation from the analysis
Finland 2.50 Medium low need for space Moderate need for space.
Thailand 2.38 Medium low need for space High need for space
Table 6.9. Comparing actual space results with expectations.
93
6.4.2.4. Conclusion
Based on the results from t-test, the hypothesis states ‘the characteristics of
people in studied cultural dimensions differ from one country to another’ for the
chosen countries could, possibly, be rejected. T-test percentages were so high for
all cultural dimension results that there was high probability that the two
sampling groups shared the same mean. As there were no important variations
between Finland and Thailand, their cultures were unlikely to differ from each
other.
My predictions about uncertainty avoidance characteristics of two
populations were supported by the actual results. The observed Finn and Thai
characteristics in some dimensions partly conform to my expectations. However,
in the human nature dimension, it turned out that my expectation that people in
both countries tended to believe that ‘human nature are basically good’,
completely differed from the actual results as both Finn and Thai thought that
‘human nature are mixed between good and evil’.
6.4.3. The analysis of consumers’ concerns
A purpose of an analysis is to determine the differences of degree of security
concerns between the studied countries. Though an analysis may not directly verify
the hypothesis, it provides the general idea of how Finn and Thai Internet users are
concerned about their personal online safety and how large the variation of
awareness degree between the two countries is.
6.4.3.1. The source of data
An analysis of the consumers’ concerns in the studied countries basically
relied on the participants’ opinions expressed in part two of the questionnaires.
Their expressions reveal how much they were aware of possible risks that
occurred from inadequate computer security. The respondents’ concerns about
safety when sharing personal information and online privacy were stated as well.
After reviewing an explanation about the questionnaires in subsection
6.3.5, I classified the questions into three main types of concerns: overall
concerns, confidentiality and integrity concerns, and privacy concern. This was
because some questions implied specific concerns such as attitudes towards
94
violation of privacy, while some were more likely to present the general concern
such as asking about adequacy of laws and regulation to protect online
consumers. Here, I shall use all questions in part two of the questionnaires to
analyze overall or general concerns. As for confidentiality, integrity and privacy
concerns, I chose particular questions based on my former judgment in
subsection 6.3.5 table 6.1.
6.4.3.2. The statistical method
Similar to the statistical method for cultural differences analysis, the
descriptive implications of respondents’ opinions were translated into the scores
ranging from 1 to 5 based on the score measurement defined in subsection 6.3.6.
I calculated the mean scores based on the frequency of opinions. The record of
frequency and scores are presented in appendix D.
I use the basic statistic ‘t-test’ to determine any material variances between
the mean scores of two sampling groups. I applied ‘t-test function’ in Microsoft
Excel program to help calculate t-test value. Again, I established the cut-off
point at 0.10 or 10% which means t-test value when less than 10% proves that
there are significant differences between two sampling groups.
6.4.3.3. The statistical results and analysis
I present a summary of mean scores for concerns about computer security
and t-test results as follow:
Mean score Ttest results
Internet security concerns Finn Thai American Ttest
value %
Overall concerns 3.54 3.30 3.58 0.0068 0.68%
Confidentiality and integrity
concerns
3.48 3.35 3.54 0.2190 21.90%
Privacy concern 3.58 3.31 3.50 0.0044 0.44%
Table 6.10. Consumers’ concerns mean scores and t-test value
One should note that t-test results in this place showed the differences
between mean scores of Finn and Thai. Due to the limitation of data presented in
Udo’s research, I calculated only the mean score of the U.S. but not the t-test
95
value. In addition, I added the related previous research that I mentioned in
chapter five in comparison with my observed data.
• Overall security attributes
The participants in three studied countries tended to be aware of the online
safety. Their mean scores were above 3 but did not reach 4, which implied that
the participants’ attitudes varied from neutral to moderately high concern about
consumers’ safety.
According to t-test results, Finn’s mean score was materially higher than
Thai’s. The Finn’s participants were likely to be more concerned about potential
security risk. One possible reason is that Finland is well known for the advanced
technology, communication and wide use of the Internet (Internet users were
44% of total population) thus Finn is likely to keep pace with today’s threats to
security. In contrast, the computer security technology in Thailand may be
considered behind that of Finland. Thai Internet users are only 1.6% of the total
population and they may not be knowledgeable about possible computer security
threats or how to protect themselves. In addition, Thai have comfortable styles of
living and the invasion of personal security may not be taken as a big issue
except for the really serious cases.
• Confidentiality and integrity attributes
Similar to overall concerns about security attributes, the participants in all
studied countries tended to be aware of the confidentiality and integrity of their
personal data. Their mean scores were around 3.3 to 3.5, which implied that the
participants’ attitudes were ranged from disinteresting in confidentiality and
integrity attributes to moderately high concern about these subjects. They agreed
that e-mail safety was becoming an increasingly important issue, but they did not
think that e-mails were less safe that normal mail. They were aware of the
statements that most e-mails were accessed by people other than the owners or
some e-mails did not come from the people that appeared to send them. They
were slightly concerned that online shopping was less secure than mail order.
They were likely to feel unsafe when releasing the credit card number on the
Net. They somewhat agreed that security issues were barriers for shopping
online.
96
In chapter four table 4.1, I proposed the degree of confidentiality and
integrity concerns for each studied countries. Based on my assumption about
cultural differences between Finland and Thailand, I presumed that Finland and
Thailand would be respectively ranked first and second regarding degree of
confidentiality and integrity concerns. That means the Finn’s participants had a
higher concern about confidentiality and integrity attributes than Thai’s.
However, the actual results revealed that participants in both countries had
neutral attitudes or moderately high concerns about these two attributes. In
addition, by checking t-test value, there were no significant variations between
Finn’s and Thai’s opinions. One reason of why the actual awareness degree
differed from my expectation was that my underlying assumptions about cultures
were partly invalid after checked against the real responses. A concise
comparison table is provided below.
Confidentiality and integrity concerns
Expectation from the analysis
Country Mean score
Implication of the mean score
Rank Expectation
Finland 3.48 Ranging from neutral attitudes to moderately high concerns
1 Higher concerns
Thailand 3.35 Ranging from neutral attitudes to moderately high concerns
2 Lower concerns
Table 6.11. Comparing actual confidentiality/integrity concerns results with expectations.
The trend of participants’ attitudes in my study somewhat resembles those
of other researches. Based on previous researches mentioned in chapter five,
today’s online consumers were concerned about identifiable information. Most
people disagreed or strongly disagreed that the Web sites should be allowed to
share information with other organizations. The majority of people believed that
sharing information without the consent from owners was of a somewhat or very
important issue. The implication from previous researches was that online
consumers were greatly aware of the confidentiality of their personal data.
• Privacy attribute
Similar to the previous analysis, the participants in all studied countries
tended to be aware of their privacy. Their mean scores were around 3.3 to 3.6,
which implied that the participants’ attitudes were ranged from neutral to
97
moderately high concern. In general, they realized the importance of e-mail
safety. They somewhat disagreed that employers should have the right to access
e-mail and Internet sites used by employees and disclose employees’ personal
information. They somewhat agreed that privacy of Internet users is greatly
violated and this issue creates barriers for shopping online.
Now, I compare the actual results with my expectation from chapter four.
A summary table is provided below.
Privacy concern
Expectation from the analysis
Country Mean score
Implication of the mean score
Rank Expectation
Finland 3.58 • Ranging from neutral attitudes to moderately high concern
• Higher concern
1or2 Higher or Lower concern
Thailand 3.31 • Ranging from neutral attitudes to moderately high concern
• Lower concern
1or2 Higher or Lower concern
Table 6.12. Comparing actual privacy concern results with expectations.
Comparing Finn’s and Thai’s actual responses, the t-test value indicated
that Finn’s mean score was significantly higher than Thai’s. That means Finn
seemed to have higher privacy awareness level than Thai had. My expectations
based on cultural analysis showed that Finland and Thailand could be ranked
first or second regarding the degree of privacy awareness. The ranking number
depended on whether or not Thai was familiar with particular Web sites. I
emphasized again that my underlying assumptions about cultures were partly
invalid after checking with the real responses. Hence, I could not completely rely
on my assumption to conclude that Thai’s privacy concern was lower than Finn’s
because Thai felt familiar with and trust in the Web site.
The related researches from previous chapter also presented consumers’
concern about privacy invasion. The majority of their respondents stated that
they were uncomfortable to receive unsolicited commercial e-mails. Though
many of them loved to receive free coupons or special discount when giving
some personal information to the Web, they were less likely to provide
information if it is to be shared for future marketing. Some respondents accepted
98
the usefulness of cookies so that they could receive personalized contents, while
others thought that the risk from using cookies overweighed the benefits. Based
on previous researches and the result from my study, it is obvious that Internet
consumers were somewhat or very worried about their privacy.
6.4.3.4. Conclusion
According to t-test results, Finn’s and Thai’s responses about ‘overall
Internet security concern’ and ‘privacy concern’ material differed. Their
opinions ranged from the neutral attitudes to moderately high concerns. Finn’s
mean scores were materially higher than Thai’s. Thus Finn was likely to be more
concerned about the overall potential security risk and privacy invasion.
6.4.4. The analysis of association between cultures and consumers’ concerns
6.4.4.1. The source of data
Like in the previous sections, in this association analysis I used cultural
opinions and consumers’ concerns attitudes from part three and two of the
questionnaires, respectively. The basic idea is consistent. The part three
questions had been classified into four cultural dimensions consisting of
uncertainty avoidance, human nature, individualism versus collectivism, and
space. And from part two, the Internet security concerns were classified into
overall concerns, confidentiality and integrity concerns and privacy concern.
Unlike the previous parts where I had to separate Finn’s and Thai’s scores in
order to determine the differences between two countries, now I used the Finn’s
and Thai’s scores together to analyze correlation between cultures and
consumers’ attitudes as a whole.
6.4.4.2. The statistical method
First of all, I shall reintroduce the hypothesis with the observed data and
statistical analysis tool which is examined in this part.
Hb = There is an association between the studied cultural dimensions and
Internet consumers’ concern.
To examine the association between two variables or more, one usually
applies the linear regression statistical model. The linear regression model helps
99
analyze the effect of the values of one or more independent variables on a single
dependent variable. Based on Moore, D, 1989, 697, the model for linear
regression with one response variable y and p explanatory variables x1, x2, ..., xp
is
Yi = βo + β1xi1 + β2xi2 + ...+ βpxip + εi
where i = 1, 2, ..., n. The εi are assumed to be independent and normally
distributed with mean 0 and standard deviation σ. The parameters of the model
are βo, β1, β2, ..., βp, and σ.
To increase efficiency and reduce errors during the statistical calculation
process, I applied the ‘Data Analysis’ tool of Microsoft Excel to calculate the
regression based on the observed values of y and x at the confidence level of
95%. The program provided me with the ‘Summary Output’ which showed the
linear regression model and various statistical values. Of many statistical results,
some were truly useful and crucial for the associations’ investigation, while
some were less likely to influence my interpretation. The statistical values that
would be emphasized in this place were described primarily based on Moore, D,
as follow;
• R Square :
R Square is the square the correlation coefficient and always reported along
with the regression results. r2 is the fraction of the variation in the values of y
that is explained by the least squares regression of y on x. The roles of x and y in
this interpretation can be interchanged. r2 ranges in value from 0 to 1. When the
model demonstrates a perfect correlation showing no difference between the
estimated y-value and the observed y-value, r2 equals 1. However, the model
could not be used to efficiently estimate a y-value if r2 is 0. r2 is normally
multiplied by 100 and presented as a percent. In short, r2 is a direct measure of
the success of the regression. One shall note that a high r2 value does present the
successful prediction of the model but does not imply the cause and effect
relationship.
100
• P-Value :
P-Value involves a test of significance that assesses the evidence against
the null hypothesis. P-Value calculation is done assuming that null hypothesis is
true. From the calculation, one would get P-Value or the probability that the test
statistic will take a value at least as extreme as that actually observed. P-Value
also demonstrates probability of the incorrect regression model. The smaller the
P-Value is, the stronger is the evidence against the null hypothesis provided by
the data. One could also present P-Value as a percent.
I used the significance level of P-Value at 5%, which is commonly used in
the research study. Thus, the models that have P-Value less than 5% indicate that
the observed data are strongly against the null hypothesis but support the
alternative hypothesis.
• Significance F:
The significance F concept is similar to the P-Value. In a simple regression
model that has only one independent variable, the significance F is equal to P-
Value. However, if the model has many independent variables, the significance F
would present the significance value of variables as a whole so it would differ
from P-Value which shows the significance value of each variable.
Again, I established the cut-off significance F value at 5%, which is
normally accepted in statistical research. Thus, the multiple linear regression
models that have significance F value less than 5% indicate that the observed
data are strongly against the null hypothesis but support the alternative
hypothesis.
6.4.4.3. The statistical results and analysis
I presented the linear regression models and their statistical values that
resulted from applying Microsoft Excel Data Analysis Tool. I divided the
analysis into two main parts. In the first part, I examined the association between
each individual cultural dimension and consumers’ concern by using the simple
linear regression. In the second part, I further examined the effect of a
combination of cultural dimensions on consumers’ attitudes. The correlation was
investigated by using the multiple linear regression.
101
6.4.4.3.1. The association between individual cultural dimension and
consumers’ concerns
The following statistical results were illustrated in an order of
consumers’ attitude classifications including ‘overall concern’,
‘confidentiality and integrity concerns’ and ‘privacy concern’ as usual. For
each classification, each cultural dimension was used as an independent
variable and the consumers’ attitudes toward Internet security were a
dependent variable.
• Each cultural dimension and overall concern
The uncertainty avoidance dimension and overall Internet security concerns
Variables Definitions X Uncertainty avoidance degree Y Degree of Internet security concern
Linear regression equation Y = 60.37 - 0.37X R Square 0.88% P-Value 48.04%
The human nature dimension and overall Internet security concerns
Variables Definitions X Belief in 'evil' or 'good' human nature Y Degree of Internet security concern
Linear regression equation Y = 55.92 + 0.37X R Square 0.88% P-Value 48.04%
The individualism/collectivism dimension and overall Internet security concerns
Variables Definitions X Individualism or collectivism degree Y Degree of Internet security concern
Linear regression equation Y = 43.88 + 1.25X R Square 6.37% P-Value 5.38%
The physical/personal space dimension and overall Internet security concerns
Variables Definitions X Need for physical and personal space Y Degree of Internet security concern
Linear regression equation Y = 56.16 + 0.38X R Square 0.74% P-Value 51.60%
Table 6.13. Linear regression of each cultural dimension and overall concerns.
For each linear regression result showing in the above table, the
computed value of the R square was very low and P-Value was over 5%.
102
That means of the individual cultural dimension was not a significant
predictor of a degree of overall Internet security concerns. And evidences
supported by the observed data were too weak to reject the null hypothesis.
I conclude that the correlation between the individual cultural
dimension and the degree of general consumers’ concern is seriously weak.
• Each cultural dimension and confidentiality and integrity (C&I)
concerns
The uncertainty avoidance dimension and C&I concerns
Variables Definitions X Uncertainty avoidance degree Y Degree of C&I concern
Linear regression equation Y = 19.44 + 0.60X R Square 6.65% P-Value 4.86%
The human nature dimension and C&I concerns
Variables Definitions X Belief in 'evil' or 'good' human nature Y Degree of C&I concern
Linear regression equation Y = 24.23 - 0.08X R Square 0.14% P-Value 77.94%
The individualism/collectivism dimension and C&I concerns
Variables Definitions X Individualism or collectivism degree Y Degree of C&I concern
Linear regression equation Y = 22.37 + 0.13X R Square 0.24% P-Value 71.31%
The physical/personal space dimension and C&I concerns
Variables Definitions X Need for physical and personal space Y Degree of C&I concern
Linear regression equation Y = 22.61 + 0.24X R Square 1.11% P-Value 42.71%
Table 6.14. Linear regression of each cultural dimension and C&I concerns.
For each linear regression result showing in the above table, the
computed value of the R square was very low and not over 10%. That
means the individual cultural dimension was not a significant predictor of a
degree of confidentiality and integrity concerns. Most of P-Value results
103
were over 5% except for a P-Value in an examination of association
between the uncertainty avoidance dimension and C&I concern which was
4.86%. When the P-value was over or nearly 5%, the evidences against the
null hypothesis were not strong.
In short, there was materially weak association between the
individual cultural dimension and the degree of confidentiality and
integrity concern.
• Each cultural dimension and privacy concern
The uncertainty avoidance dimension and privacy concern
Variables Definitions X Uncertainty avoidance degree Y Degree of privacy concern
Linear regression equation Y = 17.53 + 0.40X R Square 4.14% P-Value 12.24%
The human nature dimension and privacy concern
Variables Definitions X Belief in 'evil' or 'good' human nature Y Degree of privacy concern
Linear regression equation Y = 20.92 - 0.08X R Square 0.23% P-Value 71.82%
The individualism/collectivism dimension and privacy concern Variables Definitions
X Individualism or collectivism degree Y Degree of privacy concern
Linear regression equation Y = 13 + 0.66X R Square 9.04% P-Value 2.07%
The physical/personal space dimension and privacy concern
Variables Definitions X Need for physical and personal space Y Degree of privacy concern
Linear regression equation Y = 20.79 - 0.07X R Square 0.13% P-Value 78.54%
Table 6.15. Linear regression of each cultural dimension and privacy concern.
One could see that the computed values of the R square were very
low. Most of P-Value results were over 5%.
104
However, an association between individualism versus collectivism
dimension and privacy concern was quite obvious as the statistical results
showed 9.04% of R square and 2.07% of P-Value. Though 9% of R square
was not high enough, it still implied that this cultural dimension was not a
perfect explanation for a degree of privacy concerns. However, it did
indicate a certain level of their association. With the P-value about 2%, the
evidences supported by the observed data against the null hypothesis were
considered strong. From the linear regression, the individualism or
collectivism degree had a positive impact on a degree of privacy concern.
When people seemed to be the stronger individualist or collectivist, a
degree of privacy concern tended to be higher. This is similar to my
expectation from chapter three about impact of the individualism versus
collectivism dimension on privacy concern.
In short, there was a weak association between the individualism
versus collectivism cultural dimension and the degree of privacy concern.
Other cultural dimensions seemed to have no material effect on consumers’
privacy concern.
6.4.4.3.2. The association between all cultural dimensions and
consumers’ concerns
Here I further investigated the impact of all cultural dimensions on
Internet consumer’s attitudes. I reported the statistical results in an order of
consumers’ attitude classifications including ‘overall concern’,
‘confidentiality and integrity concerns’ and ‘privacy concern’. For each
classification, all cultural dimensions were used as the independent
variables and the consumers’ attitudes toward Internet security as the
dependent variable.
105
• All cultural dimensions and overall concerns
All cultural dimensions and overall Internet security concerns Variables Definitions
X1 Uncertainty avoidance degree X2 Belief in 'evil' or 'good' human nature X3 Individualism or collectivism degree X4 Need for physical and personal space Y Degree of Internet security concern
Linear regression equation Y = 25.17 + 1.51X1 + 0.52X2 + 1.40X3 + 0.65X4 R Square 20.80% Significance F 1.22% P-Value :
X1 0.82% X2 29.71% X3 2.84% X4 25.15%
Table 6.16. Linear regression of all cultural dimensions and overall concerns.
The value of R square was about 20% meaning that a multiple linear
regression explained 20% of the observed variation in degree of overall
concern. Although an R square percentage was not very high and did not
indicate the successful explanation between the variables, it assured a
certain level of relationship and predictability of y-value.
Considering all the variables as a whole, the statistic analysis turned a
result of significance F at approximate 1%. That means this multiple linear
regression models had the overall observed data that were strongly against
the null hypothesis. Thus the alternative hypothesis could be accepted.
Regarding the significance of each independent variable, I found that
the P-Values of the uncertainty avoidance degree and the
individualism/collectivism degree were lower than 5%. Hence, the
observed data in these two dimensions had strong evidence against the null
hypothesis. In addition, based on a linear regression, it showed that these
two dimensions had positive effect on overall Internet security concern. If
people tend to greatly avoid ambiguous situations or tend to be strong
individualists or collectivists, they are likely to be strongly concerned about
Internet security as a whole.
106
• All cultural dimensions and confidentiality and integrity concerns
All cultural dimensions and C&I concerns
Variables Definitions X1 Uncertainty avoidance degree X2 Belief in 'evil' or 'good' human nature X3 Individualism or collectivism degree X4 Need for physical and personal space Y Degree of C&I concern
Linear regression equation Y = 16.32 + 0.59X1 - 0.05X2 + 0.18X3 + 0.30X4 R Square 8.37% Significance F 30.76% P-Value :
X1 5.81% X2 85.40% X3 61.62% X4 33.65%
Table 6.17. Linear regression of all cultural dimensions and C&I concerns.
Based on the results shown in a table, the R Square was very low, the
significance F was higher than 5%, and the P-Value for each independent
variable was over 5%. Thus, I concluded from the statistical results that this
multiple linear regression could not explain the observed variation in the
degree of confidentiality and integrity concern very well, as there was no
significant association between a whole of cultural dimensions and the
degree of C&I concern.
• All cultural dimensions and privacy concern
All cultural dimensions and privacy concern
Variables Definitions X1 Uncertainty avoidance degree X2 Belief in 'evil' or 'good' human nature X3 Individualism or collectivism degree X4 Need for physical and personal space Y Degree of privacy concern
Linear regression equation Y = 9.92 + 0.37X1 - 0.02X2 + 0.66X3 + 0.10X4 R Square 12.77% Significance F 11.12% P-Value :
X1 15.08% X2 93.21% X3 2.58% X4 71.14%
Table 6.18. Linear regression of all cultural dimension and privacy concern.
107
The R Square was low, the significance of F was higher than 5%, and
the P-Value for each independent variable was over 5% except for the
individualism/collectivism variable. Although at a detail level the observed
data about individualism/collectivism degree was likely to provide the
strong evidence against the null hypothesis, the overall picture of this
multiple linear regression was that it could not explain the observed
variation in the degree of privacy concern very well. There was no
significant association between the whole cultural dimensions and the
degree of privacy awareness.
6.4.4.4. Conclusion
Firstly, in the linear regression analysis, I provided the statistical results
about the association between the individual cultural dimension and the degree
of consumers’ concern. However, I found only a weak association between the
individualism versus collectivism cultural dimension and the degree of ‘privacy
concern’. In addition, based on the linear regression, the individualism or
collectivism degree had a positive impact on a degree of privacy concern. Other
cultural dimensions seemed to have no material effect on overall Internet
security concern, confidentiality and integrity concerns, and privacy concern.
Secondly, I conducted a statistical analysis to determine whether or not the
‘whole cultural dimensions’, including uncertainty avoidance, human nature,
individualism/collectivism, and space dimension, had significant correlation with
the Internet security awareness. Based on the statistical results, I found the point
informative about the relationship between ‘all cultural dimensions’ and ‘general
Internet security concern’. The linear regression model was considered
successful when using to predict the degree of overall consumers’ concern. The
observed data provided strong evidence to help reject the null hypothesis that
‘the cultural dimensions has no effect on Internet consumers’. It was likely that
all four cultural dimensions somewhat associated with the consumers are aware
of their security when using the Net. In addition, two cultural dimensions
including the uncertainty avoidance and the individualism versus collectivism
dimension strongly support the alternative hypothesis and showed a positive
effect on the degree of overall Internet security concern.
108
6.4.5. Other results
This subsection contributed to the rest of questions from the questionnaires that
were not included in the previous subsections. The questions were from part one of
the questionnaires and included the statements asking about Internet security policy
and the ranked number of concerns.
Figure 6.8. Opinions about the e-mail policy establishment.
Based on figure 6.8, most of the participants, who were students or employers,
indicated that their schools or companies had e-mail usage policy. About 20% of
Finn and Thai participants showed that no e-mail policies were established in their
organizations, while only 6% of American participants revealed this fact. The rest of
the participants possessed about 15-20% of the sampling population were not sure
whether their organizations had e-mail usage policy or not.
Figure 6.9. Opinions about the e-mail usage monitoring.
Does the participant's organization have e-mail policy?
53
20 23
48
1424
70
176
0
20
40
60
80
100
Yes Not sure No
Per
cent
(%)
Finn Thai American
Does employer or school monitor participant's e-mail usage?
17
40 43
2821
3131 3526
0102030405060708090
100
Yes Not sure No
Per
cent
(%)
Finn Thai American
109
Although I found that most organizations had e-mail usage policy based on the
previous question, figure 6.9, the majority of participants were either not sure if their
organizations really monitored their e-mail usage or were sure that the e-mail
monitoring policy was not applied in practice.
Figure 6.10. Opinions about the types of e-mail usage monitoring.
The response to the question shown in figure 6.10 was not mentioned in Udo’s
study. Thus I presented only Finn’s and Thai’s opinions. About 30% of Thai
respondents said their schools or employers monitored their e-mail usage by
interception and reading their e-mail. About 10-20% of Finn and Thai participants
indicated that their organizations filtered out or blocked certain mails. No
participants indicated that their organization monitored them by checking usage time
or using other monitoring methods.
Figure 6.11. Opinions about using work e-mail for personal purpose.
How does your employer of school monitor your e-mail usage?
17
34
10
0
10
20
30
40
50
Interception Monitoringusage time
Filtering outmails
Other
Per
cent
(%)
Finn Thai
Is participant allowed to use work e-mail for personal use?
80
13
62
21
3844
0
20
40
60
80
100
Yes No
Per
cent
(%)
Finn Thai American
110
From figure 6.11, for Finn and Thai, it was obvious that the participants were
allowed to use their work e-mail account for personal purposes. In contrast, about
half of American respondents indicated that they were not allowed to use work e-
mail for personal purposes. It should be noted that all of Finn and Thai participants
were students and some of them were both students and employees, while 40% and
30% of American respondents were students and employees, respectively. A
probable assumption for this difference may be that the business organizations have
stringent restrictions about personal e-mail usage, while the academic institutions
seem to provide their students with Internet facility including school e-mail accounts
for educational and leisure purposes. This might be the reason why most Finn and
Thai participants, who were students, indicated that they could use work e-mail as
personal e-mail as well.
Finally, the last question in part one of the questionnaires asked the participants
to give the ranked number for the five main types of Internet consumers’ concerns in
order of importance. They included privacy concern, security and preventing threats
concern, children protection concern, censorship concern, and impersonation or
forged identity concern. The participants could also give additional consideration in
the ‘others’ bracket. The results from the participants’ opinions are presented in
more detail in appendix E. Here I shall shortly illustrate the types of concerns and
the percentage of the participants who believed that the particular concern type was
the most important.
Nationality Types of concerns that the participants ranked
the most important % of the
participants Finn
Privacy concern 50% Security and preventing threats concern 17% Children protection 0% Censorship 0% Preventing impersonation and forged identity 33% Other concern 0%
Thai Privacy concern 3% Security and preventing threats concern 38% Children protection 3% Censorship 7% Preventing impersonation and forged identity 7% Other concern 0%
Table 6.19. A rank of the most important concern.
111
Nationality Types of concerns that the participants ranked
the most important % of the
participants American
Privacy concern 55% Security and preventing threats concern 15% Children protection 9% Censorship 2% Preventing impersonation and forged identity 11% Other e-mail concern 4%
Table 6.19. A rank of the most important concern. (Continued)
From table 6.19, about half of the Finn and American participants ranked the
‘privacy concern’ as the most important issue. About one third of Finn participants
and 11% of American participants indicated that the impersonation and forged
identity was the most important concern. About 15-20% of Finn and American
participants thought security and preventing threats were the most important issues.
On the other hand, Thai tended to believe that security and preventing threats
concern was the most crucial problem. Only 3% of Thai considered the privacy
invasion as the most important. Additional concerns including children protection,
censorship and other concerns were not considered the most crucial issue by most of
the participants in all three countries.
6.5. Summary
At this time, I would like to reintroduce my research process from the beginning up
until this point. As I mentioned before, Udo’s study was an inspiration for my research
objective. His study revealed that most Internet users were extremely concerned about
their privacy and security while shopping on the Internet or using e-mail. Online
businesses should be aware of establishing security systems and trust among consumers
in order to eliminate or reduce the consumers’ concerns. I found the result from his
survey interesting, so I aimed to extend his research to examine whether the cultural
differences could influence the consumers’ attitudes or not. Firstly, I acquired computer
security and cultural knowledge to develop the expectations. Secondly, I conducted the
questionnaire survey in two countries; Finland and Thailand, to find out whether the
actual responses were similar to my expectations or not. Although I anticipated to see
the cultural variation between Finn and Thai, the actual results were quite astonishing as
they did not significantly differ from each other in overall picture. Some of my cultural
expectations are similar to the observed data, while some differ. Though I found an
112
interesting point from the survey, that cultures seem to have a certain impact on Internet
consumer attitudes, the cultural influences are not strong enough to perfectly describe
the online consumer behaviors. One possible reason may be because of the globalization
of the Internet. Based on the fact that the Net is so common and is available almost
everywhere in the world, the Internet consumers probably share common behaviors and
create within this spectrum a new special norm or value in their community.
Consequently, the national characteristics or cultures may not have significant effect on
Internet consumers’ attitudes.
I shall summarize the actual results and expectations in table 6.20 and present
whether my hypotheses are confirmed or rejected.
Last but not least, I shall provide some suggestions for future study. In this study,
my questionnaires were conducted with approximately 30 student participants from each
country, including Finland and Thailand. The possible errors in my analysis and the
statistical results may occur from the small size and the group of sampling population.
For further research, I suggest expanding the size of population and diversifying the
target group to provide stronger evidence when examining the hypotheses.
113
Hypothesis Expected versus Actual results Conclusion
Ha = The characteristics of people in
studied cultural dimensions
differ from one country to
another.
• Comparing cultural difference:
Based on the results from t-test, the t-test percentages were so high for all
cultural dimension results, meaning that there was high probability that two
sampling groups, Finn and Thai, shared the same mean. As there were no
important variations between Finland and Thailand means, their cultures, as
related to this analysis, were unlikely to differ from each other.
• At the individual cultural dimension level:
My predictions about uncertainty avoidance characteristics of two
populations were supported by the actual results. The observed Finn and Thai
characteristics in other dimensions including the individualism versus
collectivism dimension and space dimension partly conform to my
expectations. However, in the human nature dimension, it turned out that my
expectation that people in both countries tended to believe that ‘human nature
is basically good’, completely differed from the actual results as both Finn and
Thai thought that ‘human nature is mixed between good and evil’.
The actual results did not strongly support
my expectation. Thus the hypothesis is
rejected
Table 6.20. The research study conclusion
114
Hypothesis Expected versus Actual results Conclusion
Hb = There is an association between
the studied cultural dimensions
and Internet consumers’
concern.
• At the individual cultural dimension level:
There was a weak association between the individualism versus
collectivism cultural dimension and the degree of ‘privacy concern’. The
individualism or collectivism degree had a positive impact on a degree of
privacy concern, which conformed my expectation from chapter three. Other
cultural dimensions seemed to have no material effect on overall Internet
security concern, confidentiality and integrity concerns, and privacy concern.
• At an aggregate cultural dimension level:
Based on the statistical results of multiple linear regression, I found the
relationship interesting between ‘all cultural dimensions’ and ‘overall Internet
security concern’. This multiple linear regression model is considered
successful in that all four cultural dimensions are somewhat associated with
the degree of Internet safety awareness. Moreover, two cultural dimensions,
the uncertainty avoidance and the individualism versus collectivism
dimension, strongly support my hypothesis and showed positive effect on the
degree of overall Internet security concern.
At an aggregate cultural dimension level,
all cultural dimensions show notable
association with the degree of overall
Internet safety awareness, although in the
individual cultural dimension level I did
not find a strong association. I shall
confirm my hypothesis with the observed
data in my survey, which provided strong
evidence to help reject the null hypothesis
in that ‘the cultural dimensions has no
effect on Internet consumers’.
Table 6.20. The research study conclusion (continued).
Reference list
Books and journals:
1. Allen, Cliff (1998), Internet world: guide to one-to-one Web marketing, New York:
Wiley and Sons.
2. Adler, Nancy J.(1986), International dimensions of organizational behavior, the
U.S.: PWS-Kent Publishing Company.
3. Anderson, Ross J. (2001), Security Engineering: A guide to building dependable
distributed systems, New York: Wiley Computer Publishing.
4. Andrew, Hawker (2000), Security and control in information systems: A guide for
business and accounting, London and New York: Routledge.
5. Andrew, Jonathan D.(2001), Erosion of trust - E-Commerce and the loss of
privacy, Information Systems Control Journal, volume 3, 46-49.
6. Briones, Maricris G.(1998), IT, Privacy issues will challenge direct marketers,
Marketing News, Chicago, December 7, volume 32, 8.
7. Camp, L., Jean (2000), Trust and risk in Internet commerce, the U.S.: The MIT
Press.
8. Crowther, Jonathan and others (1999), Guide to British and American culture,
China: Oxford University Press.
9. El Kahal, Sonia (2001), Business in Asia pacific: Text and cases, Oxford: Oxford
University Press.
10. Elovainio, Paivi and others (2000), Facts about Finland, Keuruu: Otava Publishing.
11. Ford, Warwick and Baum, Michael S. (2001), Secure electronic commerce:
Building the infrastructure for digital signature and encryption, Upper Saddle River,
New Jersey: Prentice hall.
12. Fukuyama, Francis (1995), Trust – The social virtues and the creation of
prosperity, London: Hamish Hamilton.
13. Han, Peter and Maclaurin, Angus (2002), Do consumers really care about online
privacy?, Marketing Management, Chicago, January/February, 35-38.
14. Hofstede, Geert (1991), Cultures and organizations: Software of the mind,
Cambridge: McGraw-Hill.
15. Kalakota, Ravi, and Marcia Robinson (2001), e-Business 2.0: Roadmap for
success, Upper Saddle River, New Jersey: Addison-Wesley.
16. Lewis, Richard D. (2000), When cultures collide: Managing successfully across
cultures, Illinois: Nicholas Brealey Publishing.
17. Moore, David S, and McCabe, George P (1989), Introduction to the practice of
statistics, the U.S.: W.H. Freeman and company.
18. Nakra, Prema (2001), Consumer privacy right: CPR and the age of the Internet,
Management Decision, volume 39, number 4, 272-279.
19. Pfleeger, Charles P (1997), Security in computing, Upper Saddle River, New
Jersey: Prentice hall.
20. Pornpitakpan, Chanthika (2000), Trade in Thailand: A three-way cultural
comparison, Business horizons, March/April, volume 43, issue 2, 61-70.
21. Rendleman, John (2001), Europe's eye on privacy, Information week, Manhasset,
June 25, issue 843, 53-58.
22. Schein, Edgar (1985), Organizational culture and leadership – A dynamic view, the
U.S.: Jossey-Bass.
23. Schneider, Susan, and Barsoux, Jean-Louis (1997), Managing across cultures,
Great Britain: Prentice Hall Europe.
24. Schutte, Hellmut, and Deanna Ciarlante (1998), Consumer behavior in Asia, New
York: New York University Press.
25. Screeton, Lisa Scott (1998), There’s no business like your business: Protecting
consumer privacy online, Business America, Washington, August, volume 119, 29-
30.
26. Shippey, Karla C. and others (1995), USA business: The portable encyclopedia for
doing business with the United States, California: World Trade Press.
27. Solomon, Michael R., Bamossy, Gary and Askegaard, Soren (1999), Consumer
behavior: A European perspective, Upper Saddle River, New Jersey: Prentice Hall.
28. Treadwell, Terry (2001), Seven security suggestions, Credit Union Management,
Madison, December, volume 24, issue 12, 28.
29. Udo, Godwin J. (2001), Privacy and security concerns as major barriers for e-
commerce: A survey study, Information management and computer security, volume
9, number 4, 165-174.
30. Wang, Huaiqing, Lee, Matthew K.O. and Wang, Chen (1998), Consumer privacy
concerns about Internet Marketing, Association for Computing Machinery
Communications of the ACM, New York, March, volume 41, 63-70.
31. Worm, Verner (1997), Vikings and Mandarins: Sino-Scandinavian Business
Cooperation in Cross-Cultural Settings, Arhus: Handelshojskolens Forlag.
Webpages:
1. Center of Democracy and Technology (CDT), Top ten ways to protect your
privacy online, www.cdt.org/privacy/guide/basic/topten.html, accessed on April 2,
2002.
2. Central Intelligence Agency (CIA), CIA – The World Factbook,
www.cia.gov/cia//publications/factbook, accessed on February 11, 2002.
3. CommerceNet 2000, Barriers to electronic commerce,
www.commerce.net/research/barriers-inhibitors/2000/Barriers2000study.html,
accessed on April 5, 2002.
4. Cranor, L., and others (1999), Beyond concern - Understanding Net users’
attitudes about online privacy (AT &T Labs-Research Technical Report TR 99.4.3),
www.research.att.com/library/trs/TRs/99/99.4/, accessed on April 5, 2002.
5. EU, http://europa.eu.int, accessed on April 2, 2002.
6. EU, Community legislation in force – Directive 97/66/EC of the European
Parliament and of the Council of 15 December 1997 concerning the procession of
personal data and the protection of privacy on the telecommunications sector,
http://europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html, accessed on April 2,
2002.
7. Hoffman, Paul (1997), Unsolicited Bulk E-Mail: Definition and problems, Internet
Mail Consortium Report, www.imc.org/ube-def.html, accessed on February 2, 2002.
8. OECD, www.oecd.org, accessed on April 2, 2002.
9. OECD, Guidelines on the protection of privacy and transborder flows of personal
data, www1.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTML, accessed on April 2,
2002.
Appendix A : Example of questionnaire
Impact of cultural differences on privacy and security concerns of Internet users Objective of the survey: To study how people in different countries are aware of online privacy and security. Structure of questions: Part I is to examine frequency of Internet usage and how the participant ranks the concerns. Part II is to examine privacy and security awareness when using the Net. Part III is to clarify cultural differences in studied countries. Participant information: 1. What is your nationality? ____Finn ____Thai ____Other(please specify____________) 2. Please check the blank that closely identifies your current status: ____Supervisor/Manager ____Employee ____Student ____Other (please specify_____________)
(If you have more than one current status, for example you are working and studying, please check both employee and student.)
Part I: Internet usage and rank of concerns Please check the answer that best describes you or is closest to your position. 1. Do you have an e-mail account/address? ____Yes ____No (If you answered “Yes” continue with question no 2; if you answered “No” skip to question
no.7) 2. What kind of e-mail account do you have? ____Home ____Work ____School ____Other 3. Does your company/university have an Internet-use policy? ____Yes ____No ____Don’t know 4. Does your employer or school monitor your e-mail usage? ____Yes ____No ____Don’t know
(If you answered “Yes” continue with question no.5; if you answered “No” or “Don’t know” skip to question no.6)
5. How does your employer or school monitor your e-mail usage? ____Interception and reading e-mail ____By monitoring your usage time ____By filtering out or blocking certain mails ____Other (please specify_____________________________) 6. Are you allowed to use your work e-mail account for personal use? ____Yes ____No 7. Have you ever purchased anything online? ____Yes ____No (If you answered “No” skip to no.10; if you answered “Yes” continue to question no.8) 8. How frequently do you purchase things online? ____More than once a month ____Once a month ____At least once in six months ____At least once a year ____Less than once a year
Appendix A : Example of questionnaire (Continued)
Part I: Internet usage and rank of concerns (Continued) 9. Have you ever been concerned about abuse of your credit card and other personal
information when you purchase things online? ____Yes ____No 10. Would you purchase anything online if your concerns are addressed or eliminated? ____Yes ____No 11. Please rank the following concerns about the use of e-mail and Internet in order of
importance, 1 being the most important ____Privacy ____Security and preventing threats (For example, protecting e-mail account against
malicious hackers.) ____Children protection on the Internet (Protect the kids from giving their or their parents’
information without awareness of privacy risk.) ____Censorship (For example, an employer monitors employees’ e-mail usage by filtering
incoming or outgoing mails.) ____Preventing impersonation and forged identity (For example, protecting attacker from
using your credit card number to make payment fraud.) ____Others (please specify__________________________)
In part II and III, please respond to the following statements by circling the number that most reflects your opinion.
1. = Strongly disagree 2. = Disagree 3.= Neutral 4. = Agree 5. = Strongly agree Part II: Online privacy and security concerns 1.) 1 2 3 4 5 E-mail safety is becoming an increasingly important issue. 2.) 1 2 3 4 5 E-mails are less safe than regular mails. 3.) 1 2 3 4 5 Most e-mails are accessed by people other than the owners. 4.) 1 2 3 4 5 Some e-mails do not come from the people that appear to send them. 5.) 1 2 3 4 5 Employers have the right to access e-mail and Internet sites used by their
employees. 6.) 1 2 3 4 5 To reduce the risk of liability, organizations should institute an e-mail policy
and distribute it to all employees. 7.) 1 2 3 4 5 Companies can disclose employees’ personal information if they deem it
necessary. 8.) 1 2 3 4 5 Internet shopping is less secured than mail order. 9.) 1 2 3 4 5 I feel safe when I release my credit card information on the Internet. 10.) 1 2 3 4 5 Security and privacy concerns are barriers for my shopping online. 11.) 1 2 3 4 5 Only limited amount of personal information should be requested from
children on the Internet. 12.) 1 2 3 4 5 Children should not be asked to provide information about their parents on
the Internet. 13.) 1 2 3 4 5 The privacy of Internet users is greatly violated. 14.) 1 2 3 4 5 Despite all the safety precautions in place today, Internet and e-mails are not
safeguarded enough. 15.) 1 2 3 4 5 Stalking and impersonation (including forged identity) are common on the
Internet. 16.) 1 2 3 4 5 The current laws and regulations are sufficient for protecting information
system users. 17.) 1 2 3 4 5 The current security features such as encryption and passwords are sufficient
to provide security and safety when on the Internet.
Appendix A : Example of questionnaire (Continued)
Part III: Cultural differences 1.) 1 2 3 4 5 I feel nervous when I give my personal information to a Web site. 2. ) 1 2 3 4 5 The regulations for personal information protection are needed and should
not be broken in any circumstances. 3.) 1 2 3 4 5 People are naturally good and they do not want to harm others. 4.) 1 2 3 4 5 People basically wish to do the right things and abide by the laws or
regulations. 5.) 1 2 3 4 5 I am dependent on others; for example, when I need to make a decision, I
prefer to consulting my friends or family first. 6.) 1 2 3 4 5 The Web site’s security policy could be reliable if my acquaintances confirm
me by words. 7.) 1 2 3 4 5 I feel safe when I give personal information to a Web site in which many
people in my community already tried and accepted its security policy. 8.) 1 2 3 4 5 My physical space such as my house area or my office room area is large. 9.) 1 2 3 4 5 My privacy or private space is adequate and comfortable.
Appendix B : Example of Udo’s questionnaire
Kindly complete this questionnaire as candidly as possible. 1. Check the blank that closely identifies your current status: ____Supervisor/Manager ____Employee ____Faculty ____Student ____Other (please specify_____________) 2. Do you have an e-mail account/address? ____Yes ____No (If you answered “Yes” continue with question no 3; if you answered “No” skip to question
no.8) 3. What kind of e-mail account do you have? ____Home ____Work ____School ____Other 4. Does your company/university have an Internet-use policy? ____Yes ____No ____Don’t know 5. Does your employer or school monitor your e-mail usage? ____Yes ____No ____Don’t know
(If you answered “Yes” continue with question no.6; if you answered “No” or “Don’t know” skip to question no.7)
6. How does your employer or school monitor your e-mail usage? ____Interception and reading e-mail ____By monitoring your usage time ____By filtering out or blocking certain mails ____Other (please specify_____________________________) 7. Are you allowed to use your work e-mail account for personal use? ____Yes ____No 8. Have you ever purchased anything online? ____Yes ____No (If you answered “No” skip to no.10; if you answered “Yes” continue to question no.9) 9. How frequently do you purchase things online? ____More than once a month ____Once a month ____At least once in six months ____At least once a year ____Never 10. Have you ever been concerned about abuse of your credit card and other personal
information when you purchase things online? ____Yes ____No 11. Would you purchase anything online if your concerns are addressed or eliminated? ____Yes ____No 12. Please rank the following concerns about the use of e-mail and Internet in order of
importance, 1 being the most important ____Privacy ____Security and threats ____Children protection on the Internet ____E-mail safety ____Censorship ____Impersonation and forged identity ____Others (please specify__________________________)
Appendix B : Example of Udo’s questionnaire (Continued)
Please respond to the following statements by circling the number that most reflects your opinion. Strongly agree = 1 Agree = 2 Neutral = 3 Disagree = 4 Strongly disagree = 5 1 2 3 4 5 E-mail safety is becoming an increasingly important issue. 1 2 3 4 5 Employers have the right to access e-mail and Internet sites used by their
employees.
1 2 3 4 5 The privacy of Internet users is greatly violated. 1 2 3 4 5 To reduce the risk of liability, organizations should institute an e-mail policy and
distribute it to all employees. 1 2 3 4 5 Despite all the safety precautions in place today, Internet and e-mails are not
safeguarded enough. 1 2 3 4 5 Companies can disclose employees’ personal information if they deem it
necessary.
1 2 3 4 5 The current laws and regulations are sufficient for protecting information system users.
1 2 3 4 5 The current security features such as encryption and passwords are sufficient to
provide security and safety when on the Internet.
1 2 3 4 5 E-mails are less safe than regular mails. 1 2 3 4 5 Internet shopping is less secured than mail order. 1 2 3 4 5 I feel safe when I release my credit card information on the Internet. 1 2 3 4 5 Most e-mails are accessed by people other than the owners. 1 2 3 4 5 Only limited amount of personal information should be requested from children on
the Internet. 1 2 3 4 5 Children should not be asked to provide information about their parents on the
Internet.
1 2 3 4 5 Stalking and impersonation (including forged identity) are common on the Internet.
1 2 3 4 5 Some e-mails do not come from the people that appear to send them. 1 2 3 4 5 Security and privacy concerns are barriers for my shopping online.
Appendix C : Opinions on cultural dimensions
Finn Thai Uncertainty avoidance questions F S F*S Mean F S F*S Mean
1. I feel nervous when I give my personal
information to a Web site
• Strongly disagree 1 1 1 3 1 3
• Disagree 9 2 18 4 2 8
• Neutral 6 3 18 5 3 15
• Agree 12 4 48 13 4 52
• Strongly agree 2 5 10 4 5 20
Subtotal 30 95 3.17 29 98 3.38
2. The regulations for personal information
protection are needed and should not be
broken in any circumstances.
• Strongly disagree 0 1 0 0 1 0
• Disagree 1 2 2 2 2 4
• Neutral 5 3 15 8 3 24
• Agree 13 4 52 14 4 56
• Strongly agree 11 5 55 5 5 25
Subtotal 30 124 4.13 29 109 3.76
Total 60 219 3.65 58 207 3.57
Remark: F = Frequency, S = Score
Appendix C : Opinions on cultural dimensions (Continued)
Finn Thai Human nature questions
F S F*S Mean F S F*S Mean 3. People are naturally good and they do not
want to harm others.
• Strongly disagree 4 5 20 2 5 10
• Disagree 9 4 36 5 4 20
• Neutral 8 3 24 11 3 33
• Agree 8 2 16 11 2 22
• Strongly agree 1 1 1 0 1 0
Subtotal 30 97 3.23 29 85 2.93
4. People basically wish to do the right
things and abide by the laws and
regulations.
• Strongly disagree 1 5 5 0 5 0
• Disagree 5 4 20 2 4 8
• Neutral 11 3 33 10 3 30
• Agree 12 2 24 14 2 28
• Strongly agree 1 1 1 3 1 3
Subtotal 30 83 2.77 29 69 2.38
Total 60 180 3 58 154 2.66
Appendix C : Opinions on cultural dimensions (Continued)
Finn Thai Individualism versus Collectivism questions
F S F*S Mean F S F*S Mean 5. I am dependent on others.
• Strongly disagree 5 5 25 2 5 10
• Disagree 5 4 20 2 4 8
• Neutral 5 3 15 11 3 33
• Agree 11 4 44 11 4 44
• Strongly agree 4 5 20 3 5 15
Subtotal 30 124 4.13 29 110 3.79
6. The Web site’s security policy could be
reliable if my acquaintances confirm me
by words.
• Strongly disagree 0 5 0 1 5 5
• Disagree 6 4 24 3 4 12
• Neutral 16 3 48 14 3 42
• Agree 7 4 28 9 4 36
• Strongly agree 1 5 5 2 5 10
Subtotal 30 105 3.5 29 105 3.62
7. I feel safe when I give personal
information to a Web site in which many
people in my community already tried and
accepted its security policy.
• Strongly disagree 0 5 0 0 5 0
• Disagree 5 4 20 9 4 36
• Neutral 7 3 21 11 3 33
• Agree 16 4 64 6 4 24
• Strongly agree 2 5 10 3 5 15
Subtotal 30 115 3.83 29 108 3.72
Total 90 344 3.82 87 323 3.71
Appendix C : Opinions on cultural dimensions (Continued)
Finn Thai Physical and personal space questions
F S F*S Mean F S F*S Mean 8. My physical space such as my house area
or my office room area is large.
• Strongly disagree 0 5 0 0 5 0
• Disagree 13 4 52 0 4 0
• Neutral 6 3 18 14 3 42
• Agree 8 2 16 11 2 22
• Strongly agree 3 1 3 4 1 4
Subtotal 30 89 2.97 29 68 2.34
9. My privacy or private space is adequate
and comfortable.
• Strongly disagree 0 5 0 0 5 0
• Disagree 2 4 8 2 4 8
• Neutral 6 3 18 11 3 33
• Agree 13 2 26 13 2 26
• Strongly agree 9 1 9 3 1 3
Subtotal 30 61 2.03 29 70 2.41
Total 60 150 2.50 58 138 2.38
Appendix D : Opinions on Internet security concern
Finn Thai American Online privacy and security questions
F S F*S Mean F S F*S Mean F S F*S Mean 1. E-mail safety is becoming an increasingly important issue.
• Strongly disagree 0 1 0 0 1 0 1 1 1 • Disagree 0 2 0 0 2 0 8 2 16 • Neutral 3 3 9 9 3 27 20 3 60 • Agree 16 4 64 12 4 48 50 4 200 • Strongly agree 11 5 55 8 5 40 75 5 375
Subtotal 30 128 4.27 29 115 3.97 154 652 4.23 2. E-mails are less safe than regular mails.
• Strongly disagree 0 1 0 0 1 0 9 1 9 • Disagree 8 2 16 7 2 14 37 2 74 • Neutral 8 3 24 14 3 42 53 3 159 • Agree 11 4 44 7 4 28 45 4 180 • Strongly agree 3 5 15 1 5 5 11 5 55
Subtotal 30 99 3.30 29 89 3.07 155 477 3.08 3. Most e-mails are accessed by people other than the owners.
• Strongly disagree 4 1 4 1 1 1 5 1 5 • Disagree 14 2 28 1 2 2 38 2 76 • Neutral 8 3 24 17 3 51 62 3 186 • Agree 4 4 16 8 4 32 37 4 148 • Strongly agree 0 5 0 2 5 10 12 5 60
Subtotal 30 72 2.40 29 96 3.31 154 475 3.08 Remark: F = Frequency, S = Score
Appendix D : Opinions on Internet security concern (Continued)
Finn Thai American Online privacy and security questions
F S F*S Mean F S F*S Mean F S F*S Mean
4. Some e-mails do not come from the people that appear to send them.
• Strongly disagree 0 1 0 0 1 0 3 1 3 • Disagree 7 2 14 7 2 14 9 2 18 • Neutral 7 3 21 10 3 30 68 3 204 • Agree 9 4 36 8 4 32 55 4 220 • Strongly agree 7 5 35 4 5 20 20 5 100
Subtotal 30 106 3.53 29 96 3.31 155 545 3.52 5. Employers have the right to access e-mail and Internet sites used by their employees.
• Strongly disagree 11 5 55 4 5 20 26 5 130 • Disagree 12 4 48 7 4 28 25 4 100 • Neutral 3 3 9 8 3 24 41 3 123 • Agree 3 2 6 9 2 18 44 2 88 • Strongly agree 1 1 1 0 1 0 19 1 19
Subtotal 30 119 3.97 28 90 3.21 155 460 2.97 6. To reduce the risk of liability, organisations should institute an e-mail policy and distribute it to all employees.
• Strongly disagree 0 1 0 0 1 0 1 1 1 • Disagree 2 2 4 3 2 6 4 2 8 • Neutral 9 3 27 11 3 33 28 3 84 • Agree 13 4 52 12 4 48 67 4 268 • Strongly agree 6 5 30 3 5 15 54 5 270
Subtotal 30 113 3.77 29 102 3.52 154 631 4.10
Appendix D : Opinions on Internet security concern (Continued)
Finn Thai American Online privacy and security questions
F S F*S Mean F S F*S Mean F S F*S Mean
7. Companies can disclose employees’ personal information if they deem it necessary.
• Strongly disagree 4 5 20 0 5 0 53 5 265 • Disagree 7 4 28 9 4 36 32 4 128 • Neutral 16 3 48 10 3 30 24 3 72 • Agree 3 2 6 9 2 18 34 2 68 • Strongly agree 0 1 0 1 1 1 11 1 11
Subtotal 30 102 3.40 29 85 2.93 154 544 3.53 8. Internet shopping is less secured than mail order.
• Strongly disagree 1 1 1 0 1 0 9 1 9 • Disagree 7 2 14 7 2 14 31 2 62 • Neutral 7 3 21 11 3 33 51 3 153 • Agree 14 4 56 9 4 36 51 4 204 • Strongly agree 1 5 5 2 5 10 12 5 60
Subtotal 30 97 3.23 29 93 3.21 154 488 3.17 9. I feel safe when I release my credit card information on the Internet.
• Strongly disagree 12 5 60 5 5 25 60 5 300 • Disagree 13 4 52 8 4 32 47 4 188 • Neutral 3 3 9 11 3 33 24 3 72 • Agree 2 2 4 5 2 10 18 2 36 • Strongly agree 0 1 0 0 1 0 5 1 5
Subtotal 30 125 4.17 29 100 3.45 154 601 3.90
Appendix D : Opinions on Internet security concern (Continued)
Finn Thai American Online privacy and security questions
F S F*S Mean F S F*S Mean F S F*S Mean
10. Security and privacy concerns are barriers for my shopping online.
• Strongly disagree 2 1 2 2 1 2 7 1 7 • Disagree 7 2 14 6 2 12 15 2 30 • Neutral 2 3 6 7 3 21 33 3 99 • Agree 14 4 56 10 4 40 50 4 200 • Strongly agree 5 5 25 2 5 10 50 5 250
Subtotal 30 103 3.43 27 85 3.15 155 3.78 11. Only limited amount of personal information should be requested from children on the Internet.
• Strongly disagree 1 1 1 1 1 1 13 1 13 • Disagree 1 2 2 2 2 4 11 2 22 • Neutral 6 3 18 15 3 45 18 3 54 • Agree 11 4 44 10 4 40 46 4 184 • Strongly agree 11 5 55 1 5 5 66 5 330
Subtotal 30 120 4 29 95 3.28 154 603 3.92 12. Children should not be asked to provide information about their parents on the Internet.
• Strongly disagree 0 1 0 0 1 0 3 1 3 • Disagree 1 2 2 4 2 8 9 2 18 • Neutral 5 3 15 10 3 30 17 3 51 • Agree 6 4 24 9 4 36 34 4 136 • Strongly agree 18 5 90 6 5 30 92 5 460
Subtotal 30 131 4.37 29 104 3.59 155 668 4.31
Appendix D : Opinions on Internet security concern (Continued)
Finn Thai American Online privacy and security questions
F S F*S Mean F S F*S Mean F S F*S Mean
13. The privacy of Internet users is greatly violated. • Strongly disagree 0 1 0 0 1 0 3 1 3 • Disagree 7 2 14 5 2 10 15 2 30 • Neutral 14 3 42 8 3 24 66 3 198 • Agree 8 4 32 11 4 44 53 4 212 • Strongly agree 1 5 5 4 5 20 18 5 90
Subtotal 30 93 3.10 28 98 3.50 155 533 3.44 14. Despite all the safety precautions in place today, Internet and e-mails are not safeguarded enough.
• Strongly disagree 0 1 0 0 1 0 4 1 4 • Disagree 2 2 4 1 2 2 7 2 14 • Neutral 11 3 33 14 3 42 45 3 135 • Agree 14 4 56 12 4 48 64 4 256 • Strongly agree 3 5 15 2 5 10 35 5 175
Subtotal 30 108 3.60 29 102 3.52 155 584 3.77 15. Stalking and impersonation (including forged identity) are common on the Internet.
• Strongly disagree 1 1 1 0 1 0 4 1 4 • Disagree 4 2 8 7 2 14 11 2 22 • Neutral 16 3 48 5 3 15 67 3 201 • Agree 6 4 24 17 4 68 51 4 204 • Strongly agree 3 5 15 0 5 0 22 5 110
Subtotal 30 96 3.20 29 97 3.34 155 541 3.49
Appendix D : Opinions on Internet security concern (Continued)
Finn Thai American Online privacy and security questions
F S F*S Mean F S F*S Mean F S F*S Mean
16. The current laws and regulations ar sufficient for protecting information system users.
• Strongly disagree 3 5 15 3 5 15 16 5 80 • Disagree 11 4 44 8 4 32 56 4 224 • Neutral 14 3 42 9 3 27 55 3 165 • Agree 2 2 4 8 2 16 22 2 44 • Strongly agree 0 1 0 1 1 1 5 1 5
Subtotal 30 15 105 3.50 29 91 3.14 154 518 3.36 17.The current security features such as encryption and passwords are sufficient to provide security and safety when on the Internet.
• Strongly disagree 1 5 5 2 5 10 10 5 50 • Disagree 10 4 40 2 4 8 60 4 240 • Neutral 9 3 27 13 3 39 41 3 123 • Agree 8 2 16 9 2 18 33 2 66 • Strongly agree 2 1 2 3 1 3 7 1 7
Subtotal 30 15 90 3 29 78 2.69 151 486 3.22 Total 510 1807 3.54 489 1616 3.30 2623 9392 3.58
Appendix E : Ranked number of concern types
Each graph shows one of the five main types of Internet security concerns; including privacy
concern, security and preventing threats, children protection, censorhip, and preventing
impersonation and forged identity. Other concerns could be added if the participant indicated. The
graph presents the participants’ perspectives about how important the particular type of concern
was. The participants were asked to give the ranked number from 1 to 6 in order of importance. The
number one is the most important concern while number five or six (if the participants identified
any other concerns) are the least important one.
Ranked number of privacy concern
50
17 20
1033 7
14 17
55
23
81
10 10
0102030405060708090
100
1 2 3 4 5
Per
cent
(%)
Finn Thai American
Ranked number of security and threats concern
17
47
30
7
38
1017
3
13
2
24
8
31
15
25
0102030405060708090
100
1 2 3 4 5 6
Per
cent
(%)
Finn Thai American
Appendix E : Ranked number of concern types (Continued)
Ranked number of children protection concern
3
2112
10
30
20
40
2831
1015
20
9
18 18
0102030405060708090
100
1 2 3 4 5 6
Per
cent
(%)
Finn Thai American
Ranked number of censorship concern
7
21
2 27
17
39
3
53
10
27
7 3
38
24 24
0
10
20
30
40
50
60
70
80
90
100
1 2 3 4 5 6
Per
cent
(%)
Finn Thai American
Ranked number of preventing impersonation and forged identity concern
7
31
11 1418 17
1120
2023
20
33
3
28
3
24
0
10
20
30
40
50
60
70
80
90
100
1 2 3 4 5 6
Per
cent
(%)
Finn Thai American
Ranked number of other concern
48
12
2229
1817
3
10
0
10
20
30
40
50
60
70
80
90
100
1 2 3 4 5 6
Per
cent
(%)
Finn Thai American