"Privacy by Design" implementation: Information system engineers' perspective

Abstract: In the privacy and information security literature, Privacy by Design (PbD) is recognized as a proactive protection paradigm capable of providing stronger privacy protection throughout an information product's entire lifetime. It is becoming the dominant privacy protection pattern and, as a promising development trend for the information industry, is garnering interest among researchers and professionals. However, PbD still lacks specific implementation instructions, and it is not widely adopted among information system engineers. Weighing its pros and cons leaves information system engineers uncertain about adopting PbD, and existing research on the link between PbD implementation and engineers' individual factors is inconclusive. Through the lens of information system engineers, this study aims to advance the implementation of PbD by exploring the influencing factors in individual and organizational contexts. Real data from 253 practitioners in China's IT industry were used to understand the antecedents of PbD implementation and the interaction effects among different dimensions of engineers' adoption behaviors. The findings demonstrate that an appropriate incentive mechanism is a critical factor in PbD implementation: it promotes engineers' social influence regarding PbD usage, which in turn affects both their intention to adopt PbD and their implementing action. This study reveals, for the first time, the role of the incentive mechanism in advancing PbD implementation from the information system engineer's perspective, and contributes to a deeper understanding of the determinants of PbD adoption by providing a holistic theoretical lens. The findings give IT organizations theoretical guidance and guidelines on PbD implementation for higher privacy information protection performance in their products.
