Impact of Cultural Differences on Privacy and Security ... · 5.3.3. The research conclusion 72 5.4. Previous study about privacy concerns as barriers for e-commerce 72 5.4.1. The

Impact of Cultural Differences

on

Privacy and Security Concerns of Internet Users

M.Sc. Thesis in Accounting

Swedish School of Economics and Business Administration

2001

The Swedish School of Economics and Business Administration

Department: Accounting

Type of document: Thesis

Title: Impact of Cultural Differences on Privacy and Security

Concerns of Internet Users

Written by: Jiriya Rattanapongpaisan

Abstract:

In the globalization era, information technology and understanding of cross-

cultural differences are considered the key for business accomplishment. While

people are getting more familiar with information technology, their concerns

regarding privacy and security of personal information given to the Web have risen.

Udo’s survey research revealed that the privacy and security concerns are the major

barriers for e-commerce. I use his study as a foundation for my research and I

extended the scope to examine the impact of cultures. The objective of my study is to

examine how cultural differences affect one’s awareness of the privacy and security

when using Internet. The research method involves distributing the questionnaires to

ask participants to express their views regarding online privacy and security issues.

Many questions in the questionnaire are based on Udo’s, and I develop additional

questions to examine the participants’ characteristics and culture. The target groups of

participants are university students who are familiar with the Net. Also, the selected

countries for this study are Finland and Thailand.

As for the research result, it is interesting and somewhat varies from what I

expected. I anticipated seeing the differences of the participants’ characteristics, but

the actual responses showed that the cultures of the two studied countries, Finland and

Thailand, are not significantly different. One possible reason is that due to the global

use of the Internet, today’s online consumers share many common characteristics and

their attitudes are not obviously different. In addition, based on the linear regression

analysis, I found that the cultural influences are not strong enough to perfectly

describe the online consumer behavior. However, it is worth noting that the cultural

differences seem to have a certain impact on Internet consumers’ attitudes.

Searchwords: Computer security, Privacy, Cultural differences, Online consumer

behavior

Table of contents

1. Introduction 1

1.1. The research background 1

1.2. The research objective 2

1.3. The structure of study 2

2. Analysis of threat to security on Internet and control 4

2.1. Chapter structure 4

2.2. Types of Internet uses 4

2.2.1. Electronic messaging 4

2.2.1.1. Electronic mail (e-mail) 4

2.2.1.2. Public messaging 5

2.2.2. Browsing 5

2.2.3. Trading transactions 6

2.2.3.1. Electronic order 6

2.2.3.2. Electronic payment 6

2.2.3.3. Electronic product delivery 7

2.3. Current state of the art in computer security technology 7

2.3.1. Cryptography 7

2.3.2. Digital signature 8

2.4. Computer security attributes 9

2.4.1. Confidentiality 9

2.4.2. Integrity 9

2.4.3. Privacy 9

2.4.4. Availability 9

2.5. Analysis of threats to confidentiality and controls 10

2.5.1. Possible threats to confidentiality 10

2.5.1.1. Eavesdropping 11

2.5.1.2. Interference 11

2.5.1.3. Hacking 11

2.5.2. Security controls for confidentiality 12

2.5.2.1. Security controls for confidentiality of electronic

messaging 12

2.5.2.2. Security controls for confidentiality of trading

transaction 13

2.6. Analysis of threats to integrity and controls 15

2.6.1. Possible threats to integrity 15

2.6.1.1. Code modification 16

2.6.2. Security controls for integrity 16

2.6.2.1. Security controls for integrity of electronic messaging 16

2.6.2.2. Security controls for integrity of browsing 17

2.6.2.3. Security controls for integrity of trading transaction 17

2.7. Analysis of threats to privacy and controls 17

2.7.1. Possible threats to privacy 18

2.7.1.1. Unsolicited commercial e-mail 19

2.7.1.2. Conversation record 20

2.7.1.3. Cookies 20

2.7.2. Security controls for privacy 20

2.7.2.1. Security controls for privacy of electronic messaging 20

2.7.2.2. Security controls for privacy of browsing 21

2.7.2.3. Security controls for privacy of trading transaction 23

2.7.3. Related law and regulations 24

2.8. Analysis of threats to availability and controls 27

2.8.1. Possible threats to availability 28

2.8.1.1. Interruption 28

2.8.2. Security controls for availability 28

2.9. Summary 30

3. Influence of culture on privacy and security concern 33


3.2. Definition of culture 33

3.3. Cultural dimensions 34

3.3.1. External adaptation 36

3.3.1.1. Uncertainty avoidance dimension 37

3.3.2. Internal integration 41

3.3.2.1. Human nature dimension 42

3.3.2.2. Individualism versus Collectivism dimension 42

3.3.3. Linking assumption 46

3.3.3.1. Physical and personal space dimension 47

3.4. Summary 47

4. Internet security and culture influence in studied countries 56


4.2. Basic background of studied countries 56

4.2.1. Finland 56

4.2.1.1. Brief history of the nation 56

4.2.1.2. Religion 57

4.2.1.3. Population and other interesting facts 57

4.2.2. Thailand 58




4.2.3. The United States of America 59




4.3. Uncertainty avoidance analysis 61

4.4. Human nature analysis 62

4.5. Individualism versus Collectivism analysis 63

4.6. Physical and personal space analysis 64

4.7. Summary 65

5. Previous research 68


5.2. Previous study about barriers to electronic commerce 69

5.2.1. The research framework 69

5.2.2. The research result 69

5.2.3. The research conclusion 70

5.3. Previous study about online privacy concerns 70

5.3.1. The research framework 70



5.4. Previous study about privacy concerns as barriers for e-commerce 72

5.4.1. The research objective 73

5.4.2. The research method 73



5.5. Summary 74

6. The research study 75


6.2. Hypotheses 75

6.3. The research methodology 75

6.3.1. The research variable 75

6.3.2. The sampling population 76

6.3.2.1. Defining population 76

6.3.2.2. The implications for validity and generalization 77

6.3.3. The sample size 78

6.3.4. The sampling method 78

6.3.5. The questionnaire 78

6.3.6. The score measurement 83

6.4. The result of research and interpretation 84

6.4.1. The basic statistic 85

6.4.2. The analysis of cultural differences 88

6.4.2.1. The source of data 88

6.4.2.2. The statistical method 89

6.4.2.3. The statistical result and analysis 89

6.4.2.4. Conclusion 93

6.4.3. The analysis of consumers’ concerns 93



6.4.3.3. The statistical results and analysis 94


6.4.4. The analysis of association between cultures and

consumers’ concerns 98



6.4.4.3. The statistical results and analysis 100

6.4.4.3.1. The association between individual cultural dimension

and consumers’ concerns 101

6.4.4.3.2. The association between all cultural dimensions and

consumers’ concerns 104


6.4.5. Other results 108

6.5. Summary 111

List of tables

2.1. Summary of Internet security threat and control analysis 32

3.1. Range of uncertainty avoidance index 39

3.2. Range of individualism index 44

3.3. Abbreviations for the countries and regions studied 45

3.4. Summary cultural influences on privacy and security concern 48

3.5. Integrated computer security attributes with cultural dimensions 51

4.1. Summary cultural dimensions effect on security and privacy concern in

studies of different countries 66

5.1. Survey studies conducted by Hanrick Associates and AT&T Lab-Research 71

6.1. Internet security and privacy concern questions and their implications 81

6.2. Cultural differences questions and their implications 82

6.3. The score ranges 83

6.4. Percentage of persons who have e-mail accounts 85

6.5. Cultures mean score and t-test value 90

6.6. Comparing actual uncertainty avoidance results with expectations 91

6.7. Comparing actual human nature results with expectations 91

6.8. Comparing actual individualism results with expectations 92

6.9. Comparing actual space results with expectations 92

6.10. Consumers’ concerns mean scores and t-test value 94

6.11. Comparing actual confidentiality/integrity concerns results with

expectations 96

6.12. Comparing actual privacy concern results with expectations 97

6.13. Linear regression of each cultural dimension and overall concerns 101

6.14. Linear regression of each cultural dimension and C&I concerns 102

6.15. Linear regression of each cultural dimension and privacy concern 103

6.16. Linear regression of all cultural dimensions and overall concerns 105

6.17. Linear regression of all cultural dimensions and C&I concerns 106

6.18. Linear regression of all cultural dimensions and privacy concerns 106

6.19. A rank of the most important concern 110

6.20. The research study conclusion 113

List of figures

3.1. Key dimensions of culture 35

3.2. Underlying cultural dimensions 36

3.3. Country clusters 39

3.4. Individualism score versus 1987 GNP/capita 45

6.1. Set of selected population 77

6.2. Occupations of the participants 85

6.3. Types of e-mail accounts 86

6.4. Online shopping experience 86

6.5. Frequency of shopping online 87

6.6. Consumers’ concerns about personal information security 87

6.7. Opinions about online shopping when concerns are reduced 88

6.8. Opinions about the e-mail policy establishment 108

6.9. Opinions about the e-mail usage monitoring 108

6.10. Opinions about the types of e-mail usage monitoring 109

6.11. Opinions about using work e-mail for personal purpose 109

References

Appendices

Appendix A: Example of questionnaire

Appendix B: Example of Udo’s questionnaire

Appendix C: Opinions on cultural dimensions

Appendix D: Opinions on Internet security concern

Appendix E: Ranked number of concern types

1

1. Introduction

1.1. The research background

To conduct business these days, one considers Internet as a powerful tool to capture

consumers and market segment. Without any doubt, online business is gaining

popularity among businesspersons in terms of promotion and selling goods using a

direct business-to-customer strategy. While online business is remarkably expanding at

a high growth rate, the important issues, which should not be overlooked, arise. The first

issue is customer diversification. Although one can enjoy benefits of using Internet as a

marketing tool in globalization age, one should bear in mind that Internet could not

guarantee that online consumers possess common behavior. The fact is that online

consumers are people in different countries and they tend to have distinct behavior.

Consumers in one country may differ from other countries and this is potentially

because of cultural differences. Culture determines many factors that affect the way of

doing business across countries. That is why there have been the extensive studies about

consumer behavior in different regions or countries, human resource management in

multinational organizations, and how to succeed in cross-culture business.

The second issue involves trust in the net. Consumers may feel more comfortable to

go shopping in the mall than they do when they shop online. This is because they are

concerned about confidentiality and privacy of their personal information, which is

required by the Web sites during ordering and payment processes. As the number of

computer crimes keeps increasing everyday, people become more concerned about the

threats to security of their personal information. The consumers are losing the

confidence to give personal information to Web sites.

Combinations of these two issues together lead to an interesting point. The culture,

which reflects the patterns of values, ideas and behavior of members of a particular

society, tends to have strong influences over the people’s concerns about their privacy

and security. Yet there have been a number of reports and surveys about how online

consumers care about their safety when using the net such as in e-mail, browsing and

shopping. No obvious research about impact of cultural differences on consumers’

concerns for privacy and security issues has been studied so far. However, I shall draw

attention to Godwin J. Udo’s survey study in the U.S., which confirmed that the privacy

2

and security concerns are major barriers to e-commerce. My research was built from his

study. I would like to extend his research and further investigate the relationship

between the cultural issues and consumer concerns. In my opinion, security issues on

the Net are becoming more important and businesspersons should take it more seriously

than they previously have. Knowing effects on cultures will be helpful to

businesspersons to know what customers want and design security policies, which are

appropriate for target countries.

1.2. The research objective

The objective of this study is to examine how cultural differences affect the

awareness of the privacy and security when using Internet.

1.3. The structure of study

To serve the research objective, the structure of this research are divided into two

main parts; theoretical and empirical parts. The theoretical part is presented in chapter

two to five based on the review of related literature; the empirical part is presented in

chapter six.

In chapter two, the current network security knowledge, types of security attributes,

analysis of threat and control for each type of Internet usage including the present

Internet security problems and related law and regulations are presented. This is to

understand the security vulnerabilities and how consumers could protect themselves

against possible threats.

As I aim to study the impact of cultural differences between studied countries on

privacy and security concerns of Internet users, chapter three provides culture theories,

including cultural dimensions that potentially affect privacy and security concern of

people. The expectation of how involving cultural dimensions relate to consumer

behaviors is included as well.

Then I select two countries including Finland and Thailand as examples to determine

cultural differences. I introduce backgrounds of studied countries and how they affect

consumer behavior uniqueness in chapter four. In addition, the United States’ culture is

included as I would like to compare my result with Udo’s which was done in the U.S..

3

In chapter five, I review the previous research, in which the survey result shows that

privacy and security issues are the main barriers to e-commerce. The Udo’s study is

included, since his work inspires me to do further study about the correlation of cultural

influences and Internet users’ awareness of their privacy and security.

Finally, I develop hypotheses based on the literature and previous research, examine

it by using a questionnaire as a survey instrument, and summarize and interpret the

survey result in chapter six.

4

2. Analysis of threat to security on Internet and control

2.1. Chapter Structure

This chapter is dedicated to the important issues about risk and security when using

Internet. I start by providing an overview of different types of how Internet can be used

by online consumers such as e-mail, and Web surfing in section 2.2. I shall note that the

content of this chapter is mainly written in Internet consumer perspective not business

organization perspective. In section 2.3, I present current security technology like

cryptography and digital signature, which are playing important roles in security

engineering nowadays. Basic knowledge of such technology is needed because it will be

mentioned quite often in the latter sections as a foundation of various security

techniques. Next, I analyze threats and how to protect against such threats. In order to

organize the structure of the analysis, the four computer security attributes are presented

and I would provide the further analysis of threats and security procedures for each

attribute. The four computer security attributes consist of confidentiality, integrity,

privacy and availability described in section 2.4 and the analysis for each attribute is

provided in section 2.5, 2.6, 2.7, and 2.8, respectively. In each analysis I describe how

the security attribute is important to Internet consumers, possible threats and control

techniques. Summary of this chapter is also provided in section 2.9.

2.2. Types of Internet uses

The Internet applications provide users with various abilities. Based on how people

use the Internet nowadays, I shall categorize the use of the Internet applications into

three main types as follow;

2.2.1. Electronic messaging

2.2.1.1. Electronic mail (e-mail)

E-mail is an Internet application that provides the ability to write, store,

read, send and forward an electronic message from one system to another. With

today’s technology, people can also attach text files, audio files, graphical

images or video clips with the e-mail. E-mail is asynchronous which means one

can send a message to another, though a receiver is not currently available.

5

Nowadays, E-mail plays an important role in personal, educational and business

usage. In many organizations, especially multinational companies, e-mail

simply replaces the letter and fax since it offers many advantages, such as faster

speed and inexpensive costs.

2.2.1.2. Public messaging

A public board provides users with the ability to create discussion among

predefined groups. The members can post, read and write comments on the

public board of their groups. Thus the confidentiality of a message is less

important as every member can view every message on the board. One can

create his own community or group, and one can be a member of more than one

group as well.

Another obvious use of public messaging is online conversation.

Interactive conversation programs can be classified into two types. First, a

program called ‘Talk’, similar to conversation on the telephone, provides users

with interactive links to others and communicating by typing messages. Second,

a conference program called ‘Chat’ provides users with the ability to choose a

conversation that is currently happening and join in, and one can create his own

conversation as well. Today, many Web sites offer chat rooms for their

customers. The chat room can be classified based on mutual interest, emotion or

career of customers. Some Web sites provide transcript services after the chat is

over. The transcript covers the conversation in particular session. Before it will

be available for people who are interested in the chat, the transcript is edited or

checked for spelling and inappropriate sentences are deleted. In this way, a

conversation is recorded and people, who want to download it, need to contact

the copyright holder to ask for permission to transmit it.

2.2.2. Browsing

Browsing means the ability to locate and access information on the Web, which

is stored in other servers. Information available on the Web can be in text, graphic or

even multimedia. Many organizations extensively provide their data about

themselves, advertisements, customer services and e-mail contacts on the Webs.

There are many popular search engines nowadays such as Yahoo, Lycos, Alta Vista,

6

and Google. Browsing the Web is undoubtedly a timesaving and cost efficient way

to gather information for education and entertainment purposes.

2.2.3. Trading transactions

Business-to-Customer (B2C) and Business-to-Business (B2B) are very common

terms in the Internet world. Both of them hold the similar concept that by using

Internet infrastructure, clients must be able to easily and quickly order products or

make payment online. The Web server is responsible for communicating sales orders

or payments with a real company server, so that delivery of products and receipt of

payment can be instantly processed. I shall note that the B2B transactions are

omitted here because this study focuses on B2C and the scope of work is established

for a practical purpose.

2.2.3.1. Electronic order

In B2C, a vendor advertises price lists, product catalogs, after sales

services, sales discounts and other information in the Web, so that a customer

can check the offers and submit an electronic sales order form. A customer can

search and browse as many commercial Web sites as he wants to find the most

attractive offer. After receiving an order, a vendor checks authenticity of the

customer and sends an electronic invoice back to the customer as a confirmation

of order.

2.2.3.2. Electronic payment

After placing an order and receiving an invoice, the next step is to make

payment. In this process, security procedures are crucial for both the buyer and

seller because it involves sensitive data such as credit card number, and

payment instructions. The occurrence, completeness, accuracy, and timing of

payment are very important in payment processing. Electronic payment can be

categorized into two types. First, the seller receives payment instructions and a

bank card number from the buyer and processes it in a non-Internet-based

payment system on a secured seller’s server. In the second type, payment

instruction is received by the seller and processed by a payment processing

service provider. In this case, a buyer is able to use a bank card, electronic

check or automated clearing house to make payment as a payment service

7

provider is responsible for arranging various processors for different types of

payment.

2.2.3.3. Electronic product delivery

Nowadays, the product delivery is not limited to only a physical

transportation. With e-business model, the goods can also be transmitted to

online consumers via the network. The emerging digital-goods business will

provide software, music, photos, video, and documents that can be produced,

delivered, consumed, and licensed electronically (Kalakota, R, 2001, 94).

2.3. Current state of the art in computer security technology

In this section, I provide the basic concept of cryptography and digital signature as

they are prevalent technologies for computer security control at the present time. The

content of this section is needed as it is useful for skim the basic idea before

investigating in more details of security controls in the later sections. Cryptography has

been an infrastructure of many protocols and software packages, which aim to cover risk

exposure during transmission of a message. Underlying on the art of cryptography,

digital signature was developed to perform the similar task as a traditional hand written

signature but in electronic form rather than in paper.

2.3.1. Cryptography

Cryptography originally denotes the art of keeping information secret by the use

of codes and ciphers (Andrew, H, 2000, 141). It is a prevalent tool for security

engineering today since one can notice that the computer industry has extensively

utilized cryptography as a basic standard in secure software development. The main

process of cryptography is to encrypt or scramble an input message called ‘plain

text’ with cryptography algorithm, which results in an output message called ‘cipher

text or cryptogram’. At the receiver side, in order to change cipher text into a

readable format, a cryptographic key must be used for decryption. A cryptographic

key is created from a string of digits. If the same key is used for both encryption and

decryption, it is called a symmetric key. Another kind of key is an asymmetric key,

which simply means the encryption key differs from the decryption key.

8

At the present time, a strong cryptography is considerably powerful security

technology. The strong cryptography algorithm is based on reliability of

mathematical calculation. The calculation of cryptographic key is so complicated

that it could not be cracked within a short time. Anyone, who wants to crack it, is

supposed to take several years to achieve his goal. As long as people rely on

mathematical complexity, the strong cryptography is still the most efficient tool to

safeguard the computer security. The immediate or significant arguments against

this idea have not yet come forward.

2.3.2. Digital signature

Digital signature applies an asymmetric key from cryptography science. The idea

is that one can create a pair of keys called a private key and a public key. A private

key is secretly kept with the originator of the keys and is used whenever he wants to

encrypt a message before sending out. The originator gives his public key to other

people so that they can use this key to decrypt his message. Persons who do not hold

a public key will not be able to decrypt a message, hence confidentiality of the

message is maintained to some extent. If receivers successfully decrypt a message

with a public key, it also implies that the originator, who is the only one who holds

the other key, creates this message. This leads to the term digital signature, as it

seems like a sender really signs the message by his key.

In reality, encrypting a big message is expensive and not cost-efficient.

Consequently, hash function is applied in combination with digital signature to

reduce the cost. Hash function generates a unique random number of message or

file. When data in the files or messages changes, hash value is subsequently changed

so any modification of message during transmission will be detected. To reduce

costs of expensive encryption, one can generate hash value from plain text, encrypt

hash value with a private key, and send plain text attached with hash value to a

receiver. A receiver then decrypts hash value with a public key, opens a message,

calculates hash value from the received message, and checks his hash value against

hash value from a sender. If two hash values are identical, that means integrity of a

message is proved.

9

2.4. Computer security attributes

In this section, the four main computer security attributes, including confidentiality,

integrity, privacy, and availability, are introduced. Understanding the security attributes

is crucial in order to conduct risk analysis and find the suitable control for each attribute

in the next section.

2.4.1. Confidentiality

Confidentiality can be considered as secrecy. The unauthorized persons should

not gain access to others’ data or other computing assets. Different degrees of

confidentiality are possible in electronic transmissions, as confidentiality can depend

on simple passwords, secure connections, or more advanced technologies (Camp, L,

2000, 69).

2.4.2. Integrity

Integrity involves accuracy of data. To achieve integrity, only authorized persons

are able to create, edit, and delete data in an approved manner. One should ensure

that the prevention of tampering is included when considering this attribute as well.

2.4.3. Privacy

Privacy is the ability and/or right to protect your personal secrets; it extends to

the ability and/or right to prevent invasions of your personal space (Anderson, R,

2001, 10). It simply means that the subject of information should be able to control

the information.

2.4.4. Availability

The computer assets should be available for and accessible to authorized persons

when they need them and should not be interrupted or discontinued.

In the next sections, I provide the reader with my analysis. I would like to clarify the

structure of the following sections in the first place. The analysis in section 2.5, 2.6, 2.7,

and 2.8 is presented in a sequence of security attributes consisting of confidentiality,

10

integrity, privacy and availability. For each analysis section, I will begin with an

explanation of why a particular attribute is important, how much it will affect Internet

users, and how much the users will be concerned about a particular security attribute

when using Internet for different purposes, such as browsing and e-mailing. This part is

based on my experience and knowledge.

Subsequently, possible threats and appropriated controls are proposed based on

various kinds of literature reviews. The main sources of literature information are

contributed to three books; Andrew, H, Ford, W, and Pfleeger, C. Other literature

including information from Web sites are considered as well. The analysis for individual

security attribute has the same structure throughout the chapter.

2.5. Analysis of threats to confidentiality and controls

Confidentiality of message is very important for e-mail and electronic payment.

Compared with other Internet usage. This is because e-mail is used for communication

both in personal subjects and business subjects. Today, it is common to use e-mail to

inform other parties about various kinds of information. The sensitive information

passing through e-mail can be credit card numbers, bank account numbers, business

deals and contracts. Regarding electronic payment, it undoubtedly includes sensitive

information about payment instruction, payee personal information and payer account.

Thus confidentiality for a sensitive message or information in e-mail and electronic

payment is a key concern for users. On the other hand, information in public messaging,

and Web sites seems to be more publicized as it is read, browsed or written by many

people, hence confidentiality of message is not necessary in this case. As for electronic

orders and electronic goods delivery, the information in a document is normally about

specification of products or services, quantity, date, buyer name, and buyer address,

which is not so serious in terms of confidentiality.

Consequently, I shall propose that confidentiality of information is more important

for e-mail and electronic payment than for electronic orders, while that of public

messaging and Web sites are not really applicable.

2.5.1. Possible threats to confidentiality

Eavesdropping, interference and hacking are the basic threats to all types of

Internet uses. Each threat is discussed in more detail below.

11

2.5.1.1. Eavesdropping

Eavesdropping involves with interception or gaining access to the

communications by unauthorized party. Mostly, it happens during data

transmission. Passive eavesdropping happens when an unauthorized person

listens secretly to the networked messages. On the other hand, active

eavesdropping means that an intruder not only listens to but also injects

something into the communication to distort or create bogus messages for

example by changing partly or all content of the messages, reusing the old

messages, deleting the messages or modifying the source of messages.

Thus messages sending back and forth in communication line are exposed

to interception or eavesdropping. Once a criminal breaks into the network, he

can silently examine message during transmission and steal sensitive

information that he wants. The messages need protection to maintain the

secrecy that no unauthorized person is able to scan them. It is vulnerable

liability for companies as customers may claim or sue the companies if

eavesdropper succeeds in his job and discloses customers’ personal data.

2.5.1.2. Interference

Interference with the network routing mechanisms means a criminal

modifies a destination address, consequently a message is delivered not to

intended recipient but others. This way, a criminal can change a recipient’s

address to his address so that he can open and read the important messages. If

skillfully done, he can also conduct eavesdropping more easily or even generate

forged messages (Andrew, H, 2000, 138). In addition, only acknowledgement

of volume of messages, message existence, and routing of messages are crucial,

especially for sensitive messages, and enough for an attacker to speculate what

the communication is all about. The number of interference or intrusion of

computer system is remarkable. The latest Computer Crime and Security

surveys show that 40 percent of 538 corporate respondents had their computer

network penetrated by outsiders (Treadwell, T, 2001, 28).

2.5.1.3. Hacking

Hackers can be people who are career criminal. They are competent and

high skilled at using computers. Once they analyze and discover a leak point of

12

target system, they will find the appropriated and quick ways to access and

attack the system. They can use various kinds of attacks or even develop their

own ways to attack the computer system. For example, they may access a

system, which they are not authorized to access, and create bogus information

or try to create an information flood. They can also break through Web servers

to access or steal information. According to Treadwell, T, 2001, 28, Internet

banking firm ‘S1 corp’. was hacked and recent IDC (www.idc.com) report

indicates that 57 percent of computer hacks are initiated in the financial services

sector. The companies are becoming more aware about rising incidents of

hacking supported by the fact that the implementation of intrusion detection

system and security auditing plays significant roles nowadays.

2.5.2. Security controls for confidentiality

2.5.2.1. Security controls for confidentiality of electronic messaging

• Privacy Enhanced Electronic Mail protocols (PEM)

Inferred by its name, PEM is an encryption mechanism used to protect

end-to-end security for e-mail messages. It was first developed by the Internet

Society. PEM efficiently provides solutions for e-mail security problems. PEM

processing is to apply asymmetric or symmetric encryption to a whole e-mail

message including heading and body to secure it while transferring through a

network. Only authorized persons are able to read an authentic message as they

hold a secret encryption key and a digital signature can also prove authenticity

of a sender. Hash function is used in PEM process as well. Hence, using PEM

can ensure confidentiality and integrity of message and authenticity of origin.

• Secure/Multipurpose Internet Mail Extensions protocol (S/MIME)

The Multipurpose Internet Mail Extension (MIME) is a specification that

enables users to store various types of message components such as image,

unstructured text or a combination of text and image. S/MIME protocol was

developed by RSA Security Inc., and is now considered to be a standard

protocol. The mechanism of S/MIME protocol is based on Public-Key

Cryptography Standards (PKCS) and encapsulation. It uses various data

structures providing security services for electronic messaging applications

including authentication, message integrity and non-repudiation of origin. It

utilizes digital signatures, privacy and data security, and using encryption. The

13

message receiver needs to have S/MIME facilities to verify a signature, to

ensure integrity of message, and then to read such a message.

S/MIME is based on end-to-end structure, providing the users with the

capability to store, send, receive, digitally sign, and decrypt messages on their

mail client software in their system. The main processes involve encryption of

the body part of MIME message, transformation to a standard form, adding

digital signature and encryption again with a public key from recipient. These

processes can be described as signing and enveloping the messages to protect

against intrusion during electronic message transmission.

• Pretty Good Privacy program (PGP)

PGP was developed by Phil Zimmerman, and is appropriate to use in

small Internet communities. Though it has a similar mechanism as S/MIME,

PGP is different in the way that users can exchange public keys to others in

small group to create connection of trust. The users hold some public keys

collectively called a key ring, which will enable the holders to decrypt a

message with a proper key from a key ring. The users can sign each other’s

keys to build a certificate chain so that one can trace back the signature on the

key, until he finds a trustworthy person’s signature. However, when a user

group becomes bigger and everyone owns all public keys of others, trust in

connection tends to decline.

• Web-Based Secure Mail

Unlike S/MIME, a Web-based messaging service is not built on end-to-

end structure. It enables users to delegate many tasks, such as encryption,

decryption, and validation signatures of receiving messages to a main hub on a

Web server. As the users must communicate with the mail hub, TLS protocol,

which I will elaborate on later, is in place to secure the confidentiality and

integrity of message during transmission. The benefit of Web-based secure mail

is that the users can access the Web from different computer or application

systems, as they do not need to install mail client software beforehand.

However, the extent of delegation depends on how much the users trust in a

main hub security and whether or not they want a mail hub to be the

representative to perform such tasks for them.

2.5.2.2. Security controls for confidentiality of trading transaction

• Transport Layer Security protocol (TLS)

14

The Internet Engineering Task Force (IETF) established TLS as one of

Internet standard specification since TLS provides many advantages to the

Internet community. TLS is simply an additional protocol sitting between

application and transportation protocol to protect against eavesdropping and

interference. TLS mechanism, in user perspective, ensures authentication of

Web site servers. Both server and user have to create random numbers and

exchange them. Together with random numbers, the server also sends its

certificate issued by a faithful certification authority to user. Then, a user

develops a hash number, which will be used as a key (or so-called master

secret), mainly based on random numbers of both parties. The master secret is

used to decrypt messages, which are attached with Message Authentication

Code (MAC). By using MAC, both parties are able to detect if somebody

modifies the message or not.

In short, this mechanism can protect confidentiality and integrity of

message as well as authenticity of origin.

• Secure Electronic Transaction (SET)

SET was developed by cooperation between Master Card and Visa and is

a protocol for e-payment. Its aim is to protect against hacking of credit card

numbers, which is sensitive data in electronic payment transaction. Although it

is more complex and secure than TLS, it is not efficient when comparing costs

and benefits. That is the reason why it is not widely used in practice. SET

mechanism can be roughly described in four steps. First of all, a customer and a

vendor exchange each other’s public key and a vendor also gives the public key

of its bank to a customer. Secondly, when a customer wants to make a payment,

he encrypts order description with a vendor’s public key and encrypts his credit

card number with a bank’s public key. Thirdly, a customer signs the encrypted

message with his private key to prove his authenticity. Finally, a vendor passes

this message to the bank to authorize the payment by signing the message.

Encryption of a document with a private or symmetric key provides the

recipient with some certainty that the document was not altered (Camp, L, 2000,

75). SET also provides a certain extent of privacy for customers in a way that

customers can select pseudonymous account numbers, though the bank has

some part of purchased goods information.

Thus by using SET, confidentiality, authentication, integrity and a certain

level of privacy are ensured.

15

2.6. Analysis of threats to integrity and controls

I consider integrity as the crucial concern in all types of Internet usage including

electronic messaging, browsing content on Web sites, and electronic transaction.

Integrity is important because it means that accuracy and completeness of a message is

ensured and any modification of a message is detected. The Web sites and Internet users

should ensure that their messages maintain the same content during and after data

transmission, otherwise they may have to take responsibility for any mistake or

modified content in such messages. For browsing, it is also important to keep content of

the Web precise and complete. If malicious persons modify or replace the content of the

Web with fake information, the users will perceive the wrong information or have

unpleasant impressions with the Web. In addition, the Web’s customers or Internet users

may not trust in the Web site that is repeatedly attacked by cybercriminals, and finally

decide to use other substitute Web sites that are more sound. Consequently, the Web site

needs to establish suitable security procedures to keep its customer and preserve its good

reputation. Moreover, the integrity of sensitive e-mail or electronic trading transaction

must be protected by security controls to prevent any contingent liability or commitment

in the future.

2.6.1. Possible threats to integrity

The major threats to integrity are active eavesdropping and code modification.

The eavesdropper can intercept the message in conversation, which breaks the

confidentiality of conversation, and insert a forged message or modify some part of

the message, which deteriorates the integrity. E-mail, public messaging such as

chatting and electronic trading transaction are potentially exposed to eavesdropping.

This is because the messages are sent and received on and on over the network.

Moreover, particular Internet usage is also subject to code modification threat from

infecting viruses. For example, e-mail and the content of Web sites are the main

targets for viruses as they are extensively used and accessed by Internet users on a

daily basis, so it is easier to spread a virus or worm within a short time. The digital

products, such as software program, that are delivered electronically, are vulnerable

to code modification as well. The eavesdropping threat was explained in detail

earlier in section 2.5.1.1. Thus, in this section, I shall mention only about code

modification threat.

16

2.6.1.1. Code modification

This threat happens when an attacker modifies, deletes or replaces the

authentic code by using virus, worms and other malicious programs. For

example, the Code Red worm, a well-known worm which scared the

government and many online businesses, is generated to get into Web servers

and replace Web site content with the specific message. Virus infections can be

found often and easily nowadays. However, computer users can protect

themselves quite easily if there is the advanced warning from government or

media. In the Internet world, file downloading possibly leads to malicious

downloaded code because people are unaware of unreliable sources, lack of

computer security knowledge or file downloading occasionally executed

without permission from users in some Web sites.

2.6.2. Security controls for integrity

2.6.2.1. Security controls for integrity of electronic messaging

Electronic messaging in terms of e-mail can be protected by PEM,

S/MIME , PGP and Web-based secure mail, which are prevalent tools, against

integrity exposure. The concepts of these techniques were mentioned in section

2.5.2.1. As for public messaging, which is vulnerable to active eavesdropping

attack, the common way to protect against injecting or modifying message

during online chatting or discussion is by using TLS protocol. As mentioned

earlier, the unique code called MAC in TLS protocol is affixed to messages in

the conversation and this mechanism is to ensure integrity of messages.

In addition to such tools, online consumers should consider using

scanning software as a means of basic protection against threat to accuracy and

completeness of electronic messages. Viruses, worms and Trojans are harmful,

as they can destroy partly or all information in e-mail and infect files in users’

computer storage. Thus integrity of message is deteriorated. Scanning software

is easily found in markets nowadays. This software usually provides automatic

function of scanning viruses, warns users about infected files and kills viruses

that are found. Moreover, one should be aware of the new virus from public

media reports or internal IT departments in an organization, and always scan for

17

viruses on the received files especially the suspicious one, before opening them.

One should also report to the related parties if one finds a virus in the files.

2.6.2.2. Security controls for integrity of browsing

TLS protocol and virus scanning software can also applied to Web

browsing. The Web owner should utilize benefits from TLS protocol to

establish trust among online customers and ensure integrity of message sent and

received from a communication line. The Web administrator should constantly

screen for viruses as well so that he will discover a malicious code before it

spreads to more system files and causes more disaster.

In user perspective, all downloaded files from the Web should be

considered as suspicious objects. A user will never know whether a virus infects

such files or not, even if the files are from the reliable sources. Sometimes, file

downloading happens without acknowledgement from users. There are many

vendors developing systems to protect against downloading of programs

without the user’s permission. For example, the Authenticode system developed

by Microsoft allows users to check the source of a program, which should have

a digital signature of legitimate vendor, before downloading.

2.6.2.3. Security controls for integrity of trading transaction

TLS protocol is very effective and prevalent to maintain integrity of

information. TLS protocol is considered a standard tool used by many online

companies to ensure accuracy of information in electronic sales orders and

payments. Another tool for electronic payment transaction is SET, which is

developed to secure sensitive information and ensure integrity. More details

about TLS and SET were described in section 2.5.2.2.

2.7. Analysis of threats to privacy and controls

Privacy concern is currently becoming a more important issue. Consumers are aware

of their privacy rights and possible invasion risks. In the globalization world, where

information freely flows across organizations or countries via powerful network, many

online consumers doubt about how they can be sure that no one else except them have

access to their personal data. Followings are some facts, which can illustrate how online

consumers are aware of their privacy. According to Allen, C, 1998, 340, the “Internet

18

Privacy Study” by Boston Consulting Group (www.bcg.com), shows that over 70

percent of the respondents are more concerned about privacy and information

exchanged on the Internet versus phone or e-mail. More than 41 percent of the

respondents left Web sites that asked users to provide registration information. Twenty-

seven percent of these online users entered false information on Web site registration

forms. Nakra (2001, 273) summarized the interesting results from several studies that

showed signs of privacy concerns below:

The IBM Multi-National Consumer Privacy Study found that 40 percent of the consumers have decided not to purchase something online due to privacy concerns. People are cautious about putting correct personal information on these Web sites, because they do not know what is going to be done with it.

Forrester’s research found that online shoppers are most concerned about how much personal information they give and who sees it. Web users worry that the information they share online will produce unsolicited e-mail or telemarketing calls. As a result, 80 percent of Internet users support a policy that prohibits the sale of data to third parties, and half of online customers are willing to contact the government to regulate online privacy.

According to Cyber Dialogue’s American Internet User Survey (AIUS), women are reluctant to seek product information or place orders online mainly because of security concerns relating to stolen credit card transactions, personal privacy, and the lack of Net regulation. Nearly 90 percent of online women say that guaranteed transaction security influences their repeat visits to online shopping sites.

Due to rising numbers of computer crimes, overall consumers have become

increasingly concerned about how they can control their own sensitive information on

the Net. Consequently, in all types of Internet usage including electronic messaging,

browsing, and trading, I shall classify privacy attributes in highly important issue

concerned by Internet users.

2.7.1. Possible threats to privacy

Hacking is a common threat for all types of Internet usage. Once a hacker

breaks into the system or database, he is able to access and obtain personal

information of online consumers. Hackers can disclose or sell such information to

19

other people, breaking the privacy of users. Hacking process was described in detail

in section 2.5.1.3.

In addition to hacking, there are other threats to privacy, which I shall describe

by each category of Internet usage. The first category is e-mail. E-mail account

owners are more or less acquainted with unsolicited commercial mail, or “spam”.

Spam invades privacy of consumer by sending commercial mail to consumer

accounts without asking for permission. The second category is public messaging.

Online conversation is quite risky in a way that the counterparty can permanently

record the conversation. Blackmail and threatening are daunting risks of privacy if

the counterparty wants to make money by revealing sensitive information in the

conversation. The last group of categories are browsing and electronic trading. Both

browsing and electronic trading share a common process that consumers visit one or

more Web sites to search for or obtain information or to make a purchasing

transaction. Consumers may feel uncomfortable if their activities on the Net are

traced by the cookies file. Though cookies were invented to facilitate faster and

more efficient communication between users’ computers and Web servers, there are

some people who use cookies as a means to collect users’ information without

considering privacy intrusion.

2.7.1.1. Unsolicited commercial e-mail

Unsolicited commercial e-mail is also called ‘Spam’. It is commercial e-

mail sent to online consumers without asking if they want it or not. Spam can be

regarded as invasion to privacy of Internet users. There are two main steps of

sending spam. Firstly, the consumers’ e-mail addresses are collected from Web

sites or newsgroups. Secondly, a bulk of commercial e-mail is sent to

consumers without passing through a particular mail server so that a mail server

cannot claim that it causes dense traffic on the network. The Web marketer

views the use of e-mail marketing as a good opportunity to quickly spread new

campaigns or promotion to wide groups of consumers with low cost. However,

these commercial mails annoy the online consumers, as they are mostly

unwanted mail and the processes such as deleting, opening disguised mail, and

sorting commercial mail from wanted mail consume some time. The better

solution for online solicitation is that Web marketers should post advertisements

20

on the discussion board or offer options to receive or reject future solicitation to

online consumers.

2.7.1.2. Conversation record

One should keep in mind that when online conversation is happening,

other parties can keep record about who says what in such conversation. Similar

to conventional video tape recording, one can record or store the ongoing

conversation in a certain file. The fact is that it is likely to happen without

acknowledgement or asking for permission from the related persons. Though a

person, who records a conversation, may not intend to use it to harm

counterparties, it is still considered as privacy invasion unless he informs

stakeholders in advance about conversation recording.

2.7.1.3. Cookies

Technology called cookies is used to store information about Web site

navigation in an user’s computer and help memorizing a username or password

of a Web site that a user visits. The Web server can create a particular cookie

storing information about the user’s preferences and then transmit this cookie to

store in the user’s computer. The cookies also notify Web site operators about a

user’s visit. The cookie file is valuable to the Web marketer since it stores

information about user-visited Web sites, which can tell the marketer about

what a user is interested in. Though cookies are considered as powerful tools for

personalized marketing, the use of cookies can lead to privacy invasion as the

cookies keep track of user activity on Internet without appropriated permission

or acknowledgement from users.

2.7.2. Security controls for privacy

2.7.2.1. Security controls for privacy of electronic messaging

• Filter software

There are some kinds of software that act as filters trying to separate

advertising e-mail from favorable e-mail. To protect against unsolicited

commercial e-mail, such filter software is efficient in a certain extent, but not

enough to get rid of all commercial e-mail. Hoffman, P, mentioned that the

current state of filtering technology could not distinguish between legitimate,

21

personal e-mail and unsolicited bulk e-mail. However, it is considered as one

step and contribution to help consumers from overwhelming unwanted

advertising e-mails.

• Best practices

Based on privacy guideline of Center for Democracy and Technology

(CDT), there are many basic ways to protect one’s privacy as follow.

- Review privacy policy

To avoid privacy exposure, one should review privacy policies before

signing in the public mail services in Web sites. Some Web sites that provide

electronic messaging services have considered about consumers’ privacy rights

and established security policies to reduce serious issues about privacy concern.

- Separate e-mail account

One can have different e-mail accounts for different purposes such as a

working or a personal account using for sensitive and important mail, and an

entertainment account using for leisure purpose. Therefore one can put more

control on a sensitive account and refer to an insensitive account when a

commercial Web site asks for e-mail address.

- Avoid risky online conversations

One should avoid suspicious talk or chat and should exit from profanity,

defamation, or threatening conversation.

- Utilize secure technology

Software developers produce various security programs for protecting

privacy when using e-mail. For example, Anonymizer (www.anonymizer.com)

is the software that enable users to send private, anonymous, and untraceable

email from vendor’s Web sites. To increase their own security on the Net,

online consumers should try to take advantage from this advanced technology,

which is developing to improve efficiency all the time.

2.7.2.2. Security controls for privacy of browsing

• Platform for Privacy Preferences (P3P)

Developed by the World Wide Web Consortium (W3C), P3P is aimed to

provide online consumers with options to allow or not allow the Web to collect

their personal information. Some Web site administrators are aware of

consumer privacy concerns, therefore they establish privacy policies to make

22

customers feel safer. The privacy policies are in predefined format supplied by

P3P so that particular software called user agent can interpret them. By using

user agent, consumer is automatically informed about Web site policies of how

consumer data given to the Web will be kept or used, consequently he can

decide whether or not to give personal information to such Web site.

Unfortunately, P3P cannot ensure that the Web site really conforms to

established policies indicated on the Web.

• WebTrust 3.0

WebTrust is a software that offers different modules and privacy seals.

Similar to financial auditor’s work, the professional auditor will check, verify,

and detect privacy procedures and issue an opinion report. If a Web site meets

the audit criteria, a privacy seal will be given to a Web site. A WebTrust

privacy principle is such that an entity discloses its privacy practices, complies

with such privacy practices, and maintains effective controls to provide

reasonable assurance that personally identifiable information obtained as a

result of electronic commerce is protected in conformity with its disclosed

policy practices (Andrew, J, 2001, 49). WebTrust is now used in many

countries, such as the U.S., Sweden, Denmark, Germany and Hong Kong.

• Open Profile Standard (OPS)

Netscape, Firefly, and VeriSign created OPS, which is a standard

providing user with safe ways to share encrypted personal information in user

profiles with Web sites. With OPS, the user profile is kept in standard format,

online transaction and interchange of a user profile with Web sites are logged,

and restricted access to prevent unauthorized modification of user profiles is set

up. The user also has the right to know where his profile is kept and what

information is in his profile.

• Best practices

Similar to the best practices of electronic messaging usage, the first basic

thing for Web surfer to do to protect privacy online is looking for privacy

policies on Web sites and reading them carefully, if there is any. Additional best

practices based on CDT’s guideline are as follows:

- Clean up a memory cache after browsing

During browsing the Net, accessed Web sites and images are memorized

in a user’s computer, so that the speed of loading the Web will be faster in the

23

next visit. Thus, a user should delete the memory cache or clear the history after

browsing, so that no one else could trace Web sites that he has visited.

- Utilize security technology

Some new software offers special functions to inform users about Web

sites that send cookies to users and provide users with options to reject such

cookies. For example, Anonymizer (www.anonymizer.com) software enables

users to accept Cookies from Web sites that need to send Cookies to users such

as online shopping, signups, and personalized content. These Cookies are

normally kept for long periods. After making use of such Cookies, the software

will change long-term Cookies into short-term or session-only Cookies, which

then automatically expire after session terminates. This software also provides

users with the capability to encrypt or scramble the Web pages that users visit

so that other people with access to users’ Internet connections cannot see a trail.

AdSubtract™ PRO (www.adsubstract.com) is software that prevent unwanted

Web junk, such as advertisements, popup windows, animations, and music. It

can protect users from malicious codes and unwanted cookies.

- Choose to opt-out, if the Web offers a choice to do so.

Web surfer should choose ‘opt-out’, if the Web sites provide choices to

‘opt-in’ or ‘opt-out’. When a user chooses to opt-out, that means he does not

allow the Web to give or share his information with a third party. Some sites do

not present the customers with opt-out but ask for opt-in instead. Opt-in policy

means the Web asks for a user’s permission before they will share his personal

information with other parties.

- Watch out for children’s privacy

The final practice is about child privacy protection. There are some Web

sites that try to gather information from kids for marketing purposes. The kids

may be asked to give information about their families and themselves while

surfing on the Net. The basic method to maintain child privacy is to teach them

about it and tell them to ask for parents’ permission before giving out

information to the Web.

2.7.2.3. Security controls for privacy of trading transactions

There are useful practices applied to electronic transactions and goods

delivery. For example, a consumer should be conscious about privacy policies

on the Web as personal information given in payment or order forms is

24

somewhat sensitive. In addition, a consumer should beware of online forms. It

is safer if online forms are encrypted to make sure that no unauthorized persons

can read them. The current browsers are able to show the locked key symbol to

imply that the accessed site is secure and has an encryption mechanism for data

transmission. On the other hand, if a consumer notices an unlocked key in a

particular Web page, he should avoid transferring data as it is a sign of

insecurity. An additional control for electronic payment transaction is by using

SET protocol. As mentioned in section 2.5.2.2, SET is designed to protect the

privacy of online customers as well.

2.7.3. Related law and regulations

The use of Internet dominates business around the world, accordingly law,

regulation and standard practice are needed to control Internet community and

protect online consumer right. I shall describe the main privacy regulatory initiatives

in Europe, The U.S. and Asian below.

• The Organization for Economic Co-operation and Development (OECD)

The content in this subsection is mainly based on OECD Web site, and Andrew,

J, 2001.

The OECD is an international organization consisted of 30 member countries

and aims to establish international standard to govern fair business and economic

conduct. The member countries include all Scandinavia countries, some Europe

countries such as France, Italy, Switzerland, and two Asia countries which are Japan

and Korea. In 1980 just before emergence of Internet, the OECD produced

Guidelines for Consumer Protection and Transborder Flows of Personal Data to

protect risk exposure of free flow of personal data between member countries, and

its data protection principle is subsequently considered an inspiration of European

directives framework (Andrews, J, 2001, 46-47). In addition, a good practice to

conduct fair business and disclosure to all stakeholders, establish user friendly

electronic payment and secure personal data of consumers are given in the

Guidelines for Consumer Protection in the Context of Electronic Commerce.

• The European Union (EU)

The content in this subsection is mainly based on EU Web site and Rendleman,

J, 2001.

25

For several years, the EU, consisting of 15 Europe countries, has been

monitoring and regulating online companies concerning how personal data of

consumers is treated. In July 1995, EU established a stringent directive for

exchanging online consumer data to non-EU countries, but it actually went into

effect in October 1998 (Rendleman, J, 2001, 57-58). There are two significant EU

directives which directly impact e-business in Europe; the European Directive on

Protection of Individuals With Regard to the Processing of Personal Data and on the

Free Movement of Such Data, and a Directive on the Processing of Personal Data

and the Protection of Privacy in the Telecommunications Sector. Such directives

include data-protection, database registration ledgers, processes for pre-approval of

specified online activities, “opt in” choice to personal data collection, and disclosure

of consumer information upon individual request.

While Europeans tend to impose stringent regulation for data protection,

Americans prefer to have a self-regulatory system, as they believe that their privacy

depends on Web site policies rather than government regulation. EU and the U.S.

Department of Trade have reached an agreement called a “safe harbour”, which

became effective by November 2000 (Nakra, P, 2001, 273). Under this agreement,

EU allows the release of personal data on an individual basis to certain users in the

U.S. whom meet established requirement. However, sensitive personal information

such as medical conditions, race, political opinion or religion are not allowed to be

collected or exchanged without a consumer’s permission. On the other side, based

on Andrew, J, 2001, 47-48, U.S. online companies must provide European

customers with more privacy protection under this agreement. A company can

voluntarily take part in safe harbour by submitting its self-certification to a

committee. The self-certification requires a security system, which is actually in

place and can be verified. Also, there are fines and prosecution for violation of safe

harbour requirements.

• The U.S.

The content in the first and second paragraph is mainly based on Allen, C, 1998,

343-347. For the third paragraph, the information is based on Andrew, J, 2001, 48.

There are three main remarkable privacy initiatives and legislations in the U.S..

Firstly, the Consumer Internet Privacy Protection Act of 1997 is a bill aiming to

protect online consumers by disallowing the disclosure of consumers’ personal

information without their consent, providing consumers with the right to cancel

26

former consent and access to their information for verification and rectification of

any error.

Secondly, the Data Privacy Act of 1997 was generated from the concern over the

interactive market on the Net. This bill established some guidelines for Web

marketer in respect of consumer right; for example, guideline for unsolicited

commercial e-mail, guideline for limiting the collection and use of consumer

personal data, and guideline for forbidding presentation of sensitive personal data

without permission from customers.

Thirdly, Children's Online Privacy Protection Act, which became effective in

2000, is about the concern of children privacy on the Net. It provides some basic

requirements that Web marketers must recognize when they want to target at

children under 13 years old. For example, clearly announcing data collection and

disclosure, informing kids to ask for permission from their parents before

information collection, use, or disclosure; and providing parents with a option to

review collected information

• Regulatory initiatives in Asia

From the facts previously listed, Europe is significantly conservative about

privacy issues and is a leader in establishing strict directives. In contrast, most

countries in Asia have not yet established clear-cut online privacy regulations.

However, development of a formal data protection framework in Asia is expected in

the near future, due to a need to gather customer information in multinational

business. For example, Thailand and Japan are observing the EU directives for

creating their own comprehensive data protection regulatory (Andrews, J, 2001, 48).

In Hong Kong, some privacy issues are mentioned in laws, however, general data

protection regulation has not been established so far.

• Other privacy guidelines

There are some non-profit organizations or associations that try to establish

standards or best practices for Web marketer to acquire information from customers

while maintaining good relationships and trust between them. According to Allen, C,

1998, 347, the Direct Marketing Association established various online privacy

guidelines such as offering customers with opt-out notice, asking for permission

before sending unsolicited commercial e-mail, giving users the right to cancel such

permission, and presenting clear security policies about data collection from

children. Another example of these organizations based on Allen, C, 1998, 349-350

27

is Electronic Privacy Information Center (EPIC). EPIC suggested the ways for Web

marketers to build trust with online customers and assure them about data privacy

policy. For example, Web sites should educate privacy policies in obvious place and

unambiguous sentences. The Web should present customers about how and when the

personal data will be collected, used or distributed, and also encourage them to use

anonymous identification if they feel more comfortable.

2.8. Analysis of threats to availability and controls

Availability or denial of services is important to communication over the Net.

According to Treadwell (Treadwell, T, 2001, 28), the survey done by the Computer

Security Institute and Federal Bureau of Investigation revealed that 38 percent of

participated organizations experienced denial of service attacks. Hence, the sound

control must be in place to protect against such problems.

From different usage of Internet, I expect that availability of network system is more

important to browsing, electronic payment, and electronic goods delivery compared with

other usage. For example, if a user cannot send or receive electronic messaging or order

goods due to the system going down, he still has various alternatives to substitute online

communication, such as teleconference, wireless phones or even traditional methods,

such as fax, telephone, and letter writing. Of course, online communication failure can

harm an organization or make a user feel awkward. However, most users, such as e-mail

account owners, tend not to need real-time processing, implying that availability of

network is not taken seriously. In contrast, browsing, electronic payment, and electronic

goods delivery require the network to work continuously and smoothly. When people

browse Wed pages or wait for goods delivery, they need a quick loading process,

completed content, and easily irritate if transferring process is interrupted. And when

they download files from the Web, they do not anticipate or wish to have denial of

service problems. Regarding electronic payment, online payment forms normally

require customers to fill in personal information such as credit card numbers and social

security numbers. It is very important to quickly deliver such sensitive data to a

destination at once. If the system is not available or fails during submission, a customer

may have to resubmit payment forms and redundancy of payment transactions possibly

occurs. Some electronic payment systems are real-time processing which really needs

online service availability at all times. Thus, availability of network service is

significantly critical to the Web server and Internet users in browsing, electronic

payment, and electronic goods delivery categories.

28

2.8.1. Possible threats to availability

Threat to availability of computer system potentially arises from various

malicious activities. For example, an active eavesdropper may create a flooding

message. A hacker also can cause network failure, and viruses and worms may

destroy files and programs. All of these examples cause inconsistency or noise of

conversation, loss of data, and inability to reach a Web server. The results of such

threats can be defined as interruption of a network system described in more detail

below.

2.8.1.1. Interruption

Interruption can be described as lost, unavailable, or not working

hardware, software or data due to malicious destruction. Threat to continuity of

network system is resulted from various methods such as flooding and

unauthorized routing modification. By the term flooding, an intruder creates a

number of spurious messages just to increase the traffic on the network and

reduce service available to the real users. SYN flooding is one example of

network protocol flooding. It works by sending so many calls to a receiver that

the receiver’s software is not able to manage them. Smurfing attack is also

based on the idea of flooding to attack an online chatting session. Regarding

routing modification, an attacker ruins the network by modifying a routing table

to disable partly or all of a communication or delivering all messages to

himself, so that he can read, edit, delete or forward them. A denial of service

has been recently recognized as a network attack. This way, a malicious person

undermines computer system and affixes malicious software, which will attack

the system with overwhelming messages at a predefined time.

2.8.2. Security controls for availability

From a Web site manager perspective, availability of network is crucial to

business in the sense that the availability failure causes the operation

discontinuance, losing business opportunity, and loss from damaged system. I

would describe in brief in this perspective as I emphasize more on consumer

perspective. There are many tools that help preventing network attack such as

Firewall, Virtual Private Network (VPN), and IPSec. These tools share common

functions to control or filter messages coming in from and going out to external

29

parties or public network. They also provide services to trace original servers,

which send messages to internal systems and reject messages from suspicious

sources. Many Web site designers, who recognize hazards from network attack,

have installed one or combinations of these tools to reduce exposure of

inconsistency of network services.

From Internet user perspective, there are many controls introduced in

previous sections, which can protect availability as well. The common controls;

including network protection and best practices, can be used in all kinds of

Internet usage. For example, there is filter software that prevents flooding of

unsolicited commercial e-mail, TLS protocol that protects against intrusion, and

injection of bogus messages during data transmission, and signed download

software that helps ensure reliability of downloaded files. In addition to these

network protection controls, I believe that self-protection or best practices are

the most cost-efficient way to protect availability. For example;

- Backup files

The user should make backup files on a regular basis. The user should

also have backup of operating system files, so he will not lose all his valuable

data, and yet be able to run the computer system.

- Utilize secure technology

When browsing the Web or using e-mail, one can apply inexpensive

security software to maintain availability of stored data and continuity of

computer system without interruption from a virus or worm. For example,

Freedom® Anti-Virus software (www.freedom.net/products/anti-

virus/index.html) serves as a protection against viruses, worms and Trojans. It is

responsible for scanning users’ computers, identifying infected and disinfected

files and deleting viruses or suspicious files. The latest virus is also updated so

that a user does not need to worry about new attacks.

- Establish a personal firewall

There are different personal firewall packages in the market. The

personal firewall, based on a firewall mechanism, protects users against threats

like spyware and malicious scripts. The firewall also uses password control to

ensure that users’ security settings are not tampered. The firewall application

also provides service for monitoring outgoing messages enabling users to see if

there is a suspicious application trying to transfer sensitive data to outsiders.

The users can use customized functions to identify trust or distrust applications

30

by themselves. If users change networks, the network detection function in a

personal firewall will automatically check file sharing and printers for

reliability. Some personal firewall products enable users to be invisible on the

Net so that nobody is able to see them and attack them.

2.9. Summary

Due to an endless growth of Internet use, concerns regarding confidentiality,

integrity, and privacy of data and availability of network services are constantly rising

accordingly. Internet invasion occurs from many possible threats such as eavesdropping,

interference, interruption and code modification. Computer security experts generate

numerous protocols and techniques, such as firewall, TLS, P3P, PGP and PEM to

protect against security vulnerabilities in different purposes and situations. The most

powerful technology used in many computer security models is cryptography algorithm,

as it can efficiently solve confidentiality and integrity problems. Many people rely on

mathematical complexity in the strong cryptography. So far, the strong cryptography

algorithm is still considered ‘unbreakable’ and no arguments against this idea have yet

come forward. Hence, there is a bright future for encryption technology. However, one

should keep in mind that no tool can ensure perfect protection of data and computer

systems, as well as each tool, may be combined with others to effectively work under

certain circumstances. Though there are various techniques and regulations to protect

the Internet system and its consumers, the implementation and success of security

procedures is not possible without the cooperation of all involved parties, including Web

site owners, system administrators and online customers.

In this chapter, I conducted the analysis based on various kinds of literature about

computer security in the Internet world. I shall present the summary table of the analysis

in table 2.1. The table combined various uses of Internet and the security attributes

together. On the table head, the types of Internet uses were presented based on the

previous classification in section 2.2. In addition, the four computer security attributes

were shown according to the content in section 2.4. For each security attribute, I created

three subcategories including the importance of a particular attribute, the potential

threats, and the appropriate controls. I shall note that the content inside a matrix was the

result from my analysis in section 2.5, 2.6, 2.7, and 2.8. For the first subcategory, the

importance of security attributes, I already described the supporting reasons of how and

why I proposed different level of importance, including ‘low’ level, ‘high’ level, or ‘not

31

applicable’ for each type of Internet uses at the beginning of section 2.5, 2.6, 2.7. and

2.8. Identifying the level of importance of security attribute was a starting point of the

analysis. I subsequently proposed the possible threats, which were the source of the

second categories or ‘threats’. Then, the solutions for reducing the possible threats were

described and it brought up the third category or ‘controls’.

This table is important, as I will integrate it with the cultural dimensions table in the

next chapter. The integration is expected to bring up the important points about how

consumers are concerned about security when using the Internet. Based on a result from

the integration, I shall further develop my hypotheses in the empirical part.

32

Types of Internet use Electronic messaging Trading transactions

Computer Security

attributes E-mail Public messaging

Browsing E-order E-payment E-delivery

Confidentiality

• Importance

High

Not applicable

Not applicable

Low

High

Low

• Threats - Eavesdropping - Interference - Hacking

Not applicable Not applicable - Eavesdropping - Interference - Hacking

- Eavesdropping - Interference - Hacking

- Eavesdropping - Interference - Hacking

• Controls - PEM - S/MIME - PGP - Web Based

Secure Mail

Not applicable Not applicable - TLS

- TLS - SET

- TLS

Integrity

• Importance

High

High

High

High

High

High

• Threats - Eavesdropping - Code

modification

- Eavesdropping - Code modification

- Eavesdropping

- Eavesdropping - Eavesdropping - Code

modification

• Controls - PEM - S/MIME - PGP - Web Based

Secure Mail - Scanning

software

- TLS - TLS - Scanning

software - Signed

download object

- TLS - TLS - SET

- TLS

Privacy

• Importance

High

High

High

High

High

High

• Threats - Hacking - Unsolicited

commercial e-mail

- Hacking - Conversation

record

- Hacking - Cookies

- Hacking - Cookies

- Hacking - Cookies

- Hacking - Cookies

• Controls - Filter software - Best practices

- Best practices

- P3P - WebTrust 3.0 - OPS - Best practices

- Best practices - SET - Best practices

- Best Practices

Availability

• Importance

Low

Low

High

Low

High

High

• Threats - Interruption

- Interruption

- Interruption

- Interruption

- Interruption

- Interruption

• Controls

- Network protection

- Best practices


- Best practices


- Best practices


- Best practices


- Best practices


- Best practices.

Table 2.1. Summary of Internet security threat and control analysis.

33

3. Influence of culture on privacy and security concern

3.1. Chapter structure

As it was mentioned earlier in chapter one, the purpose of this study is to investigate

the cultural impact on Internet consumers’ concerns about the security threats by

extending Udo’s study. I already described about Internet threats and controls in the

previous chapter. In this chapter, I present the cultural theories, which explain why

people think, believe, and behave in different ways. The understanding of cultural

theories is needed because it helps to develop an expectation about people’

characteristics in different cultures. And a survey conducted in the empirical part will

confirm or reject my expectation.

As for chapter structure, I begin with introducing definition of culture in section 3.2.

The culture theories from several literatures and how they shape behaviors are described

later in section 3.3. In this section, some relevant cultural dimensions, which possibly

affect privacy and security concerns, are described in more detail. Subsequently, I

provide my expectation about how people in different cultural dimension are aware of

privacy and security of personal data in a brief summary in section 3.4.

3.2. Definition of culture

Many anthropologists have been studied about culture for decades. Knowing about

different cultures enables people to understand why people in other societies learn, act,

think, and feel in different ways. Culture can be described as people’s mentality which

most of the time cannot support by scientific reasons. Because of advanced information

technology emergence in globalization age, boundary of countries is not considered a

barrier to operating international business any more. However, the impact of culture on

international business and management strategy is overwhelming and should not be

overlooked. To understand more about culture, various definitions of culture are

provided below.

Culture is the collective programming of the mind, which distinguishes the members of one group or category of people from another (Hofstede, G, 1991, 5).

34

Culture is a set of assumptions – shared solutions to universal problems of external adaptation (how to survive) and internal integration (how to stay together) – which have evolved over time and are handed down from one generation to the next (Schneider, S, 1997, 20). Culture is the accumulation of shared meanings, rituals, norms and traditions among the members of an organization or society. It is what defines a human community, its individuals, its social organizations, as well as its economic and political system. It includes both abstract ideas, such as values, ethics, as well as objects and services that are produced or valued by a group of people (Solomon, M, 1999, 377). Culture is the transmitted and created content and patterns of values, ideas, and other symbolic-meaningful systems as factors in the shaping of human behavior and the artifacts produced through behavior (Schutte, H, 1998, 6).

Of various definitions of culture, it can be summarized that culture is distinct

knowledge, values, norms, ideas and other symbols shared and transmitted by people in

particular society. Culture is not static but it can either gradually or instantly change.

Due to culture diversity, perspective and reaction of people in different societies can be

predicted. Though one can notice that each individual in the same society can be

different, they are more alike when compared to people in other societies.

3.3. Cultural dimensions

In order to understand one particular society, first of all one has to know its cultural

context. Many famous scholars invented cultural models to classify cultural context into

different dimensions. These models are shown as a map in figure 3.1.

35

Figure 3.1. Key dimensions of culture (Schneider, S, 1997, 31)

Based on distinct models in figure 3.1, an overall framework for integrated cultural

dimensions is provided in figure 3.2. Among various cultural dimension models, I will

use Schneider’s as the groundwork in this study. Since this framework provides a broad

view of different generally accepted models, it will help to cover all dimensions that

should be further examined about their impacts on attitudes toward privacy and security.

Schneider, S, classified the key cultural dimensions into three categories; “external

adaptation” includes relationship with the environment, “internal integration” includes

relationships among people and “linking assumption” regards as dimensions that relate

to both relationships with nature and people.

Kluckholn and Strodtbeck

- Relationship with time- Human activity- Human nature- Relationships with people- Time

Schein

- Relationship with nature - Human activity - Human nature - Relationships with people - Time - Truth and reality

Trompenaars

- Relationship with nature - Relationship with people * Universalism/Particularism * Individulaism/Collectivism * Affectivity * Diffuse/Specific * Achievement/Ascription - Relationship with time

Hall

- Space : Personal/Physical - Time : Monochronic/ Polychronic - Language : High/Low context - Friendships

Hofstede

- Uncertainty avoidance - Power distance - Individualism/Collectivism - Masculinity/Femininity

Adler

- Human nature - Relationship with nature - Individualism/Collectivism - Human activity : Being/Doing - Space : Private/Public - Time : Past/Present/Future

36

Figure 3.2. Underlying cultural dimensions (Schneider, S, 1997, 32)

I shall briefly describe the cultural dimensions of each perspective in the following

subsections. There are some dimensions that I would extensively describe, as they

potentially demonstrate the important consumers’ behaviors. The consumers’ attitudes

that relate to this research involve the concern about threats, risk controls, and security.

The related concerns are expected to represent how online consumers in different

cultures feel about computer threats and security. These concerns include the need for

security and privacy, attitude toward unfamiliar situations, trust and dependency

between one another in a society. Such concerns are obviously indicated in some

cultural dimensions including uncertainty avoidance, human nature, individualism

versus collectivism, and space. More details of related cultural dimensions are

elaborated as follow.

3.3.1. External adaptation

Relationship between human and nature can be viewed in three main groups;

relationship with nature, nature of human activity and nature of reality and truth.

In the first group, there are two main dimensions; the control over nature, and

uncertainty avoidance. In some cultures, people believe that they can control nature

while in other cultures people just let things happen as they think events are caused

Linking assumptions- Space * Personal and physical- Language * High-Low context- Time * Monochronic and polychronic * Past, present, future

External adaptation- Relationship with nature * Control * Uncertainty avoidance- Nature of human activity * Doing vs. Being * Achievement vs. Ascription- Nature of reality and truth

Internal integration- Human nature * Basically good/Basically evil- Nature of human relationships * Social vs. Task orientation * Particularism vs. Universalism * Hierarchical * Individualism vs. Collectivism

37

by nature and are unchangeable. With different perspectives toward control over

nature, people tend to have different levels of uncertainty avoidance. For example,

people may be eager to learn by mistake or trial and error, and they prepare for

unexpected outcome and uncertainty. Uncertainty avoidance happens when people

try to avoid unpredictable or risky situations. I will further emphasize the uncertainty

avoidance dimension in subsection 3.3.1.1 as it could imply to an extent, in which

people feel threatened by computer crime.

The second group involves ‘doing versus being’, and ‘achievement versus

ascription’. In doing versus being dimension, people who like to take action belong

to a ‘doing’ culture, while others who like to plan, wait to see situation, and adapt

themselves to such situation belong to a ‘being’ culture. For ‘achievement versus

ascription’, it involves the concept of what is more important between who you are

and what you are able to accomplish.

The last group is ‘nature of reality and truth’. In some societies, truth and reality

mean facts and figures. However, in other societies, truth and reality include facts,

feeling and intuition. Truth does not mean the same in different societies and will

lead to different solutions to the same problem.

3.3.1.1. Uncertainty avoidance dimension

The content in this subsection is mainly based on Hofstede, G, 1991, 109-

137. Firstly, I describe the underlying concept in order to understand the main

idea of uncertainty avoidance. Secondly, I bring up the Hofstede’s study, which

shows how people in various countries are aware of uncertain circumstances.

Thirdly, I explain why people’ opinions differ from one country to another by

referring to his study. Moreover, his supporting reasons are important, as I will

use them to analyze characteristic of people in studied countries in the next

chapter. Finally, I provide a conclusion at the end.

(1) Uncertainty avoidance concept

Uncertainty avoidance can be defined as the extent to which the member

of a culture feels threatened by uncertainty or unknown situations. This feeling is

expressed through nervous stress and in a need for predictability and written or

unwritten rules. In a strong uncertainty avoidance society, many tools are needed

to protect against threats. For example, technology helps to avoid uncertainties

caused by nature. Laws and rules prevent uncertainties in the behavior of other

38

people, and religion helps in the acceptance of the uncertainties. In addition,

members in strong uncertainty avoidance cultures need the structure of

organizations, institutions, and relationships, which lead to interpretable and

predictable events. Though they can accept familiar risks as routine, they are still

afraid of unfamiliar risks or ambiguous situations. On the other hand, in low

uncertainty avoidance, members think of uncertainty as a normal situation,

which always happens in their lives and they try to take advantage of such

situations. They feel comfortable with or are curious about unfamiliar risks.

Consequently, they tend to be more flexible and accept new things faster than

people in strong uncertainty avoidance cultures do.

(2) Uncertainty avoidance index in different countries

Hofstede did a survey study about how people in different countries react

in each cultural dimension, which I will use as fundamental point in this

subsection. First, I shall give brief research methodology of his work since I

believe it is important to understand how he gathered information. Then I will

present his survey results.

Hofstede’s model of cultural dimensions includes power distance,

individualism versus collectivism, masculinity versus femininity and uncertainty

avoidance. He developed survey questionnaires aiming to study how people in

many regions and countries respond in each dimension. During 1980-1984, the

questionnaires were spread throughout IBM local subsidiaries around the world.

Employees of IBM in 50 countries and 3 regions participated in his study. Based

on the predefined score number for each answer, he calculated the mean score of

answers for each question in all countries and then gave rank numbers of the

countries. The score or index varies approximately from zero for the lowest to

one hundred for the highest. Hofstede also pointed out that the countries could be

classified into clusters such as Anglo, Nordic, Latin, and Asian in which they

share common characteristics. The clusters of countries are shown in figure 3.3.

39

Figure 3.3. Country clusters (Schneider, S, 1997, 51)

The summary of score range in uncertainty avoidance dimension based on

his finding is presented in table 3.1.

Region or country Uncertainty

avoidance index

Level of

uncertainty

avoidance

Latin America, Latin Europe, Mediterranean

countries

112-67 High

Japan, South Korea 92, 85 High

Germanic countries 70-58 Medium high

Asian countries

(Except Japan and South Korea)

69-8 Medium to low

African, Nordic, Anglo countries 52-23 Medium to low

Remark : Finland Thailand The U.S.

59 64 46

Medium

Medium high Low

Table 3.1. Range of uncertainty avoidance index

40

The more scores a country has, the stronger uncertainty avoidance a

society has. From the index in table 3.1, the clusters having high uncertainty

avoidance scores are Latin America, Latin Europe, and the Mediterranean

region. Particular countries such as Japan and South Korea have high scores as

well. Germanic-speaking countries such as Austria, German, and Switzerland

have moderately high scores. African, Anglo and Asians excluding Japanese and

Korean have medium to low scores. The Nordic-speaking countries and the

Netherlands possess medium to low scores as well.

(3) Possible reasons for differences between clusters

• Religions

Religions possibly affect uncertainty avoidance to some extent, as many

religions establish the belief of ultimate certainty of life after death and

acceptance of the uncertainties. For example, most Orthodox and Roman

Catholic Christian countries tend to have strong uncertainty avoidance supported

by the fact that confession of sins is needed to get rid of guilty feelings when one

breaks the rules. Some Western religions are concerned about ultimate truth,

which is necessary for salvation and personal achievement purposes. Hence,

people who possess other truths are wrong and they should be converted,

avoided or even killed. The more people believe in possession of absolute truth,

the more society tends to have strong uncertainty avoidance. However, some

Westerns in weak uncertainty avoidance cultures such as Protestant Christian

countries believe in absolute truth but are less likely to believe that they alone

possess it. In contrast, Eastern religion tends to be less concerned about absolute

truth. For example, Buddhism emphasizes more on meditation rather than on

truth. Consequently, they tend to have medium to low uncertainty avoidance

levels.

• Roman and Chinese empires

Let us examine the history of some nations. The Chinese Empire was a

root of Eastern Asian culture. The Chinese Empire in the past had a system to

govern people by general principles, thus codified laws were not given much

attention. Society that desires only a few and general laws possesses the patterns

of weak uncertainty avoidance. Most Germanic countries in which people speak

German, English, Dutch, Danish, Norwegian or Swedish were separated into

small communities governed by local rulers, hence people needed only a few

rules and tended to have low uncertainty avoidance. On the other hand, in the

41

Roman Empire, the particular codified laws were initiated to rule a country and

use with every single citizen with no exceptions. It implies that they were highly

concerned about uncertainty and needed clear-cut laws to protect themselves

against ambiguous situations.

In short, people in strong uncertainty avoidance societies tend to seek safety and

security in their lives more than those in weak uncertainty avoidance societies do.

Thus laws, regulations, and security policy are crucial in a strong uncertainty

avoidance society more than in a weak one.

3.3.2. Internal integration

Based on Schneider’s model, internal integration refers to relationship among

people. The first dimension in this part is human nature. It is about how people think

about nature of people, such as whether people are good or bad. This dimension

relates to this study because the concept of ‘basically good or basically evil’ results

in the level of trust among people in a particular community. I shall further examine

in subsection 3.3.2.1 about how this concept affects attitude toward trust and

security concerns.

Secondly, many dimensions consisting of social versus task orientation,

particularism versus universalism, and hierarchical and individual versus

collectivism are groups in the nature of human relationships. I shall briefly describe

about them according to Schneider, S, 1997, 36-39.

Social versus task orientation is about how people prefer focusing on task and

establishing relationships. If people are social oriented, the relationship should be

established before two parties can talk business.

Particularism versus universalism involves people being treated equally. In

universalism, everybody should be treated and governed by the same laws. In

particularism, people are not equal, thus some people should have privileges above

others.

Next, hierarchy can be described as the structure of society or organization. In

some organizations, supervisors encourage subordinators to take part in decision

making, or the boss joins his employees in sport games, holidays, celebrations, etc.

42

This makes employees feel more comfortable when working with supervisors, and

hierarchy is not so important.

The last dimension is individualism/collectivism. This dimension involves

interdependency and trust between group members, which affect trust and attitudes

toward strangers or unfamiliar things. I shall elaborate in subsection 3.3.2.2 since it

potentially affects individual’s acceptance of new things like Web sites and their

security policies.

3.3.2.1. Human nature dimension

The content of this subsection is primarily based on Schneider, S, 1997,

36, Adler, N, 1986, 13-16 and Schein, E, 1985, 98-101.

Human nature value is the feeling about the positive and negative sides of

people. There are two main assumptions about human nature; people are

basically good or basically evil. However, some cultures fall between these two

assumptions, which means people can be both good and evil, and they can

improve themselves as well. People absorb value of evil and good from children

onward. Some religions hold a belief in original sin. It implies that people

believe that human nature is basically evil, therefore confession and asking for

forgiveness are anticipated and rules and supervision are also needed. On the

other hand, other religions are founded on assumption that human nature is

basically good and they work hard to fulfill their personal achievements.

Undoubtedly, people in ‘basically good’ cultures tend to trust one another more

than those in ‘basically evil’ cultures.

3.3.2.2. Individualism versus Collectivism dimension

The content in this subsection is mainly based on Hofstede, G, 1991, 49-

77. Firstly, I describe the underlying concept in order to understand the main

idea of individualism versus collectivism. Secondly, I bring up the Hofstede’s

study, showing that some countries tend to be individualist while some countries

are obviously collectivist, and others are in the middle. Thirdly, I explain why

people differ from one country to another. His supporting reasons are important,

as I will use them to analyze characteristic of people in studied countries in the

next chapter. Finally, I provide a brief conclusion at the end.

43

(1) Individualism versus Collectivism concept

This dimension demonstrates measurement of dependency between one

another. Individualism can be illustrated by societies in which the relationships

between individuals are weak, which means everyone is expected to look after

oneself and one’s immediate family. On the other hand, collectivism can be

defined as societies in which people from birth onwards are integrated into

strong, cohesive ingroups, which throughout people’s lifetimes continue to

protect them in exchange for unquestioning loyalty (Hofstede, G, 1991, 51).

Collectivism regards importance of group interest more than that of individual

interest, while individualists think vice versa. Compared with collectivism,

individualists are more self-reliant, dependent and aware of privacy right to a

greater extent.

The concept of trust is affected by individualism versus collectivism as

well. Trust is the expectation that arises within a community of regularity,

honesty, and cooperative behavior, based on commonly shared norms, on the

part of other members of that society (Fukuyama, F, 1995, 26). In a strong

collectivism community, people rely so much on family, friends or co-workers,

that they tend to distrust unrelated people. Consequently, from an outsider’s

point of view, collectivism is observed in a low-trust society. In order to do

business with collectivists, one must first establish trust and get to know them to

generate strong relationships. Although it takes time for collectivists to be

familiar with a stranger, a businessman can smoothly and successfully conduct

business in a long run once he finds a good relationship with them. Collectivists

regard word of mouth among acquainted people as the most faithful, thus

marketers should consider this communication channel as an effective way to get

widespread acceptance of products from a collectivism society.

(2) Individualism index in different countries

Hofstede indicated that the cluster in individualism versus collectivism

dimensions can be based on a combination of demographics, economics and

history. The countries in a stronger individualism cluster tend to be more

wealthy and industrialized than those in collectivism cluster do. I shall

summarize about the range of individualism score in table 3.2 based on

Hofstede’s findings. The score varies from zero for the most collectivism, to one

hundred for the most individualism.

44

Region or country Individualism

index

Level of

individualism/collectivism

Anglo countries (Except Ireland

and South Africa)

91-79 Very high individualism

Ireland, South Africa 70, 65 High individualism

Nordic countries 79-63 High individualism

Germanic countries 68-55 High to medium individualism

Latin Europe (Except Portugal) 76-51 High to medium individualism

India, Japan 48, 46 Low collectivism

Latin America 46-12 Medium to high collectivism

Asia (Except India and Japan) 32-14 Medium to high collectivism

Portugal 27 Medium collectivism

Remark : Finland Thailand The U.S.

63 20 91

High individualism High collectivism Very high individualism

Table 3.2. Range of individualism index

(3) Possible reasons for differences between clusters

• Wealth of country

When a country’s wealth increases, its citizens have access to resources

which allow them to ‘do their own thing’ (Hofstede, G, 1991, 76). People

naturally share something with others unless they have enough well being to buy

their own things. Decrease in degrees of sharing things with others is the result

of increase in wealth, implying that collective characteristics are changing to be

more individualist. One spends more time with oneself as one can enjoy using

his own belongings and privacy becomes more important. One can see grouping

of developed countries and less developed or developing countries in figure 3.3.

It shows that the wealthier countries based on more GDP tend to be more

individualism. See table 3.3 for abbreviations of countries and regions shown in

figure 3.3.

45

Figure 3.4. Individualism score versus 1987 GNP/capita (Hofstede, G, 1991, 75)

Abbreviation Country or region Abbreviation Country or region ARA Arab-speaking countries (Egypt,

Iraq, Kuwait, Lebanon, Libya, Saudi Arabia, United Arab Emirates)

JAM Jamaica

ARG Argentina JPN Japan AUL Australia KOR South Korea AUT Austria MAL Malaysia BEL Belgium MEX Mexico BRA Brazil NET Netherlands CAN Canada NOR Norway CHL Chile NZL New Zealand COL Colombia PAK Pakistan COS Costa Rica PAN Panama DEN Denmark PER Peru EAF East Africa (Ethiopia, Kenya,

Tanzania, Zambia) PHI Philippines

EQA Equador POR Portugal FIN Finland SAF South Africa FRA France SAL Salvador GBR Great Britain SIN Singapore GER German F.R. SPA Spain GRE Greece SWE Sweden GUA Guatemala SWI Switzerland HOK Hong Kong TAI Taiwan IDO Indonesia THA Thailand IND India TUR Turkey IRA Iran URU Uruguay IRE Ireland (Republic of) USA United States ISR Israel VEN Venezuela ITA Italy WAF West Africa (Ghana, Nigeria,

Sierra Leone) YUG Yugoslavia

Table 3.3.Abbreviations for the countries and regions studied (Hofstede, G, 1991, 55)

46

• Population growth

Rate of population growth is strongly related to this dimension. As

mentioned earlier, individualist societies tend to have a small family while

collectivism prefers to live in a big family. Population growth indicates an

average number of children in a family. Thus in a country that has high growth

rate tends to have big families and be collectivist rather than individualist.

• National history

History is one factor that always affects the culture in a particular society.

In East Asia, believing in Confucius leads to collective characteristics. In the

West, many Europeans from England, Scotland, and the Netherlands immigrated

to the new land such as the U.S., Australia and New Zealand to seek better lives.

They had to fight for themselves to occupy land and be able to live in new

environments, therefore they tend to be independent and self-reliant, which is the

individualist type.

Individualism and collectivism seem to require different levels of privacy. I shall

conclude that the extent of privacy and security concern of collectivists depends

somewhat on word of mouth of other members. Once one member accepts a

particular thing, word of mouth is spread out, then other members subsequently

accept it and the degree of security concern decreases. However, collectivists tend to

distrust the unknown or new things, which other members have not accepted, thus

consequently security concerns remain relatively high. As for individualists, I shall

assume that they care about their privacy rights, due to their self-dependent

characteristics and rely less on word of mouth.

3.3.3. Linking assumption

The linking assumption involves the relationship between nature and people. It

includes three main dimensions; space, language and time. The content of this

subsection is primarily based on Schneider, S, 1997, 39-42, and Adler, N, 1986, 12-

25.

The space dimension determines how people need their physical and personal

spaces. The space-needed can imply level of privacy that people expect, and this

dimension is considered a related cultural issue to my research objective. I will

elaborate the space dimension in subsection 3.3.3.1.

47

The language dimension can be divided into high-context and low-context

cultures. In low-context communication, people tend to use direct and explicit

words. The high-context communication seems to be opposite.

The last dimension is about time. In some societies, time is limited and should

be efficiently spent; it is considered ‘monochronic’. Other societies, time could be

expanded and one can do many things at the same time. It is called ‘polychronic’.

The concentration on past, present, and future time varies in different cultures as

well.

3.3.3.1. Physical and personal space dimension

The space in this context can be classified into two types; physical space

and personal space. The physical space involves people managing to live in a

particular environment or in limited space. Physical space management reflects

harmony between people and their environment. One can easily observe the

physical space management in a particular culture by looking at architecture

styles and other object designs. In some countries where territories are so large

and population densities are low, physical space is somewhat carelessly

managed and the concept of living in harmony with the environment is less

important. For example, buildings are designed to have only a few stories and

unutilized space between each building is not concerned wasteful. People

living in plenty of physical space tend to put less emphasis on living in

harmony and personal distances. Regarding personal space, people need a

certain distance that is not too far or too near to make them feel comfortable.

Such distance varies from one culture to another. The need for personal space

determines the demand for privacy.

The needs for personal space and physical space interrelate to each other. I

shall conclude in brief that the more people are constrained by limited physical

space, the more people need personal space or privacy.

3.4. Summary

Culture can be briefly described as shared knowledge, values, norms, ideas and other

symbols by a group of people and transmitted to the younger generation in that society.

The cross-cultural psychology has been extensively studied for several decades to help

48

solve the question of how and why different social and cultural forces influence

behaviors of members in a particular society. Various anthropologists have made

different models of cultural dimensions. However, these models have some dimensions

in common and they were integrated to present a whole picture in section 3.3. Among

many cultural dimensions, I proposed that some dimensions have the potential

influences on one’s security and privacy awareness. Later on in this section, I will use

characteristics of people, showing in the selected dimensions, to form a prediction about

how consumers in different cultures respond to the privacy and security issues. The

related cultural dimensions and their implications to consumer behaviors were

summarized in table 3.4. As for the source of this table, in the first column, the related

cultural dimensions were presented. Based on various culture literatures, the culture

could be divided into many dimensions. After I reviewed all cultural dimensions and

provided the brief explanation for each of them, I basically chose some dimensions that

obviously influence the way people are aware of security and privacy. These dimensions

included uncertainty avoidance, human nature, individualism versus collectivism, and

space. In the second column, the implications to consumer behaviors were presented.

The consumer behaviors were deduced from many literatures that I reviewed. One could

also find the source of information in this column in the conclusion in subsection 3.3.1,

3.3.2, and 3.3.3.

Involving cultural

dimensions Implication to security concerns

1. Uncertainty avoidance • Stronger uncertainty

avoidance

• Weaker uncertainty avoidance

• People tend to possess risk aversion characteristics.

They try to avoid unclear situations. • People are flexible and feel quite comfortable to

accept security risks. 2. Human nature

• People are basically good.

• People are basically evil.

• Based on the idea that people are good and behave

properly to achieve the highest goals of lives, lower awareness of threats and crime is expected in this culture.

• Holding belief of original sin, people are expected to

make mistakes, break the laws and rules. Thus, people are concerned about vulnerability caused by bad people.

Table 3.4. Summary cultural influences on privacy and security concern

49

Involving cultural dimensions

Implication to security concerns

3. Individualism/Collectivism • Individualism • Collectivism

• People are self-reliant and aware of their rights. • People are interdependent between one another.

Sharing personal data within a group is acceptable but not with outsiders. People tend to rely on word of mouth. Consequently, an extent of safety concern and awareness of threats highly depends on whether a community accepts such threats or not. If some community members feel comfortable to encounter the computer threats, the concern about online security among other members is expected to reduce.

4. Physical and personal space • Stronger need for space • Lower need for space

• People who live in limited physical space tend to

need more privacy. They respect personal affairs, confidentiality and privacy rights.

• If people are not restrained by physical space, they

desire less personal space and consequently feel more comfortable to share personal data with others.

Table 3.4. Summary cultural influences on privacy and security concern (Continued)

Next, I will integrate this culture summary table with the Internet security analysis

table derived from the previous chapter. The objective of the integration is to analyze

the impact of cultures on different security attributes. It will also refer to threats and

controls of computer security.

For review, I provided a brief discussion about the Internet security analysis table,

which was presented at the end of chapter two. In the Internet security analysis, many

types of Internet uses, such as e-mailing and electronic trading, were presented. The

general computer security attributes, such as confidentiality and integrity, were

illustrated as well. Then, the analysis of threats and controls was conducted for each

combination of Internet usage types and the security attributes.

The result from an integration of culture and computer security was shown in table

3.5. I shall describe about the table in sequence of the creation steps as follow.

1) Determine the cultural dimensions

50

To form the integrated table, firstly, all interested cultural dimensions, which were

presented in table 3.4, were included. As I mentioned in the explanation of table 3.4,

these dimensions were expected to represent the security and privacy awareness of

consumers. They consisted of uncertainty avoidance, human nature, individualism

versus collectivism, and space dimensions.

2) Select the computer security attributes

I have selected some security attributes, which represent the most obvious cases. By

‘obvious cases’, I mean the situations that apparently or potentially show the influence

of cultures on online consumer concerns. Based on the table 2.1, four types of computer

security attributes were presented. They included

• confidentiality,

• integrity,

• privacy, and

• availability.

Based on the cultural influences summary in table 3.4, the confidentiality, integrity

and privacy were likely to be the obvious concerns that would be affected by cultures.

The supporting evidences will be presented in step four. However, the availability

attribute was not chosen because it was more likely related to technical issue than

cultural differences.

3) Determine types of Internet use

From table 2.1, there were three main types of Internet use, which are electronic

messaging (including to e-mail and public message), browsing and trading transaction

(including e-order, e-payment and e-delivery). According to the selected security

attributes in step two, I shall further select the types of Internet use in which the users

would take these attributes as serious concerns. The objective of the selection is to

depict the most obvious cases for this research. Based on table 2.1, the three selected

attributes including confidentiality, integrity and privacy were considered highly

important issues for the uses of e-mail and e-payment. Consequently, I will apply the

uses of e-mail and e-payment for an analysis in the integrated table.

51

Possible threats and controls when using

Impact of cultural differences on consumer concerns Important security

attributes E-mail E-payment Uncertainty avoidance Human nature Individualism versus Collectivism

Physical and personal space

Confidentiality Threats: - Eavesdropping - Interference - Hacking Controls: - PEM - S/MIME - PGP - Web Based

Secure Mail

Threats: - Eavesdropping - Interference - Hacking Controls: - TLS - SET

The degree of confidentiality concern is expected to be • Higher in a strong

uncertainty avoidance culture.

• Lower in a weak uncertainty avoidance culture.

Note that law and regulation for online consumer protection are crucial to people in strong uncertainty culture.

The degree of confidentiality concern is expected to be • Higher in a society,

which considers human nature ‘basically evil’

• Lower in a society, which considers human nature ‘basically good’.

• In an individualism culture, the high degree of confidentiality concern is expected.

• In a collectivism culture, the degree of confidentiality concern depends on the group acceptance of a particular Web page. Ø If they accept, the

lower concern is expected. Ø If they have not

accepted, the higher concern is expected.

Not directly applicable.

Integrity Threats: - Eavesdropping - Code

modification Controls: - PEM - S/MIME - PGP - Web Based

Secure Mail - Scanning

Software

Threats: - Eavesdropping Controls: - TLS - SET

The degree of integrity concern is expected to be • Higher in a strong

uncertainty avoidance culture.

• Lower in a weak uncertainty avoidance culture.

Note that law and regulation for online consumer protection are crucial to people in strong uncertainty culture.

The degree of integrity concern is expected to be • Higher in a society,

which considers human nature ‘basically evil’

• Lower in a society, which considers human nature ‘basically good’.

• In an individualism culture, the high degree of integrity concern is expected.

• In a collectivism culture, the degree of integrity concern depends on the group acceptance of a particular Web page. Ø If they accept, the

lower concern is expected. Ø If they have not

accepted, the higher concern is expected.

Not directly applicable.

Table 3.5. Integrated computer security attributes with cultural dimensions

52

Possible threats and controls when using

Impact of cultural differences on consumer concerns Important security

attributes E-mail E-payment Uncertainty avoidance Human nature Individualism versus Collectivism

Physical and personal space

Privacy Threats: - Hacking - Unsolicited

commercial e-mails

Controls: - Filter software - Best practices

Threats: - Hacking - Cookies Controls: - SET - Best practices

Not directly applicable. Not directly applicable. • In an individualism culture, the high degree of privacy concern is expected.

• In a collectivism culture, people are less concerned about privacy when sharing information between members in their group. However, the high degree of privacy concern is expected for sharing information with outsiders.

The degree of privacy concern is expected to be • Higher in a society, in

which people live in limited space.

• Lower in a society, in which people live in adequate or large space.

Table 3.5. Integrated computer security attributes with cultural dimensions (continued)

53

4) Determine impact of cultures on security attributes

I will analyze and develope expectations based on cultural literature reviewed in the

previous sections in this chapter. I used my expectations as a basis to apply the

information gathered from the studied countries and to conduct survey research. I shall

describe the cultural impact on security concerns in sequence of the cultural dimensions.

4.1) Uncertainty avoidance dimension

• Uncertainty avoidance with confidentiality and integrity attributes:

In a strong uncertainty avoidance society, it is expected that Internet users are

highly aware of threats to personal security. They need to ensure the security control

of data modification and disclosure. Otherwise they would avoid giving the sensitive

information in e-payment form, or submitting private information via e-mail. The

sound controls and consumer protection regulation are very crucial in the society.

In a weak uncertainty avoidance society, Internet users tend to accept possible

threats. Though they are aware of the confidentiality and integrity risk, they tend to

be more comfortable and acceptable to the exchange of sensitive data on the Net.

The establishment of controls and regulation to protect against confidentiality risk

are less important, as people think of risk as a normal situation.

• Uncertainty avoidance with privacy attribute:

The uncertainty avoidance could imply risk aversion characteristic and the need

for security, but it did not show the need for privacy. Hence, I shall omit an analysis

of impact of uncertainty avoidance dimension on privacy concern. However, an

analysis will be provided on other cultural dimensions that relate to privacy issue.

4.2) Human nature dimension

• Human nature with confidentiality and integrity attributes:

There are two main aspects of how people think of human nature. Human nature

could be ‘basically good’ or ‘basically evil’. It depends on religion and other factors

which was described in subsection 3.3.2.1. However, in some societies, the human

behavior can be in-between good and bad.

Internet users, who hold the belief of ‘basically good’ human nature, are not

likely to anticipate the harm caused by other people. The thought of hazardous

situations that may lead to the revealing or changing of messages does not affect

many people when they write e-mail or give sensitive information on online

payment form. This is because they believe that people possess the appropriate

behaviors and they tend to be less aware of cyber attacks. However, the awareness of

54

confidentiality and integrity risks tends to be high for Internet users who believe that

human nature is ‘basically evil’. The supporting reason is that they hold the idea that

people tend to break the rules or make mistakes either by accident or on purpose.

• Human nature with privacy attribute:

Based on the literature review in subsection 3.3.2.1, the human nature dimension

illustrates an expectation of good or bad behaviors of human beings. Although this

expectation implies the awareness of computer criminals, it does not clearly reveal

the need for privacy. Hence, I shall defer an analysis to other cultural dimensions

that directly relate to privacy issue.

4.3) Individualism versus collectivism

• Individualism versus Collectivism with confidentiality, integrity and privacy

attributes:

An individualist is considered a self-reliant person, while a collectivist depends

on others for support. Individualists seem to consider privacy rights and personal

security as the important issues. Although the collectivist tends to accept sharing

information between group members, the privacy invasion, occurred by exchanging

information with unfamiliar Web sites, remains a significant concern. It is worth

noting that a group acceptance is very crucial in collectivism environment. Since the

collectivists rely on each other so much, the group that they belong to has powerful

influence on group members’ behaviors. Internet users in collectivism culture could

easily accept using e-mail or making payment in a particular Web page if other

group members satisfy the Web sites’ security controls or accept the possible risks.

In conclusion, Internet users in individualism culture are highly aware of the

privacy and confidentiality invasion. They are concerned about threat to data

integrity as well. As for the collectivists, their concerns about security attributes

would be similar to those of individualist. However, the degree of concern would be

significantly reduced if the group acceptance is achieved.

4.4) Physical and personal space

• Physical/Personal space with confidentiality and integrity attributes:

The space dimension described in subsection 3.3.3.1 concretely related to

privacy needs. Thus, I will leave out an analysis here.

• Physical/Personal space with privacy attribute:

According to space dimension, the physical space had correlation to the need for

privacy or personal space. It implies that people, who live in limited space, tend to

need more privacy. On the other hand, people living in adequate space tend to feel

55

comfortable to share private information with others. Consequently, I propose that

Internet users, who live in a restrained space, have stronger desire for privacy.

5) Determine impact of security threats and controls on consumer concerns

This is an additional step, which involves a comment about how the security controls

would help reduce consumer concerns. According to the various kinds of threats

presented in table 3.5, they included eavesdropping, code modification, hacking,

unsolicited commercial e-mails, cookies and interference. Internet users tend to be

familiar with some or all of these threats. For example, Internet users may face a bulk of

commercial e-mails, which are sent to them without their demands every other day.

Media and government usually publicize warnings for new viruses or worms. Today,

one can find these threats as a common issue.

To protect against possible threats, many security tools have been created. Though in

table 3.5 I classified the controls by types of security attributes, it is easier in this place

to group them into two main categories. The first category of controls consists of the

filter software, the virus-scanning software, and the best practices. These are somewhat

common and widely used by Internet consumers. They are easy to use and require only

simple computer security knowledge. Above all, they could help reduce consumer

concern about computer security to a certain level. However, these controls may be not

enough for the protection of the very sensitive data. For more complicated protection,

the second category of controls may be applied. The second category includes controls

that are based on cryptography mechanism such as PEM, S/MIME, PGP, Web Based

Secure Mail, SET and TLS. These controls apply the private and public keys to encrypt

and decrypt messages. As mentioned in chapter two, the strong cryptography has been

considered the most powerful security technology and is difficult to crack. That is why

many security tools today rely so much on cryptography. The uses of encryption and

decryption sound familiar to most of Information Technology people such as system

designers, programmers, and computerize auditors. However, the cryptography requires

more advanced knowledge compared with the controls in the first category. Thus,

normal Internet users have not expansively used it. I believe that many online consumers

may not be aware of the usefulness of cryptography. Consequently, I suggest that the

security controls, which are based on cryptography infrastructure, have not affected the

consumers’ concerns yet.

56

4. Internet security and culture influence in studied countries


In this research, I aim to analyze cultural impact on Internet consumers’ concerns

about privacy and security. According to my research objective, the knowledge about

the computer threats and security was provided in chapter two. Then, the cultural

dimensions that influence consumers’ concerns towards security and privacy issues were

presented in chapter three. The integration of the computer security and the cultural

impact was also presented in a summary of chapter three. Now, as I have acquired the

integrated knowledge of computer security and culture theories, I would further progress

by using such knowledge to generate the expectation for the selected countries including

Finland, the U.S., and Thailand. According to the conducted survey, which will be

presented later in empirical chapter, the populated samples from each country will be

used to examine my expectation. To begin creating expectation for the selected

countries, first of all, I shall provide brief backgrounds of each country. Basic

knowledge, such as history and religion is important as these factors commonly shape

the unique culture of a particular society. Thus in section 4.2, I present some

information about Finland, Thailand and the U.S., respectively. Next, I integrate the

cultural dimensions with unique characteristics of each country and make an analysis in

sections 4.3 to 4.6. Such analysis is classified by cultural dimensions, which have high

potential to affect the way people care about privacy and security according to the

knowledge from chapter three. Finally, I determine levels of privacy and security

concerns based on my expectations from previous chapter and present in section 4.7 as a

summary.

4.2. Basic background of studied countries

4.2.1. Finland

The content of this subsection is mainly based on a book called “Facts about

Finland” written by Elovainio, P, and the CIA-The World Factbook Web site.

4.2.1.1. Brief history of the nation

57

From the twelfth century to the early eighteenth century, Sweden, aiming

to spread the Christian religion, conquered others in the Crusades and occupied

Finland. Finland became a part of Swedish territory until Russia declared war on

Sweden in the early nineteenth century. Sweden defeated and ceded Finland to

Russia. Due to revolution in Russia after World War I and deposition of the

Russia monarchy, Finland announced its independence on December 6, 1917.

The Soviet Union attacked Finland again in the Winter War and the Continuation

War during 1939 to 1944. The long history of occupation and invasion ended

with a Treaty of Friendship between the Soviet Union and Finland in 1948.

4.2.1.2. Religion

The most dominant religion in Finland, like other Nordic countries, is the

Evangelical-Lutheran faith, having about 4,400,000 members or 85.2% of the

total population in 1998. The other religion is Orthodox, which has 54,000

members or 1.1% of the total population. The minority of people is Catholic,

Muslim, and other religion, and the rest of the population define themselves as

non-denominational. In reality, people do not frequently go to church, but half of

the population still consider themselves believers.

4.2.1.3. Population and other interesting facts

• Demographic facts

Finland has a population of 5,175,783. Of the whole population, people of

working-age (15 to 64) possess the highest proportion of 67%, while children

under 15 years old make up 18%, and senior citizens over 64 years old are over

15%. Population growth rate was 0.16% in 2001.

Finland is considered the third most sparsely populated country in Europe.

This is because about 25% of area is located in the North Pole, in which coldness

is a major constraint to life or building construction. Population is more dense in

the south, which is surrounded by Baltic Sea and warmer than the north. The

population density in 1998 was about 17 persons per square kilometer.

• Internet users

The number of Internet users in Finland was about 2.27 million or 44 % of

the total population in 2000.

• Other facts

58

In the early 1980s, Finland was ranked one of the world’s ten most

prosperous countries based on a clean, crime-free and low-poverty society

(Lewis, R, 2000, 269). Finland is highly industrialized and also famous for its

high technology products. GDP per capita in 2000 was about 22,900 U.S. dollar.

Being a member of EU, the Finnish government is aware of the protection

of personal data. According to “Status of legislative procedure” from Privacy.org

Web site, Finland has established The Finnish Personal Data Act (523/1999) on

April 1999. This is to comply with EU Directives.

4.2.2. Thailand

The content of this subsection is mainly based on El Kahal, S, 2001, 109-113,

Lewis, R, 2000, 363-368 and CIA-The World Factbook Web site.


The ancestors of Thais were from the Yunan province of China. Similar to

other territories, Thailand had to go to war against neighbors to protect and

extend the colony. Thailand, unlike the rest of South East Asia, has never been

colonized by other countries. Thais are independent and that is why they define

the meaning of Thailand as ‘Land of the Free’. Although Thais loved freedom

and were proud of being independent, they did not neglect building relationships

with Western countries such as France, Britain, and the U.S.. In the past, Thais

were governed by the monarchy system. The king played an important role as

father of the nation who was responsible for taking care and ensuring the well

being of his people. Although a democracy system is in place today, people still

honor their beloved king and his speeches are significantly powerful to political

and general issues.

4.2.2.2. Religion

Most Thais, 95% of the total population, are Buddhist and the minority is

Muslim (4%). There is no restriction about religion, hence Thais can freely

choose to believe in other religions such as Christianity and Hindism as well.

Buddhism stresses that humans can be reincarnated into have many lives.

Buddhists believes that good or bad things happening in lives are the results of

‘karma’ from past lives. Once one did good karma, or good behavior, in a

59

previous life, one receives good things or good luck in present life. The lifestyles

of Buddhists affect a culture in the sense that a Buddhist tends to be flexible,

tolerant, patient, and easy to forgive, because he accepts his karma and believes

that he cannot change it.


• Demographic fact

The population of Thailand was 61,797,751 in 2001. The percentage of

children under 15 years old was about 23%, people in working age 70% and

senior citizens over 64 years old was 7%. Population growth rate was 0.91% in

2001.

Thailand possesses a land area of 511,770 square kilometers, with the

population density of 121 persons per square kilometer approximately.

Population below poverty line was about 12.5% in 1998 and the country still has

a problem of equality of income distribution.

• Internet users

A number of Thai Internet users were about one million or 1.6% of total

population.

• Other facts

Thailand is playing an important role in the Asian Pacific economy.

Though it has frequent changes in government, military intervention, and recent

economic recession, the foreign trade policy is still attractive and friendly to

foreign investors. Its GDP per capita was 6,700 U.S. dollar in 2000.

4.2.3. The United States of America

This subsection is based on three main sources; CIA – The World Factbook Web

site, Shippey, K, 1995, 221-245, and Crowther, J, 1999, 17,111, 450-451.


The beginning of U.S. history started with occupation of land by native

people known as Indians. Later on during the sixteenth to seventeenth century,

there came a new group of pioneers and colonizers, mainly from Britain, France,

Spain, the Netherlands, Sweden, and Russia. After the Revolutionary War

between the U.S. and Great Britain, the mother country, Britain’s American

60

colonies declared independence in 1776. At that time, the United States of

America became a new nation and began to expand its region to neighboring

territories. In the nineteenth century, there was a Civil War between the northern

and southern states of the U.S.. Two main reasons of the war were problems of

African slavery, and power of states’ rights versus the U.S. federal government’s

rights. Then in the twentieth century, the U.S. showed its power and was a

successful force in World Wars I and II. Americans hold the pride of having a

strong and powerful country.

4.2.3.2. Religion

The U.S. does not have clear establishment of religion, which means

Americans can choose to believe in particular religions or not believe in any

religion. There are two most prevalent groups, which are Protestant (56% of total

population) and Catholic (28% of total population). Moreover, most Americans

have strong religious beliefs supported by the facts that 96% of Americans

believe in God, 90% pray and 41% go to church regularly. It is not surprising to

notice that the official U.S. motto is ‘In God we trust’. Like other countries, the

U.S. has a minority holding other religions such as Hinduism, Buddhism, and

Sikh, and some are considered non-religious.


• Demographic fact

The U.S. is ranked the world’s third largest country by population and by

size. America possesses a land area of approximately 9 million square kilometers

and the population was about 278 million in 2001. Population density was about

30 persons per square kilometer. People between 15 and 64 years old dominate

the highest portion of the whole population (66.27% or 184 million). A

proportion of children under 14 years old was 21.12% or 59 million and that of

senior citizen over 64 years old was about 12.61% or 35 million.

Similar to Thais, Americans have quite a high percentage of population

below the poverty line (12.7% in 1999). And the population growth rate was

about 0.9% in 2001.

• Internet users

61

Born in the U.S., the Internet is extensively used by Americans. The

number of Internet users was about 148 million or 53% of total population in

2000.

• Other facts

The U.S., as one of a leading industrialized country, has the largest and

most technologically powerful economy in the world. It had a very high GDP per

capita of 36,200 U.S. dollar in 2000.

By the end of this section, the objective to understanding the history and background

of the selected countries has achieved. Subsequently, I would analyze the cultural

differences based on national backgrounds. The analysis would be classified into four

interesting cultural dimensions including uncertainty avoidance, human nature,

individualism versus collectivism, and space dimensions. These cultural dimensions are

derived from the analysis of potential related cultural dimensions in table 3.4 in chapter

three.

4.3. Uncertainty avoidance analysis

Among three studied countries in this thesis, Thailand and Finland had medium to

high scores about 59-64, and the U.S. had the lowest score of 46, based on Hofstede

index in table 3.1. There are two main reasons supporting different levels of uncertainty

avoidance. The first reason concerns religion. Most of Americans are either Catholic or

Protestant, while majority of Thais is Buddhists and Lutheranism is strongly hold by

Finns. As mentioned earlier in subsection 3.3.1.1 in chapter three, uncertainty avoidance

of Protestant Christian and Buddhism tends to be weak but that of Catholic tend to be

strong. This sounds reasonable with Thais and Finns uncertainty avoidance index.

However, Americans seems to be in between due to the strong belief in both Catholic

and Protestant.

The second reason is about the history of each country. Based on a strong Chinese

cultural influence, Thailand in the past had a governing system based upon general

principles, thus codified laws were not given much attention. Society that desires only a

few general laws possesses the patterns of weak uncertainty avoidance. Finland belongs

to the Germanic cluster, which tends to have low uncertainty avoidance. However,

Finland has relatively high uncertainty avoidance compared with other Germanic

62

countries, partly due to long history of occupations and government by Sweden and

Russia. As for the U.S., though the nation was once a colony of Britain and had gone

through many big wars, Americans hold a very strong belief in democracy and freedom.

The fact that the U.S. established the first constitutional democracy in the world

confirms this belief. Freedom and independence underlie the concept that the U.S. is a

land of opportunity where risk-taking is admired (Shippey, K, 1995, 223). Americans

are not afraid of challenge. Consequently, the U.S., with the perspective of taking

opportunity from the risk, is considered a weak uncertainty avoidance society.

However, I shall point out an issue of law and regulation presented in subsection

2.7.3 in chapter two , which can also demonstrate a degree of uncertainty avoidance. In

Finland, EU Directive is imposed and it is very strict about online consumer data

protection topic. So, it implies that people are concerned about their security of personal

data to a great extent. In the U.S., though there are many regulations to ensure protection

of privacy rights, there seems to be less restriction compared with EU. Americans

emphasize on private sector responsibility more than on a strict law issued by the

government. That means they believe that the Web sites should be responsible for

providing security policy thus no need for stringent law to be established. In contrast,

Thailand, like other Asia Pacific countries, has not yet developed clear rules and

regulations for online data protection. It seems that Thailand has the weakest rules

compared with others, and that reflects low concern about online security and privacy

issues.

4.4. Human nature analysis

Based on subsection 3.3.2.1, it is pointed out that when people believe that a human

is basically good, they tend to have a high-trust society. But in low-trust societies,

humans are seen as basically evil. The basis of how people think about human nature,

whether humanity is basically good or basically evil, lies in religious belief to some

extent. As I mentioned earlier in section 4.2, about 85% of Finns being Lutheran, 95%

of Thais are Buddhists, while Americans are both mostly Protestant and Catholic.

Protestant belief was founded on the idea that human is basically good. Protestants are

taught to live and work to maximize their human potential because they believe that

hard work and task mastery are the ways of achieving human goals (Schneider, S, 1997,

36). Due to Lutheran dominance in Finland, I expect that Finns see humans as basically

good in nature.

63

Buddhist belief was also founded on perception of basically-good human nature.

Buddhists believe they should behave and help weaker persons so that good things will

return to them in the future or next lives. They focus on getting rid of desire and

selfishness to achieve the highest stage of life or so called nirvana. Thais, in the old

days, tended to have a high-trust society. Nowadays, Thailand, unlike Finland, has

problems about poverty, unequal distribution of income and a high crime rate.

Consequently, people tend to be more careful and alert to potentially dangerous

situations (Pornpitakpan, C, 2000, 69-70).

In the U.S., both the Protestant and Catholic faith are strongly held. Humans are

traditionally seen as a mixture of good and evil, capable of choosing one over the other

(Adler, N, 1986, 13). American society is in the middle between high-trust society and

low-trust society, hence Americans can be described as cautious people. Americans also

believe that people can change to improve themselves and people can be good if they

behave and do the right thing such as working hard. However, because of the changing

world and increasing crime rate in the U.S., some Americans view that people today

cannot be trusted as much as in old day (Pornpitakpan, C, 2000, 69-70).

4.5. Individualism versus Collectivism analysis

The Hofstede’s list of rank numbers in individualism versus collectivism dimension

is presented in table 3.2. Based on individualism index, Thailand has individualism

score of 20, Finland has 63 and the U.S. has 91. It implies that Thailand is a strongly

collectivist country, Finland tends to be individualist one, and the U.S. is an extremely

individualist society.

Thais are taught to depend on one another and to help others so that in the event that

they might need help, they will be helped in return (Pornpitakpan, C, 2000, 62-63).

People are traditionally supposed to live with their parents until they get married. This is

because they can take care of parents and old family members more easily. So, Thais

believe in preserving good interpersonal relationships with family, friends, colleagues,

and other familiar persons. Due to a highly collective characteristic, they trust in

acquaintances to a great extent, but they tend to distrust strangers or unfamiliar people.

According to a table 3.4 about cultural analysis in chapter three, the collectivists are

aware of security threats caused by outsiders. However, the degree of concern would be

significantly reduced if the society accepts or is familiar to a particular threat.

64

In Finland, like most of European countries, children are taught to be self-reliant.

Within certain social confinements, the individual is encouraged to act independently

without necessarily considering the family (Worm, V, 1997, 76). Finns prefer

demonstrating their ability in individual tasks to acquire support from a team (Lewis, R,

2000, 278-279). They are individualistic and independent but they still care about

others’ feelings and want to listen to different opinions. Accordingly, Finland is

considered moderately individualism when compared to strong collectivism in Thailand

and extreme individualism in the U.S..

Americans are ranked as the most individualist in Hofstede’s study. The supporting

reason can be traced back to U.S. history. American society consisted of immigrants,

who were seeking new lives in new environment, from Britain and other European

countries, thus people used to fight for land and for themselves. When trying to survive

in an unfamiliar land, they needed to depend on themselves. In addition, young children

in the U.S. are encouraged to demonstrate their ability, give opinion, and count on

themselves. In contrast with Thais, Americans are supposed to live separately from their

parents when they consider themselves as adults who are mature enough to take care of

themselves. Americans believe that the individual is responsible for what he does, thus

he takes care of himself but should not expect a society or a government to look after

him (Crowther, J, 1999, 500). In short, Americans are self-reliant, individualist, and

independent rather than group-oriented and they put less emphasis on the idea of

sacrifice for the community and cooperation (Shippey, K, 1995, 221).

Hofstede’s assumption in subsection 3.3.2.2 in chapter three that industrialized

countries and the countries with low population growth rate tend to be individualist

sounds reasonable, as the U.S. has the most GDP per capita (36,200 USD), Finland’s is

in a second place (22,900 USD)and Thailand’s is the lowest (6,700 USD). The

population growth rates in Thailand and the U.S. are quite equal (0.91% and 0.90%,

respectively), while in Finland it is pretty low (0.16%). Thus, based on his assumption,

economics and demographics could also be factors that make Thailand the most

collectivist, Finland individualist, and the U.S. extremely individualist.

4.6. Physical and personal space analysis

I shall begin with the need for physical space, which then links to levels of personal

space or privacy concerns. According to demographic facts in section 4.2, Thailand has

the greatest population density (121 persons per square kilometer), the U.S. ranks

65

second with 30 persons per square kilometer, and Finland is the most sparse one with 17

persons per square kilometer. The population density is a significant factor that affects

to what extent people have to adapt themselves in order to live in harmony within

limited space. In Thailand, where there is quite limited space for people, people learn

how to balance their need for physical space and environmental preservation. In a

traditional Thai office, one habitually closes his room’s door, which implies that privacy

is given high priority. Thais are not supposed to ask about personal information from

others, which they consider improper or rude manner, except inquiring from familiar

friends or close acquaintances.

Schneider claimed that the U.S. occupies great physical space of country, therefore

the concepts of living in harmony or respecting each other’s privacy are less important,

and Americans feel comfortable to share personal information with others or ask others

to share information with them (Schneider, S, 1997, 39-40). Schneider also mentioned

that Europeans are more reserved compared with Americans, due to the long history of

invasion and occupations, which lead to a suspicion of strangers and a need to keep

distance. Though Finland has the most sparse population density compared with the

other two countries, the privacy concern is somewhat similar to other Europeans, as in

the past, the countries were subjected to foreign denomination.

4.7. Summary

The cultures of each country I examined vary to some extents. There were four main

cultural dimensions that I used as a basis for analysis; uncertainty avoidance, human

nature, individualism versus collectivism, and space. Many factors such as war history,

religion, law enforcement and interdependency between one another had significant

influence on each dimension.

Now, to provide the concrete illustration, I proceeded by integrating the related

consumer patterns with national characteristics. A table 3.5 in chapter three was

considered the crucial foundation, as it provided the expectation of cultural impacts on

security concerns. It described how a particular cultural dimension would affect

consumer opinions. It also illustrated that some dimensions had strong influence on

privacy concerns, while others tended to be directly involved with confidentiality and

integrity concerns. By merging cultural differences in each country with this

66

expectation, the basic hypothesis for this research is derived. The result of integration

was presented in table 4.1.

To formulate a table 4.1, firstly, I used the national background in section 4.2 as

basic information for the analysis in section 4.3 to 4.6. Secondly, I concluded significant

characteristics from the analysis to present in the table. This is to show how each

cultural dimension is shaped in an individual society, and has impacted on consumers’

concerns. In this integrated table, the expected degree of security concerns varied from

the weakest degree =1, medium degree = 2 and the strongest degree =3. I shall separate

the table into two parts. The first part will present the expectation of confidentiality and

integrity concerns. The second part will present the privacy concern.

In the first part of table 4.1, one can see that Finland and the U.S. had the maximum

score, which meant their concerns about confidentiality and integrity on the Net were

among the highest compared to Thailand. For Thailand, though the score depended on

whether or not society accepted the Web sites and their security policies, it was ranked

number two, anyway. Thais had a minimum level of concern compared with the others.

Analysis of Confidentiality and integrity concerns

Finland Thailand The U.S. Involving cultural

dimensions Analysis

result

Expected

degree of

concern

Analysis

result

Expected

degree of

concern

Analysis

result

Expected

degree of

concern

Uncertainty avoidance

• Law and regulation

Medium - High

Stricted by EU

Directive

2

3

Medium –High

No clearly

established

law.

2

1

Low

Less strict law

compared with

EU Directive.

1

2

Human nature :

Basically good or evil Basically good. 1 Basically good. 1 Mixed 2

Individualism versus

Collectivism

Individualism 2 Strongly

collectivism.

Society

accepts

Web site?

Yes = 1

No = 3

Extreme

individualism.

3

Total score 8 5-7 8

Confidentiality and

integrity concern by

total score

Rank 1 Rank 2 Rank 1

Table 4.1. Summary cultural dimensions effect on security and privacy concern in studies of different countries. (Part 1)

67

In the second part of table 4.1, one can see that all studied countries had similar

scores. Their concerns about privacy invasion on the Net were among the medium high

degree. However, Thailand’s score ranged from four to six, and influenced the ranking

number. If Thai society does not accept the Web sites and their privacy protection

policies, its score would be the highest among other studied countries. Its score also

implied that the country had the strongest concern about privacy. On the other hand, if

Thai society accepts the risk or trusts in the Web sites’ security, its score would be the

same as those of the other two countries. That means that privacy concern in every

studied country would have no significant differences.

Analysis of Privacy concerns

Finland Thailand The U.S. Involving cultural

dimensions Analysis

result

Expected

degree of

concern

Analysis

result

Expected

degree of

concern

Analysis

result

Expected

degree of

concern

Individualism versus

Collectivism

Individualism 2 Strong

collectivism.

Society is

familiar

with Web

site?

Yes = 1

No = 3

Extreme

individualism.

3

Need for personal space Medium 2 Strong 3 Low 1

Total score 4 4-6 4

Privacy concern by

total score Rank 1 or 2 Rank 1 or 2 Rank 1 or 2

Table 4.1. Summary cultural dimensions effect on security and privacy concern in studies of different countries. (Part 2)

68

5. Previous research

5.1. Chapter Structure

The objective of this chapter is to provide the previous empirical evidences on

online consumers’ concern about data privacy and security. I shall note that though there

is a number of interesting previous studies, none of them provided the obvious evidence

of impact of cultures on online privacy concern.

In my opinion, computer technology in the information age is consistently improved

and new tools are rapidly developed. The technology changes more or less affect Net

consumer behavior, knowledge and awareness. There are various study researches about

how consumers are aware of their personal data protection; however, many of them are

somewhat out of date. For example, Wang’s paper in 1998 mentioned consumer privacy

concerns about Internet marketing. He and his colleagues analyzed why consumers need

privacy, the relationship between the Internet marketing activities and the privacy

concerns, the principles for protecting privacy, and the relationship between privacy

enhancing technologies and privacy concern. Briones’s article in 1998 described how

online privacy issues would challenge direct marketers. Screeton wrote a topic about

how the online privacy legislation and self-regulation in protecting consumer privacy

would affect the business in the U.S. and EU countries. Sanderson wrote a journal about

Information security in business environments, which presented today’s threats to

security and the protections of sensitive information.

According to the potential impact of rapid technology changes on consumer

behavior, I would highlight four of the most recent studies as they possibly demonstrate

more accurate and up to date results. For each of them, a brief background, objective,

research method, result and conclusion are included. In section 5.2, I shall provide a

survey about barriers to electronic commerce conducted by CommerceNet. In section

5.3, two surveys about consumer concern towards security and privacy issues are

provided. One was conducted by Hanrick Associates and another was done by AT & T

Labs-Research. In section 5.4, I present Godwin J.Udo survey study about privacy and

security concerns as major barriers for e-commerce in the U.S. His study methodology

and brief survey results are included as my empirical study is considered a further

extension of his work. I would provide his findings in more detail and compare them

69

with responses from Finn and Thai in the next chapter. A summary of this chapter is

provided in section 5.5.

5.2. Previous study about barriers to electronic commerce

The content of this section is mainly based on a survey of CommerceNet 2000. A

study framework, survey result and conclusion can be summarized as follow.

5.2.1. The research framework

CommerceNet conducted a survey about barriers to electronic commerce in

2000. The objective of a survey was to identify barriers to electronic commerce from

three perspectives; Business-to-Business electronic commerce in large companies,

Business-to-Business electronic commerce in small and medium companies and

Business-to-Consumer electronic commerce. CommerceNet developed

questionnaires asking about possible barriers which were partly based on the barriers

in a previous year survey. A target group of participants consisted of members and

visitors to the CommerceNet web site. Total respondents were more than one

thousand from six countries including the U.S. and many Asian countries.

5.2.2. The research result

As the study provided three perspectives of electronic commerce, I shall present

here only B2C perspective as it closely relates to my study. There were many

potential issues listed in top ten barriers; for instance, slow speed of Internet

connection, difficulty of making business transaction, fraud and risk of loss, legal

issues, lack of qualified personnel, difficulty of cost justification, and lack of public

key infrastructure. According to global top ten barriers to B2C e-commerce in 2000,

security and encryption were ranked the most important barrier, trust and risk were

ranked the second, and culture was ranked the ninth. The first and second issues

remained unchanged from a previous survey in 1999. However, importance of the

culture issue was radically reduced in 2000 as it used to be in the fourth place in

1999. Overall, the top ten barriers to B2C e-commerce in 1999 and 2000 did not

differ; however, some of them were changed in ranking number though.

Another interesting finding is that there were some differences of perception of

barriers to B2C e-commerce between companies in the U.S. and those in other

70

countries. For American companies, the biggest barriers seemed to be the difficulty

of operating international business and online transaction security. For example,

from the top ten barriers, the issues ranking number one, two and three were

international trade barrier, security and encryption, and lack of qualified personnel.

On the other hand, non-U.S. companies viewed security issue as a main barrier to e-

commerce. This was supported by the survey result that the top three barriers were

security and encryption problem, trust and risk problem, and difficulty to control

user authentication and lack of public key infrastructure. It is obvious that both U.S.

and non-U.S. companies viewed the security issue as a crucial factor in doing

business. They also shared similar ideas about other barriers that affected B2C

business; for example, incapable employees, and difficulty in customers searching

for vendors. In addition, the survey result showed that slow speed and unreliability

of Internet communication was considered a barrier in non-U.S. companies, but this

issue was not raised by U.S. companies. The research group of this survey believed

that this difference implied a lack of efficient Internet connectivity in non-U.S.

countries.

5.2.3. The research conclusion

The major barrier to B2C e-commerce for companies in the U.S. and other

countries was online security problems. It involved how to make use of security

technology such as encryption and public key infrastructure to ensure validity of

online transactions and help build trust between vendors and customers. Unless the

communication facility in non-U.S. countries is improved, the concern about

inefficient and unreliable Internet connectivity is expected to increase as online

business expands and gains more popularity among households.

5.3. Previous study about online privacy concerns

The content of this section is mainly based on Han, P, 2002, 35-38 (Hanrick

Associates study) and Cranor, L, 1999, 1-19 (AT&T Labs-Research). Their study

framework, survey result and conclusion can be summarized as follow.

5.3.1. The research framework

As for the first survey, Hanrick Associates developed questionnaires and

distributed them in the U.S.. The survey objective was to understand consumer

71

attitudes toward online privacy. The survey was conducted in May 2001, and there

were more than 350 participants. The second survey is similar to the first one.

AT&T Labs-Research conducted a survey in November 1998, and received 381

responses. The target respondent was heavy Internet users or possibly leading

innovators in the U.S. since AT&T anticipated this group to reflect the picture of the

future Internet user population.


Due to similarities in both studies, I shall summarize the important findings from

both studies and group them by type of concerns in table 5.1.

Types of concerns Survey findings Sources

1. General privacy of online shopping and surfing

- 62% and 49% of respondents said that privacy concerns affected their surfing and online shopping, respectively, only on a selective basis.

- 34% of respondents said that negative perceptions

about their privacy and lack of control on the Web prevent them from purchasing online; however, under particular circumstances, most of these respondents would purchase things online. This was supported by their previous online shopping records.

Hanrick

Hanrick

2. Giving out identifiable information to Web sites

- When personal data is required by predefined scenarios such as banking, news, sports Web sites, more than half of respondents would provide their information to receive personalized services. However, this number decreased if they were required to give identifiable information such as name and address.

AT&T

3. Transferring user information to Web sites

- 86% of respondents were not willing to use features or tools that would automatically transfer their information to Web sites, though such tools would make Net surfing more convenient for them.

AT&T

- 76% of respondents were uncomfortable or very uncomfortable with a company connecting user patterns to e-mail addresses for a targeted e-mail campaign.

Hanrick

4. Receiving unsolicited commercial e-mails

- 61% of respondents who said they would provide their information to receive pamphlets and coupons said they would be less likely to provide that information if it would be shared for future marketing.

AT&T

Table 5.1. Survey studies conducted by Hanrick Associates and AT&T Lab-Research

72

Types of concerns Survey findings Sources

- Over 30% of respondents agreed or strongly agreed that the benefits of personalized Web content offset privacy concerns.

- Almost 45% of respondents were comfortable with

Web sites using cookies to help track returning users and other useful statistics.

- 33% of respondents were uncomfortable with the

general use of cookies on Web sites.

Hanrick Hanrick Hanrick

5. Tracing online activities by personalized marketing tools such as cookies

- 52% of respondents were concerned about cookies. Of those who knew what cookies were, 56% stated that they had changed their cookie setting so that they would be warned before accepting cookies.

AT&T

- 86% of respondents disagreed or strongly disagreed that Web sites should be allowed to share information with other businesses or partners.

Hanrick 6. Disclosure of personal data or sharing it among organizations

- 96% of respondents were concerned about the

sharing of their information with other organizations as a very or somewhat important issue.

AT&T

Table 5.1. Survey studies conducted by Hanrick Associates and AT&T Lab-Research

(continued)


Basically, online consumers were significantly concerned about protection of

personal information. They were uncomfortable to share identifiable and sensitive

information with web sites. They did not want to receive overwhelming spam e-

mails. Some consumers believed that cookies were dangerous tools, which kept

record about their activities on the Net. However, others viewed cookies in a

positive way because they enjoyed personalize services provided by web sites that

used customer information from cookies. Finally, most consumers were concerned

about sharing of their personal information between organizations without their

consent.

5.4. Previous study about privacy concerns as barriers for e-commerce

The content of this section is mainly based on Udo, Godwin J, 2001, 165-174. He

studied the privacy and security concerns as major barriers for e-commerce. Summary

of his study is provided below.

73

5.4.1. The research objective

The objective of the study was to investigate the concerns of online IT users in

order to confirm or disprove the widely reported concerns in the press and trade

journals.

5.4.2. The research method

First, Udo classified several concerns based on various literatures related to the

topic and built them into questions. He used questionnaires as a survey instrument to

observe privacy and security concerns based on participants’ views. Each question

required the answer in a scale of “strongly agree to strongly disagree”. The

participants were also asked to rank the concerns in order to identify the severity and

importance of many types of concerns. The target group of participants was people

who had used e-mail or shopped on the Internet. He ran pilot tests with some

experience online shoppers who were familiar with the survey topic. Next, the

questionnaire was revised according to comments from the test group. Subsequently,

the questionnaires were mailed to 250 online IT users in a major city in the

Southeastern USA.


The majority of the online IT users had serious concerns about the safety and

confidentiality of their e-mails. They also needed government protection against

privacy invasion. Also, they believed that advanced security technology such as

encryption was not sufficient to reduce their concerns.

In addition, the majority of participants who were employees wanted their

organizations to establish and notify privacy and security policy for e-mail and

Internet. They believed that policy establishment and their rising awareness could

reduce risks and liability. Hence, organizations should be responsible for educating

their employees and implementing the essential hardware and software that could

protect against privacy and security intrusion.

There was a majority of participants who were very concerned about shopping

online. They pointed out that they would certainly shop online only if privacy and

security policies on the web were in place.

74


In short, the issues in news and journals, which indicated that today’s online IT

users are extremely concerned with the privacy and security invasion, were assured

by this research. The privacy and security concern was a main barrier for online

shopping. Thus web sites should consider adequacy of data protection policy in

order to reduce consumers’ fear and be successful in business.

5.5. Summary

Based on previous studies, Internet users were materially concerned about how to

secure their personal information. They preferred to be anonymous and to release

insensitive or unidentified information on the Net rather than confidential one. They

were also well aware of the use of cookies, although many of them allowed the web site

to use cookies in exchange of receiving personalize content or services. Unsolicited

commercial e-mails and disclosure of consumer information among organizations were

critical issues to online consumers as well.

From the business perspective, the security and privacy concerns were among the

top ten barriers to B2C e-commerce. These concerns involved security technology as

much as foundation of trust between web site and customers. Customers were afraid that

web sites would use their personal information without their consent, while web

marketers were moving towards customer-centric strategy, trying to use cookies to

provide one-to-one services. To come up with a better business solution, both parties

must compromise different needs. For example, web sites should create trust by

providing data protection policy, offering choices for customers to share or not to share

their personal information, and customers should learn how to protect themselves and

carefully read security policy on the sites. In addition, a third party like one’s

government must take part in the solution by enacting consumer right protection law or

promoting the use of self-protection tools like firewall when using the Net.

75

6. The research study


The empirical chapter begins with section 6.2, the hypotheses, which were based on

the various literatures from previous chapters. Next in section 6.3, the research

methodology consists of research variables, sample population, sample size, sample

method, questionnaires used in the survey, and the score measurement for the

participants’ answers in each question. In section 6.4, I shall present the survey results

and their interpretations. The statistical results and the analysis will be divided into four

main groups; the basic statistic, the analysis of cultural differences, the analysis of

consumers’ concerns, and the analysis of association between cultures and consumers’

concerns. I shall include the results from Udo’s survey in order to represent American

attitudes as well. Finally, the conclusion and some suggestions for further research will

be provided in section 6.5.

6.2. Hypotheses

The hypothesis is based on the fact that cultures are different from one country to

another and the various cultural dimensions represent special characteristics of people.

Consequently, some particular cultural dimensions have high potential to influence the

variation of Internet users’ attitudes toward privacy and security issues. I would like to

use the observed data to support or oppose these two hypotheses;

Ha = The characteristics of people in studied cultural dimensions differ from one

country to another.

Hb = There is an association between the studied cultural dimensions and Internet

consumers’ concern.

6.3. The research methodology

6.3.1. The research variable

In compliance to the research objective, the survey result is expected to present

the differences between participants’ attitudes in selected cultures. Cultures

primarily vary by countries or nationalities. Consequently, among many background

variables of the participants such as age, gender, occupation, income and education,

76

I will emphasize in the nationality variable, which I regard as a main influence in

this study.

6.3.2. The sampling population

6.3.2.1. Defining population

Based on the objective of the study, a sampling population was primarily

defined as all people in studied countries. Among the whole population, some

people were well acquainted with the Internet, some used the Net from time to

time, some heard about it but have never used it, while some do not even know

what the Internet is. People were different in terms of technological skills and

knowledge. People who never experienced browsing the Net were unlikely to

recognize about their online safety. On the other hand, it is likely that people,

who were familiar with the Internet, would utilize various usage of the Net such

as e-mail, chatting, and online shopping and were aware of privacy rights and

security on the Net. Therefore, I shall reconsider the primary sampling

population and confine it to a group of people who were acquainted with the

Internet. However, defining sampling population as Internet users was still too

broad and impractical to conduct the survey.

Consequently, I restrained a target population from ordinary Internet users

to Internet users who were university students. I conducted questionnaire survey

with the students in Swedish School of Economics and Business Administration

in Finland, and in Chulalongkorn University, Faculty of Commerce and

Accountancy in Thailand. In my opinion, the survey in two student groups was

practical and plausible due to four main supporting reasons; comparability,

competency, accessibility and cost efficiency. Firstly, the respondents in studied

countries were fairly comparable since they shared similar background for

example, age, education and familiarity with the Internet. Secondly, the students

were competent in reading and writing skills and capable in English

communication. As the questionnaire survey was a kind of self-administered

approach, the participants needed such skills, which helped reduce errors when

completing the questionnaires. Thirdly, the target group was accessible. Due to

the general fact that people’ living area were geographically dispersed, it is

acknowledged that some residents live in an area that was difficult to reach.

Accessibility was a crucial concern that led this study to focus on students who

77

could be easily approached under limitation of time. Finally, cost efficiency was

an important consideration as well. Though the dispersed and large sample

would definitely present better representatives of population in studied countries

and lead to more accurate survey result, the costs of the surveys were likely to be

uneconomical.

6.3.2.2. The implications for validity and generalization

According to a process of defining population mentioned above, there

were some groups of people in the studied societies, which had no chance to be

selected. The selected and non-selected population are depicted in figure 6.1.

Figure 6.1. Set of selected population.

The first group were people who were not Internet users. I shall separate

this group into two classifications. The first classification were people who knew

about the Net but were too afraid to use due to safety concern. It was an extreme

case and rarely found. As the Internet provides many useful applications to

facilitate worldwide communication, the benefits of using the Net tend to

outweigh the costs that might arise from privacy invasion. Thus I believed that

only a minority of people would be concerned about online privacy so much that

they avoided the risk arising from the Internet use. In short, I assumed that this

subgroup was unlikely to significantly affect the validity and generalization of

survey result. The second classification were people who did not need or did not

have a chance to use the Net, for example less educated people, people who had

occupations which hardly involved the use of the Internet such as doctors, and

small merchants, and people living in remote areas. Some of them may know

about the Internet and be aware of online security, while some may not. This

classification may affect the validity of result to a certain extent.

All people in individual country

Internet users

Student Internet

users

78

The second group that was excluded in this study was other Internet users

who were not students. Most of the Internet users such as marketers, economists,

businessmen, kids and teachers were common users. They used the Net for

working and entertainment purposes and possibly possessed a similar level of the

Internet familiarity and online security knowledge. The business school students

could be included in the ordinary user category as well. Thus the students were

expected to represent the common Internet user population.

I shall draw attention that though the sample population would not

represent all people in studied countries, it was expected to provide a reasonable

approximation to further analyze and generalize the result.

6.3.3. The sample size

According to subsection 6.3.1, nationality difference was one main variable

which significantly affected the survey result. To determine the impact of one

variable on attitude toward online security, a reasonable sample size would be thirty

respondents for each studied country. Though using a larger sample size could

reduce a sampling error, enlarging sample size would undoubtedly increase costs of

the study. Hence, the approximate number of thirty resulted from an economical

factor and a common response rate consideration.

6.3.4. The sampling method

The type of survey was a self-administered questionnaire. The survey was

conducted during April 2002. The appropriate place to conduct the survey with

students was where they gather. Thus, the questionnaires were distributed to them in

the cafeteria, which had a high turnover of incoming and outgoing students. The

method could be considered as a haphazard sampling and a convenient sampling

because students were randomly selected and they could choose whether to

cooperate or not.

6.3.5. The questionnaire

An example questionnaire used in this survey study is shown in appendix A, in

which I will describe a structure and a source of questions that were presented in the

questionnaire. At the beginning, the participants were required to identify basic

personal information, including nationality and status. Then, they were asked to

79

answer the questions that were divided into three main parts. The questions in part

one and two were based on Udo’s questionnaire (see an example of his questionnaire

in appendix B). As for part three, I developed the questions about culture according

to the cultural dimensions that potentially influence consumer concerns.

In part one, there were eleven questions, aiming to examine Internet usage

including e-mail and online shopping. For example, what kind of e-mail account a

participant had, how often a participant bought things online, and whether or not a

participant was aware of security threats. A question that asked the participants to

rank the various kinds of concerns in order of importance was included as well.

In part two, the participants were asked to express their opinions about

predetermined statements. The seventeen statements in this part were listed in table

6.1 and they involved internet security awareness when using the Net. The main

purpose of these statements was to ask about the concerns of confidentiality,

integrity and privacy when using e-mail or shopping on the Net. Some statements

involved with organizations’ security policies, while others asked about security

technology and consumer protection law. Overall, all statements demonstrated

general Internet security concerns. However, there were some statements that tended

to clearly present specific concerns over computer security attributes such as

confidentiality, integrity and privacy. Based on a summary table in chapter three,

these three basic computer security attributes were considered important for Internet

users and were suitable for using in the study cases as well. I shall categorize the

statements that were potentially relevant to such three attributes and present them in

summary table 6.1. The predefined categories would be fruitful when conducting the

statistical analysis. Regarding the participants’ answers, the respondents expressed

their attitudes in form of ‘strongly disagree’, ‘disagree’, ‘neutral’, ‘agree’, and

‘strongly agree’ with the given statements. Their attitudes implied the level of

concern about the online security. For example, when a participant strongly agreed

with the first statement that ‘E-mail safety is becoming an increasingly important

issue’, his opinion showed that he was significantly concerned about Internet

security problems.

In part three, there were nine statements about cultures presented in table 6.2.

Similar to part two, the participants could choose one of five levels of agreement. An

aim of this part was to clarify the cultural differences in the studied countries.

80

According to a former analysis, the interesting cultural dimensions, including

uncertainty avoidance, human nature, individualism versus collectivism, and space,

tended to represent different consumers’ attitudes about security and privacy. Thus,

the statements in this part were generated based on people’s attitudes in the related

cultural dimensions, in which were already described in detail in chapter three. In

the table, I identified which question related to which cultural dimension. In

addition, I linked participants’ opinions to their potential characteristics that would

show in the individual cultural dimension. For example, if a participant agreed with

the first statement that said ‘I feel nervous when I give my personal information to a

Web site.’, it implied that he felt uncomfortable to rely on the security on the Net or

to take risks. Thus, his opinion could imply that he possessed a strong uncertainty

avoidance level. The participants’ answers were anticipated to verify the expectation

about national characteristics as stated in chapter four.

81

Implication toInternet security attributes Part II: Online privacy and security concerns questions

Implication of participants’ opinion Strongly disagree --> Strongly agree All security

attributes Confidentiality

attribute Integrity attribute

Privacy attribute

1.) E-mail safety is becoming an increasingly important issue. Weak concern -----> Strong concern 4 4 4 4 2.) E-mails are less safe than regular mails. Weak concern -----> Strong concern 4 4 4 4 3.) Most e-mails are accessed by people other than the

owners. Weak concern -----> Strong concern 4 4 4 -

4.) Some e-mails do not come from the people that appear to send them.

Weak concern -----> Strong concern 4 4 4 -

5.) Employers have the right to access e-mail and Internet sites used by their employees.

Strong concern -----> Weak concern 4 - - 4

6.) To reduce the risk of liability, organizations should institute an e-mail policy and distribute it to all employees.

Weak concern -----> Strong concern 4 - - -

7.) Companies can disclose employees’ personal information if they deem it necessary.

Strong concern -----> Weak concern 4 - - 4

8.) Internet shopping is less secured than mail order. Weak concern -----> Strong concern 4 4 4 - 9.) I feel safe when I release my credit card information on

the Internet. Strong concern -----> Weak concern 4 4 4 -

10.) Security and privacy concerns are barriers for my shopping online.

Weak concern -----> Strong concern 4 4 4 4

11.) Only limited amount of personal information should be requested from children on the Internet.


12.) Children should not be asked to provide information about their parents on the Internet.


13.) The privacy of Internet users is greatly violated. Weak concern -----> Strong concern 4 - - 4 14.) Despite all the safety precautions in place today, Internet

and e-mails are not safeguarded enough. Weak concern -----> Strong concern 4 - - -

15.) Stalking and impersonation (including forged identity) are common on the Internet.


16.) The current laws and regulations are sufficient for protecting information system users.

Strong concern -----> Weak concern 4 - - -

17.) The current security features such as encryption and passwords are sufficient to provide security and safety when on the Internet.

Strong concern -----> Weak concern 4 - - -

Table 6.1. Internet security and privacy concern questions and their implications.

82

Part III: Cultural differences questions Related cultural dimensions Participants’ opinions

Strongly disagree --------------------------> Strongly agree

1.) I feel nervous when I give my personal information to a Web site.

Uncertainty avoidance Weak uncertainty avoidance -----> Strong uncertainty avoidance

2.) The regulations for personal information protection are needed and should not be broken in any circumstances.

Uncertainty avoidance Weak uncertainty avoidance -----> Strong uncertainty avoidance

3.) People are naturally good and they do not want to harm others.

Human nature People are basically ‘evil’ ---------> People are basically ‘good’

4.) People basically wish to do the right things and abide by the laws or regulations.

Human nature People are basically ‘evil’ ---------> People are basically ‘good’

5.) I am dependent on others; for example, when I need to make a decision, I prefer to consulting my friends or family first.

Individualism versus Collectivism Strong individualism -------------------> Strong collectivism

6.) The Web site’s security policy could be reliable if my acquaintances confirm me by words.

Individualism versus Collectivism Strong individualism ------------------> Strong collectivism

7.) I feel safe when I give personal information to a Web site in which many people in my community already tried and accepted its security policy.

Individualism versus Collectivism Strong individualism ------------------> Strong collectivism

8.) My physical space such as my house area or my office room area is large.

Physical and personal space Strong need for space -------------------> Low need for space

9.) My privacy or private space is adequate and comfortable. Physical and personal space Strong need for space -------------------> Low need for space

Table 6.2. Cultural differences questions and their implications.

83

After all the questions were formed, I conducted a pilot test to ensure that the

questions and language were understandable and unambiguous. A test was launched

on April 4, 2002 at Department of Accounting, Swedish School of Economics and

Business Administration and was done by five students who had experience in using

the Internet. According to the feedback, I made some language corrections, gave

more concrete examples for dubious questions, and rearranged the format and

sequence of questions. I shall note here that there was no crucial necessity to find

many participants for a pilot test. This was because two out of three main parts of the

questions were based on Udo’s study in which he ran a pretest already.

6.3.6. The score measurement

Based on the previous subsection, I derived information from the participants’

opinions expressed in the questionnaires and their implications to level of security

concerns and to cultural differences. To simplify the statistical interpretation, I shall

define these descriptive implications as specific scores ranging from 1 to 5 as follow:

Subjects Descriptive ranges Score ranges

Internet security concern Weak concern -------------------> Strong concern 1 ------->5

Uncertainty avoidance (UA) Weak UA ------------------------> Strong UA 1 ------->5

Human nature People are good. ----------------> People are evil. 1 ------->5

Individualism/Collectivism Strong individualism ------> Strong collectivism 5-4-3-4-5

Physical/Personal space Low need for space -----> Strong need for space 1 ------->5

Table 6.3. The score ranges.

The first subject was the security concern when using the Net and it involved the

responses in part two of questionnaires. The participants who possessed the stronger

concern would have a higher score. In contrast, the lower score means a lower

awareness of threats to online security.

As for other subjects, they were results from responses in part three of the

questionnaires. Based on an analysis in chapter three, people’ behaviors were

different depending on the variation of cultural dimensions. People who possessed

one or many of following characteristics tended to have very high concern about

their security and privacy: having a strong uncertainty avoidance level, holding a

belief that human nature is basically ‘evil’, being extremely individualist or

collectivist, or feeling like they were restrained by space. Thus, the participants who

84

had such characteristics got the highest score ‘5’ which demonstrated their high

security and privacy concern level. On the other end of spectrum, the participants,

who had weak uncertainty avoidance level, believed that human nature is basically

‘good’, or feel comfortable with their space, would get the lowest score ‘1’. The

participants whose characteristics showed the concern level that were in between the

highest and the lowest level received the score of 4, 3, 2, respectively. I shall note

that for the individualism versus collectivism subject, based on my analysis in

chapter three, both strong individualism and collectivism cultures tended to have

high concern about privacy right and low trust in unfamiliar Web sites.

Consequently, the ‘5’ scores were given to those who were extreme individualists or

collectivists. The participants who were somewhat strong individualists or

collectivists received ‘4’ as they were expected to show medium-high concern level.

In addition, the participants who were in the middle received ‘3’ – medium concern

level, since they did not show clear characteristics of individualism or collectivism.

6.4. The result of research and interpretation

The analysis in this section is based on the answers from the questionnaires. The

results from Finland and Thailand rely on my survey, while American’s responses were

based on Udo’s study. It is worth noting that there are some limitations of comparing my

results with Udo’s. For example, the time frames are different and the participant groups

are not completely the same. My survey study was conducted in 2002 while his was

done one year earlier. I targeted the student group, while he had diversified participants

whomever he considered online IT users.

Regarding a structure of this section, it begins with subsection 6.4.1, which is the

basic statistic about sample population such as numbers of responses, types of e-mails

used by the participants, and frequency of online shopping. Next, from subsection 6.4.2

to 6.4.4, the analysis of the main results is provided. It includes the examination of

important questions and answers which directly relate to the hypotheses. There were

some questions and answers left over. Subsequently, in subsection 6.4.5, the rest of the

questions and answers are inspected. At the end, I shall provide a conclusion based upon

the analysis and raise some points for further research.

85

6.4.1. The basic statistic

Of 60 distributed questionnaires in Finland and Thailand, the usable responses

were 30 from Finland and 29 from Thailand, respectively. According to Udo’s

survey, in the U.S., the number of usable responses was 158 out of 250

questionnaires. The majority of the participants were students, while the rest were

both students and employees.

The following statistic was based on two parts of the questionnaires: the

participants’ information and some questions from part one. From part one, the

selected questions included question number 1, 2, 7, 8, 9 and 10. These were the

general questions about Internet usage including a number of participants who used

e-mail, types of e-mail account, and online shopping behaviors.

The percentage of participants who had e-mail accounts was significantly high.

Thus the information implies that the participants met the target group of this

research. The percentages can be presented as follow.

Country % of participants who have e-mail accounts

Finland 100% Thailand 86.21% The U.S. 90.50%

Table 6.4. Percentage of persons who have e-mail accounts

Additional basic information about occupations, types of e-mail accounts and

whether the participants had ever bought something online are presented in figures

6.2, 6.3 and 6.4.

Figure 6.2. Occupations of the participants

Occupations of participants

3934

18

4 4

27

100 100

0

25

50

75

100

Students Employees Supervisors /Managers

Facultymember

Others

Per

cent

(%)

Finn Thai American

86

Figure 6.3. Types of e-mail accounts

Figure 6.4. Online shopping experience

About half or more of overall participants indicated that they had purchased

things on the Net. The percentage of American participants who had experienced

buying things online was somewhat higher than that of Finn or Thai. The possible

reason might be that among three countries the U.S. is considered the most advanced

in Internet technology. In fact, America is the initiator of the Internet. Hence it is

possible that they have been familiar with the Net for a longer time and online

shopping is not something new for them.

Among the participants who had experienced online shopping, figure 6.5 shows

how often they purchased goods or services. Note that Udo did not present a

frequency of online shopping; hence I would omit the U.S. result here.

Types of e-mail

59

1017

45 44

32

97

4043

17

0102030405060708090

100

Home e-mail Workinge-mail

School e-mail

Other

Per

cent

(%)

Finn Thai American

Has a participant ever purchased anything online?

50 5052 48

67

33

0

20

40

60

80

100

Yes No

Per

cent

(%)

Finn Thai American

87

Figure 6.5. Frequency of shopping online

From figure 6.5, it is evident that Thai participants purchased things on the Net

much more often than Finn’s; though the number of experienced online shoppers in

these two countries was about the same. Finn’s might have o40%40%ther

considerations or probably an awareness of Internet security that reduces or affects

the frequency of their shopping online.

The participants, who used to shop online, were asked whether they were

concerned about threats to sensitive information such as credit card number. Over

70% of American participants showed that they were concerned. Compared to

Americans, Thai’s and Finn’s tended to be less concerned about this issue. Figure

6.6 shows that about 60% of Finn and 40% of Thai were aware of the abuse of

personal information.

Figure 6.6. Consumers’ concerns about personal information security

How frequently does a participant purchase things online?

3

2317

10

24

737

10

0

10

20

30

40

50

More thanonce a month

Once amonth

At least oncein 6 months

At least oncea year

Less thanonce a year

Per

cent

(%)

Finn Thai

Has a participant concerned about abuse of personal information when purchasing things online?

59

4141

55

0

20

40

60

80

100

Yes No

Per

cent

(%)

Finn Thai

88

All participants, including those who had never bought anything online, were

asked if they would shop online if their concerns were eliminated. The result from

the U.S. showed that over 70% said ‘yes’. In Finland, the answers were similar to

those in the U.S., as over 60% of Finns also said ‘yes’. However, Thais may have

other hidden concerns or supporting reasons because 57% of Thai participants still

did not want to purchase goods online, though their concerns were diminished.

Figure 6.7. Opinions about online shopping when concerns are reduced.

6.4.2. The analysis of cultural differences

I have analyzed the respondents’ opinions about cultures. This is to examine the

cultural differences in the studied countries. This subsection is composed of three

main components. Firstly, the source of data using in an analysis is defined.

Secondly, a statistical method is used in the final calculation. Finally, an analysis for

each cultural dimension is provided.

6.4.2.1. The source of data

The main source of raw data was from the participants’ answers from part

three of the questionnaires, which involved a set of cultural questions. As a

cultural part of my questionnaire is an extension from Udo’s work, this resulted

in a lack of cultural opinions from the U.S. to be used in statistical analysis.

Would a participant shop on the Net if his/her concerns are addressed or eliminated?

63

3743

57

0

20

40

60

80

100

Yes No

Per

cent

(%)

Finn Thai

89

6.4.2.2. The statistical method

From part three of the questionnaires, the participants’ opinions about

cultures were obtained. The descriptive implications of respondents’ opinions

were translated into the scores ranging from 1 to 5 based on the score

measurement defined in subsection 6.3.6. I recorded the frequency of opinions

and the mean scores were calculated to determine the central tendency. The

supporting figures of frequency and scores were presented in appendix C.

The first hypothesis is reintroduced below:

Ha = The characteristics of people in studied cultural dimensions differ

from one country to another.

To examine the first hypothesis, it is needed to determine whether there

were significant differences between the mean scores of Finn and Thai. I shall

apply the basic statistic ‘t-test’. According to Moore, D, 1989, 538, ‘t-test’ is

used to solve two-sample problems. The basic idea of t-test is that it can be used

to compare the responses in two groups which are considered to be the sample

from two distinct populations, and the responses in each group are independent

of those in other groups. To enhance the efficiency when performing t-test

analysis, I used ‘t-test function’ in Microsoft Excel program to help calculate t-

test value. The t-test function would return the probability to determine whether

two samples are likely to have come from the same two underlying populations

that have the same mean. Thus, if the probability turns out to be high, two

sampling populations are considered having the similar mean scores and no

significant differences are found. I shall establish the cut-off point at 0.10 or 10%

which means that the t-test value if less than 10% will prove that there are

significant differences between two sampling groups.

6.4.2.3. The statistical result and analysis

Below, I present a summary of mean scores for each cultural dimension

and t-test results.

90

Mean scores Ttest results

Cultural dimensions Finn Thai Ttest value %

Uncertainty avoidance 3.65 3.57 0.6715 67.15%

Human nature 3.00 2.66 0.1072 10.72%

Individualism/Collectivism 3.82 3.71 0.3449 34.49%

Physical/personal space 2.50 2.38 0.5323 53.23%

Table 6.5. Cultures mean scores and t-test value.

In general, there were no significant differences between cultures of Finn

and Thai because t-test values of all cultural dimensions were above 10%.

Regarding human nature dimension, the t-test result showed a weak comparison

between the two samples. However, this may be the result of a small sample.

Next, I shall further investigate the differences between my expectations

and actual results by cultural dimension.

In the summary table of chapter four (column ‘Analysis result’), I analyzed

the potential characteristics of each country presenting in the four cultural

dimensions. Here I shall compare such expectations with the actual results. I

created four comparison tables, table 6.6 to 6.9, that are classified by cultural

dimensions. The structure of these tables was alike. Firstly, the mean scores for

individual cultural dimensions are listed. Secondly, the implication of the mean

score is provided based on an interpretation of scores in table 6.3. Thirdly, the

expectation from chapter four is presented. The comparison tables and

descriptions are demonstrated in a sequence of cultural dimensions as follow.

• Uncertainty avoidance comparison

The participants were asked two questions about their nervousness when

giving personal information to the Web, and the opinion about the need for strict

rules and regulations. The questions imply the participants’ feelings under stress

and the rule-orientation.

Based on the actual average score, both countries had medium to high

scores. According to t-test, 67% showed no significant differences between the

mean scores of two countries. These participants tended to avoid uncertain

91

circumstances. They seemed to feel uncomfortable when releasing important

information on the Net.

To sum up, the actual and expected results of Finn and Thai were similar.

Uncertainty avoidance Country Mean Score

Implication of the average score Expectation from the analysis

Finland 3.65 Medium to high uncertainty avoidance. Medium to high uncertainty avoidance.

Thailand 3.57 Medium to high uncertainty avoidance. Medium to high uncertainty avoidance.

Table 6.6. Comparing actual uncertainty avoidance results with expectations.

• Human nature comparison

There were two statements involved with human nature dimension. The

participants responded with the statements that ‘people are naturally good’, and

‘they do not want to harm others, and they want to abide by the rules and

regulations’. These statements were formed based on the idea that ‘human nature

is basically good and people behave properly.’. If the respondent disagreed with

the statements, he tended to believe that people were expected to make mistakes

or break the rules and one should be aware of the effects caused by bad people.

According to religious foundations in Finland and Thailand, I anticipated

that both Finn and Thai would believe that human nature was basically ‘good’.

However, it turned out that they tended to have mixed attitudes that human

beings could be good or bad. The participants in both countries were aware of

rule breaking but were still comfortable in giving a chance to other people to

improve their behavior or fix their mistakes. According to the t-test value, the

10% shows minor significance differences between Finn’s and Thai’s mean

score.

Human nature Country Mean score

Implication of the mean score Expectation from the analysis

Finland 3.00 Sampling group believed that human was mixed between good and evil.

People were basically good.

Thailand 2.66 Sampling group believed that human was mixed between good and evil.

People were basically good.

Table 6.7. Comparing actual human nature results with expectations.

92

• Individualism versus collectivism comparison

The actual results and my expectations for Finn’s culture were somewhat

different. My assumption was based on Hofstede’s study which indicated that

Thai people tended to be very strong collectivist while Finn were more likely to

be individualist. However, the results of opinions from both Finn and Thai

participants showed that their characteristics were likely to be considered strong

collectivists. They were likely to depend on families or friends. They were likely

to trust the Web sites that their acquaintances recommended without strong

needs to prove the reliability of the Web sites by themselves. There were no

significant differences between two countries as t-test percentage was about

34%.

Individualism versus Collectivism Country Mean score


Finland 3.82 Strong collectivism. Individualism

Thailand 3.71 Strong collectivism. Strong collectivism

Table 6.8. Comparing actual individualism results with expectations.

• Physical and personal space comparison

Finn’s actual result was somewhat similar to my anticipation. However, the

Thai result needed less space than I expected. Both Finn and Thai respondents

seemed to need moderate physical and personal space. They felt that their room

spaces or other physical spaces were adequate or large enough. They were

comfortable with their privacy. They did not greatly desire to seek more private

space. According to 53% of t-test, there were no material differences between

the two studied countries.

Physical/Personal space Country Mean score


Finland 2.50 Medium low need for space Moderate need for space.

Thailand 2.38 Medium low need for space High need for space

Table 6.9. Comparing actual space results with expectations.

93

6.4.2.4. Conclusion

Based on the results from t-test, the hypothesis states ‘the characteristics of

people in studied cultural dimensions differ from one country to another’ for the

chosen countries could, possibly, be rejected. T-test percentages were so high for

all cultural dimension results that there was high probability that the two

sampling groups shared the same mean. As there were no important variations

between Finland and Thailand, their cultures were unlikely to differ from each

other.

My predictions about uncertainty avoidance characteristics of two

populations were supported by the actual results. The observed Finn and Thai

characteristics in some dimensions partly conform to my expectations. However,

in the human nature dimension, it turned out that my expectation that people in

both countries tended to believe that ‘human nature are basically good’,

completely differed from the actual results as both Finn and Thai thought that

‘human nature are mixed between good and evil’.

6.4.3. The analysis of consumers’ concerns

A purpose of an analysis is to determine the differences of degree of security

concerns between the studied countries. Though an analysis may not directly verify

the hypothesis, it provides the general idea of how Finn and Thai Internet users are

concerned about their personal online safety and how large the variation of

awareness degree between the two countries is.


An analysis of the consumers’ concerns in the studied countries basically

relied on the participants’ opinions expressed in part two of the questionnaires.

Their expressions reveal how much they were aware of possible risks that

occurred from inadequate computer security. The respondents’ concerns about

safety when sharing personal information and online privacy were stated as well.

After reviewing an explanation about the questionnaires in subsection

6.3.5, I classified the questions into three main types of concerns: overall

concerns, confidentiality and integrity concerns, and privacy concern. This was

because some questions implied specific concerns such as attitudes towards

94

violation of privacy, while some were more likely to present the general concern

such as asking about adequacy of laws and regulation to protect online

consumers. Here, I shall use all questions in part two of the questionnaires to

analyze overall or general concerns. As for confidentiality, integrity and privacy

concerns, I chose particular questions based on my former judgment in

subsection 6.3.5 table 6.1.


Similar to the statistical method for cultural differences analysis, the

descriptive implications of respondents’ opinions were translated into the scores

ranging from 1 to 5 based on the score measurement defined in subsection 6.3.6.

I calculated the mean scores based on the frequency of opinions. The record of

frequency and scores are presented in appendix D.

I use the basic statistic ‘t-test’ to determine any material variances between

the mean scores of two sampling groups. I applied ‘t-test function’ in Microsoft

Excel program to help calculate t-test value. Again, I established the cut-off

point at 0.10 or 10% which means t-test value when less than 10% proves that

there are significant differences between two sampling groups.

6.4.3.3. The statistical results and analysis

I present a summary of mean scores for concerns about computer security

and t-test results as follow:

Mean score Ttest results

Internet security concerns Finn Thai American Ttest

value %

Overall concerns 3.54 3.30 3.58 0.0068 0.68%

Confidentiality and integrity

concerns

3.48 3.35 3.54 0.2190 21.90%

Privacy concern 3.58 3.31 3.50 0.0044 0.44%

Table 6.10. Consumers’ concerns mean scores and t-test value

One should note that t-test results in this place showed the differences

between mean scores of Finn and Thai. Due to the limitation of data presented in

Udo’s research, I calculated only the mean score of the U.S. but not the t-test

95

value. In addition, I added the related previous research that I mentioned in

chapter five in comparison with my observed data.

• Overall security attributes

The participants in three studied countries tended to be aware of the online

safety. Their mean scores were above 3 but did not reach 4, which implied that

the participants’ attitudes varied from neutral to moderately high concern about

consumers’ safety.

According to t-test results, Finn’s mean score was materially higher than

Thai’s. The Finn’s participants were likely to be more concerned about potential

security risk. One possible reason is that Finland is well known for the advanced

technology, communication and wide use of the Internet (Internet users were

44% of total population) thus Finn is likely to keep pace with today’s threats to

security. In contrast, the computer security technology in Thailand may be

considered behind that of Finland. Thai Internet users are only 1.6% of the total

population and they may not be knowledgeable about possible computer security

threats or how to protect themselves. In addition, Thai have comfortable styles of

living and the invasion of personal security may not be taken as a big issue

except for the really serious cases.

• Confidentiality and integrity attributes

Similar to overall concerns about security attributes, the participants in all

studied countries tended to be aware of the confidentiality and integrity of their

personal data. Their mean scores were around 3.3 to 3.5, which implied that the

participants’ attitudes were ranged from disinteresting in confidentiality and

integrity attributes to moderately high concern about these subjects. They agreed

that e-mail safety was becoming an increasingly important issue, but they did not

think that e-mails were less safe that normal mail. They were aware of the

statements that most e-mails were accessed by people other than the owners or

some e-mails did not come from the people that appeared to send them. They

were slightly concerned that online shopping was less secure than mail order.

They were likely to feel unsafe when releasing the credit card number on the

Net. They somewhat agreed that security issues were barriers for shopping

online.

96

In chapter four table 4.1, I proposed the degree of confidentiality and

integrity concerns for each studied countries. Based on my assumption about

cultural differences between Finland and Thailand, I presumed that Finland and

Thailand would be respectively ranked first and second regarding degree of

confidentiality and integrity concerns. That means the Finn’s participants had a

higher concern about confidentiality and integrity attributes than Thai’s.

However, the actual results revealed that participants in both countries had

neutral attitudes or moderately high concerns about these two attributes. In

addition, by checking t-test value, there were no significant variations between

Finn’s and Thai’s opinions. One reason of why the actual awareness degree

differed from my expectation was that my underlying assumptions about cultures

were partly invalid after checked against the real responses. A concise

comparison table is provided below.

Confidentiality and integrity concerns

Expectation from the analysis

Country Mean score

Implication of the mean score

Rank Expectation

Finland 3.48 Ranging from neutral attitudes to moderately high concerns

1 Higher concerns

Thailand 3.35 Ranging from neutral attitudes to moderately high concerns

2 Lower concerns

Table 6.11. Comparing actual confidentiality/integrity concerns results with expectations.

The trend of participants’ attitudes in my study somewhat resembles those

of other researches. Based on previous researches mentioned in chapter five,

today’s online consumers were concerned about identifiable information. Most

people disagreed or strongly disagreed that the Web sites should be allowed to

share information with other organizations. The majority of people believed that

sharing information without the consent from owners was of a somewhat or very

important issue. The implication from previous researches was that online

consumers were greatly aware of the confidentiality of their personal data.

• Privacy attribute

Similar to the previous analysis, the participants in all studied countries

tended to be aware of their privacy. Their mean scores were around 3.3 to 3.6,

which implied that the participants’ attitudes were ranged from neutral to

97

moderately high concern. In general, they realized the importance of e-mail

safety. They somewhat disagreed that employers should have the right to access

e-mail and Internet sites used by employees and disclose employees’ personal

information. They somewhat agreed that privacy of Internet users is greatly

violated and this issue creates barriers for shopping online.

Now, I compare the actual results with my expectation from chapter four.

A summary table is provided below.

Privacy concern

Expectation from the analysis

Country Mean score

Implication of the mean score

Rank Expectation

Finland 3.58 • Ranging from neutral attitudes to moderately high concern

• Higher concern

1or2 Higher or Lower concern

Thailand 3.31 • Ranging from neutral attitudes to moderately high concern

• Lower concern

1or2 Higher or Lower concern

Table 6.12. Comparing actual privacy concern results with expectations.

Comparing Finn’s and Thai’s actual responses, the t-test value indicated

that Finn’s mean score was significantly higher than Thai’s. That means Finn

seemed to have higher privacy awareness level than Thai had. My expectations

based on cultural analysis showed that Finland and Thailand could be ranked

first or second regarding the degree of privacy awareness. The ranking number

depended on whether or not Thai was familiar with particular Web sites. I

emphasized again that my underlying assumptions about cultures were partly

invalid after checking with the real responses. Hence, I could not completely rely

on my assumption to conclude that Thai’s privacy concern was lower than Finn’s

because Thai felt familiar with and trust in the Web site.

The related researches from previous chapter also presented consumers’

concern about privacy invasion. The majority of their respondents stated that

they were uncomfortable to receive unsolicited commercial e-mails. Though

many of them loved to receive free coupons or special discount when giving

some personal information to the Web, they were less likely to provide

information if it is to be shared for future marketing. Some respondents accepted

98

the usefulness of cookies so that they could receive personalized contents, while

others thought that the risk from using cookies overweighed the benefits. Based

on previous researches and the result from my study, it is obvious that Internet

consumers were somewhat or very worried about their privacy.

6.4.3.4. Conclusion

According to t-test results, Finn’s and Thai’s responses about ‘overall

Internet security concern’ and ‘privacy concern’ material differed. Their

opinions ranged from the neutral attitudes to moderately high concerns. Finn’s

mean scores were materially higher than Thai’s. Thus Finn was likely to be more

concerned about the overall potential security risk and privacy invasion.

6.4.4. The analysis of association between cultures and consumers’ concerns


Like in the previous sections, in this association analysis I used cultural

opinions and consumers’ concerns attitudes from part three and two of the

questionnaires, respectively. The basic idea is consistent. The part three

questions had been classified into four cultural dimensions consisting of

uncertainty avoidance, human nature, individualism versus collectivism, and

space. And from part two, the Internet security concerns were classified into

overall concerns, confidentiality and integrity concerns and privacy concern.

Unlike the previous parts where I had to separate Finn’s and Thai’s scores in

order to determine the differences between two countries, now I used the Finn’s

and Thai’s scores together to analyze correlation between cultures and

consumers’ attitudes as a whole.


First of all, I shall reintroduce the hypothesis with the observed data and

statistical analysis tool which is examined in this part.

Hb = There is an association between the studied cultural dimensions and

Internet consumers’ concern.

To examine the association between two variables or more, one usually

applies the linear regression statistical model. The linear regression model helps

99

analyze the effect of the values of one or more independent variables on a single

dependent variable. Based on Moore, D, 1989, 697, the model for linear

regression with one response variable y and p explanatory variables x1, x2, ..., xp

is

Yi = βo + β1xi1 + β2xi2 + ...+ βpxip + εi

where i = 1, 2, ..., n. The εi are assumed to be independent and normally

distributed with mean 0 and standard deviation σ. The parameters of the model

are βo, β1, β2, ..., βp, and σ.

To increase efficiency and reduce errors during the statistical calculation

process, I applied the ‘Data Analysis’ tool of Microsoft Excel to calculate the

regression based on the observed values of y and x at the confidence level of

95%. The program provided me with the ‘Summary Output’ which showed the

linear regression model and various statistical values. Of many statistical results,

some were truly useful and crucial for the associations’ investigation, while

some were less likely to influence my interpretation. The statistical values that

would be emphasized in this place were described primarily based on Moore, D,

as follow;

• R Square :

R Square is the square the correlation coefficient and always reported along

with the regression results. r2 is the fraction of the variation in the values of y

that is explained by the least squares regression of y on x. The roles of x and y in

this interpretation can be interchanged. r2 ranges in value from 0 to 1. When the

model demonstrates a perfect correlation showing no difference between the

estimated y-value and the observed y-value, r2 equals 1. However, the model

could not be used to efficiently estimate a y-value if r2 is 0. r2 is normally

multiplied by 100 and presented as a percent. In short, r2 is a direct measure of

the success of the regression. One shall note that a high r2 value does present the

successful prediction of the model but does not imply the cause and effect

relationship.

100

• P-Value :

P-Value involves a test of significance that assesses the evidence against

the null hypothesis. P-Value calculation is done assuming that null hypothesis is

true. From the calculation, one would get P-Value or the probability that the test

statistic will take a value at least as extreme as that actually observed. P-Value

also demonstrates probability of the incorrect regression model. The smaller the

P-Value is, the stronger is the evidence against the null hypothesis provided by

the data. One could also present P-Value as a percent.

I used the significance level of P-Value at 5%, which is commonly used in

the research study. Thus, the models that have P-Value less than 5% indicate that

the observed data are strongly against the null hypothesis but support the

alternative hypothesis.

• Significance F:

The significance F concept is similar to the P-Value. In a simple regression

model that has only one independent variable, the significance F is equal to P-

Value. However, if the model has many independent variables, the significance F

would present the significance value of variables as a whole so it would differ

from P-Value which shows the significance value of each variable.

Again, I established the cut-off significance F value at 5%, which is

normally accepted in statistical research. Thus, the multiple linear regression

models that have significance F value less than 5% indicate that the observed

data are strongly against the null hypothesis but support the alternative

hypothesis.

6.4.4.3. The statistical results and analysis

I presented the linear regression models and their statistical values that

resulted from applying Microsoft Excel Data Analysis Tool. I divided the

analysis into two main parts. In the first part, I examined the association between

each individual cultural dimension and consumers’ concern by using the simple

linear regression. In the second part, I further examined the effect of a

combination of cultural dimensions on consumers’ attitudes. The correlation was

investigated by using the multiple linear regression.

101

6.4.4.3.1. The association between individual cultural dimension and

consumers’ concerns

The following statistical results were illustrated in an order of

consumers’ attitude classifications including ‘overall concern’,

‘confidentiality and integrity concerns’ and ‘privacy concern’ as usual. For

each classification, each cultural dimension was used as an independent

variable and the consumers’ attitudes toward Internet security were a

dependent variable.

• Each cultural dimension and overall concern

The uncertainty avoidance dimension and overall Internet security concerns

Variables Definitions X Uncertainty avoidance degree Y Degree of Internet security concern

Linear regression equation Y = 60.37 - 0.37X R Square 0.88% P-Value 48.04%

The human nature dimension and overall Internet security concerns

Variables Definitions X Belief in 'evil' or 'good' human nature Y Degree of Internet security concern

Linear regression equation Y = 55.92 + 0.37X R Square 0.88% P-Value 48.04%

The individualism/collectivism dimension and overall Internet security concerns

Variables Definitions X Individualism or collectivism degree Y Degree of Internet security concern


The physical/personal space dimension and overall Internet security concerns

Variables Definitions X Need for physical and personal space Y Degree of Internet security concern


Table 6.13. Linear regression of each cultural dimension and overall concerns.

For each linear regression result showing in the above table, the

computed value of the R square was very low and P-Value was over 5%.

102

That means of the individual cultural dimension was not a significant

predictor of a degree of overall Internet security concerns. And evidences

supported by the observed data were too weak to reject the null hypothesis.

I conclude that the correlation between the individual cultural

dimension and the degree of general consumers’ concern is seriously weak.

• Each cultural dimension and confidentiality and integrity (C&I)

concerns

The uncertainty avoidance dimension and C&I concerns

Variables Definitions X Uncertainty avoidance degree Y Degree of C&I concern


The human nature dimension and C&I concerns

Variables Definitions X Belief in 'evil' or 'good' human nature Y Degree of C&I concern


The individualism/collectivism dimension and C&I concerns

Variables Definitions X Individualism or collectivism degree Y Degree of C&I concern


The physical/personal space dimension and C&I concerns

Variables Definitions X Need for physical and personal space Y Degree of C&I concern


Table 6.14. Linear regression of each cultural dimension and C&I concerns.

For each linear regression result showing in the above table, the

computed value of the R square was very low and not over 10%. That

means the individual cultural dimension was not a significant predictor of a

degree of confidentiality and integrity concerns. Most of P-Value results

103

were over 5% except for a P-Value in an examination of association

between the uncertainty avoidance dimension and C&I concern which was

4.86%. When the P-value was over or nearly 5%, the evidences against the

null hypothesis were not strong.

In short, there was materially weak association between the

individual cultural dimension and the degree of confidentiality and

integrity concern.

• Each cultural dimension and privacy concern

The uncertainty avoidance dimension and privacy concern

Variables Definitions X Uncertainty avoidance degree Y Degree of privacy concern


The human nature dimension and privacy concern

Variables Definitions X Belief in 'evil' or 'good' human nature Y Degree of privacy concern


The individualism/collectivism dimension and privacy concern Variables Definitions

X Individualism or collectivism degree Y Degree of privacy concern

Linear regression equation Y = 13 + 0.66X R Square 9.04% P-Value 2.07%

The physical/personal space dimension and privacy concern

Variables Definitions X Need for physical and personal space Y Degree of privacy concern


Table 6.15. Linear regression of each cultural dimension and privacy concern.

One could see that the computed values of the R square were very

low. Most of P-Value results were over 5%.

104

However, an association between individualism versus collectivism

dimension and privacy concern was quite obvious as the statistical results

showed 9.04% of R square and 2.07% of P-Value. Though 9% of R square

was not high enough, it still implied that this cultural dimension was not a

perfect explanation for a degree of privacy concerns. However, it did

indicate a certain level of their association. With the P-value about 2%, the

evidences supported by the observed data against the null hypothesis were

considered strong. From the linear regression, the individualism or

collectivism degree had a positive impact on a degree of privacy concern.

When people seemed to be the stronger individualist or collectivist, a

degree of privacy concern tended to be higher. This is similar to my

expectation from chapter three about impact of the individualism versus

collectivism dimension on privacy concern.

In short, there was a weak association between the individualism

versus collectivism cultural dimension and the degree of privacy concern.

Other cultural dimensions seemed to have no material effect on consumers’

privacy concern.

6.4.4.3.2. The association between all cultural dimensions and

consumers’ concerns

Here I further investigated the impact of all cultural dimensions on

Internet consumer’s attitudes. I reported the statistical results in an order of

consumers’ attitude classifications including ‘overall concern’,

‘confidentiality and integrity concerns’ and ‘privacy concern’. For each

classification, all cultural dimensions were used as the independent

variables and the consumers’ attitudes toward Internet security as the

dependent variable.

105

• All cultural dimensions and overall concerns

All cultural dimensions and overall Internet security concerns Variables Definitions

X1 Uncertainty avoidance degree X2 Belief in 'evil' or 'good' human nature X3 Individualism or collectivism degree X4 Need for physical and personal space Y Degree of Internet security concern

Linear regression equation Y = 25.17 + 1.51X1 + 0.52X2 + 1.40X3 + 0.65X4 R Square 20.80% Significance F 1.22% P-Value :

X1 0.82% X2 29.71% X3 2.84% X4 25.15%

Table 6.16. Linear regression of all cultural dimensions and overall concerns.

The value of R square was about 20% meaning that a multiple linear

regression explained 20% of the observed variation in degree of overall

concern. Although an R square percentage was not very high and did not

indicate the successful explanation between the variables, it assured a

certain level of relationship and predictability of y-value.

Considering all the variables as a whole, the statistic analysis turned a

result of significance F at approximate 1%. That means this multiple linear

regression models had the overall observed data that were strongly against

the null hypothesis. Thus the alternative hypothesis could be accepted.

Regarding the significance of each independent variable, I found that

the P-Values of the uncertainty avoidance degree and the

individualism/collectivism degree were lower than 5%. Hence, the

observed data in these two dimensions had strong evidence against the null

hypothesis. In addition, based on a linear regression, it showed that these

two dimensions had positive effect on overall Internet security concern. If

people tend to greatly avoid ambiguous situations or tend to be strong

individualists or collectivists, they are likely to be strongly concerned about

Internet security as a whole.

106

• All cultural dimensions and confidentiality and integrity concerns

All cultural dimensions and C&I concerns

Variables Definitions X1 Uncertainty avoidance degree X2 Belief in 'evil' or 'good' human nature X3 Individualism or collectivism degree X4 Need for physical and personal space Y Degree of C&I concern

Linear regression equation Y = 16.32 + 0.59X1 - 0.05X2 + 0.18X3 + 0.30X4 R Square 8.37% Significance F 30.76% P-Value :

X1 5.81% X2 85.40% X3 61.62% X4 33.65%

Table 6.17. Linear regression of all cultural dimensions and C&I concerns.

Based on the results shown in a table, the R Square was very low, the

significance F was higher than 5%, and the P-Value for each independent

variable was over 5%. Thus, I concluded from the statistical results that this

multiple linear regression could not explain the observed variation in the

degree of confidentiality and integrity concern very well, as there was no

significant association between a whole of cultural dimensions and the

degree of C&I concern.

• All cultural dimensions and privacy concern

All cultural dimensions and privacy concern

Variables Definitions X1 Uncertainty avoidance degree X2 Belief in 'evil' or 'good' human nature X3 Individualism or collectivism degree X4 Need for physical and personal space Y Degree of privacy concern

Linear regression equation Y = 9.92 + 0.37X1 - 0.02X2 + 0.66X3 + 0.10X4 R Square 12.77% Significance F 11.12% P-Value :

X1 15.08% X2 93.21% X3 2.58% X4 71.14%

Table 6.18. Linear regression of all cultural dimension and privacy concern.

107

The R Square was low, the significance of F was higher than 5%, and

the P-Value for each independent variable was over 5% except for the

individualism/collectivism variable. Although at a detail level the observed

data about individualism/collectivism degree was likely to provide the

strong evidence against the null hypothesis, the overall picture of this

multiple linear regression was that it could not explain the observed

variation in the degree of privacy concern very well. There was no

significant association between the whole cultural dimensions and the

degree of privacy awareness.

6.4.4.4. Conclusion

Firstly, in the linear regression analysis, I provided the statistical results

about the association between the individual cultural dimension and the degree

of consumers’ concern. However, I found only a weak association between the

individualism versus collectivism cultural dimension and the degree of ‘privacy

concern’. In addition, based on the linear regression, the individualism or

collectivism degree had a positive impact on a degree of privacy concern. Other

cultural dimensions seemed to have no material effect on overall Internet

security concern, confidentiality and integrity concerns, and privacy concern.

Secondly, I conducted a statistical analysis to determine whether or not the

‘whole cultural dimensions’, including uncertainty avoidance, human nature,

individualism/collectivism, and space dimension, had significant correlation with

the Internet security awareness. Based on the statistical results, I found the point

informative about the relationship between ‘all cultural dimensions’ and ‘general

Internet security concern’. The linear regression model was considered

successful when using to predict the degree of overall consumers’ concern. The

observed data provided strong evidence to help reject the null hypothesis that

‘the cultural dimensions has no effect on Internet consumers’. It was likely that

all four cultural dimensions somewhat associated with the consumers are aware

of their security when using the Net. In addition, two cultural dimensions

including the uncertainty avoidance and the individualism versus collectivism

dimension strongly support the alternative hypothesis and showed a positive

effect on the degree of overall Internet security concern.

108

6.4.5. Other results

This subsection contributed to the rest of questions from the questionnaires that

were not included in the previous subsections. The questions were from part one of

the questionnaires and included the statements asking about Internet security policy

and the ranked number of concerns.

Figure 6.8. Opinions about the e-mail policy establishment.

Based on figure 6.8, most of the participants, who were students or employers,

indicated that their schools or companies had e-mail usage policy. About 20% of

Finn and Thai participants showed that no e-mail policies were established in their

organizations, while only 6% of American participants revealed this fact. The rest of

the participants possessed about 15-20% of the sampling population were not sure

whether their organizations had e-mail usage policy or not.

Figure 6.9. Opinions about the e-mail usage monitoring.

Does the participant's organization have e-mail policy?

53

20 23

48

1424

70

176

0

20

40

60

80

100

Yes Not sure No

Per

cent

(%)

Finn Thai American

Does employer or school monitor participant's e-mail usage?

17

40 43

2821

3131 3526

0102030405060708090

100

Yes Not sure No

Per

cent

(%)

Finn Thai American

109

Although I found that most organizations had e-mail usage policy based on the

previous question, figure 6.9, the majority of participants were either not sure if their

organizations really monitored their e-mail usage or were sure that the e-mail

monitoring policy was not applied in practice.

Figure 6.10. Opinions about the types of e-mail usage monitoring.

The response to the question shown in figure 6.10 was not mentioned in Udo’s

study. Thus I presented only Finn’s and Thai’s opinions. About 30% of Thai

respondents said their schools or employers monitored their e-mail usage by

interception and reading their e-mail. About 10-20% of Finn and Thai participants

indicated that their organizations filtered out or blocked certain mails. No

participants indicated that their organization monitored them by checking usage time

or using other monitoring methods.

Figure 6.11. Opinions about using work e-mail for personal purpose.

How does your employer of school monitor your e-mail usage?

17

34

10

0

10

20

30

40

50

Interception Monitoringusage time

Filtering outmails

Other

Per

cent

(%)

Finn Thai

Is participant allowed to use work e-mail for personal use?

80

13

62

21

3844

0

20

40

60

80

100

Yes No

Per

cent

(%)

Finn Thai American

110

From figure 6.11, for Finn and Thai, it was obvious that the participants were

allowed to use their work e-mail account for personal purposes. In contrast, about

half of American respondents indicated that they were not allowed to use work e-

mail for personal purposes. It should be noted that all of Finn and Thai participants

were students and some of them were both students and employees, while 40% and

30% of American respondents were students and employees, respectively. A

probable assumption for this difference may be that the business organizations have

stringent restrictions about personal e-mail usage, while the academic institutions

seem to provide their students with Internet facility including school e-mail accounts

for educational and leisure purposes. This might be the reason why most Finn and

Thai participants, who were students, indicated that they could use work e-mail as

personal e-mail as well.

Finally, the last question in part one of the questionnaires asked the participants

to give the ranked number for the five main types of Internet consumers’ concerns in

order of importance. They included privacy concern, security and preventing threats

concern, children protection concern, censorship concern, and impersonation or

forged identity concern. The participants could also give additional consideration in

the ‘others’ bracket. The results from the participants’ opinions are presented in

more detail in appendix E. Here I shall shortly illustrate the types of concerns and

the percentage of the participants who believed that the particular concern type was

the most important.

Nationality Types of concerns that the participants ranked

the most important % of the

participants Finn

Privacy concern 50% Security and preventing threats concern 17% Children protection 0% Censorship 0% Preventing impersonation and forged identity 33% Other concern 0%

Thai Privacy concern 3% Security and preventing threats concern 38% Children protection 3% Censorship 7% Preventing impersonation and forged identity 7% Other concern 0%

Table 6.19. A rank of the most important concern.

111

Nationality Types of concerns that the participants ranked

the most important % of the

participants American

Privacy concern 55% Security and preventing threats concern 15% Children protection 9% Censorship 2% Preventing impersonation and forged identity 11% Other e-mail concern 4%

Table 6.19. A rank of the most important concern. (Continued)

From table 6.19, about half of the Finn and American participants ranked the

‘privacy concern’ as the most important issue. About one third of Finn participants

and 11% of American participants indicated that the impersonation and forged

identity was the most important concern. About 15-20% of Finn and American

participants thought security and preventing threats were the most important issues.

On the other hand, Thai tended to believe that security and preventing threats

concern was the most crucial problem. Only 3% of Thai considered the privacy

invasion as the most important. Additional concerns including children protection,

censorship and other concerns were not considered the most crucial issue by most of

the participants in all three countries.

6.5. Summary

At this time, I would like to reintroduce my research process from the beginning up

until this point. As I mentioned before, Udo’s study was an inspiration for my research

objective. His study revealed that most Internet users were extremely concerned about

their privacy and security while shopping on the Internet or using e-mail. Online

businesses should be aware of establishing security systems and trust among consumers

in order to eliminate or reduce the consumers’ concerns. I found the result from his

survey interesting, so I aimed to extend his research to examine whether the cultural

differences could influence the consumers’ attitudes or not. Firstly, I acquired computer

security and cultural knowledge to develop the expectations. Secondly, I conducted the

questionnaire survey in two countries; Finland and Thailand, to find out whether the

actual responses were similar to my expectations or not. Although I anticipated to see

the cultural variation between Finn and Thai, the actual results were quite astonishing as

they did not significantly differ from each other in overall picture. Some of my cultural

expectations are similar to the observed data, while some differ. Though I found an

112

interesting point from the survey, that cultures seem to have a certain impact on Internet

consumer attitudes, the cultural influences are not strong enough to perfectly describe

the online consumer behaviors. One possible reason may be because of the globalization

of the Internet. Based on the fact that the Net is so common and is available almost

everywhere in the world, the Internet consumers probably share common behaviors and

create within this spectrum a new special norm or value in their community.

Consequently, the national characteristics or cultures may not have significant effect on

Internet consumers’ attitudes.

I shall summarize the actual results and expectations in table 6.20 and present

whether my hypotheses are confirmed or rejected.

Last but not least, I shall provide some suggestions for future study. In this study,

my questionnaires were conducted with approximately 30 student participants from each

country, including Finland and Thailand. The possible errors in my analysis and the

statistical results may occur from the small size and the group of sampling population.

For further research, I suggest expanding the size of population and diversifying the

target group to provide stronger evidence when examining the hypotheses.

113

Hypothesis Expected versus Actual results Conclusion

Ha = The characteristics of people in

studied cultural dimensions

differ from one country to

another.

• Comparing cultural difference:

Based on the results from t-test, the t-test percentages were so high for all

cultural dimension results, meaning that there was high probability that two

sampling groups, Finn and Thai, shared the same mean. As there were no

important variations between Finland and Thailand means, their cultures, as

related to this analysis, were unlikely to differ from each other.

• At the individual cultural dimension level:

My predictions about uncertainty avoidance characteristics of two

populations were supported by the actual results. The observed Finn and Thai

characteristics in other dimensions including the individualism versus

collectivism dimension and space dimension partly conform to my

expectations. However, in the human nature dimension, it turned out that my

expectation that people in both countries tended to believe that ‘human nature

is basically good’, completely differed from the actual results as both Finn and

Thai thought that ‘human nature is mixed between good and evil’.

The actual results did not strongly support

my expectation. Thus the hypothesis is

rejected

Table 6.20. The research study conclusion

114

Hypothesis Expected versus Actual results Conclusion

Hb = There is an association between

the studied cultural dimensions

and Internet consumers’

concern.

• At the individual cultural dimension level:

There was a weak association between the individualism versus

collectivism cultural dimension and the degree of ‘privacy concern’. The

individualism or collectivism degree had a positive impact on a degree of

privacy concern, which conformed my expectation from chapter three. Other

cultural dimensions seemed to have no material effect on overall Internet

security concern, confidentiality and integrity concerns, and privacy concern.

• At an aggregate cultural dimension level:

Based on the statistical results of multiple linear regression, I found the

relationship interesting between ‘all cultural dimensions’ and ‘overall Internet

security concern’. This multiple linear regression model is considered

successful in that all four cultural dimensions are somewhat associated with

the degree of Internet safety awareness. Moreover, two cultural dimensions,

the uncertainty avoidance and the individualism versus collectivism

dimension, strongly support my hypothesis and showed positive effect on the

degree of overall Internet security concern.

At an aggregate cultural dimension level,

all cultural dimensions show notable

association with the degree of overall

Internet safety awareness, although in the

individual cultural dimension level I did

not find a strong association. I shall

confirm my hypothesis with the observed

data in my survey, which provided strong

evidence to help reject the null hypothesis

in that ‘the cultural dimensions has no

effect on Internet consumers’.

Table 6.20. The research study conclusion (continued).

Reference list

Books and journals:

1. Allen, Cliff (1998), Internet world: guide to one-to-one Web marketing, New York:

Wiley and Sons.

2. Adler, Nancy J.(1986), International dimensions of organizational behavior, the

U.S.: PWS-Kent Publishing Company.

3. Anderson, Ross J. (2001), Security Engineering: A guide to building dependable

distributed systems, New York: Wiley Computer Publishing.

4. Andrew, Hawker (2000), Security and control in information systems: A guide for

business and accounting, London and New York: Routledge.

5. Andrew, Jonathan D.(2001), Erosion of trust - E-Commerce and the loss of

privacy, Information Systems Control Journal, volume 3, 46-49.

6. Briones, Maricris G.(1998), IT, Privacy issues will challenge direct marketers,

Marketing News, Chicago, December 7, volume 32, 8.

7. Camp, L., Jean (2000), Trust and risk in Internet commerce, the U.S.: The MIT

Press.

8. Crowther, Jonathan and others (1999), Guide to British and American culture,

China: Oxford University Press.

9. El Kahal, Sonia (2001), Business in Asia pacific: Text and cases, Oxford: Oxford

University Press.

10. Elovainio, Paivi and others (2000), Facts about Finland, Keuruu: Otava Publishing.

11. Ford, Warwick and Baum, Michael S. (2001), Secure electronic commerce:

Building the infrastructure for digital signature and encryption, Upper Saddle River,

New Jersey: Prentice hall.

12. Fukuyama, Francis (1995), Trust – The social virtues and the creation of

prosperity, London: Hamish Hamilton.

13. Han, Peter and Maclaurin, Angus (2002), Do consumers really care about online

privacy?, Marketing Management, Chicago, January/February, 35-38.

14. Hofstede, Geert (1991), Cultures and organizations: Software of the mind,

Cambridge: McGraw-Hill.

15. Kalakota, Ravi, and Marcia Robinson (2001), e-Business 2.0: Roadmap for

success, Upper Saddle River, New Jersey: Addison-Wesley.

16. Lewis, Richard D. (2000), When cultures collide: Managing successfully across

cultures, Illinois: Nicholas Brealey Publishing.

17. Moore, David S, and McCabe, George P (1989), Introduction to the practice of

statistics, the U.S.: W.H. Freeman and company.

18. Nakra, Prema (2001), Consumer privacy right: CPR and the age of the Internet,

Management Decision, volume 39, number 4, 272-279.

19. Pfleeger, Charles P (1997), Security in computing, Upper Saddle River, New

Jersey: Prentice hall.

20. Pornpitakpan, Chanthika (2000), Trade in Thailand: A three-way cultural

comparison, Business horizons, March/April, volume 43, issue 2, 61-70.

21. Rendleman, John (2001), Europe's eye on privacy, Information week, Manhasset,

June 25, issue 843, 53-58.

22. Schein, Edgar (1985), Organizational culture and leadership – A dynamic view, the

U.S.: Jossey-Bass.

23. Schneider, Susan, and Barsoux, Jean-Louis (1997), Managing across cultures,

Great Britain: Prentice Hall Europe.

24. Schutte, Hellmut, and Deanna Ciarlante (1998), Consumer behavior in Asia, New

York: New York University Press.

25. Screeton, Lisa Scott (1998), There’s no business like your business: Protecting

consumer privacy online, Business America, Washington, August, volume 119, 29-

30.

26. Shippey, Karla C. and others (1995), USA business: The portable encyclopedia for

doing business with the United States, California: World Trade Press.

27. Solomon, Michael R., Bamossy, Gary and Askegaard, Soren (1999), Consumer

behavior: A European perspective, Upper Saddle River, New Jersey: Prentice Hall.

28. Treadwell, Terry (2001), Seven security suggestions, Credit Union Management,

Madison, December, volume 24, issue 12, 28.

29. Udo, Godwin J. (2001), Privacy and security concerns as major barriers for e-

commerce: A survey study, Information management and computer security, volume

9, number 4, 165-174.

30. Wang, Huaiqing, Lee, Matthew K.O. and Wang, Chen (1998), Consumer privacy

concerns about Internet Marketing, Association for Computing Machinery

Communications of the ACM, New York, March, volume 41, 63-70.

31. Worm, Verner (1997), Vikings and Mandarins: Sino-Scandinavian Business

Cooperation in Cross-Cultural Settings, Arhus: Handelshojskolens Forlag.

Webpages:

1. Center of Democracy and Technology (CDT), Top ten ways to protect your

privacy online, www.cdt.org/privacy/guide/basic/topten.html, accessed on April 2,

2002.

2. Central Intelligence Agency (CIA), CIA – The World Factbook,

www.cia.gov/cia//publications/factbook, accessed on February 11, 2002.

3. CommerceNet 2000, Barriers to electronic commerce,

www.commerce.net/research/barriers-inhibitors/2000/Barriers2000study.html,

accessed on April 5, 2002.

4. Cranor, L., and others (1999), Beyond concern - Understanding Net users’

attitudes about online privacy (AT &T Labs-Research Technical Report TR 99.4.3),

www.research.att.com/library/trs/TRs/99/99.4/, accessed on April 5, 2002.

5. EU, http://europa.eu.int, accessed on April 2, 2002.

6. EU, Community legislation in force – Directive 97/66/EC of the European

Parliament and of the Council of 15 December 1997 concerning the procession of

personal data and the protection of privacy on the telecommunications sector,

http://europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html, accessed on April 2,

2002.

7. Hoffman, Paul (1997), Unsolicited Bulk E-Mail: Definition and problems, Internet

Mail Consortium Report, www.imc.org/ube-def.html, accessed on February 2, 2002.

8. OECD, www.oecd.org, accessed on April 2, 2002.

9. OECD, Guidelines on the protection of privacy and transborder flows of personal

data, www1.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTML, accessed on April 2,

2002.

Appendix A : Example of questionnaire

Impact of cultural differences on privacy and security concerns of Internet users Objective of the survey: To study how people in different countries are aware of online privacy and security. Structure of questions: Part I is to examine frequency of Internet usage and how the participant ranks the concerns. Part II is to examine privacy and security awareness when using the Net. Part III is to clarify cultural differences in studied countries. Participant information: 1. What is your nationality? ____Finn ____Thai ____Other(please specify____________) 2. Please check the blank that closely identifies your current status: ____Supervisor/Manager ____Employee ____Student ____Other (please specify_____________)

(If you have more than one current status, for example you are working and studying, please check both employee and student.)

Part I: Internet usage and rank of concerns Please check the answer that best describes you or is closest to your position. 1. Do you have an e-mail account/address? ____Yes ____No (If you answered “Yes” continue with question no 2; if you answered “No” skip to question

no.7) 2. What kind of e-mail account do you have? ____Home ____Work ____School ____Other 3. Does your company/university have an Internet-use policy? ____Yes ____No ____Don’t know 4. Does your employer or school monitor your e-mail usage? ____Yes ____No ____Don’t know

(If you answered “Yes” continue with question no.5; if you answered “No” or “Don’t know” skip to question no.6)

5. How does your employer or school monitor your e-mail usage? ____Interception and reading e-mail ____By monitoring your usage time ____By filtering out or blocking certain mails ____Other (please specify_____________________________) 6. Are you allowed to use your work e-mail account for personal use? ____Yes ____No 7. Have you ever purchased anything online? ____Yes ____No (If you answered “No” skip to no.10; if you answered “Yes” continue to question no.8) 8. How frequently do you purchase things online? ____More than once a month ____Once a month ____At least once in six months ____At least once a year ____Less than once a year

Appendix A : Example of questionnaire (Continued)

Part I: Internet usage and rank of concerns (Continued) 9. Have you ever been concerned about abuse of your credit card and other personal

information when you purchase things online? ____Yes ____No 10. Would you purchase anything online if your concerns are addressed or eliminated? ____Yes ____No 11. Please rank the following concerns about the use of e-mail and Internet in order of

importance, 1 being the most important ____Privacy ____Security and preventing threats (For example, protecting e-mail account against

malicious hackers.) ____Children protection on the Internet (Protect the kids from giving their or their parents’

information without awareness of privacy risk.) ____Censorship (For example, an employer monitors employees’ e-mail usage by filtering

incoming or outgoing mails.) ____Preventing impersonation and forged identity (For example, protecting attacker from

using your credit card number to make payment fraud.) ____Others (please specify__________________________)

In part II and III, please respond to the following statements by circling the number that most reflects your opinion.

1. = Strongly disagree 2. = Disagree 3.= Neutral 4. = Agree 5. = Strongly agree Part II: Online privacy and security concerns 1.) 1 2 3 4 5 E-mail safety is becoming an increasingly important issue. 2.) 1 2 3 4 5 E-mails are less safe than regular mails. 3.) 1 2 3 4 5 Most e-mails are accessed by people other than the owners. 4.) 1 2 3 4 5 Some e-mails do not come from the people that appear to send them. 5.) 1 2 3 4 5 Employers have the right to access e-mail and Internet sites used by their

employees. 6.) 1 2 3 4 5 To reduce the risk of liability, organizations should institute an e-mail policy

and distribute it to all employees. 7.) 1 2 3 4 5 Companies can disclose employees’ personal information if they deem it

necessary. 8.) 1 2 3 4 5 Internet shopping is less secured than mail order. 9.) 1 2 3 4 5 I feel safe when I release my credit card information on the Internet. 10.) 1 2 3 4 5 Security and privacy concerns are barriers for my shopping online. 11.) 1 2 3 4 5 Only limited amount of personal information should be requested from

children on the Internet. 12.) 1 2 3 4 5 Children should not be asked to provide information about their parents on

the Internet. 13.) 1 2 3 4 5 The privacy of Internet users is greatly violated. 14.) 1 2 3 4 5 Despite all the safety precautions in place today, Internet and e-mails are not

safeguarded enough. 15.) 1 2 3 4 5 Stalking and impersonation (including forged identity) are common on the

Internet. 16.) 1 2 3 4 5 The current laws and regulations are sufficient for protecting information

system users. 17.) 1 2 3 4 5 The current security features such as encryption and passwords are sufficient

to provide security and safety when on the Internet.

Appendix A : Example of questionnaire (Continued)

Part III: Cultural differences 1.) 1 2 3 4 5 I feel nervous when I give my personal information to a Web site. 2. ) 1 2 3 4 5 The regulations for personal information protection are needed and should

not be broken in any circumstances. 3.) 1 2 3 4 5 People are naturally good and they do not want to harm others. 4.) 1 2 3 4 5 People basically wish to do the right things and abide by the laws or

regulations. 5.) 1 2 3 4 5 I am dependent on others; for example, when I need to make a decision, I

prefer to consulting my friends or family first. 6.) 1 2 3 4 5 The Web site’s security policy could be reliable if my acquaintances confirm

me by words. 7.) 1 2 3 4 5 I feel safe when I give personal information to a Web site in which many

people in my community already tried and accepted its security policy. 8.) 1 2 3 4 5 My physical space such as my house area or my office room area is large. 9.) 1 2 3 4 5 My privacy or private space is adequate and comfortable.

Appendix B : Example of Udo’s questionnaire

Kindly complete this questionnaire as candidly as possible. 1. Check the blank that closely identifies your current status: ____Supervisor/Manager ____Employee ____Faculty ____Student ____Other (please specify_____________) 2. Do you have an e-mail account/address? ____Yes ____No (If you answered “Yes” continue with question no 3; if you answered “No” skip to question

no.8) 3. What kind of e-mail account do you have? ____Home ____Work ____School ____Other 4. Does your company/university have an Internet-use policy? ____Yes ____No ____Don’t know 5. Does your employer or school monitor your e-mail usage? ____Yes ____No ____Don’t know

(If you answered “Yes” continue with question no.6; if you answered “No” or “Don’t know” skip to question no.7)

6. How does your employer or school monitor your e-mail usage? ____Interception and reading e-mail ____By monitoring your usage time ____By filtering out or blocking certain mails ____Other (please specify_____________________________) 7. Are you allowed to use your work e-mail account for personal use? ____Yes ____No 8. Have you ever purchased anything online? ____Yes ____No (If you answered “No” skip to no.10; if you answered “Yes” continue to question no.9) 9. How frequently do you purchase things online? ____More than once a month ____Once a month ____At least once in six months ____At least once a year ____Never 10. Have you ever been concerned about abuse of your credit card and other personal

information when you purchase things online? ____Yes ____No 11. Would you purchase anything online if your concerns are addressed or eliminated? ____Yes ____No 12. Please rank the following concerns about the use of e-mail and Internet in order of

importance, 1 being the most important ____Privacy ____Security and threats ____Children protection on the Internet ____E-mail safety ____Censorship ____Impersonation and forged identity ____Others (please specify__________________________)

Appendix B : Example of Udo’s questionnaire (Continued)

Please respond to the following statements by circling the number that most reflects your opinion. Strongly agree = 1 Agree = 2 Neutral = 3 Disagree = 4 Strongly disagree = 5 1 2 3 4 5 E-mail safety is becoming an increasingly important issue. 1 2 3 4 5 Employers have the right to access e-mail and Internet sites used by their

employees.

1 2 3 4 5 The privacy of Internet users is greatly violated. 1 2 3 4 5 To reduce the risk of liability, organizations should institute an e-mail policy and

distribute it to all employees. 1 2 3 4 5 Despite all the safety precautions in place today, Internet and e-mails are not

safeguarded enough. 1 2 3 4 5 Companies can disclose employees’ personal information if they deem it

necessary.

1 2 3 4 5 The current laws and regulations are sufficient for protecting information system users.

1 2 3 4 5 The current security features such as encryption and passwords are sufficient to

provide security and safety when on the Internet.

1 2 3 4 5 E-mails are less safe than regular mails. 1 2 3 4 5 Internet shopping is less secured than mail order. 1 2 3 4 5 I feel safe when I release my credit card information on the Internet. 1 2 3 4 5 Most e-mails are accessed by people other than the owners. 1 2 3 4 5 Only limited amount of personal information should be requested from children on

the Internet. 1 2 3 4 5 Children should not be asked to provide information about their parents on the

Internet.

1 2 3 4 5 Stalking and impersonation (including forged identity) are common on the Internet.

1 2 3 4 5 Some e-mails do not come from the people that appear to send them. 1 2 3 4 5 Security and privacy concerns are barriers for my shopping online.

Appendix C : Opinions on cultural dimensions

Finn Thai Uncertainty avoidance questions F S F*S Mean F S F*S Mean

1. I feel nervous when I give my personal

information to a Web site

• Strongly disagree 1 1 1 3 1 3

• Disagree 9 2 18 4 2 8

• Neutral 6 3 18 5 3 15

• Agree 12 4 48 13 4 52

• Strongly agree 2 5 10 4 5 20

Subtotal 30 95 3.17 29 98 3.38

2. The regulations for personal information

protection are needed and should not be

broken in any circumstances.


• Disagree 1 2 2 2 2 4

• Neutral 5 3 15 8 3 24

• Agree 13 4 52 14 4 56


Subtotal 30 124 4.13 29 109 3.76

Total 60 219 3.65 58 207 3.57

Remark: F = Frequency, S = Score

Appendix C : Opinions on cultural dimensions (Continued)

Finn Thai Human nature questions

F S F*S Mean F S F*S Mean 3. People are naturally good and they do not

want to harm others.


• Disagree 9 4 36 5 4 20

• Neutral 8 3 24 11 3 33

• Agree 8 2 16 11 2 22


Subtotal 30 97 3.23 29 85 2.93

4. People basically wish to do the right

things and abide by the laws and

regulations.


• Disagree 5 4 20 2 4 8

• Neutral 11 3 33 10 3 30

• Agree 12 2 24 14 2 28


Subtotal 30 83 2.77 29 69 2.38

Total 60 180 3 58 154 2.66


Finn Thai Individualism versus Collectivism questions

F S F*S Mean F S F*S Mean 5. I am dependent on others.


• Disagree 5 4 20 2 4 8

• Neutral 5 3 15 11 3 33

• Agree 11 4 44 11 4 44


Subtotal 30 124 4.13 29 110 3.79

6. The Web site’s security policy could be

reliable if my acquaintances confirm me

by words.


• Disagree 6 4 24 3 4 12

• Neutral 16 3 48 14 3 42

• Agree 7 4 28 9 4 36


Subtotal 30 105 3.5 29 105 3.62

7. I feel safe when I give personal

information to a Web site in which many

people in my community already tried and

accepted its security policy.


• Disagree 5 4 20 9 4 36

• Neutral 7 3 21 11 3 33

• Agree 16 4 64 6 4 24


Subtotal 30 115 3.83 29 108 3.72

Total 90 344 3.82 87 323 3.71


Finn Thai Physical and personal space questions

F S F*S Mean F S F*S Mean 8. My physical space such as my house area

or my office room area is large.


• Disagree 13 4 52 0 4 0

• Neutral 6 3 18 14 3 42

• Agree 8 2 16 11 2 22


Subtotal 30 89 2.97 29 68 2.34

9. My privacy or private space is adequate

and comfortable.


• Disagree 2 4 8 2 4 8

• Neutral 6 3 18 11 3 33

• Agree 13 2 26 13 2 26


Subtotal 30 61 2.03 29 70 2.41

Total 60 150 2.50 58 138 2.38

Appendix D : Opinions on Internet security concern

Finn Thai American Online privacy and security questions

F S F*S Mean F S F*S Mean F S F*S Mean 1. E-mail safety is becoming an increasingly important issue.

• Strongly disagree 0 1 0 0 1 0 1 1 1 • Disagree 0 2 0 0 2 0 8 2 16 • Neutral 3 3 9 9 3 27 20 3 60 • Agree 16 4 64 12 4 48 50 4 200 • Strongly agree 11 5 55 8 5 40 75 5 375

Subtotal 30 128 4.27 29 115 3.97 154 652 4.23 2. E-mails are less safe than regular mails.


Subtotal 30 99 3.30 29 89 3.07 155 477 3.08 3. Most e-mails are accessed by people other than the owners.


Subtotal 30 72 2.40 29 96 3.31 154 475 3.08 Remark: F = Frequency, S = Score

Appendix D : Opinions on Internet security concern (Continued)


F S F*S Mean F S F*S Mean F S F*S Mean

4. Some e-mails do not come from the people that appear to send them.


Subtotal 30 106 3.53 29 96 3.31 155 545 3.52 5. Employers have the right to access e-mail and Internet sites used by their employees.


Subtotal 30 119 3.97 28 90 3.21 155 460 2.97 6. To reduce the risk of liability, organisations should institute an e-mail policy and distribute it to all employees.


Subtotal 30 113 3.77 29 102 3.52 154 631 4.10




7. Companies can disclose employees’ personal information if they deem it necessary.


Subtotal 30 102 3.40 29 85 2.93 154 544 3.53 8. Internet shopping is less secured than mail order.


Subtotal 30 97 3.23 29 93 3.21 154 488 3.17 9. I feel safe when I release my credit card information on the Internet.


Subtotal 30 125 4.17 29 100 3.45 154 601 3.90




10. Security and privacy concerns are barriers for my shopping online.


Subtotal 30 103 3.43 27 85 3.15 155 3.78 11. Only limited amount of personal information should be requested from children on the Internet.


Subtotal 30 120 4 29 95 3.28 154 603 3.92 12. Children should not be asked to provide information about their parents on the Internet.


Subtotal 30 131 4.37 29 104 3.59 155 668 4.31




13. The privacy of Internet users is greatly violated. • Strongly disagree 0 1 0 0 1 0 3 1 3 • Disagree 7 2 14 5 2 10 15 2 30 • Neutral 14 3 42 8 3 24 66 3 198 • Agree 8 4 32 11 4 44 53 4 212 • Strongly agree 1 5 5 4 5 20 18 5 90

Subtotal 30 93 3.10 28 98 3.50 155 533 3.44 14. Despite all the safety precautions in place today, Internet and e-mails are not safeguarded enough.


Subtotal 30 108 3.60 29 102 3.52 155 584 3.77 15. Stalking and impersonation (including forged identity) are common on the Internet.


Subtotal 30 96 3.20 29 97 3.34 155 541 3.49




16. The current laws and regulations ar sufficient for protecting information system users.


Subtotal 30 15 105 3.50 29 91 3.14 154 518 3.36 17.The current security features such as encryption and passwords are sufficient to provide security and safety when on the Internet.


Subtotal 30 15 90 3 29 78 2.69 151 486 3.22 Total 510 1807 3.54 489 1616 3.30 2623 9392 3.58

Appendix E : Ranked number of concern types

Each graph shows one of the five main types of Internet security concerns; including privacy

concern, security and preventing threats, children protection, censorhip, and preventing

impersonation and forged identity. Other concerns could be added if the participant indicated. The

graph presents the participants’ perspectives about how important the particular type of concern

was. The participants were asked to give the ranked number from 1 to 6 in order of importance. The

number one is the most important concern while number five or six (if the participants identified

any other concerns) are the least important one.

Ranked number of privacy concern

50

17 20

1033 7

14 17

55

23

81

10 10

0102030405060708090

100

1 2 3 4 5

Per

cent

(%)

Finn Thai American

Ranked number of security and threats concern

17

47

30

7

38

1017

3

13

2

24

8

31

15

25

0102030405060708090

100

1 2 3 4 5 6

Per

cent

(%)

Finn Thai American

Appendix E : Ranked number of concern types (Continued)

Ranked number of children protection concern

3

2112

10

30

20

40

2831

1015

20

9

18 18

0102030405060708090

100

1 2 3 4 5 6

Per

cent

(%)

Finn Thai American

Ranked number of censorship concern

7

21

2 27

17

39

3

53

10

27

7 3

38

24 24

0

10

20

30

40

50

60

70

80

90

100

1 2 3 4 5 6

Per

cent

(%)

Finn Thai American

Ranked number of preventing impersonation and forged identity concern

7

31

11 1418 17

1120

2023

20

33

3

28

3

24

0

10

20

30

40

50

60

70

80

90

100

1 2 3 4 5 6

Per

cent

(%)

Finn Thai American

Ranked number of other concern

48

12

2229

1817

3

10

0

10

20

30

40

50

60

70

80

90

100

1 2 3 4 5 6

Per

cent

(%)

Finn Thai American

Impact of Cultural Differences on Privacy and Security ... · 5.3.3. The research conclusion 72 5.4. Previous study about privacy concerns as barriers for e-commerce 72 5.4.1. The

Documents