Applying the Theory of Planned Behaviour to ... - IngentaConnect

Original Article

Applying the Theory of Planned Behaviour to predicting online safety behaviour Sarah Burns* and Lynne Roberts School of Psychology and Speech Pathology, Curtin University, GPO Box U1987, Perth, 6845, Western Australia. E-mails: [email protected]; [email protected] *Corresponding author.

Abstract

A widely promoted preventative measure against becoming a victim of cybercrime is the control of personal information online; however, little is known about what predicts the use of this type of protective safety behaviour. This study examines the utility of the Theory of Planned Behaviour in predicting online protective behaviours. Participants (N = 150) completed measures of online privacy attitudes, normative inﬂuence, perceived behavioural control (PBC), intention to use and actual use of online protective behaviours. Path analysis indicated the effects of online privacy attitudes and normative beliefs on online protective safety behaviours were mediated through intention, while PBC had a signiﬁcant direct effect on online protective safety behaviours. The model explained 81 per cent of the variance in protective online safety behaviours. The results of this study facilitate understanding of the psychological processes underlying the use of online protective behaviours, and can be used in the development of educational materials and cyber-identity theft prevention strategies. Crime Prevention and Community Safety (2013) 15, 48–64. doi:10.1057/cpcs.2012.13

Keywords: cybercrime; online privacy; Theory of Planned Behaviour; cyber-victimization; protective behaviours; cyber-identity theft

Introduction

I

ndividuals across the world are increasingly at risk of exploitation by criminals who facilitate illegal acts through the use of information technology, predominantly the Internet (Higgins and Blakely, 2010).

© 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64 www.palgrave-journals.com/cpcs/

Predicting online safety behaviour

Such actions have resulted in the creation of new types of crime; cybercrimes. One type of cybercrime is online identity theft and related fraudulent activity. Difficulties in policing transnational cybercrimes (Koops and Brenner, 2006), including the lack of a global cybercrime treaty (Alkaabi et al, 2010), have resulted in an increased focus on the need for Internet users to adopt strategies to protect their own identity online (Norberg et al, 2007). While there are a range of known behaviours that individuals can adopt to protect themselves from the activities of cyber-criminals, little is known about what predicts engaging in these protective behaviours. Obtaining an understanding of the psychological processes underlying the use of online protective behaviours is important as such knowledge can be used to guide the development of educational materials and cybercrime prevention strategies. In this article we explore the utility of applying the Theory of Planned Behaviour (TPB) to the prediction of online protective behaviours.

Cybercrime There has historically been a lack of cohesive definition of cybercrime, with many theorists and researchers specifying different cybercrime taxonomies (Alkaabi et al, 2010); however, cybercrimes have been generally described as those crimes that involve the use of the Internet and technology as an ‘object, instrument or environment’ (Koops, 2010, p. 738). Two broad categories of cybercrime are interpersonal cybercrime and property cybercrime. Interpersonal cybercrimes involve some form of personal assault against the victim or their reputation (for example, cyberbullying, cyberstalking and cyberharassment), whereas property cybercrimes (for example, cyberidentity theft and online fraud) primarily involve financial gain (Roberts, 2008). Of current, key concern to both organizations and individuals are information security breaches resulting in identity theft and/or financial fraud (Martin and Rice, 2011). Cyberidentity theft involves the misappropriation of online identity tokens that can include email addresses, web-pages, usernames and passwords (Roberts, 2009b). Crimes in this category include fraud-related activities such as online auction frauds, modem and webpage hijacking, advanced fee scams and identity theft (Phair, 2007). Recent research has suggested that individuals using the Internet for banking/email/instant messaging purposes are 50 per cent more likely to be victims of identity theft than others (Reyns, 2011). The impact of cyberidentity theft on the individual victim can include social, psychological damage as well as financial harm (Ngo and Paternoster, 2011). More specifically, cyberidentity theft can result in financial loss, criminal investigation and impaired credit ratings, as well as having detrimental effects on the integrity of a person’s identity (Roberts, 2009a). Psychological impacts of cybervictimization can be both short term such as acute stress and relationship breakdowns (LoPucki, 2001) and long term such as anxiety, depression © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

49

Burns and Roberts

and clinical somatization (Sharp et al, 2004). These long-term effects tend to emerge in situations where it is difficult to resolve the problems associated with the identity theft (Sharp et al, 2004). Online privacy One key way in which individuals can help protect themselves from cyberidentity theft and related fraudulent activity is to control the release of information about themselves online. Providing education in appropriate ways to control personal information flow on the Internet has been suggested as being an important aid in implementing online protective strategies appropriately (Reyns, 2010). Having control over personal information emerged as a dominant theme in research investigating individual’s attitudes towards reading website privacy notices (Milne and Culnan, 2004), and many Internet users place great value on this control (Yao et al, 2007). Although individuals perceptions of privacy are highly subjective (Schoeman, 1984), surveys and polls consistently indicate that approximately three-quarters of online users are at least somewhat concerned with their online privacy (Metzger and Docter, 2003; Cho et al, 2009). Although there has been a noted increase in self-reported online privacy concern (O’Neil, 2001), this has not always translated into protective action. While this may be partly due to a lack of online safety education (Reyns, 2010), it has been suggested that people tend to put their privacy concerns aside for the sake of convenience (Miyazaki and Fernandez, 2001). For example, Norberg et al (2007) reported that levels of actual information disclosure are significantly higher than intentions to disclose. Further, a strong optimistic bias exists where individuals judge themselves as being at less risk than others to invasions of online privacy (Cho et al, 2010). It is important to make the distinction between the concepts of online ‘security’ and ‘privacy’. While they are related concepts, data security can be seen as a requirement underlying privacy protection. A change or breach in security is likely to affect an individual’s perceptions of their state of online privacy (Martin and Rice, 2010). Protective strategies Failure to protect online security, and hence privacy, can result in increased risk of victimization for financial cybercrimes (Henson et al, 2011). Two broad categories of protective behaviours against cybercrime are those behaviours that involve an overall cautiousness on the part of the individual (such as reading license agreements and privacy policies on websites before registering for them); and those behaviours that require some knowledge of online technology in order to implement them (such as using pop-up window blockers, implementing firewalls and other internet security programs, and regularly checking the computer for spyware) (Buchanan et al, 2007). 50

© 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64


It is important to establish the reasons why individuals engage, or do not engage, in online protective behaviours in order to guide adequate cybercrime prevention and education programmes. Research employing the use of behaviour prediction models may assist in doing so. One highly influential psychological model for predicting social behaviour is the TPB (Ajzen, 1991). Theory of Planned Behaviour TPB is a widely used predictive model (see Figure 1) that stipulates that attitudes and subjective norms (SN) influence behavioural intention, which in turn influences actual behaviour (Ajzen, 1991). An individual’s attitude towards any particular behaviour involves the extent to which they positively or negatively appraise the behaviour. In the context of this research, the attitudes of importance are attitudes relating to privacy concern. SN refer to perceived pressure from an individual’s immediate and intermediate social forces to engage or not in a specific behaviour. These norms are determined by behavioural expectations of family and friends, or ‘normative beliefs’ (Ajzen, 1991). Intention is considered to be the immediate precursor of behaviour. Intention encompasses motivation and likelihood to engage in the behaviour. Factors influencing the strength of this intention–behaviour relationship include the degree to which measures of intention and behaviour correspond, the temporal stability of that intention (Ajzen and Fishbein, 1980) and the degree to which the behaviour in question is premeditated (Sheeran et al, 1999). The TPB model also posits that perceived behavioural control (PBC) may influence behaviours (Ajzen, 1991). PBC refers to the individual’s perception of his/her own capacity to carry out target behaviours. Whether or not PBC has a direct relationship with behaviour or an indirect one through intention has been found to be largely dependent on the nature of the behaviour being predicted (Ajzen and Madden, 1986). PBC may have particular relevance in the context of predicting online safety behaviour, where knowledge of how to

Figure 1:

The Theory of Planned Behaviour.


51

Burns and Roberts

implement safety procedures that protect an individual’s identity online may vary widely among the Internet using population. The TPB provides the theoretical and measurement framework for the current research. Limited published research has reported on the use of TPB to predict online safety behaviours. Dinev and Hu (2007) applied the TPB model to predicting intention to use preventative technologies such as anti-spyware software that can be used in eliminating malicious software (‘malware’). Results confirmed the expected relationships between attitudes and PBC and intention within the TPB model. However, SN was not a significant predictor of intention. An additional variable, ‘level of technological awareness’ was also found to be significantly related to intention to use protective technology. Dinev et al (2009) tested the influence of culture on the earlier developed model, reporting that culture moderated the relationships reported. Further, the relationship between SN and intention was stronger within South Korean than United States computer users. A major limitation of both these studies, however, is that only part of the TPB model was examined, with no attempt made to measure or predict actual behaviour. Yao and Linz (2008) investigated online safety behaviour prediction within the framework of the TPB with the addition of four predictors (‘psychological need for privacy’, ‘general fear of crime’, ‘general self-efficacy’ and ‘previous Internet use experience’). Four online behaviours were examined: ‘making sure that online forms are secure’, ‘opting out of third party sharing’, ‘reading privacy policy’ and ‘clearing cache memory’. Results indicated that PBC did not have a direct influence on the adoption of protection strategies; however, it did have a direct relationship with intention, as did attitudes. SN was not a significant predictor of intention to engage in online protective strategies. ‘General self-efficacy’, along with attitudes and PBC, accounted for 21 per cent of the variability in intention, while PBC was significantly influenced by both self-efficacy and Internet use experience. Overall, the final revised model accounted for 46 per cent of the variance in intention and 28 per cent of the variance in actual adoption of online protective behaviours. Limitations of this research were the limited range of protective behaviours included in the outcome measure and the lack of parsimony in the final proposed model. Current study Previous studies (Dinev and Hu, 2007; Yao and Linz, 2008) have been limited by focusing on individual behaviours and direct effects, rather than the full range of online behaviours required to protect identity online. As a result, there is limited applicability of such studies, as protecting oneself online requires the user to engage in a range of general and technical protective behaviours. The research presented in this article advances knowledge by applying the TPB 52



model to predicting variance in general online safety behaviour, rather than focusing on individual behaviours.

Method Res earc h des ig n The study employed a cross-sectional correlational design with online safety behaviour as the criterion variable. The predictor variables were attitudes, SN and PBC, with intention as a mediating variable. Participants An a priori power analysis based on values obtained from a previous TPB meta-analysis (Armitage and Conner, 2001) and Yao and Linz’s (2008) study produced an estimated sample size of 50 participants needed to detect significant effects at an alpha level of 0.05. Sample size recommendations of a 20:1 ratio of participants per parameter for path analysis (Kline, 2005) indicate that 100 participants would be required. The sample of 150 participants (80.7 per cent female; M age 26.2 years (SD = 9.8 years)), who completed the online survey meets both these requirements. Convenience sampling employing online recruitment methods included advertisements on academic and social networking websites and listings on multiple search engines, with the incentive of winning gift vouchers offered. Incentives such as this have previously been found to be effective in both gaining initial survey responses, as well as preventing attrition during survey completion (Goritz, 2006). Inclusion criteria for participation were being aged 18 years of age or older and having used the Internet in the past month. One hundred and ten participants stated Australia as their country of origin, making up 73.3 per cent of the sample. Other countries included the United States (14 per cent), Canada (4 per cent), various countries within the United Kingdom (3.3 per cent), New Zealand (2 per cent) and Hong Kong (1.3 per cent). Participants from Greece, Singapore and Norway each made up less than 1 per cent of the sample. The amount of time participants spent online ranged between 1 and 20 hours per day (Median 4 h). Measures O n l i n e s afet y b e h av i o u r Online safety behaviour was measured with a revised version of the General Caution and Technical Protection Scales (Buchanan et al, 2007). The General Caution subscale measures the frequency of general behaviours adopted to protect online privacy. An example item is ‘Do you read a website’s privacy policy before you register your information?’. Two of the six items that were not specific to protection of privacy online were removed, leaving the © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

53

Burns and Roberts

modified version with four items. The six-item Technical Protection Scale measures the frequency of use of technology to carry out privacy protection behaviours. An example of an item is ‘Do you check your computer for spyware?’. For both behaviour scales, participants ranked how frequently they adopted these behaviours on a 5-point Likert scale, ranging from ‘never’ (1) to ‘always’ (5). In this sample, Principal Axis Factoring with Varimax rotation resulted in a two-factor solution with all items loading on the intended subscales. Internal consistency of the General Caution and Technical Protection scales for the current sample was adequate, with Cronbach’s values of 0.83 and 0.74, respectively. The two scales are moderately correlated (r = 0.41) and the scale items combined provide a measure with high internal consistency (Cronbach’s = 0.81). Behavioural intention The scales for measuring online safety behaviour were modified for their use in measuring intention. The 10 items were the original statements about behaviour with the prefix ‘In future, I intend to’ preceding them, and participants were asked to what extent they agreed or disagreed along a 5-point Likert scale ranging from ‘never’ (1) to ‘always’ (5) Principal Axis Factoring with Varimax rotation extracted two clear factors equating to the General Caution and Technical Protection scales. The internal consistency of each factor and the overall measure was high (Cronbach’s Factor 1 = 0.87, Factor 2 = 0.80, Combined = 0.83). The two scales were moderately correlated (r = 0.32) and the combined mean score is used in further analyses. Attitudes Attitudes towards online privacy concern were measured with the 16-item Privacy Concern Scale (Buchanan et al, 2007). This scale asks participants to rate their concern about various aspects of online privacy on a 5-point Likert scale, ranging from ‘not at all’ to ‘very much’. An example item is ‘Are you concerned about people online not being who they say they are?’. Principal Axis Factoring with Varimax rotation extracted a two-factor solution with multiple cross-loadings. Treated as a unidimensional measure it has high internal consistency (Cronbach’s = 0.94). Subjective norms SN was measured with five items developed from Ajzen’s (2006) guidelines for developing a TPB questionnaire. Each item reflects how normative influences assist in making decisions about the adoption of online safety behaviour. An example item is ‘Most people that are important to me think that I should protect my online privacy’ (see Appendix for all items). Participants were asked to rate on a 5-point Likert scale to what extent they agreed or disagreed with 54



each statement. Principal Axis Factoring extracted one factor. The measure has good internal consistency (Cronbach’s = 0.80). Perceived behavioural control PBC was measured using a modified version of the four-item measure developed by Yao and Linz (2008). In the original measure four different prefixes reflecting different aspects of PBC preceded four different online safety behaviours. For the purpose of the current study, the four prefixes have formed four modified statements about general online safety behaviour. An example item is ‘Even if I want to, I don’t have the necessary ability to protect my privacy online’ (see Appendix for all items). Participants were asked to rate to what extent they agree or disagree with the statements on a 5-point Likert scale. In this sample the measure was unidimensional with good internal consistency (Cronbach’s = 0.90). In addition to these measures, participants were asked to provide demographic details. Age, gender and frequency of Internet use items were included as possible control variables for the analysis. Procedure Following ethics approval the measures were combined into an online questionnaire hosted by SurveyMonkey (a survey design and hosting website), and accessed via a link from an information page on Curtin University’s website. Informed consent from all participants was assumed upon completion and submission of the questionnaire. The questionnaire was accessible for a period of 8 weeks after which the data was downloaded for analysis and the questionnaire was removed from the server. Preliminary and descriptive analyses were conducted using SPSS v. 17.0 and the path analyses were conducted using LISREL (Student Version 8.80).

Results Descriptive statistics for each of the key variables in the TPB model can be seen in Table 1. Table 2 displays the frequency with which participants engaged in each of the online behaviours. Three variables were tested as potential control variables for the analysis: age, gender and time spent online in an average day. Only online time was significantly correlated with online safety behaviour (r = 0.254, P = 0.002) and was kept as a control variable for the analysis. A logarithm transformation was applied to online time because of its substantial positive skewness. Bivariate correlations were computed to test the assumptions underlying mediation models (Baron and Kenny, 1986). A non-significant relationship between PBC and intention (r = 0.143, P = 0.081) indicated that the relationship © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

55

Burns and Roberts

Table 1: Summary of descriptive statistics for key variables in Theory of Planned Behaviour model

Behaviour Intention PBC Attitudes Subjective norms

Mean (SD)

Median

3.214 (0.719) 3.736 (0.607) 2.289 (1.018) 2.804 (0.884) 3.751 (0.675)

3.331 — 3.800 — 2.000 — 2.75 — 3.800 —

Range

Skewness

Kurtosis

− 0.142 — − 0.344 — 0.549 — 0.455 — − 0.573 —

− 0.426 — 0.849 — − 0.444 — − 0.252 — 1.247 —

3.5 — 3.5 — 4 — 3.94 — 3.6 —

Table 2: Percentage (%) of respondents reporting engaging in online protective behaviours (N=150) Questionnaire item

Do you only register for websites that have a privacy policy? Do you read a website’s privacy policy before you register your information? Do you look for a privacy certification on a website before you register your information? Do you read license agreements fully before you agree to them? Do you watch for ways to control what people send you online (such as check boxes that allow you to opt-in or opt-out of certain offers)? Do you remove cookies? Do you use a pop-up window blocker? Do you check your computer for spyware? Do you clear your browser history regularly? Do you block messages/emails from someone you do not want to hear from?

Never

Rarely

9.3

14.7

27.3

Sometimes

Most of the time

Always

32

33.3

10.7

34

18.7

16.7

3.3

28

31.4

20.7

14.7

5.3

37.3

32.7

16.7

9.3

4

5.3

1.3

10.7

45.4

37.3

18 2 7.3

19.3 4.7 10.7

28.7 7.3 12.7

20.7 32.7 31.3

13.3 53.3 38

16.7

21.3

16

23.3

22.7

9.3

7.3

15.3

26.7

41.3

between PBC and behaviour was not mediated by intention, suggesting a revised TPB model dropping this pathway should also be tested. No other violations of assumptions were detected. A correlation matrix partitioning out online time (see Table 3) along with values for measurement error were input into LISREL for path analysis. The 56



Table 3: Summary of partial correlations for scores on the TPB survey when controlling for ‘online time’ (N=150) Measure

1

2

3

4

5

PBC Behaviour Attitudes Intention Subjective norms

— — — — —

− 0.20* — — — —

0.27* 0.28* — — —

0.18* 0.66* 0.48* — —

0.03 0.38* 0.28* − 0.48* —

Note: Correlations marked with * are significant at P=0.05.

Figure 2:

The Theory of Planned Behaviour model.

Figure 3: removed.

Trimmed Theory of Planned Behaviour model with the mediating effect of PBC

standard TPB path model (Figure 2) was compared against the revised TPB path model (Figure 3). A summary of model fit indices are presented in Table 4. The fit indices for both the TPB model and the revised TPB model provide a good fit to the data. The revised TPB model was selected as the more parsimonious model. The revised TPB model explains 47 per cent of the variance in intention and 81 per cent of the variance in online safety behaviour. © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

57

Burns and Roberts

Table 4: Summary of model fit indices Goodness of fit index

Recommended cut-off

TPB

Revised TPB

Normed 2(Normal Theory Weighted Least Squares 2 divided by its degrees of freedom)

Values < or equal to 3=good fit (Kline, 2005)

0.67/2=0.335

1.63/3=0.543

Comparative Fit Index (CFI)

Values > or equal to 0.9=good fit (Benet-Martínez and Karakitapoglu-Aygün, 2003)

1.00

1.00

Non-normed Fit Index (NNFI) Values > or equal to 0.9=good fit (Benet-Martínez and Karakitapoglu-Aygün, 2003) Standardised Root Mean Values < 0.08=good fit Square Residual (SRMR) (Marsh et al, 2004)

1.03

1.02

0.008

0.020

Root Mean Square of Approximation (RMSEA)

0.000

0.000

Values < 0.08=good fit (Marsh et al, 2004)

On the basis of Cohen’s (1992) effect size conventions, f 2 values for behaviour and intention of 0.89 and 4.26, respectively, indicate these are extremely large effects.

Discussion This research aimed to test the utility of the TPB model in predicting online safety behaviour. A revised version of the model, with PBC as only a direct predictor of online safety behaviour provided good fit to the data, accounting for more than 80 per cent of the variance in online safety behaviour. Attitude and SN accounted for 39 per cent and 45 per cent of the variance in intention, and their effect on online safety behaviour was fully mediated by intention. Our findings vary from previous research in a number of important ways. First, our revised TPB model accounted for significantly greater variance in both intention and online safety behaviour than previous research (Dinev and Hu, 2007; Yao and Linz, 2008). Our findings indicate a strong, significant relationship between SN and intention, suggesting that influence from external parties had a significant bearing on whether an individual intends to engage, or not engage, in protective behaviours. This significant relationship is substantially larger than reported in previous research implementing the TPB (Armitage and Conner, 2001). This finding does, however, reflect Lewis et al’s (2008) finding that an influential predictor of students setting their profiles to ‘private’ on social networking sites is whether their friends implement the same privacy settings on their profiles. A possible reason for similarities 58



between Lewis et al’s (2008) findings and the current study is the high female response rate in each sample. Further research into gender differences in safety behaviour implementation in relation to peer influence may be warranted given these findings. Second, PBC was a direct predictor of online safety behaviour in this study, but an indirect predictor in the study by Yao and Linz (2008). A possible reason for this is due to design differences of the two studies. Yao and Linz (2008) adopted a longitudinal design with intention and behaviour measured at separate time periods, while the current cross-sectional study measured these elements at the same time; hence this might be a reason for the variations in results. A second explanation may lie in the phrasing of items used to measure PBC in the current study, resulting in the lack of direct relationship between PBC and intention. Each item was prefaced with ‘even if I want to …’, rather than ‘even if I intend to …’. The word ‘want’ may evoke an emotion-based response rather than a deliberated response, which may be elicited through the word ‘intend’. This possible measurement issue could be an explanation of the non-significant PBC–Intention relationship, and indicates the need for further research on the role of PBC in predicting online safety behaviours. Sampling issues (method of sampling and sample composition) were a limitation in the current study. A convenience sampling method was adopted for this study, limiting the extent to which the results can be generalized to the larger population of Internet users. As previously noted, the over-representation of females in the sample further limits the generalizability of the findings. It is recommended that future research include adolescent participants to determine if the modified TPB is also predictive within this new generation of Internet users. Findings from such a study may assist in implementing safety awareness programmes targeted at a younger population. Another sampling issue of this research was the gender imbalance in the convenience sample of participants recruited. Preliminary testing indicated there was no statistical difference in online safety behaviour between males and females; however, this is inconsistent with previous research. For example, in a study asking participants to rate concern for their privacy in a number of hypothetical situations, females were found to be significantly more concerned for their privacy than males in 5 of the 15 situations presented (Sheehan, 1999). Interestingly, males were found to be more likely to protect their information online than females in an online community sample (Milne et al, 2004). Future research on a larger sample with equal representation of males and females would enable the testing of the revised TPB model for each gender separately, as well as making appropriate comparisons across males and females. Another limitation of this research is the reliance on a self-report measure of past protective behaviours as the behavioural measure. This constraint is one that appears in many studies that use TPB as a framework for behaviour prediction (Ouellette and Wood, 1998; Armitage and Conner, 2001; Rhodes © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

59

Burns and Roberts

and Courneya, 2003). In order to most accurately infer a relationship between intention and behaviour, intent must first be measured with an allocated amount of time allowed to pass before measuring the behaviour in question (Ajzen, 2002). Future research would benefit from adopting a longitudinal design to achieve this. As noted previously, one possible avenue for addressing cybercrime is to shift the focus away from the often difficult task of apprehension of cybercriminals (Thomas and Loader, 2000) to emphasize the use of protective behaviours by Internet users. This is consistent with the victimization perspective on crime prevention (Lewis and Lewis, 2011). The results from the current study suggest that whether or not a person chooses to adopt online protection strategies is directly influenced by their perceptions of their own capacity to do so (that is, their PBC). Consequently, individuals who do not see themselves as having the necessary ability and knowledge to protect their personal information online simply do not do so. This highlights the need for awareness campaigns and educational programmes focusing on online protective behaviours. Awareness campaigns aim to keep cybercrime risks within the minds of Internet users, while education campaigns provide the knowledge and skills required to engage in online safety behaviours (Martin and Rice, 2011). The results of this study indicate that the online protective behaviours that are least likely to be engaged in include reading license agreements fully before agreeing to them, reading privacy policies and looking for privacy certification on websites before registering personal information. Of concern, many participants neither currently engage in these protective behaviours nor intend to in the future. This suggests that one avenue for improvement could involve modifying the way in which privacy policies and license agreements are presented to consumers. Milne and Culnan (2004) have acknowledged that it is difficult to persuade consumers to read privacy notices; however, to increase the likelihood of having these notices read and trusted, they must be simplified and made far more accessible to the public in a condensed format. To further increase the possibility of privacy notices being read, other opportunities for programme development may involve changing individuals’ views of the importance of reading such information. Any such cybercrime prevention programmes will require evaluation to determine their effectiveness. Further research is required to determine whether online privacy concern increases or decreases upon programme completion, and the impact this has on engaging in online safety behaviours. This would assist in shedding light on the debate over whether knowledge fuels concern or whether it relieves it (O’Neil, 2001). In conclusion, the current research provides support for the utility of a revised version of the TPB for predicting online safety behaviours. The effect of attitude and normative beliefs on online safety behaviours is mediated through intention to engage in those behaviours. In addition, PBC had a 60



significant direct effect on online safety behaviours. To protect one’s identity online, engaging in a range of both general and technical protective behaviours is required.

Acknowledgements The authors thank the significant contribution of the anonymous reviewers in the revision process of this article.

References Ajzen, I. (1991) The theory of planned behaviour. Organisational Behaviour and Human Decision Processes 50(2): 179–211. Ajzen, I. (2002) Residual effects of past on later behaviour: Habituation and reasoned action perspectives. Personality and Social Psychology Review 6(2): 107–122. Ajzen, I. (2006) Theory of planned behaviour, http://people.umass.edu/aizen/index.html, accessed 19 February 2009. Ajzen, I. and Fishbein, M. (1980) Understanding Attitudes and Predicting Social Behaviour. Englewood Cliffs, NJ: Prentice-Hall. Ajzen, I. and Madden, T.J. (1986) Prediction of goal-directed behavior: Attitudes, intentions, and perceived behavioral control. Journal of Experimental Social Psychology 22(5): 453–474. Alkaabi, A., Mohay, G.M., McCullagh, A.J. and Chantler, A.N. (2010) Dealing with the problem of cybercrime. In: Conference Proceedings of 2nd International ICST Conference on Digital Forensics & Cyber Crime, 4–6 October, Abu Dhabi. Armitage, C.J. and Conner, M. (2001) Efficacy of the theory of planned behavior: A meta-analytic review. British Journal of Social Psychology 40(4): 471–499. Baron, R.M. and Kenny, D.A. (1986) The moderator-mediator variable distinction in social psychological research: Conceptual, strategic, and statistical considerations. Journal of Personality and Social Psychology 51(6): 1173–1182. Benet-Martínez, V. and Karakitapoglu-Aygün, Z. (2003) The interplay of cultural syndromes and personality in predicting life satisfaction. Journal of Cross-cultural Psychology 34(1): 38–60. Buchanan, T., Paine, C., Joinson, A.N. and Reips, U. (2007) Development of measures of online privacy concern and protection for use on the internet. Journal of the American Society for Information Science and Technology 58(2): 157–165. Cho, H., Lee, J.S. and Chung, S. (2010) Optimistic bias about online privacy risks: Testing the moderating effects of perceived controllability and prior experience. Computers in Human Behaviour 26(5): 987–995. Cho, H., Rivera-Sanchez, M. and Lim, S.S. (2009) A multinational study on online privacy: Global concerns and local responses. New Media & Society 11(3): 395–416. Cohen, J.A. (1992) A power primer. Psychological Bulletin 112(1): 155–159. Dinev, T., Goo, J.M., Hu, Q. and Nam, K. (2009) User behaviour towards protective information technologies: The role of national cultural differences. Information Systems Journal 19(4): 391–412. Dinev, T. and Hu, Q. (2007) The centrality of awareness in the formation of user behavioral intention toward protective information technologies. Journal of the Association for Information Systems 8(7): 386–408. © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

61

Burns and Roberts

Goritz, A.S. (2006) Incentives in web studies: Methodological issues and a review. International Journal of Internet Science 1(1): 58–70. Henson, B., Reyns, B.W. and Fisher, B.S. (2011) Security in the 21st century. Criminal Justice Review 36(3): 253–268. Higgins, G.E. and Blakely, C.R. (2010) Cybercrime: An Introduction to an Emerging Phenomenon. New York: McGraw-Hill Higher Education. Kline, R.B. (2005) Principles and Practice of Structural Equation Modelling, 2nd edn. New York: Guilford Press. Koops, B. (2010) The internet and its opportunities for cybercrime. In: M. Herzog-Evans (ed.) Transnational Criminology Manual. Nijmegen: WLP, pp. 735–754. Koops, B. and Brenner, S.W. (2006) Cybercrime jurisdiction: An introduction. Cybercrime and Jurisdiction: A Global Survey. The Hague, The Netherlands: TMC Asser Press, pp. 1–7. Lewis, K., Kaufman, J. and Christakis, N. (2008) The taste for privacy: An analysis of college student privacy settings in an online social network. Journal of Computermediated Communication 14(1): 79–100. Lewis, S. and Lewis, D.A. (2011) Digitalizing crime prevention theories: How technology affects victim and offender behavior. International Journal of Criminology and Sociological Theory 4(2): 756–769. LoPucki, L.M. (2001) Human identification theory and the identity theft problem. Texas Law Review 80(1): 89–135. Marsh, H.W., Hau, K.T. and Wen, Z. (2004) In search of golden rules: Comment on hypothesis-testing approaches to setting cutoff values for fit indexes and dangers in overgeneralizing Hu and Bentler’s (1999) findings. Structural Equation Modeling 11(3): 320–341. Martin, N. and Rice, J. (2010) Building better Government IT: Understanding community beliefs and attitudes towards smart card technologies. Behaviour and Information Technology 29(4): 433–444. Martin, N. and Rice, J. (2011) Cybercrime: Understanding and addressing the concerns of stakeholders. Computers & Security 30(8): 803–814. Metzger, M. and Docter, S. (2003) Public opinion and policy initiatives for online privacy protection. Journal of Broadcasting and Electronic Media 47(3): 350–374. Milne, G. and Culnan, M. (2004) Strategies for reducing online privacy risks: Why consumers read (or don’t read) online privacy notices. Journal of Interactive Marketing 18(3): 15–29. Milne, G.R., Rohm, A.J. and Bahl, S. (2004) Consumers’ protection of online privacy and identity. Journal of Consumer Affairs 38(2): 217–232. Miyazaki, A.D. and Fernandez, A. (2001) Consumer perceptions of privacy and security risks for online shopping. Journal of Consumer Affairs 35(1): 27–44. Ngo, F.T. and Paternoster, R. (2011) Cybercrime victimization: An examination of individual and situational level factors. International Journal of Cyber Criminology 5(1): 773–793. Norberg, P.A., Horne, D.R. and Horne, D.A. (2007) The privacy paradox: Personal information disclosure intentions versus behaviours. Journal of Consumer Affairs 41(1): 100–126. O’Neil, D. (2001) Analysis of internet users’ level of online privacy concerns. Social Science Computer Review 19(1): 17–31. Ouellette, J.A. and Wood, W. (1998) Habit and intention in everyday life: The multiple processes by which past behaviour predicts future behaviour. Psychological Bulletin 124(1): 54–74.

62



Phair, N. (2007) Cybercrime: The Reality of the Threat. Kambah, Australia: Nigel Phair. Reyns, B.W. (2010) A situational crime prevention approach to cyberstalking victimization: Preventive tactics for Internet users and online place managers. Crime Prevention and Community Safety 12(2): 99–118. Reyns, B.W. (2011) Online routines and identity theft victimization: Further expanding routine activity theory beyond direct-contact offenses. Journal of Research in Crime and Delinquency, published online 8 November. doi: 10.1177/0022427811425539. Rhodes, R.E. and Courneya, K.S. (2003) Modelling the theory of planned behaviour and past behaviour. Psychology, Health and Medicine 8(1): 57–68. Roberts, L. (2008) Cyber-victimisation in Australia: Extent, Impact on Individuals and Responses. Briefing Paper no. 6: Tasmanian Institute of Law Enforcement Studies. Roberts, L. (2009a) Cyber-victimisation. In: R. Luppicini and R. Adell (eds.) Handbook of Research on Technoethics. New York: Information Science Reference, pp. 575–592. Roberts, L. (2009b) Cyber identity theft. In: R. Luppicini and R. Adell (eds.) Handbook of Research on Technoethics. New York: Information Science Reference, pp. 542–557. Schoeman, F. (1984) Philosophical Dimensions of Privacy. Cambridge: Cambridge University Press. Sharp, T., Shreve-Neiger, A., Fremouw, W., Kane, J. and Hutton, S. (2004) Exploring the psychological and somatic impact of identity theft. Journal of Forensic Sciences 49(1): 131–136. Sheehan, K.B. (1999) An investigation of gender differences in online privacy concerns and resultant behaviours. Journal of Interactive Marketing 13(4): 24–38. Sheeran, P., Orbell, S. and Trafimow, D. (1999) Does the temporal stability of behavioral intentions moderate intention-behavior and past behavior-future behavior relations? Personality and Social Psychology Bulletin 25(6): 724–734. Thomas, D. and Loader, B.D. (eds.) (2000) Cybercrime: Law Enforcement, Security and Surveillance in the Information Age. New York: Routledge. Yao, M.Z. and Linz, D.G. (2008) Predicting self-protections of online privacy. CyberPsychology and Behaviour 11(5): 615–617. Yao, M.Z., Rice, R.E. and Wallis, K. (2007) Predicting user concerns about online privacy. Journal of the American Society for Information Science and Technology 58(5): 710–722.

Appendix Perceived behavioural control items Even if I want to, I don’t have the necessary confidence to protect my privacy online Even if I want to, I don’t have the necessary ability to protect my privacy online Even if I want to, I don’t have the necessary knowledge to protect my privacy online Even if I want to, I don’t have the necessary resources to protect my privacy online © 2013 Macmillan Publishers Ltd. 1460-3780 Crime Prevention and Community Safety Vol. 15, 1, 48–64

63

Burns and Roberts

Subjective norms items Most people that are important to me think that I should protect my online privacy It is expected of me that I protect my online privacy The people in my life whose opinions I value would approve of me protecting my online privacy To the extent of my knowledge, most people who are important to me protect their online privacy Many people like me protect their online privacy

64
