Next Article in Journal
Research on the Impact Mechanism of Smart City Construction on Economic Growth—An Analysis Based on the Schumpeterian Innovation Theory Framework
Previous Article in Journal
An Integrated CREAM for Human Reliability Analysis Based on Consensus Reaching Process under Probabilistic Linguistic Environment
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Systems
Volume 12
Issue 7
10.3390/systems12070250
systems-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Research on Privacy-by-Design Behavioural Decision-Making of Information Engineers Considering Perceived Work Risk

by
Fei Bu
1,
Nengmin Wang
2,3,*,
Qi Jiang
2 and
Xiang Tian
1
1
School of Economics and Management, Xi’an Technological University, Xi’an 710021, China
2
School of Management, Xi’an Jiaotong University, Xi’an 710049, China
3
ERC for Process Mining of Manufacturing Services in Shaanxi Province, Xi’an 710049, China
*
Author to whom correspondence should be addressed.
Systems 2024, 12(7), 250; https://doi.org/10.3390/systems12070250
Submission received: 9 May 2024 / Revised: 6 July 2024 / Accepted: 9 July 2024 / Published: 11 July 2024
(This article belongs to the Section Systems Practice in Social Science)
Browse Figures
Versions Notes

Abstract

:
Privacy by design (PbD) has attracted considerable attention from researchers and information security experts due to its enormous potential for protecting private information and improving the privacy and security quality of information technology products. The adoption of PbD among information engineers is currently limited owing to its innovativeness and the distinctive traits of the information technology industry. Utilising the Technology Acceptance Model as a framework, this study innovatively explores the pivotal factors and mechanisms that influence information engineers’ decision-making in the adoption of PbD from the viewpoint of the perceived work risk. In this empirical research, professional information engineers were invited to complete a questionnaire survey. After analysing the data using partial least squares structural equation modelling, the results reveal that information engineers’ perceived work risk in PbD (PWRP) negatively affects their perceptions of the usefulness and ease of use of PbD. This negative perception subsequently reduces their intention to implement PbD (INTP) and adversely impacts their attitudes towards implementing PbD (ATTP). Furthermore, the study findings reveal that a positive ATTP among engineers boosts their INTP and positively influences their behaviours regarding information security. This study provides an in-depth examination of these findings and lays a solid theoretical groundwork for the further promotion and implementation of PbD in information technology enterprises. Moreover, the findings offer invaluable support for management decisions in both information technology companies and information security regulatory authorities, significantly contributing to the expansion and deepening of research in the field of PbD.

1. Introduction

The era of the internet and cloud computing has witnessed the strong growth of the global big data storage volume. According to the reports of the International Data Corporation (IDC), the global big data storage volume has maintained an annual growth rate of 40% in recent years. A report issued by the IDC in May 2024 forecasts that 159.2 zettabytes (ZB) of data will be generated globally in 2024, a figure expected to more than double, reaching 384.6 ZB, by 2028. This substantial increase in data volume presents both challenges and opportunities for enterprises and institutions. The management, storage, analysis, and securing of such vast amounts of data demand sophisticated technologies and strategies [1]. Furthermore, Statista Inc. revealed that the global big data analytics market was worth over 240 billion in 2021, and it is anticipated to surpass 650 billion by 2029 [2]. Meanwhile, the extensive application of information products and the popularity of internet plus have increased the scale and complexity of the data related to information products. The enormous data scale, diversified data structure, and more frequent data processing and exchange activities have led to the frequent leakage of private personal information in recent years. The need to safeguard private personal information has become increasingly apparent, necessitating the adoption of effective measures for the protection of personal data.
Information products are characterised by the particularity of rapidly increasing demands and fierce market competition. At present, most information technology enterprises adopt the traditional passive recovery privacy and security strategy, i.e., enterprises prioritise the production speed of products and then adopt “patches” to fix the privacy loopholes in the subsequent use of the products. However, the frequent occurrence of privacy leaks not only causes huge economic losses for enterprises and customers but also seriously damages the reputation of the information technology industry and deteriorates the credit system of the network and even society as a whole [3]. In 2019, the Capital One Group experienced a severe leakage of the sensitive information of credit card customers, and it incurred costs as high as USD 100 million to USD 150 million to remedy this [4]. The existing passive privacy and security policies have become increasingly insufficient to meet the privacy and security needs of the public, enterprises, and society. Protecting privacy-related information in IT products should not merely involve devising reactive and passive security measures. An active privacy and security strategy is better aligned with the public’s needs for privacy and security and more conducive to the future development of information technology enterprises. In the design, production, operation, and maintenance processes of IT products, information holders and all stakeholders who are responsible for information security should pay more attention to the protection of privacy-related information. Therefore, a continuous focus on and improvement of the privacy and security quality of information products, as well as the ongoing refinement of product privacy and security strategies, represent inevitable trends in the development of the IT industry [5].
Information engineers, as providers of information technology and information services, constitute a pivotal component of information technology organisations. They serve as the primary decision-makers in selecting and implementing privacy policies for information products. They can collect, process, manage, and use a large amount of user data and information. Therefore, their behavioural decisions will affect the adoption of information security technologies and the deployment of privacy and security policies. Information engineers’ behaviours directly affect the final privacy and security quality of information products [6,7]. A data leakage investigation report indicates that human error accounts for 23% of the total data leakages. For example, in 2017, the staff of the data analysis company Deep Root Analytics updated the database on a cloud server without security measures such as password protection, resulting in the disclosure of the personal information of more than 190 million individuals [8]. In 2021, an American medical service provider was accused of leaking the sensitive information of more than 650,000 patients due to poor awareness of information security and the failure to properly deploy system security measures, resulting in huge losses [9]. It has been found that the underlying cause of many large-scale privacy breaches is the insufficient emphasis placed on privacy protection by the information engineers involved. At present, with the enactment of various data and privacy protection laws and regulations, the designers and developers of information products need to comply with strict data protection and data operation compliance requirements. Privacy and security risk management has become a challenge for many enterprises. The heightened focus on privacy and security among consumers and legislators has led to reforms in the information technology industry. For information technology enterprises to pursue long-term development, they must pay full attention to data security and privacy protection in information products [10].
Privacy by design (PbD) is an active privacy security methodology for information products and a comprehensive privacy security strategy that includes the overall privacy design concept and principles, private information protection technology, and a privacy protection architecture [11]. PbD, as an active long-term privacy and security paradigm, emphasises providing active private information protection from the initial stage of product design to the end of the product life cycle [12,13]. PbD is user-centred and aims to provide user privacy and information security and protection at every stage of the product life cycle [14,15]. Implementing PbD throughout the entire life cycle of an IT product is an important approach to effectively enhance the privacy and security quality of information products.
In recent years, data breach investigation reports have pointed out that the information technology industry is the industry with the highest incidence of data leakages, and the frequent occurrence of privacy leakage events decreases customer and social trust in this industry [14,16,17,18]. In an environment in which the information technology industry exhibits an increasing demand for privacy and security, PbD becomes a double-edged sword, bringing both challenges and opportunities for information technology enterprises [19]. Research related to PbD is of great significance for both the development of the IT industry and the comprehensive improvement of privacy and security in information products.
Information engineers are the practical executors of PbD, and the specific technical measures intended to improve the privacy and information security levels of products also need to be implemented by information engineers [14,20]. The attitudes of information engineers towards privacy and security and their corresponding decisions are crucial to the privacy design of information products. However, currently, in the operation of information technology enterprises and the work of information engineers, priority is given to quickly realising the functional system requirements of the product, rather than prioritising the improvement of the product’s privacy and security protection. As an active privacy and security strategy, PbD differs from the current mainstream passive privacy and security measures. PbD emphasises the proactive protection of private information throughout the entire life cycle of an information product, which contrasts with the current situation, where private information protection is of lower priority in the production of information products. The survey results presented by Bednar et al. [20] indicate that many senior system engineers working for software companies and well-known research institutions believe that paying attention to or strictly adhering to privacy requirements at work increases their workload. Although engineers believe that privacy protection is important, they are still reluctant to address this problem when designing information products [21,22]. The risk of obstacles caused by adopting PbD at work has become one of the main concerns among information engineers regarding PbD. Regarding the current production process of IT products, PbD is not a mainstream privacy security strategy adopted by information engineers in product design and production. Most information engineers do not proactively implement PbD during the product design and production process [7,23]. The implementation of PbD in the information technology industry has become an important topic. Studying the impact mechanisms behind information engineers’ concerns about PbD-related obstacles and their attitudes towards PbD and behavioural decisions is of significant importance for the successful implementation of PbD and the enhancement of privacy and security in information products.
The Technology Acceptance Model (TAM) is a theoretical framework used to explain how users accept and adopt new technologies. It is often applied to discuss the driving factors and impact mechanisms of individuals’ adoption of new information technologies or systems [24,25,26,27]. The strengths of the TAM lie in its simplicity and strong explanatory power. The TAM has been proven to be effective in explaining the decision-making mechanisms of individuals in adopting new information technologies or systems. It has found applications in various fields of information technology and system adoption studies, such as e-commerce, mobile computing, educational technology, and other domains [28,29,30,31].
The existing privacy and information security research mostly focuses on passive privacy and security strategies, including explorations of fundamental privacy and security theories, enhancements of private information protection technologies, and studies of user privacy and security behavioural norms. Only a small number of studies exist on PbD [23]. PbD demands a more proactive approach towards privacy and information security compared to the prevalent reactive privacy and security measures. Furthermore, existing research findings indicate that information engineers often view the stringent privacy and security demands of PbD as creating an additional workload, which can disrupt their work schedules as they focus on the swift achievement and updating of products’ functional capabilities. Most information engineers do not actively embrace PbD. Hence, exploring the factors that motivate information engineers to implement PbD is pivotal in advancing PbD’s adoption and improving the safeguarding of private information within information products. Nevertheless, at present, empirical studies on the driving factors and impact mechanisms associated with PbD adoption among information engineers are scarce.
Based on the importance of PbD for private information protection and the sustainable development of the information technology industry, this study explores the factors and mechanisms that affect information engineers’ attitudes and intentions regarding PbD, and their PbD-related information security behaviours, based on the TAM. Additionally, this study investigates the impact and mechanism of the perceived work risk caused by PbD on the decision to embrace PbD. Utilising an empirical research approach, this study conducts an in-depth quantitative investigation into how information engineers’ perceptions of work risks influence their decision to adopt PbD. Through the research design, research method, results, and discussion, this study aims to provide valuable decision support and management recommendations for information security regulatory authorities and information enterprises in advancing the implementation of PbD. The core objective of this research is to assist organisations in better comprehending and addressing the impact of individual perception-related factors among information engineers regarding PbD adoption, ultimately fostering the widespread acceptance and utilisation of PbD.

2. Research Design

2.1. Intention to Implement PbD (INTP) and Behaviours Regarding Information Security (BEIS)

Intention is a mental state that is widely used in the study of individual behaviours, referring to the tendency of an individual to engage in a certain behaviour [32,33]. Intention to implement PbD (INTP) refers to the intention of information engineers to carry out PbD. Behaviours regarding information security (BEIS) refer to the actual privacy- and information-protecting practices of information engineers in their work, including the implementation of privacy protection policies in the whole product cycle. Existing studies have proven that individuals’ intentions to use certain information systems or technologies will significantly affect their specific behaviours [32,34,35]. If an information engineer has a strong intention to implement PbD, the probability that they will engage in PbD-related privacy protection and information security behaviours is higher. Therefore, based on the reasoning above, this study proposes the following hypothesis.
H1. 
The intention to implement PbD (INTP) among information engineers positively influences their behaviours regarding information security (BEIS).

2.2. Attitudes towards Implementing PbD (ATTP), Intention to Implement PbD (INTP), and Behaviours Regarding Information Security (BEIS)

Attitude is a psychological tendency that is associated with an individual’s emotions towards a target behaviour. An individual’s attitude towards a behaviour is determined by their evaluation of the outcomes of this behaviour [36]. Attitude is often used to predict an individual’s intention and behaviour when adopting new technologies [37]. In their study of users’ willingness to use mobile payments, Patil et al. [25] found that individuals’ attitudes towards the use of mobile payments significantly affected their willingness to accept and use mobile payments. Furthermore, after investigating the usage of mobile health services, Zhao et al. [38] discovered that personal attitudes were a key factor in predicting behavioural intention.
Studies have shown that individuals have positive attitudes towards behaviours that are expected to have positive consequences and negative attitudes towards behaviours that are considered to have negative consequences [32]. Studies based on the TAM prove that an individual’s attitudes towards behaviours have a significant impact on their behaviours, i.e., the more positive an individual’s attitude towards a behaviour, the more likely they are to accept it [39]. Spiekermann et al. [22] found that the privacy-protective and information security behaviours of information engineers are related to their personal attitudes towards privacy and information security. Therefore, it can be reasonably inferred that if an information engineer exhibits a positive attitude towards and perception of the use of PbD and believes that employing PbD will have a positive impact on various aspects of private information protection in IT products, the strength of the engineer’s intention to engage in PbD and the probability that they will perform PbD-related information security behaviours will be higher. Thus, the following hypotheses can be proposed.
H2a. 
Attitudes towards implementing PbD (ATTP) among information engineers are positively associated with their intention to implement PbD (INTP).
H2b. 
Attitudes towards implementing PbD (ATTP) among information engineers are positively associated with their behaviours regarding information security (BEIS).

2.3. Perceived Usefulness of PbD (PUP), Attitudes towards Implementing PbD (ATTP), and Intention to Implement PbD (INTP)

Perceived usefulness refers to the degree to which a person believes that using a particular system or technology will be effective in improving their job performance [40]. Perceived usefulness is a core construct in the TAM that influences individuals’ specific behavioural attitudes. Guner and Acarturk [41] investigated the use of information and communication technologies among older and younger adults in Turkey, grounding their research within the TAM. The findings indicated that when individuals perceive information and communication technologies as useful, their attitudes towards using these technologies are more positive [41]. Individuals’ subjective measurement of whether a new information system or information technology is useful will determine their positive or negative judgement of the target behaviour to some extent [42]. In this study, the perceived usefulness of PbD (PUP) is defined as the extent to which information engineers believe that using PbD during their work process will enhance the privacy and security performance of the IT products that they design and produce. If an information engineer believes that PbD will improve the privacy and information security quality of their information technology products, their subjective attitude towards PbD is likely to be more positive.
On the other hand, the research results of Abduljalil and Zainuddin [43] prove that achieving higher work performance is one of the motivations to use new information technologies or systems. In addition, the research by Chaouali et al. [44] found that users’ assessments of the usefulness of online banking could effectively predict their willingness to use online banking. As the market competition for information products becomes increasingly fierce, and with the changing information security environment, consumers and markets are paying more attention to IT products’ privacy and information security. While focusing on the functionality and production speed of IT products, information technology companies are also beginning to pay attention to products’ privacy protection and information security quality. For instance, testing for IT products’ privacy protection has been integrated into the quality testing that IT products undergo before entering the market. It can be postulated that if information engineers believe that PbD can help them to protect users’ privacy and information security during the work process and improve the information security quality of their IT products, they will be more willing to accept PbD. Therefore, the following hypotheses can be proposed.
H3a. 
The perceived usefulness of PbD (PUP) among information engineers is positively associated with their attitudes towards PbD implementation (ATTP).
H3b. 
The perceived usefulness of PbD (PUP) among information engineers is positively associated with their intention to implement PbD (INTP).

2.4. Perceived Ease of Use of PbD (PEUP), Attitudes towards Implementing PbD (ATTP), and Intention to Implement PbD (INTP)

The TAM defines perceived ease of use as the degree to which individuals believe that they can easily use new systems or technologies [42,45]. Based on the existing research on the TAM, an individual’s perception of the ease of use of a new technology or system is an important factor affecting its perceived usefulness and their subjective attitude [46,47]. For example, when tourists use an online travel system, if they perceive the system to be easy to use, they will hold a more positive attitude towards it [48]. In this study, the perceived ease of use of PbD (PEUP) is defined as the information engineers’ perception of the difficulty of using PbD. When information engineers believe that they can easily implement PbD, they will perceive PbD to be useful and display a positive attitude towards it. Meanwhile, the research results of Sánchez-Prieto et al. [49] confirm the significant relationship between perceived ease of use and behavioural intention. If information engineers perceive PbD as a privacy and security policy that is easy to implement, they may be more willing to adopt it. Furthermore, Alhazmi and Arachchilage [50] suggest that perceived ease of use can also indirectly influence behavioural intention by affecting perceived usefulness. When information engineers believe that PbD is easy to implement, they will have higher expectations regarding the benefits of PbD [7]. Based on the above, the perceived ease of use of PbD will positively influence information engineers’ judgements regarding the perceived usefulness of PbD. Therefore, the following hypotheses can be proposed.
H4a. 
The perceived ease of use of PbD (PEUP) among information engineers is positively associated with their attitudes towards implementing PbD (ATTP).
H4b. 
The perceived ease of use of PbD (PEUP) among information engineers is positively associated with their intention to implement PbD (INTP).
H4c. 
The perceived ease of use of PbD (PEUP) among information engineers is positively associated with the perceived usefulness of PbD (PUP).

2.5. Perceived Work Risk concerning PbD (PWRP), Perceived Usefulness of PbD (PUP), and Perceived Ease of Use of PbD (PEUP)

PbD, as a new working mode for information system, is mainly a private information protection framework that encompasses a series of privacy data protection technologies and methods. It adopts the idea of privacy protection across the whole life cycle of an information product and timely, updated information protection technology. In the results of interview surveys on privacy design, it can be found that most information engineers recognise the important role of PbD in improving the privacy and security of information technology products. At the same time, the interviewed information engineers also commonly believe that implementing PbD in their workflow would result in an increased workload. Information engineers point out that the benefits of adopting PbD would be more directly reflected at the user level. For example, with PbD, IT products will protect customers’ privacy information more effectively, making the customers the direct beneficiaries. At the same time, a good reputation regarding their products’ privacy and security is conducive to the future development of information technology enterprises. However, as a new working mode, PbD is very different from the current, mainstream passive privacy protection strategies regarding their technical requirements and implementation priorities. Bednar et al. [20] found that many senior information engineers consider strict privacy requirements to be a burden in the production process, and they believe that habitual workflows must be changed and additional effort must be made to meet such privacy protection standards. On the other hand, in order to meet the demand for rapid product updates and pursue higher market competitiveness, in practice, IT enterprises require engineers to strictly control the scheduling of product projects. As a result, information engineers must implement trade-offs between productivity and the privacy and information security of their products. In this study, the perceived work risk concerning PbD (PWRP) is defined as the degree to which information engineers perceive an increased risk of work obstruction when they carry out PbD in their workflows. The greater the perceived interference of PbD in their work, the greater the negative effect on their judgement of the perceived usefulness and perceived ease of use of PbD. Meanwhile, if information engineers feel that their work has become more difficult in the process of adopting PbD, their judgement regarding the consequences of PbD’s implementation will be more negative, and they will be less willing to accept and adopt PbD in the future. Therefore, this study proposes the following hypotheses.
H5a. 
The perceived work risk concerning PbD (PWRP) among information engineers is negatively associated with the perceived usefulness of PbD (PUP).
H5b. 
The perceived work risk concerning PbD (PWRP) among information engineers is negatively associated with the perceived ease of use of PbD (PEUP).
H5c. 
The perceived work risk concerning PbD (PWRP) among information engineers is negatively associated with their attitudes towards PbD implementation (ATTP).
H5d. 
The perceived work risk concerning PbD (PWRP) among information engineers is negatively associated with their intention to implement PbD (INTP).
This study aims to explore the influence and mechanisms associated with the personal perceptions of information engineers regarding the adoption of PbD and to discuss the significant role of the perceived work risk concerning PbD (PWRP) based on the TAM. In summary, based on the TAM, this study comprehensively considers the interactive impact of the perceived work risk concerning PbD on information engineers’ attitudes towards PbD (ATTP), their intention to implement PbD (INTP), the perceived usefulness of PbD (PUP), and the perceived ease of use of PbD (PEUP). Based on the comprehensive analysis conducted, the aforementioned hypotheses (elaborated in Table 1) are proposed, and a research model, illustrated in Figure 1, is established.

3. Research Method

3.1. Data Collection and Samples

This study explores the factors influencing the attitude and intention of information engineers regarding PbD and their behaviours regarding information security. Therefore, information engineers from different stages in the life cycle of information technology products were chosen as the respondents in this investigation. To empirically validate the hypotheses and research models proposed, data were gathered via interviews, as well as offline and online questionnaires. In the empirical investigation, the questionnaire design incorporated computational questions, reverse questions, and repeated questions as detection items. These detection items can effectively reduce the impact of default bias and malicious filling on survey results [51]. Additionally, the items in the questionnaire were randomly ordered. Items appearing in a random sequence help to reduce the impact of order deviation on the results [52]. The data collection process was divided into two stages, separated by at least a 24 h interval, to reduce the impact of emotional bias on the survey results [53]. The diverse data sources and the spaced data collection process aimed to reduce the impact of method biases on the research findings [52]. Finally, a total of 295 samples were effectively recovered through quality screening. In this study, the aforementioned measures were primarily adopted to reduce the impact of method biases, inherent mindsets, and malicious filling on the survey results.
The respondents of this survey were the current employees of information technology enterprises. Among the respondents, 51.19% were female and 48.81% were male, showing a balanced gender distribution (elaborated in Table 2). Respondents aged between 20 and 39 accounted for 95.25% of the sample, with a relatively concentrated age distribution. In terms of the educational level, the proportion of undergraduates was the highest, reaching 80.00%, while only 5.42% of the respondents had a lower education level, which was more aligned with the characteristics of the employees of information technology enterprises. Therefore, the data were reliable. In addition, 67.12% of the respondents reported that they had only heard about PbD but lacked detailed knowledge of it. Moreover, 1.02% of the respondents reported that they were completely unaware of PbD. This shows that PbD is not a mainstream privacy protection strategy at present, and relevant research on PbD has theoretical and practical significance.
PLS-SEM is a statistical analysis method that combines principal component analysis with multiple regression, optimising the predictive performance of the model through iterative estimation. It excels in handling complex data situations, including small samples, non-normally distributed data, and the presence of multicollinearity, making it applicable to both reflective and formative models [54,55,56]. Compared to conventional CB-SEM, PLS-SEM offers the advantage of requiring a smaller sample size, which is crucial when sample resources are limited. Typically, PLS-SEM can perform effective analysis with a sample size between 30 and 100, and Reinartz et al. [57] further noted that the performance of the partial least squares method is less affected by small sample sizes, allowing it to be used with sample sizes of 250 to 500. Furthermore, a widely used minimum sample size estimation method in PLS-SEM is the “10-times rule” method [58]. To ensure the stability and reliability of the research findings, considerable efforts were made in the data collection phase of this study to gather a large sample of data, laying a solid foundation for the subsequent data analysis and model validation. In this study, the measurement scale consists of 18 items, and a total of 295 valid samples were collected, exceeding 10 times the total number of these items. Given the statistical power and significance level, the current sample size is considered adequate to effectively detect the expected effect size, ensuring the stability and reliability of the research findings. Additionally, in empirical research, the actual feedback data collected does not always strictly follow a normal distribution. PLS-SEM does not require the data to strictly adhere to a normal distribution, thereby greatly augmenting its adaptability and utility in handling real-world datasets. Based on the aforementioned strengths of PLS-SEM, this study utilised PLS-SEM to validate the proposed research model and investigate the causal linkages between the variables. Moreover, the SmartPLS 4.0 software was utilised for the data analysis and hypothesis testing [59].

3.2. Measurement

This study considered six research variables: the perceived work risk concerning PbD, the perceived usefulness of PbD, the perceived ease of use of PbD, attitudes towards PbD, the intention to implement PbD, and behaviour regarding information security. In order to ensure the reliability and validity of the survey, the scale was adapted based on the scales of related studies and the research background [12,14,22,37,60,61,62]. Table 3 displays selected measurement items and their respective sources. The measurement of each variable in the scale consisted of three to five measurement items, measured through a 7-point Likert scale, which in turn ranged from “strongly disagree” to “strongly agree”.

4. Results

4.1. Reliability and Validity Analysis

There are six reflective constructs in this study, and the indicators of each construct are interchangeable. The proposed hypothesis and research model were tested using the SmartPLS 4.0 software, which was also used to perform the data analysis, and the path coefficients and research hypotheses were evaluated through 5000 bootstrapping calculations. Peterson [63] suggests that the threshold of the Cronbach’s α score should be between 0.5 and 0.6. The Cronbach’s α values of the variables in this study were all around 0.7, which indicated that the scales used had good reliability [64]. Meanwhile, Bagozzi and Yi [65] propose that the composite reliability (CR) is a more suitable indicator to measure internal consistency and reliability than Cronbach’s α. The CR values for all variables in this study were higher than 0.8, meeting the threshold requirement, indicating that the results of this study had sufficient reliability. At the same time, the scale in this study was extracted and perfected according to existing scales, leading to good content validity. In structural equation modelling analysis, the average variance extracted (AVE) serves as a critical indicator in assessing the convergent validity. As is evident from Table 4, the AVE values for all constructs in this study were greater than 0.5, satisfying the threshold criteria and demonstrating good convergent validity [65].
Factor loadings represent the strength of the relationships between latent variables and their corresponding observed indicators, reflecting the extent to which the observed variables can represent or reflect their corresponding latent variables. According to Hair et al. [66], the standardised loading should be 0.5 or higher, ideally 0.7 or above. As demonstrated in Table 5, the majority of the items exhibit standardised factor loadings exceeding 0.7, with only one item registering a loading value of 0.626. Nonetheless, this value surpassed the threshold of 0.5, thereby fulfilling the required criterion [67]. And the factor loading between each measured variable and its corresponding latent variable is greater than the cross-loading of that measured variable with other latent variables. This suggests that the measurement model demonstrates strong discriminant validity [7,57,64].
In Table 6, the values on the diagonal represent the square roots of the AVE for each variable. The results indicate that the square roots of the AVE values for each latent variable were significantly greater than their correlation coefficients with other latent variables. This finding aligned with the criteria established by Fornell and Larcker [64], thus confirming that the scale used in this study demonstrated good discriminant validity.
The heterotrait–monotrait ratio of correlations (HTMT) is another tool used to assess the discriminant validity among constructs. When the HTMT ratio is below the threshold of 0.90, it can be considered that there is acceptable discriminant validity among different constructs [55,68,69]. As can be seen from the results in Table 7, the proposed model of this study met the requirement for discriminant validity.
In addition, the standardised root mean square residual (SRMR) serves as a crucial indicator in assessing the goodness of fit of a model. According to Henseler et al. [55], a model demonstrates a good fit when the SRMR value is below 0.08. In this study, the obtained SRMR value was 0.072, which fell below the critical threshold of 0.08. This finding provides compelling evidence that the proposed model in this study met the good-fit criteria. Moreover, Hair et al. [58] pointed out that when the VIF value is below 5, multicollinearity is not a serious issue. In this study, all VIF values were below 5, with the highest VIF value being 1.502, demonstrating the good stability and predictive power of the research model and revealing adequate discriminant validity [64,70].
The above data analysis results fully demonstrate that the measurements in this study exhibited good reliability and validity.

4.2. Structural Model Analysis and Hypothesis Testing

This study primarily employed a questionnaire survey method to collect the data and used the partial least squares method with the SmartPLS 4.0 software to test the research model and hypotheses. Table 8 and Figure 2 present the specific results of the model and hypothesis testing analysis.
Explained variance can be used to evaluate how well a model’s predicted values correspond to actual observed values. The evaluation metric, R2, is the percentage form of explained variance. A value of R2 closer to 1 indicates that the model has a stronger explanatory power for changes and better prediction results, whereas a value closer to 0 suggests that the model has a weaker explanatory power for data variation [53,55]. For example, it can be seen in Table 9 that the R2 value of 0.489 of engineers’ behaviours regarding information security (BEIS) indicates that 48.9% of the variance in the endogenous construct of BEIS is explained by the predictors of information engineers’ attitudes towards PbD (ATTP) and their intention to implement PbD (INTP). Moreover, the Q2 value is greater than zero, suggesting the predictive relevance of the research model of the study [58,66].
The results indicate that information engineers’ intention to implement PbD significantly and positively influences their information security behaviours (β = 0.423, t = 7.441, p = 0.000), and hypothesis H1 is supported. Information engineers’ attitudes towards PbD implementation have a significant and positive impact on their intention to implement PbD (β = 0.311, t = 3.680, p = 0.000) and their behaviours regarding information security (β = 0.314, t = 4.525, p = 0.000), supporting H2a and H2b. The perceived usefulness of PbD among information engineers is positively correlated with their attitudes (β = 0.449, t = 8.172, p = 0.000) and intentions regarding PbD implementation (β = 0.292, t = 3.737, p = 0.000), indicating that H3a and H3b are supported. The ease of use of PbD among information engineers has a significant and positive effect on their attitudes towards PbD implementation (β = 0.354, t = 7.808, p = 0.000), their intention regarding PbD implementation (β = 0.171, t = 3.393, p = 0.006), and the perceived usefulness of PbD (β = 0.310, t = 5.809, p = 0.000), revealing that H4a, H4b, and H4c are supported. Information engineers’ perceived work risk concerning PbD has a significant and negative impact on the perceived usefulness of PbD (β = −0.152, t = 2.965, p = 0.003) and perceived ease of use of PbD (β = −0.235, t = 4.669, p = 0.000), supporting H5a and H5b. Moreover, information engineers’ perceived work risk concerning PbD has a negative impact on their attitudes towards PbD implementation (β = −0.088, t = 2.223, p = 0.026), supporting H5c. However, the direct impact of information engineers’ perceived work risk concerning PbD on their intention to implement PbD has not yet been confirmed (β = −0.028, t = 0.642, p = 0.521). The p-value is greater than 0.05; thus, hypothesis H5d is not supported. This means that there is no significant influence of the perceived work risk concerning PbD on the intention to implement PbD among information engineers. In addition, the research results show that there is a significant influence of the duration of employment, as the control variable (working years), on the privacy-related behaviours of information engineers (β = 0.173, t = 3.675, p = 0.000).

5. Discussion

5.1. Main Findings

PbD is an active and comprehensive private information protection strategy covering the entire life cycle of information technology products. As a relatively new information protection strategy, PbD has broad prospects for development. PbD has strict requirements regarding the privacy and security of IT products, making it notably different from the current and mainstream passive privacy and security policies, and it has not been widely adopted by information engineers. In the existing research on PbD, there is little discussion of the factors influencing information engineers’ behaviours regarding information security [21]. In this practical context, this study focuses on the impact of information engineers’ perceived works risk regarding PbD implementation. The study combines the perceived work risks regarding PbD among information engineers with the TAM, constructing a research model to explore the influencing factors and interaction mechanisms associated with PbD implementation by information engineers. An empirical study is conducted on the interactive relationship between the individual perceptions of information engineers and their attitudes, intentions, and behaviours regarding information security.
The results of this study validate the effectiveness of the proposed model and support most of the hypotheses. The analysis reveals that information engineers’ attitudes towards PbD positively influence their intention regarding PbD implementation and behaviour regarding information security. Furthermore, the perceived usefulness and ease of use of PbD positively impact information engineers’ attitudes and intention regarding PbD implementation. Nevertheless, the perceived work risks significantly and negatively affect the perceived usefulness, ease of use, and attitudes towards PbD.
This study contributes to the theoretical research on PbD. Moreover, it offers valuable support for relevant professionals, aiding them in identifying opportunities to enhance their PbD practices. The findings of this research are beneficial for privacy and information security professionals, as well as for information technology enterprises, in exploring methods to improve the PbD-related attitudes of information engineers and enhance their willingness to implement PbD practices. This study carries both theoretical value and practical importance.

5.2. Theoretical Implications

Firstly, the intention to implement PbD and the attitudes towards PbD among information engineers have a very significant and positive impact on their behaviours regarding information security. At the same time, the attitudes towards PbD among information engineers also significantly affect their intention to implement PbD. The above results are consistent with the existing research results on the adoption of information technology and information systems based on the TAM and the TPB theory [36,47]. It is proven that the attitudes towards PbD and the intention to implement PbD among information engineers are very important regarding their behaviours related to information security. Therefore, IT companies should first understand information engineers’ attitudes towards PbD before carrying out PbD implementation projects. Taking appropriate management measures to improve the attitudes towards PbD among information engineers would be beneficial to increase engineers’ tendency to conduct PbD and increase the probability that they will engage in behaviours related to information security.
Secondly, this study found that the perceived usefulness of PbD and perceived ease of use of PbD among information engineers had a significant and positive effect on their attitudes towards PbD and intention to implement PbD. Compared with the basic TAM, this study proves that the perceived usefulness of PbD and perceived ease of use of PbD not only indirectly affect information engineers’ intention to implement PbD by influencing their attitudes towards PbD but also directly and positively promote their intention to implement PbD. It can be concluded that if information engineers believe that PbD is beneficial to their work and can be easily implemented in their daily practice, they will have a more positive attitude towards PbD and will be more willing to use it. This conclusion is significant regarding the reversal of the current situation wherein most information engineers have a negative attitude towards PbD. On the other hand, this study also proves that the perceived ease of use of PbD has a positive influence on the perceived usefulness of privacy design, which indicates that if information engineers feel that they can easily implement PbD, they will believe that PbD is more conducive to their work, thus promoting their behaviours regarding information security.
Thirdly, the perceived work risk of PbD among information engineers is one of the major concerns highlighted in this study. Presently, the majority of information technology enterprises encourage their employees to focus solely on the essential privacy and security requirements of information products, as opposed to enforcing strict adherence to PbD principles. The prevalent emphasis within information technology enterprises is on elevating the pace of production and the renewal of information products. Consequently, information engineers focus predominantly on expeditiously fulfilling products’ functional requirements. To expedite the achievement of product functionalities, most IT companies only implement basic information security and protection requirements for their employees. Hence, a rigorous, comprehensive privacy and security safeguarding strategy is not the prevalent option for information engineers in their professional work. PbD differs significantly from the currently prevailing reactive privacy and security strategies, and it is not unusual for information engineers to encounter obstacles in implementing PbD. Prior studies have also shown that one of the factors discouraging information engineers from adopting PbD is their belief that it may negatively impact their individual performance, such as by prolonging the time necessary to finalise development tasks. The results of this study demonstrate that the perceived work risk of PbD among information engineers diminishes their perception of PbD’s usefulness and ease of use. This suggests that if information engineers believe that implementing PbD will increase their workloads and hinder their ability to complete tasks on time, they are more likely to judge the implementation of PbD to be impractical and offer no benefits to their work performance. Simultaneously, the findings of this study establish that the perceived work risk among information engineers significantly impacts their attitudes towards PbD in a negative manner. Although prior survey results indicate that information engineers acknowledge PbD’s potential to improve information security, this favourable perception diminishes if they believe that implementing PbD practices will reduce their work efficiency. Under such circumstances, it would be difficult for IT companies to promote PbD on a large scale.
However, the results of this study do not support the hypothesis regarding the relationship between information engineers’ perceived work risk regarding PbD and their intention to implement PbD. This indicates that the perceived work risk does not have a directly negative impact on information engineers’ PbD intention. Based on the analysis results of this study, it can be observed that the perceived usefulness and perceived ease of use of PbD fully mediate the relationship between the perceived work risk and PbD intention. The perceived work risk concerning PbD can indirectly influence information engineers’ intention to implement PbD and their corresponding behaviours through its negative impact on the perceived usefulness, perceived ease of use, and attitudes towards PbD.

5.3. Conclusions and Practical Implications

This study takes information engineers as its object to examine the factors influencing their intention to implement PbD and behaviours regarding information security, which is a new privacy protection strategy implemented throughout the whole life cycle of information technology products. Based on the TAM, this study proposes an extended research model that incorporates the perceived work risk and comprehensively considers the interactions between behavioural factors. The results are helpful to further expand the application of PbD in the life cycle of information products. Furthermore, the results of this study have significant practical implications. Nowadays, with the introduction of information security laws and regulations, consumers, information technology enterprises, and information security supervision departments impose higher requirements for the privacy and security of information products. It is of great significance for the operation and development of information technology enterprises to improve the quality of the privacy and information security of their information products, enhance consumers’ perceptions of the products’ security, and build a brand image and reputation characterised by high security through the implementation of PbD.
Enterprises should actively conduct privacy and information security governance and publicise and promote PbD. During the initial survey process of this study, 6.1% of the respondents indicated that their companies did not have explicit private information protection regulations and information security policies. At the same time, a total of 71% of the respondents stated that although they had heard of PbD, they were not familiar with its specific content and requirements. At the same time, in the previous production and management processes, the privacy, security, and quality of information technology products did not receive sufficient attention. Therefore, information technology enterprises should first standardise the security requirements of information technology products by implementing clear information security policies to improve in-service information engineers’ attention to the privacy security of the products. At the same time, the enterprise can also adopt publicity, lectures, and other activities to integrate privacy and security design into the construction of the enterprise atmosphere. This can promote information engineers’ understanding of PbD, actively improve their attitudes towards PbD, strengthen their willingness to carry out privacy design, promote their behaviours regarding information security, and finally lead to good privacy and security performance within enterprises.
Enterprises should provide regular privacy and security training for information engineers to ensure open communication channels. In the process of promoting privacy design, it is very important to improve the attitudes and willingness of information engineers to conduct PbD. For most information technology enterprises and information engineers, PbD is a relatively new concept. The architecture, standards, content, and requirements of PbD are not well understood by enterprises and engineers. In this case, information engineers do not have a sufficient understanding of the important role of PbD in improving the privacy and security quality of information technology products, which undoubtedly weakens the perceived usefulness of PbD. On the other hand, due to the lack of a detailed understanding of PbD, information engineers do not sufficiently understand the requirements of information technology, the requirements of platforms, the key activities of implementation, and other technical aspects of PbD, which may lead to hesitance and negative attitudes regarding the perceived usability of PbD. In addition, in the development and production of information technology products, there are no ideal information security practice guidelines. Improving the privacy and security protection of information technology products requires continuous investment and innovation. Considering the rapid development of information technology and its high update speed, it is suggested that enterprises provide regular privacy and security training for information engineers, ranging from the concept and technology to other aspects, to improve the engineers’ awareness of privacy and information security and strengthen their work abilities. Additionally, since the development and production of information technology products are mostly carried out in teams or project groups, it is also extremely important to create and maintain open communication channels between teams to improve information engineers’ privacy awareness and data protection skills. This can effectively enhance information engineers’ assessment of the perceived usefulness and perceived ease of use of PbD and further improve their attitudes towards PbD and their intention to adopt PbD. Ultimately, these measures will positively influence the occurrence of PbD-related information security behaviours in their work.
The promotion of overall information security management and product privacy and security needs the support of management. Senior managers’ attention to information security management and privacy can effectively promote the planning and design of PbD promotion activities in terms of systems and processes. The results of this study prove that information engineers’ perceived work risk concerning PbD is a significant negative factor in their implementation of PbD. The current priority of information technology companies is still the speed of production. From the perspective of individual information engineers, their concern regarding the implementation of PbD stems from the fear that PbD may affect the speed at which they can achieve their development goals, potentially leading to issues such as decreased personal performance. In this case, the implementation of PbD needs to be supported by senior management. PbD is of great significance in enhancing the privacy and information security of IT products. A good reputation regarding privacy and security is beneficial to the sustainable development of information technology enterprises. Senior management’s support of PbD can promote the reform of work processes and performance appraisal. For example, PbD can be included in the assessment of information engineers’ work performance to reduce engineers’ concerns about implementing PbD. In this way, it would be possible to improve engineers’ evaluations of the usefulness and ease of use of PbD and then promote their information security behaviours regarding PbD in many aspects, finally achieving the goal of improving the privacy and security quality of information technology products and the competitiveness of enterprises.

6. Limitations and Future Research

In this study, by integrating PbD research and the TAM, a research model of the influencing factors and behavioural mechanisms associated with PbD among information engineers is proposed, and an empirical analysis is carried out. This study focuses on the influence of information engineers’ personal perceptions on their attitudes, intention towards PbD, and behaviour regarding information security, and it draws some valuable conclusions that enrich the theoretical research on the implementation of PbD. In addition, it provides management decision support to enable information technology enterprises and information security supervision departments to implement privacy by design in practice. However, there are still deficiencies and limitations in this study. (1) Although the research results indicate that there is a significant relationship between the working time of information engineers and their behaviours regarding information security, this study did not investigate it thoroughly. In future studies, it could be further investigated whether and how the working time of information engineers influences their behaviours regarding information security. (2) At present, there is no strict and detailed standard for the privacy and security of information technology products, and the work of information engineers is highly professional. Therefore, it is necessary to discuss whether and how the professional ethics of information engineers affect their behaviours regarding information security in future work.

Author Contributions

Conceptualisation, F.B. and N.W.; Data curation, Q.J. and X.T.; Investigation, Q.J. and X.T.; Methodology, F.B. and N.W.; Writing—original draft, F.B. and N.W.; Writing—review and editing, F.B. and Q.J. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Major Program of the National Natural Science Foundation of China, grant numbers 72192830, 72192834; by the National Natural Science Foundation of China, grant number 72301205; by the Shaanxi Natural Science Basic Research Project, grant number 2024JC-YBQN-0737; and by the Scientific Research Plan Projects of the Education Department of Shaanxi Province, grant number 22JK0099.

Data Availability Statement

The data presented in this study are available from the corresponding author upon reasonable request.

Acknowledgments

The authors gratefully acknowledge the support of the editors and all participants who participated in the study.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Wright, A. Worldwide IDC Global DataSphere Forecast, 2024–2028: AI Everywhere, But Upsurge in Data Will Take Time; IDC Corporate: Needham, MA, USA, 2024. [Google Scholar]
  2. Taylor, P. Global Big Data Analytics Market Size 2021–2029; Statista Inc.: New York, NY, USA, 2024. [Google Scholar]
  3. Alashoor, T.; Aryal, A.; Kenny, G. Understanding the privacy issue in the digital age: An expert perspective. In Proceedings of the 22nd Americas Conference on Information Systems (AMCIS), San Diego, CA, USA, 11–14 August 2016. [Google Scholar]
  4. Capital One Financial Corporation. Capital One Announces Data Security Incident; Capital One Financial Corporation: McLean, VA, USA, 2019. [Google Scholar]
  5. Risk Based Security Inc. 2020 Year End Vulnerability QuickView Report; Risk Based Security Inc.: Richmond, VA, USA, 2021. [Google Scholar]
  6. Mathew, A.; Cheshire, C. Risky business: Social trust and community in the practice of cybersecurity for internet infrastructure. In Proceedings of the 50th Hawaii International Conference on System Sciences, Honolulu, HI, USA, 4 January 2017; pp. 2341–2350. [Google Scholar]
  7. Bu, F.; Wang, N.M.; Jiang, B.; Jiang, Q. Motivating information system engineers’ acceptance of Privacy by Design in China: An extended UTAUT model. Int. J. Inf. Manag. 2021, 60, 102358. [Google Scholar] [CrossRef]
  8. UpGuard Team. The RNC Files: Inside the Largest US Voter Data Leak. Available online: https://www.upguard.com/breaches/the-rnc-files (accessed on 1 February 2023).
  9. Coble, S. Sea Mar Accused of Negligence over Data Breach. Available online: https://www.infosecurity-magazine.com/news/sea-mar-negligence-data-breach/ (accessed on 25 February 2022).
  10. Jozani, M.; Ayaburi, E.; Ko, M.; Choo, K.R. Privacy concerns and benefits of engagement with social media-enabled apps: A privacy calculus perspective. Comput. Hum. Behav. 2020, 107, 106260. [Google Scholar] [CrossRef]
  11. Mashaly, B.; Selim, S.; Yousef, A.H.; Fouad, K.M. Privacy by Design: A Microservices-Based Software Architecture Approach. In Proceedings of the 2022 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC), Cairo, Egypt, 8–9 May 2022; pp. 357–364. [Google Scholar]
  12. Cavoukian, A. Privacy by design: The definitive workshop. A foreword by Ann Cavoukian, Ph.D. Identity Inf. Soc. 2010, 3, 247–251. [Google Scholar] [CrossRef]
  13. Chaudhuri, A.; Cavoukian, A. The proactive and preventive privacy (3P) framework for IoT privacy by design. EDP Audit. Control Secur. Newsl. 2018, 57, 1–16. [Google Scholar] [CrossRef]
  14. Bu, F.; Wang, N.; Jiang, B.; Liang, H. “Privacy by design” implementation: Information system engineers’ perspective. Int. J. Inf. Manag. 2020, 53, 102124. [Google Scholar] [CrossRef]
  15. Antignac, T.; Métayer, D.L. Privacy by design: From technologies to architectures. Comput. Sci. 2014, 8450, 1–17. [Google Scholar]
  16. IBM Corporation. Cost of a Data Breach Report 2020; International Business Machines Corp.: Armonk, NY, USA, 2020. [Google Scholar]
  17. Verizon. 2020 Data Breach Investigations Report; Verizon: New York, NY, USA, 2020. [Google Scholar]
  18. Verizon. 2019 Data Breach Investigations Report; Verizon: New York, NY, USA, 2019. [Google Scholar]
  19. Aljeraisy, A.; Barati, M.; Rana, O.; Perera, C. Privacy laws and privacy by design schemes for the Internet of Things: A developer’s perspective. ACM Comput. Surv. 2021, 54, 102. [Google Scholar] [CrossRef]
  20. Bednar, K.; Spiekermann, S.; Langheinrich, M. Engineering privacy by design: Are engineers ready to live up to the challenge? Inf. Soc. 2019, 35, 122–142. [Google Scholar] [CrossRef]
  21. Spiekermann, S. The challenges of privacy by design. Commun. ACM 2012, 55, 38–40. [Google Scholar] [CrossRef]
  22. Spiekermann, S.; Korunovska, K.; Langheinrich, M. Inside the organization: Why privacy and security engineering is a challenge for engineers. Proc. IEEE 2019, 107, 600–615. [Google Scholar] [CrossRef]
  23. Cavoukian, A.; Chibba, M. Start with privacy by design in all big data applications. In Guide to Big Data Applications; Srinivasan, S., Ed.; Springer International Publishing: Cham, Switzerland, 2018; Volume 26, pp. 29–48. [Google Scholar]
  24. Rana, N.P.; Dwivedi, Y.K.; Williams, M.D.; Weerakkody, V. Adoption of online public grievance redressal system in India: Toward developing a unified view. Comput. Hum. Behav. 2016, 59, 265–282. [Google Scholar] [CrossRef]
  25. Patil, P.; Tamilmani, K.; Rana, N.P.; Raghavan, V. Understanding consumer adoption of mobile payment in India: Extending meta-UTAUT model with personal innovativeness, anxiety, trust, and grievance redressal. Int. J. Inf. Manag. 2020, 54, 102144. [Google Scholar] [CrossRef]
  26. Li, Y.; Liu, R.; Wang, J.; Zhao, T. How does mHealth service quality influences adoption? Ind. Manag. Data Syst. 2022, 122, 774–795. [Google Scholar] [CrossRef]
  27. Pan, Z.; Xie, Z.; Liu, T.; Xia, T. Exploring the key factors influencing college students’ willingness to use AI coding assistant tools: An expanded technology acceptance model. Systems 2024, 12, 176. [Google Scholar] [CrossRef]
  28. Melas, C.D.; Zampetakis, L.A.; Dimopoulou, A.; Moustakis, V. Modeling the acceptance of clinical information systems among hospital medical staff: An extended TAM model. J. Biomed. Inform. 2011, 44, 553–564. [Google Scholar] [CrossRef] [PubMed]
  29. Marangunić, N.; Granić, A. Technology acceptance model: A literature review from 1986 to 2013. Univers. Univers. Access Inf. Soc. 2015, 14, 81–95. [Google Scholar] [CrossRef]
  30. Siwale, M. Applying technology acceptance model to measure online student residential management software acceptance. J. Int. Technol. Inf. Manag. 2022, 31, 22–47. [Google Scholar] [CrossRef]
  31. Moon, J.; Shim, J.; Lee, W.S. Exploring Uber taxi application using the technology acceptance model. Systems 2022, 10, 103. [Google Scholar] [CrossRef]
  32. Nur, T.; Dewanto, P.A. The Influence of Attitude toward Behavior, Subjective Norms, Perceived Behavioral Control on the Behavioral Intention of using PayLater Apps moderated by Financial Literacy and Hedonic Value. In Proceedings of the 2022 10th International Conference on Cyber and IT Service Management (CITSM), Yogyakarta, Indonesia, 20–21 September 2022; pp. 1–6. [Google Scholar]
  33. Martínez-López, F.J.; Esteban-Millat, I.; Cabal, C.C.; Gengler, C. Psychological factors explaining consumer adoption of an e-vendor’s recommender. Ind. Manag. Data Syst. 2015, 115, 284–310. [Google Scholar] [CrossRef]
  34. Venkatesh, V.; Davis, F. A theoretical extension of the technology acceptance model: Four longitudinal field studies. Manag. Sci. 2000, 46, 186–204. [Google Scholar] [CrossRef]
  35. Alam, M.Z.; Hoque, M.R.; Hu, W.; Barua, Z. Factors influencing the adoption of mHealth services in a developing country: A patient-centric study. Int. J. Inf. Manag. 2020, 50, 128–143. [Google Scholar] [CrossRef]
  36. Ajzen, I.; Fishbein, M. Understanding Attitudes and Predicting Social Behavior; Prentice-Hall: Hoboken, NJ, USA, 1980. [Google Scholar]
  37. Taylor, S.; Todd, P.A. Understanding information technology usage: A test of competing models. Inf. Syst. Res. 1995, 6, 144–176. [Google Scholar] [CrossRef]
  38. Zhao, Y.; Ni, Q.; Zhou, R. What factors influence the mobile health service adoption? A meta-analysis and the moderating role of age. Int. J. Inf. Manag. 2018, 43, 342–350. [Google Scholar] [CrossRef]
  39. Chen, T.; Chen, J.; Or, C.K.; Lo, F.P. Path analysis of the roles of age, self-efficacy, and TAM constructs in the acceptance of performing upper limb exercises through immersive virtual reality games. Int. J. Ind. Ergon. 2022, 91, 103360. [Google Scholar] [CrossRef]
  40. Tsai, J.; Cheng, M.; Tsai, H.; Hung, S.; Chen, Y. Acceptance and resistance of telehealth: The perspective of dual-factor concepts in technology adoption. Int. J. Inf. Manag. 2019, 49, 34–44. [Google Scholar] [CrossRef]
  41. Guner, H.; Acarturk, C. The use and acceptance of ICT by senior citizens: A comparison of technology acceptance model (TAM) for elderly and young adults. Univers. Access Inf. Soc. 2020, 19, 311–330. [Google Scholar] [CrossRef]
  42. Scherer, R.; Siddiq, F.; Tondeur, J. The technology acceptance model (TAM): A meta-analytic structural equation modeling approach to explaining teachers’ adoption of digital technology in education. Comput. Educ. 2019, 128, 13–35. [Google Scholar] [CrossRef]
  43. Abduljalil, K.M.; Zainuddin, Y. Integrating technology acceptance model and motivational model towards intention to adopt accounting information system. Int. J. Manag. Account. Econ. 2015, 2, 346–359. [Google Scholar]
  44. Chaouali, W.; Yahia, I.B.; Souiden, N. The interplay of counter-conformity motivation, social influence, and trust in customers’ intention to adopt Internet banking services: The case of an emerging country. J. Retail. Consum. Serv. 2016, 28, 209–218. [Google Scholar] [CrossRef]
  45. Huda, M.Q.; Hasanati, N.; Tyas, R.A. Behavioral Intention Analysis of Distance Education System Using the Innovation Diffusion Theory and Technology Acceptance Model. In Proceedings of the 2022 10th International Conference on Cyber and IT Service Management (CITSM), Yogyakarta, Indonesia, 20–21 September 2022; pp. 1–6. [Google Scholar]
  46. Bailey, A.A.; Pentina, I.; Mishra, A.S.; Mimoun, M.S.B. Mobile payments adoption by US consumers: An extended TAM. Int. J. Retail Distrib. Manag. 2017, 45, 626–640. [Google Scholar] [CrossRef]
  47. Davis, F.D. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q. 1989, 13, 319–340. [Google Scholar] [CrossRef]
  48. Muñoz-Leiva, F.; Hernández-Méndez, J.; Fernández, J.S. Generalising user behaviour in online travel sites through the Travel 2.0 website acceptance model. Online Inf. Rev. 2012, 36, 879–902. [Google Scholar] [CrossRef]
  49. Sánchez-Prieto, J.C.; Olmos-Migueláñez, S.; García-Peñalvo, F.J. Informal tools in formal contexts: Development of a model to assess the acceptance of mobile technologies among teachers. Comput. Hum. Behav. 2016, 55, 519–528. [Google Scholar] [CrossRef]
  50. Alhazmi, A.; Arachchilage, N.A.G. I’m all ears! Listening to software developers on putting GDPR principles into software development practice. Pers. Ubiquitous Comput. 2021, 25, 879–892. [Google Scholar] [CrossRef] [PubMed]
  51. King, W.; Liu, C.; Haney, M.; He, J. Method effects in IS survey research: An assessment and recommendations. Commun. Assoc. Inf. Syst. 2007, 20, 457–482. [Google Scholar] [CrossRef]
  52. Burton-Jones, A. Minimizing method bias through programmatic research. MIS Q. 2009, 33, 445–471. [Google Scholar] [CrossRef]
  53. Peterson, R.A. Constructing Effective Questionnaires; Sage Publications: Thousand Oaks, CA, USA, 2000. [Google Scholar]
  54. Cai, Y.; Shi, W. The influence of the community climate on users’ knowledge-sharing intention: The social cognitive theory perspective. Behav. Inf. Technol. 2022, 41, 307–323. [Google Scholar] [CrossRef]
  55. Henseler, J.; Ringle, C.M.; Sarstedt, M. A new criterion for assessing discriminant validity in variance-based structural equation modeling. J. Acad. Mark. Sci. 2015, 43, 115–135. [Google Scholar] [CrossRef]
  56. Tenenhaus, M.; Vinzi, V.E.; Chatelin, Y.M.; Lauro, C. PLS path modeling. Comput. Stat. Data Anal. 2005, 48, 159–205. [Google Scholar] [CrossRef]
  57. Reinartz, W.J.; Haenlein, M.; Henseler, J. An empirical comparison of the efficacy of covariance-based and variance-based SEM. Int. J. Res. Mark. 2009, 26, 332–344. [Google Scholar] [CrossRef]
  58. Hair, J.F.; Ringle, C.M.; Sarstedt, M. PLS-SEM: Indeed a silver bullet. J. Mark. Theory Pract. 2011, 19, 139–152. [Google Scholar] [CrossRef]
  59. Ringle, C.M.; Wende, S.; Becker, J. SmartPLS 4. Available online: https://www.smartpls.com (accessed on 11 April 2024).
  60. Gefen, D.; Karahanna, E.; Straub, D.W. Trust and TAM in online shopping: An integrated model. MIS Q. 2003, 27, 51–90. [Google Scholar] [CrossRef]
  61. Bulgurcu, B.; Cavusoglu, H.; Benbasat, I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Q. 2010, 34, 523–548. [Google Scholar] [CrossRef]
  62. Taylor, S.; Todd, P. Decomposition and crossover effects in the theory of planned behavior: A study of consumer adoption intentions. Int. J. Res. Mark. 1995, 12, 137–155. [Google Scholar] [CrossRef]
  63. Peterson, R.A. A Meta-Analysis of Cronbach’s Coefficient Alpha. J. Consum. Res. 1994, 21, 381–391. [Google Scholar] [CrossRef]
  64. Fornell, C.; Larcker, D.F. Evaluating structural equation models with unobservable variables and measurement error. J. Mark. Res. 1981, 18, 39–50. [Google Scholar] [CrossRef]
  65. Bagozzi, R.P.; Yi, Y. On the evaluation of structural equation models. J. Acad. Mark. Sci. 1988, 16, 74–94. [Google Scholar] [CrossRef]
  66. Hair, J.F.; Black, W.C.; Babin, B.J.; Anderson, R.E.; Tatham, R.L. Multivariate Data Analysis, 6th ed.; Pearson Education: Upper Saddle River, NJ, USA, 2006. [Google Scholar]
  67. Adiguzel, Z.; Ozcinar, M.F.; Karadal, H. Does servant leadership moderate the link between strategic human resource management on rule breaking and job satisfaction? Eur. Res. Manag. Bus. Econ. 2020, 26, 103–110. [Google Scholar] [CrossRef]
  68. Segarra-Moliner, J.R.; Moliner-Tena, M.Á. Customer equity and CLV in Spanish telecommunication services. J. Bus. Res. 2016, 69, 4694–4705. [Google Scholar] [CrossRef]
  69. Franke, G.; Sarstedt, M. Heuristics versus statistics in discriminant validity testing: A comparison of four procedures. Internet Res. 2019, 29, 430–447. [Google Scholar] [CrossRef]
  70. Tanantong, T.; Wongras, P. A UTAUT-Based Framework for Analyzing Users’ Intention to Adopt Artificial Intelligence in Human Resource Recruitment: A Case Study of Thailand. Systems 2024, 12, 28. [Google Scholar] [CrossRef]
Systems 12 00250 g001
Figure 1. Conceptual model.
Figure 1. Conceptual model.
Systems 12 00250 g001
Systems 12 00250 g002
Figure 2. Results of the model test. Note: * p < 0.05, ** p < 0.01, *** p < 0.001, ns: not significant [based on t(4999), one-tailed test]. t(0.05, 4999) = 1.65; t(0.01, 4999) = 2.33; t(0.001, 4999) = 3.10.
Figure 2. Results of the model test. Note: * p < 0.05, ** p < 0.01, *** p < 0.001, ns: not significant [based on t(4999), one-tailed test]. t(0.05, 4999) = 1.65; t(0.01, 4999) = 2.33; t(0.001, 4999) = 3.10.
Systems 12 00250 g002
Table 1. Research hypotheses.
Table 1. Research hypotheses.
VariableHypothesis
Intention to Implement PbD
(INTP)		H1 (+)The intention to implement PbD among information engineers positively influences their behaviours regarding information security.
Attitudes towards Implementing PbD (ATTP)H2a (+)Attitudes towards implementing PbD among information engineers are positively associated with their intention to implement PbD.
H2b (+)Attitudes towards implementing PbD among information engineers are positively associated with their behaviours regarding information security.
Perceived Usefulness of PbD (PUP)H3a (+)The perceived usefulness of PbD among information engineers is positively associated with their attitudes towards PbD implementation.
H3b (+)The perceived usefulness of PbD among information engineers is positively associated with their intention to implement PbD.
Perceived Ease of Use of PbD (PEUP)H4a (+)The perceived ease of use of PbD among information engineers is positively associated with their attitudes towards implementing PbD.
H4b (+)The perceived ease of use of PbD among information engineers is positively associated with their intention to implement PbD.
H4c (+)The perceived ease of use of PbD among information engineers is positively associated with the perceived usefulness of PbD.
Perceived Work Risk Concerning PbD
(PWRP)		H5a (−)The perceived work risk concerning PbD among information engineers is negatively associated with the perceived usefulness of PbD.
H5b (−)The perceived work risk concerning PbD among information engineers is negatively associated with the perceived ease of use of PbD.
H5c (−)The perceived work risk concerning PbD among information engineers is negatively associated with their attitudes towards PbD implementation.
H5d (−)The perceived work risk concerning PbD among information engineers is negatively associated with their intention to implement PbD.
Table 2. Descriptive statistics of the respondents.
Table 2. Descriptive statistics of the respondents.
CategorySub-CategoryFrequency
(N = 296)		Percentage
(%)
GenderFemale15151.19
Male14448.81
Non-binary00.00
Age (years)20~2914348.47
30~3913846.78
40~49124.07
50~5920.68
Educational LevelBelow undergraduate165.42
Undergraduate23680.00
Postgraduate4314.58
Working YearsLess than 512241.36
5 to 1015151.19
More than 10227.46
PbD AwarenessUnaware of PbD31.02
Knowing about PbD, lacked details134.41
Knowing about PbD, not often used in work19867.12
Aware of PbD8127.46
Table 3. Examples of measurement items.
Table 3. Examples of measurement items.
VariableCodeItemReference
Behaviours regarding Information Security (BEIS)BEIS1Throughout my work process, the protection of privacy information has always been my focal point.[12,14]
BEIS2I always begin considering proactive measures to safeguard users’ privacy information even before commencing work.
BEIS3Protecting user privacy has consistently been a default objective in my work.
Intention to Implement PbD (INTP)INTP1I intend to adopt PbD in my work practices.[14,37,60]
INTP2I intend to fully integrate PbD into my work routines.
INTP3I highly recommend implementing PbD in the work.
Attitudes towards Implementing PbD (ATTP)ATTP1Implementing PbD into my workflow is a wise idea.[61,62]
ATTP2I like the idea of implementing PbD in my professional workflow.
ATTP3It is pleasant to incorporate PbD into my workflow.
Perceived Usefulness of PbD (PUP)PUP1PbD enhances the information security performance of information technology products.[60]
PUP2PbD enables me to produce more secure information technology products.
PUP3PbD has been instrumental in helping me raise the security level of my products.
Perceived Ease of Use of PbD (PEUP)PEUP1I find it effortless to become proficient in implementing PbD.[60]
PEUP2Mastering the use of PbD is quite straightforward.
PEUP3I consider PbD easy to use.
Perceived Work Risk Concerning PbD (PWRP)PWRP1Implementing PbD would slow down my response speed to the needs of colleagues, clients, and managers.[14,22,61]
PWRP2I feel that the requirements of PbD hinder the improvement of my work efficiency.
PWRP3I find adhering to the demands of PbD to detract from my work productivity.
Table 4. Results of validity and reliability of measures.
Table 4. Results of validity and reliability of measures.
ConstructCronbach’s Alpha (α)Composite Reliability (CR)Average Variance Extracted (AVE)
ATTP0.6820.8260.613
BEIS0.6690.8180.600
INTP0.7330.8490.651
PEUP0.7120.8350.628
PUP0.6350.8040.578
PWRP0.6540.8120.595
Range0.635–0.7330.804–0.8490.578–0.651
Criteria>0.6>0.8>0.5
Note: Constructs are defined in Table 3.
Table 5. Results for factor loadings and cross-loadings.
Table 5. Results for factor loadings and cross-loadings.
ItemATTPBEISINTPPEUPPUPPWRPVIF
ATTP10.8010.4240.4890.3360.541−0.2141.416
ATTP20.8170.4840.4760.4380.446−0.2251.449
ATTP30.7280.4560.3990.4750.400−0.2001.220
BEIS10.4810.7890.4150.4770.360−0.2131.368
BEIS20.3400.7390.4900.3590.285−0.1551.283
BEIS30.5140.7950.5220.3930.373−0.3331.273
INTP10.3880.5310.7900.2480.382−0.0941.436
INTP20.4890.4640.8200.3640.496−0.1671.502
INTP30.5240.4980.8110.4500.430−0.2591.415
PEUP10.3510.3650.3110.7680.210−0.1781.447
PEUP20.4910.4930.4220.8390.408−0.2311.310
PEUP30.3950.3720.2940.7670.141−0.1311.466
PUP10.4640.3830.3770.2310.766−0.1541.313
PUP20.4640.3130.3930.2630.778−0.1181.329
PUP30.4220.3120.4600.2900.736−0.2351.167
PWRP1−0.121−0.175−0.141−0.159−0.1520.6261.141
PWRP2−0.263−0.207−0.155−0.157−0.1830.8271.473
PWRP3−0.229−0.318−0.205−0.223−0.1830.8411.455
Note: Indicators and constructs are defined in Table 3. The bold in the table indicates the factor loading of each item. VIF represents variance inflation factor.
Table 6. Fornell–Larcker criteria.
Table 6. Fornell–Larcker criteria.
ConstructATTPBEISINTPPEUPPUPPWRP
ATTP0.783
BEIS0.5810.775
INTP0.5820.6150.807
PEUP0.5300.5280.4430.792
PUP0.5910.4410.5410.3450.760
PWRP−0.273−0.310−0.219−0.235−0.2240.771
Note: The bold on the diagonal represents the square root of AVE for each variable. Constructs are defined in Table 3.
Table 7. Heterotrait–monotrait ratio (HTMT).
Table 7. Heterotrait–monotrait ratio (HTMT).
ConstructATTPBEISINTPPEUPPUPPWRP
ATTP
BEIS0.850
INTP0.8170.878
PEUP0.7450.7470.588
PUP0.8980.6730.7880.470
PWRP0.3970.4460.3080.3300.345
Note: Constructs are defined in Table 3.
Table 8. PLS estimation results.
Table 8. PLS estimation results.
HypothesisPathPath Coefficient (β)t-ValuepDecision
H1 (+)INTP → BEIS0.4237.4410.000Supported ***
H2a (+)ATTP → INTP0.3113.6800.000Supported ***
H2b (+)ATTP → BEIS0.3144.5250.000Supported ***
H3a (+)PUP → ATTP0.4498.1720.000Supported ***
H3b (+)PUP → INTP0.2923.7370.000Supported ***
H4a (+)PEUP → ATTP0.3547.8080.000Supported ***
H4b (+)PEUP → INTP0.1713.3930.001Supported **
H4c (+)PEUP → PUP0.3105.8090.000Supported ***
H5a (−)PWRP → PUP−0.1522.9650.003Supported **
H5b (−)PWRP → PEUP−0.2354.6690.000Supported ***
H5c (−)PWRP → ATTP−0.0882.2230.026Supported *
H5d (−)PWRP → INTP−0.0280.6420.521Not supported
Note: Constructs are defined in Table 3. * p < 0.05, ** p < 0.01, *** p < 0.001, ns: not significant [based on t(4999), one-tailed test]. t(0.05, 4999) = 1.65; t(0.01, 4999) = 2.33; t(0.001, 4999) = 3.10.
Table 9. R-squared value and Q-squared value.
Table 9. R-squared value and Q-squared value.
Dependent VariablesR2Q2
ATTP0.4780.284
BEIS0.4890.270
INTP0.4210.254
PEUP0.0550.029
PUP0.1410.077
Note: Constructs are defined in Table 3.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Bu, F.; Wang, N.; Jiang, Q.; Tian, X. Research on Privacy-by-Design Behavioural Decision-Making of Information Engineers Considering Perceived Work Risk. Systems 2024, 12, 250. https://doi.org/10.3390/systems12070250

AMA Style

Bu F, Wang N, Jiang Q, Tian X. Research on Privacy-by-Design Behavioural Decision-Making of Information Engineers Considering Perceived Work Risk. Systems. 2024; 12(7):250. https://doi.org/10.3390/systems12070250

Chicago/Turabian Style

Bu, Fei, Nengmin Wang, Qi Jiang, and Xiang Tian. 2024. "Research on Privacy-by-Design Behavioural Decision-Making of Information Engineers Considering Perceived Work Risk" Systems 12, no. 7: 250. https://doi.org/10.3390/systems12070250

APA Style

Bu, F., Wang, N., Jiang, Q., & Tian, X. (2024). Research on Privacy-by-Design Behavioural Decision-Making of Information Engineers Considering Perceived Work Risk. Systems, 12(7), 250. https://doi.org/10.3390/systems12070250

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop