Purpose
This study aims to argue that users’ continued use behavior is contingent upon two perceptions (i.e. of the app and of the provider). This study examines the moderating effects of users’ perceptions of apps and providers on the effects of security and privacy concerns and investigates whether assurance mechanisms decrease such concerns.
Design/methodology/approach
This study conducts a scenario-based survey with 694 mobile cloud computing (MCC) app users to understand their perceptions and behaviors.
Findings
This study finds that while perceived value of data transfer to the cloud moderates the effects of security and privacy concerns on continued use behavior, trust only moderates the effect of privacy concerns. This study also finds that perceived effectiveness of security and privacy intervention impacts privacy concerns but does not decrease security concerns.
Originality/value
Prior mobile app studies mainly focused on mobile apps and did not investigate the perceptions of app providers along with app features in the same study. Furthermore, International Organization for Standardization 27018 certification and privacy policy notification are the interventions that exhibit data assurance mechanisms. However, it is unknown whether these interventions are able to decrease users’ security and privacy concerns after using MCC apps.
1. Introduction
The use of mobile devices such as smartphones and tablets has been increasing over time. Accordingly, individuals spend a considerable amount of time using mobile apps at an average of five to six hours per day in the USA (Statista, 2022). Furthermore, many individuals have more than one mobile device (Pew Research Center, 2018). The growing use of mobile apps and multiple mobile devices creates several challenges. For instance, users need to access increasing amounts of data through different devices, often exceeding storage capacity. Users also need to access data through multiple mobile devices. To meet these needs, mobile app developers use cloud computing technologies to develop mobile cloud computing (MCC) apps (Noor et al., 2018). MCC refers to a computing model integrating mobile computing and the cloud, where the latter provides large remote storage and processing for mobile devices (Shamshirband et al., 2020; Wang et al., 2019). A large number of mobile apps are now designed as MCC apps to offer benefits such as a larger storage capacity and simultaneous access from multiple devices.
Despite their benefits, MCC apps raise concerns as users provide a wide range of personal data to them (e.g. Evernote, Dropbox, OneDrive) (Noor et al., 2018; Wang et al., 2019). Prior research recognizes mobile app users’ concerns and categorizes them into privacy concerns and security concerns (Balapour et al., 2020). Privacy is about information control and governance (Bansal, 2017; Menard and Bott, 2020), and the privacy issue with MCC apps is the lack of direct control over data stored in the cloud (Wang et al., 2019). On the other hand, security deals with protecting information against external threats (Nikkhah and Grover, 2022; Shamshirband et al., 2020). As users tend to use MCC apps with more than one mobile device, the authentication of mobile devices in the cloud, authorization of an MCC app to access user data, data integrity during the transfer from the mobile device to the cloud, and data breaches of the cloud services are the main security concerns (Nikkhah and Sabherwal, 2021; Wang et al., 2015). Such concerns could be costly for app developers if they drive users to remove apps as acquiring new users costs much more than retaining current ones (Bhattacherjee, 2001a). For example, after WhatsApp announced that it would share users’ personal information with its parent company, Facebook, a large number of users expressed their concerns and switched to alternative apps (Moore, 2021). Therefore, developers need to understand and address users’ concerns after an app’s adoption to retain their users.
Users can only properly evaluate the security and privacy issues of an app after installing and using it, which intensifies their concerns and leads to them removing it (Levenson, 2016). For example, users become more conscious of potential security and privacy issues when an app, on being opened for the first time, requests permission to access various functions of their mobile devices (e.g. contacts, camera). Understanding users’ security and privacy perceptions after using MCC apps is important because the perceptions before and after use might be different (Bhattacherjee, 2001a). In fact, a study that investigated 37,000 apps found that a fifth of users drop apps after just one use (Localytics, 2018). However, previous mobile app research did not examine users’ security and privacy perceptions after using MCC apps and whether security and privacy concerns inhibit them from continuing to use these apps. Furthermore, prior mobile app research did not consider the integration of mobile and cloud technologies (Balapour et al., 2020; Gutierrez et al., 2019; Rocha et al., 2020) and did not investigate this new generation of mobile apps. The perceptions of these apps are drawn from the features of the app as well as the app provider that uses cloud computing services (Noor et al., 2018; Zhou and Buyya, 2018). However, prior mobile app studies mainly focused on mobile apps and did not investigate the perceptions of app providers along with app features in the same study (Balapour et al., 2020; Gutierrez et al., 2019). Thus, the first objective of this study is to examine the effects of privacy and security concerns after using MCC apps and whether they are impacted by the perceptions of MCC apps’ features and providers.
To decrease users’ security and privacy concerns, many MCC app providers develop security and privacy interventions to notify users about their advanced security and privacy practices. These interventions are assurance mechanisms that are presented to users to reassure them that their data are placed in a secure location. To this end, MCC app providers adopt the industry self-regulation standard, International Organization for Standardization (ISO) 27018, which is specifically developed for the security and privacy of data in the cloud, and show it on their websites (e.g. Amazon, Google, Dropbox). They also send notifications to current users about recent privacy policy updates. ISO 27018 certification and privacy policy notification are the interventions that exhibit data assurance mechanisms. However, it is unknown whether these interventions are able to decrease users’ security and privacy concerns after using MCC apps. Given the time and resources required for developing these interventions, it is important for MCC app providers to know whether these interventions are effective. Thus, the second objective of this study is to examine the effect of security and privacy interventions on users’ concerns in the post-adoption phase.
To fulfill the research objectives, we first review prior MCC security and privacy studies and privacy calculus research to build the theoretical foundation. We then develop a security and privacy post-adoption model and delineate perceptions of the MCC apps’ features and providers to discuss their moderating roles. We also argue that security and privacy interventions delivered by mobile app providers can decrease users’ concerns. Then, we describe a scenario-based survey (n = 694) conducted to examine the research model. Finally, we present the results followed by a discussion of the implications for research and practice.
2. Literature review and theoretical development
In this section, we first review MCC security and privacy research to identify the main results. Then, we review privacy calculus studies in information systems (IS) to adopt an extended privacy calculus and better understand the factors that affect users’ continued behavior.
2.1 Mobile cloud computing security and privacy
Prior MCC research offers different perspectives on the security and privacy issues of the cloud user, the cloud provider, and the relationship between them (Noor et al., 2018; Shamshirband et al., 2020; Zhou and Buyya, 2018). Prior MCC security and privacy studies argue that the security and privacy of MCC include the security and privacy of cloud computing (Nikkhah and Sabherwal, 2021). As a result, we also review the studies that discuss the security and privacy of cloud computing.
Our review of cloud computing security and privacy literature (Appendix 1) reveals that these studies fall into five categories:
general security and privacy issues;
security and privacy design and architecture;
security and privacy regulation;
data security and privacy; and
security and privacy beliefs.
Our review of cloud computing studies finds that while technical concerns have been emphasized, users’ security and privacy beliefs have not received sufficient consideration (Appendix 1). Because this research examines the behavioral aspect of MCC apps security and privacy, our literature review focuses on security and privacy beliefs. The few studies that examine users’ perceptions suffer from several shortcomings. First, some cloud computing studies on users’ beliefs investigate either their perceptions of security or of privacy (Burda and Teuteberg, 2014; Park and Kim, 2014). Second, others combine security and privacy perceptions to make a composite perception and examine the effect of the composite construct (Arpaci et al., 2015). Finally, none of these studies on users’ beliefs examine their perceptions of security and privacy after using cloud computing services and applications (i.e. in a post-adoption context), and their focus was mainly on their intention to use them (Burda and Teuteberg, 2014; Park and Kim, 2014) or information sharing (Alsmadi and Prybutok, 2018).
In the MCC apps context, Nikkhah et al. (2022) examine whether dispositional traits and behavior-based traits can affect users’ decision to disclose personal information and find that personality traits (i.e. stability meta-trait and plasticity meta-trait) impact users’ privacy decision-making behavior. In another study, Nikkhah and Sabherwal (2021) find that while privacy concerns inhibit users from disclosing personal information, perceived security increases users’ willingness to disclose information. Although MCC security and privacy studies elaborate on security and privacy issues, they do not argue whether MCC security and privacy can affect users after adopting MCC apps (continued use). In addition, these studies do not examine the relationship between users’ perceptions of the apps and the cloud, as MCC apps integrate both technologies.
2.2 Adoption vs post-adoption (continued use)
Managers and information system (IS) developers try to persuade employees and end-users to accept new ISs. However, even if users adopt an IS in organizational or non-organizational settings, it may not lead to long-term use of the IS. Initial acceptance of IS may suggest IS success, but the eventual success of IS depends on continued use of IS rather than one-time use (Bhattacherjee, 2001a). Further, prior studies discuss that the factors that affect users to adopt IS might not be effective after adoption because many users stop using IS after adoption (Bhattacherjee, 2001b; Zhou, 2011). IS research distinguishes adoption and post-adoption behaviors and investigates factors that affect the continued use of IS in various contexts. As we study the continued use of MCC apps that integrate mobile apps and cloud computing, our review of post-adoption IS studies focuses on the continued use of mobile technologies as well as cloud computing applications and services.
Prior research on continued use of mobile-related technologies mostly draws on adoption theories such as the theory of planned behavior (Hong et al., 2008), the technology acceptance model (Hong et al., 2006), the extended unified theory of acceptance and use of technology (Tam et al., 2018) and two-factor theory (Lee et al., 2009) to investigate post-adoption perceptions. However, Zhou (2011) uses the post-adoption theory (i.e. expectation confirmation theory) and finds that satisfaction is the main determinant of continuance intention of using mobile services. In cloud computing post-adoption research, Yang and Lin (2015) find that perceived usefulness has a positive effect on continuance intention and that privacy protection risk and the lack of privacy-policy risk negatively moderate this relationship. Another study (Ratten, 2016) finds that personal attitude and perceived behavioral control relate positively, and risk relates negatively, to continuance use of cloud computing. Cheng (2018) also examines cloud post-adoption perceptions and finds that subjective norm, perceived behavioral control, perceived usefulness and satisfaction drive users to continue to use cloud enterprise resource planning. Finally, our review finds that post-adoption research that studies MCC together (e.g. MCC apps) is sparse and needs more attention.
IS post-adoption research argues that continued use of IS depends on the outcome of the evaluation process in which users examine prior IS use and compare the costs and benefits of using IS to confirm their expectations (Bhattacherjee, 2001a, 2001b). To better understand the cost-benefit analysis of mobile users after using MCC apps, and study post-adoption perceptions of MCC apps, we adopt privacy calculus and extend it by incorporating security.
2.3 Privacy calculus
Privacy research argues that individuals do a cost-benefit analysis before disclosing information (Cavusoglu et al., 2016). Based on this analysis, individuals share their private information with third parties online when the cumulative benefits they gain by disclosing information outweigh the associated cumulative costs (Dinev and Hart, 2006; Gerber et al., 2018; Kokolakis, 2017). Privacy calculus is a cognitive/mental analysis that harmonizes the competing forces stemming from the benefits of information sharing and the costs of not withholding information (Cavusoglu et al., 2016). Hence, privacy calculus has been used in many IS privacy studies to investigate individuals’ privacy cost-benefit analysis and behaviors (Table 1). As Table 1 shows, concerns about privacy are the main inhibitors of users’ intentions and behaviors. While security concerns can also inhibit users from disclosing information and using IS, none of these studies consider security concerns; thus, we extend the privacy calculus by incorporating security concerns in the user’s cost-benefit analysis. Table 1 also shows that utilitarian (i.e. perceived usefulness) and hedonic benefits (i.e. perceived enjoyment) drive users to disclose information and use IS. Another important driver in privacy calculus research is trust, which offsets users’ concerns in online settings. When users trust a third party, they are more willing to share information with the party; thus, users’ concerns would not prevent them from engaging with that third party online (Dinev et al., 2006; Liao et al., 2011).
Prior research also examines the effect of institutional interventions on privacy calculus to find how online firms can empower privacy drivers and undermine privacy inhibitors. Xu et al. (2009) find that privacy interventions, such as compensation, industry self-regulation and government regulation, can affect individuals’ privacy cost-benefit analysis on the location-based services of mobile apps. Keith et al. (2016) argue that privacy assurance mechanisms increase the likelihood that users’ privacy is assured and found that privacy assurance (i.e. industry self-regulation) has a negative effect on perceived privacy risk. Thus, we consider institutional interventions (i.e. security and privacy interventions) after the adoption of MCC apps to examine their effect on users’ cost-benefit analysis of the continued use of MCC apps.
3. Research model
We present our research model based on prior discussions on privacy calculus and prior MCC apps studies (Figure 1). MCC apps comprise two components (app and cloud), and the final user’s behavior is based on their perceptions of these components. As noted by prior research, the main concerns about using MCC apps are related to privacy and security (Noor et al., 2018; Zhou and Buyya, 2018). Privacy concerns about MCC apps are only related to the cloud, but security concerns are about the whole app, the cloud, and communication between the app and the cloud, as discussed later. Thus, Figure 1 shows that security and privacy concerns are the main inhibitors to the continued use of MCC apps.
We believe that perceptions of MCC apps’ features and provider can impact the effect of security and privacy concerns on an individual’s continued use (Figure 1). Figure 1 shows that the perceptions of MCC apps are categorized into cognitive perception and that which comes from the signals that providers send to users. We found trust to be the main cognitive perception of a provider because prior research consistently showed that users who trust an online party are more engaged in online transactions with them, and it is a facilitator of using cloud computing (Habib et al., 2012).
MCC apps’ features are mainly akin to the older mobile apps, but they provide one unique feature that differentiates them from the other apps: automatically sending any file that is stored on the app to the cloud, which is accessible to other devices and the Web simultaneously. We believe that this unique feature (i.e. accessibility) provides utilitarian and hedonic benefits and is the main reason for using these apps, despite the associated concerns. So, the research model includes the perception of this feature that counteracts the effects of privacy and security concerns. We do not differentiate between MCC apps in the research model because all MCC apps share this feature, and our study focuses on this aspect of MCC apps in general.
Finally, the providers notify users by creating security and privacy interventions (i.e. ISO 27018 and privacy policy). Although users might not read privacy policies and ISO 27018 certification information, these interventions can influence them when their presence is perceived as effective (Steinfeld, 2016; Xu et al., 2011). Thus, we believe that the preconceptions of security and privacy interventions can decrease users’ security and privacy concerns (Figure 1).
3.1 Perceived privacy concerns
Privacy concerns about the internet involve the gathering, storing and analyzing of users’ information without permission. Online companies have enhanced their technical capabilities over time to gather, analyze, and process information, which raises concerns about information privacy. Information privacy refers to “the desire of individuals’ ability to control or have some influence over data about themselves” (Bélanger and Crossler, 2011, p. 1017). When users input information into MCC apps, this information is transferred and stored in the cloud where they are not able to control it. In fact, the main concern about using cloud computing applications is the lack of control over the information sent to the cloud for storage and processing (Sun et al., 2011).
Perceived privacy concerns in this study refer to the concerns about any opportunistic behavior that MCC apps and their providers can perform with the mobile users’ data. In addition to the lack of direct control, data theft and unauthorized modification in the cloud are other privacy concerns about using MCC apps (Pearson et al., 2009). The cloud servers might be located in different countries whose governments can legally survey and monitor the users’ data in the cloud (Robison, 2009), while users may not be content with such surveillance. Additionally, online companies such as MCC app providers can use the users’ data for marketing and sell it to other companies (Conger et al., 2013; Lowry et al., 2011; Smith et al., 1996). Their employees can also invade users’ privacy by reading their private information in an unauthorized way.
Privacy concerns about using MCC apps are not restricted to the opportunistic behavior of the providers and their employees but also incorporate the opportunistic behavior of the apps. To illustrate, MCC apps require users to give them permission to access various functions and settings of their mobile devices (e.g. network, storage, contact, camera, microphone) during installation, which raises further privacy concerns (Shaykhet, 2017; Souppouris, 2012). MCC apps can steal the users’ data stored on mobile devices (e.g. photos and contacts) and secretly track their locations. All these concerns make mobile users reluctant to use MCC apps further. Moreover, IS privacy research shows the negative effect of perceived privacy concerns on users’ behavior in other contexts, such as online transactions (Dinev and Hart, 2006; Dinev et al., 2006), networking sites (Krasnova et al., 2012) and instant messaging mobile apps (Lowry et al., 2011). Privacy concerns have also been found to be a significant factor in cloud continuance models (Trenz, 2013). Thus, we hypothesize as follows:
Perceived privacy concerns have a negative effect on continued intention to use MCC apps.
3.2 Perceived security concerns
The probability of being the target of external threats and the victim of security attacks increases when users connect to the internet. Mobile users need to connect to the internet to use MCC apps, as they require a connection to the cloud through the internet, which makes security one of the major issues of using MCC apps. Perceived security concerns refer to the probability that users’ information will be read and manipulated by unauthorized parties after using MCC apps. While privacy concerns are about the intentional opportunistic behavior of MCC app providers, security concerns are about the external threats to the safety of MCC apps, the communication between MCC apps and the cloud, and the cloud infrastructure (Ali et al., 2015; Rahimi et al., 2014). Mobile devices are exposed to security threats, such as malicious codes (e.g. viruses, worms, Trojan horses, spyware), by installing MCC apps, and hackers can use these codes to hack mobile devices (Ashford, 2015). However, protecting mobile devices against such threats is more difficult than on resourceful devices, such as personal computers (Dinh et al., 2013).
The security of communication between MCC apps and the cloud is another concern about using such apps because this communication can face threats, such as denial-of-service, man-in-the-middle, eavesdropping, IP spoofing-based flooding, and masquerading (Ali et al., 2015). Users are also concerned about data breaches as a result of hacking the cloud infrastructure by external threats, such as hackers and other cloud users. A recent report on cloud security confirmed the possibility of cloud hacking by arguing that the misconfiguration of the cloud platform, insecure interfaces and the hijacking of accounts are cloud security threats (Cloud Security Report, 2018).
Prior IS research extensively argues that security concerns affect users’ behaviors (Anderson and Agarwal, 2010; Johnston et al., 2015). Chen and Zahedi (2016) found that concerns about online security threats lead to coping behaviors, such as avoidance. In another study, Ho-Sam-Sooi et al. (2021) identified the effect of security on users’ purchasing behavior. Likewise, mobile users react to their concerns about the security of MCC apps. For instance, many users stopped using Starbucks and Uber apps on their mobile devices when they found that these apps are vulnerable and that there are security threats associated with such MCC apps (Cox, 2017; Gross, 2015). As a result, we believe that security concerns are another major factor that inhibits continued MCC apps’ use, and we hypothesize as follows:
Perceived security concerns have a negative effect on continued intention to use MCC apps.
3.3 Perceived value of data transfer to the cloud
Consumer behavior research indicates that individuals use products based on their utilitarian or hedonic nature (Babin et al., 1994; Holt, 1995). In IS research, utilitarian and hedonic benefits have been found to affect technology acceptance and use (Venkatesh et al., 2012). While utilitarian benefits focus on extrinsic motivation and improve job performance, hedonic benefits focus on intrinsic motivation and give users pleasure (Van der Heijden, 2004).
When MCC apps transfer data to a central location (cloud), they deliver several exclusive utilitarian and hedonic benefits to users. First, the storage capacity that users can have in the cloud is significantly higher than that of mobile devices. Each MCC app provides either free unlimited storage capacity (e.g. Skype) or limited storage capacity that is still higher than that of mobile devices (e.g. Dropbox provides 5 GB of free storage). In either case, users are not worried about storing large files and saving their important data when working with their mobile devices. Second, when data are stored in a central location, different devices can concurrently access them. This feature is important for those users who need to work on collaborative projects. Third, as MCC apps are internet-based and put information in the cloud, mobile devices with different operating systems do not have compatibility issues when accessing data. Thus, one user with an Android tablet can work on the same spreadsheet file as another user with an iOS mobile phone. Fourth, data in the cloud are backed up automatically by MCC app providers, and even if a mobile device is broken, users still can access their data through other devices. Thus, users download and install MCC apps because of the value that these apps can provide based on utilitarian and hedonic benefits.
The perceived value of data transfer to the cloud refers to what extent users believe that doing so provides utilitarian and hedonic benefits. In this regard, prior research argues that in the mobile context, utilitarian and hedonic beliefs drive users’ behaviors (Wakefield and Whitten, 2006). Prior research also examines why users disclose their private information despite their concerns about doing so and found that users admit to sharing information to receive benefits (Kokolakis, 2017; Nikkhah et al., 2022). Privacy calculus studies also show that when the perception of the benefits IS provides is high, users are more willing to use IS despite concerns about information disclosure (Dinev et al., 2006; Li et al., 2010).
Consistent with findings of mobile and privacy calculus studies, we posit that although users have privacy and security concerns about continuing to use MCC apps, the utilitarian and hedonic benefits of sending data to the cloud offset such concerns. In fact, while MCC app users have concerns about the control (privacy) and protection (security) of their data, they continue to use these apps because of the unique utilitarian and hedonic benefits that such apps provide. While users have privacy and security concerns about using MCC apps, those users who have a higher perception of the value of data transfer to the cloud have higher intentions to continue to use such apps. Thus, we hypothesize as follows:
Perceived value of data transfer to the cloud moderates the relationship between perceived privacy concerns and continued intention to use MCC apps, such that the relationship is weaker with a higher level of perceived value of MCC apps.
Perceived value of data transfer to the cloud moderates the relationship between perceived security concerns and continued intention to use MCC apps, such that the relationship is weaker with a higher level of perceived value of MCC apps.
3.4 Trust
Trust plays a key role in an exchange between two parties, especially in online settings. It facilitates an online transaction by encouraging the parties to disclose information to each other (McKnight et al., 2002). There are different definitions for trust in the literature, and researchers consider multiple dimensions for it. For example, Johnson-George and Swap (1982) consider the intention to take risks as one of the characteristics shared by all trust situations. Mayer et al. (1995) define trust as:
the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.
Metzger (2004) suggests that when individuals weigh the benefits and costs of a social transaction, trust increases transaction willingness. Trust has been shown to offset users’ concerns in various online contexts because it provides the feeling of security and safety that enables users to engage more in online activities (Liao et al., 2011; Malhotra et al., 2004; Nikkhah et al., 2018a, 2018b).
Prior privacy calculus studies have highlighted the importance of trust during the cost–benefit analysis of online behaviors and found that trust increases users’ online actions despite their concerns (Table 1). For instance, Dinev and Hart (2006) argue that trust is one of the “confidence and enticement” beliefs that drives users to provide personal information to transact on the internet. When users trust an MCC provider, they believe that it considers their best interests regarding their data and fulfills its promises related to their information. Trust in an MCC provider means it does not sell users’ personal information to other companies (Conger et al., 2013), is hesitant to allow the government to survey users’ data in the cloud and uses the best data protection mechanisms. Users’ perceptions of using MCC apps are drawn from the intertwined perceptions of apps and their providers, and perceptions of the latter can affect users’ perceptions of the apps and using them in general. With the same level of concern about the misuse of information given to MCC apps and the safety of data transfer from MCC apps to the providers, those users who have a higher level of trust in MCC app providers are more willing to use such apps. Thus, we expect as follows:
Trust moderates the relationship between perceived privacy concerns and the continued intention to use MCC apps, such that the relationship is weaker with a higher level of trust.
Trust moderates the relationship between perceived security concerns and the continued intention to use MCC apps, such that the relationship is weaker with a higher level of trust.
3.5 Perceived effectiveness of security and privacy interventions
With the growing concerns about online information disclosure, online companies attempt to assure users that data transactions and storage are safe and that they protect users’ data against security and privacy threats. Online companies can reduce the disutility caused by data collection if they commit to using data responsibly and convey this commitment through security and privacy interventions (Hui et al., 2007). Security and privacy interventions are the signals that online companies give to users to convey their efforts to protect users’ data. Prior studies indicate that security and privacy interventions affect users’ cost-benefit analysis, which encourages users to disclose information and use online services more (Keith et al., 2016; Xu et al., 2009).
MCC app providers develop security and privacy interventions to show their fair information practices in the cloud. In this study, we define the perceived effectiveness of security and privacy interventions as the extent to which a user believes that MCC app providers’ security and privacy interventions are able to provide accurate and reliable information about the efforts that have been devoted to protecting users’ information (Xu et al., 2011). Prior studies mention that two common interventions are privacy policy and industry self-regulation (Nikkhah and Sabherwal, 2021; Wu et al., 2012; Xu et al., 2011), which are adopted by MCC app providers too. MCC app providers create privacy policies to describe what data are collected, how they are handled and processed, and for what purposes they are used. Even after downloading and using MCC apps, the providers notify the current users about privacy policies’ updates and remind them to read and accept the latest versions.
Figure 2 shows Viber’s prompt to a smartphone user to read the latest changes about controlling and protecting information and accept the new update of the privacy policy. Most privacy policies not only include information about privacy practices but also about security practices and how technical security solutions can protect data in the cloud. For example, in its privacy policy, Viber provides information about security by mentioning:
We maintain technical, physical, and administrative security measures to protect the security of your personal information against loss, misuse, unauthorized access, disclosure, or alteration. Some of the safeguards we use include firewalls, data encryption, physical access controls to our data centers and information access authorization controls […] (Viber Privacy Policy, 2019).
Finally, although many users do not read privacy policy statements, these prompts affect their perceptions of security and privacy (Balapour et al., 2020).
MCC app providers (e.g. Microsoft, Dropbox, Amazon) have also adopted the international standard ISO 27018 as another intervention to assure users of their information’s safety in the cloud. ISO 27018 is aimed at protecting personally identifiable information in the cloud, which includes controls within the process of implementing a cloud computing information security management system based on ISO 27001. For example, in its announcement about achieving ISO 27018 certification, Microsoft elaborates on how users’ information is assured using the ISO 27018 guidelines: “(a) you are in control of your data, (b) you know what’s happening with your data, (c) we provide strong security protection for your data, (d) your data won’t be used for advertising, (e) we inform you about government access to data” (Microsoft, 2015). Prior research found that industry self-regulation decreases users’ concerns about disclosing information because industry self-regulators provide users with a means of recourse if they are aggrieved (Xu et al., 2009, 2011).
When users encounter providers’ security and privacy interventions (i.e. privacy policy and industry self-regulation), they are informed about security and privacy practices. Even if users do not read privacy policies and ISO 27018, they perceive (by facing these interventions) MCC app providers to consistently make an effort to improve the privacy and security of their data. When users believe that these interventions are effective and reliable, their privacy and security concerns about using MCC apps decrease. Thus, we hypothesize as follows:
H5a. Perceived effectiveness of security and privacy interventions decreases perceived privacy concerns.
H5b. Perceived effectiveness of security and privacy interventions decreases perceived security concerns.
3.6 Control variables
This study incorporates several control variables consistent with prior research (Malhotra et al., 2004) to examine the relationships of the model. In addition to age and gender, this study includes experience with the internet and MCC apps as the control variables because experienced users might better evaluate different facets of these apps. Those users whose privacy has been violated in the past and those who have read or heard about privacy incidents are more conscious of different privacy issues as a result of information disclosure. Thus, the research model also includes past invasion of privacy and media exposure as the other control variables.
4. Methodology
4.1 Data collection
We conducted an online scenario-based survey through CloudResearch in the USA to test the relationships of the research model. The process of our data collection comprised three phases: pretest, pilot study and primary study. Before collecting data, we first received institutional review board approval from a Midwest university in the USA. For the pretest, we solicited two IS researchers with doctorate degrees to review our survey and provide feedback. They suggested that we provide general information about MCC apps and the purpose of our study for the study participants. As a result, we explained the nature of MCC apps and provided examples from well-known apps at the beginning of the survey (Appendix 2). We also explained to our participants that the survey focused on data transfer to the cloud through MCC apps and that we needed to investigate their perceptions of this aspect of such apps. We asked the participants to answer the survey items based on a note-taking MCC app (e.g. Evernote) that can be installed on multiple operating systems and can accept any file format (Appendix 2).
For the pilot study, we conducted a Web-based survey with 40 respondents who were similar to our primary study participants to receive feedback. We added a few open-ended questions at the end of the survey and asked the pilot study participants about the clarity of the questions and explanation about MCC apps. Accordingly, we revised the survey by changing the wording of some questions and making the questions clearer based on the pilot study feedback. We conducted another Web-based survey for the primary study to reach a wide range of MCC apps users of different age groups, genders and education levels (Lowry et al., 2016). We also encouraged participation with a small monetary incentive and therefore collected 800 responses.
We followed a systematic approach (Lowry et al., 2016) to improve data quality. First, to exclude major cultural differences among respondents, we used IP addresses and geolocation information to remove any responses from outside the USA. Then, we removed responses from individuals who were not currently using or had no experience with MCC apps. Subsequently, we removed the responses that:
did not correctly name an MCC app (Appendix 2);
were completed in less than five minutes (based on the pilot study); or
did not answer security questions correctly.
Finally, an outlier is “one that appears to deviate markedly from other members of the sample in which it occurs” (Hodge and Austin, 2004, p. 85). We detected and removed outliers that were inconsistent with the main cluster of data from our study (Chatterjee and Hadi, 1986). This produced 694 acceptable responses, which was sufficient to have the power of 1.0, with a large-size effect and 0.01 significance level, for further analyses. Appendix 3 summarizes the demographics of respondents, most of whom had used the internet for 16–20 years and MCC apps for 4–6 years.
4.2 Measurement items
We operationalized the constructs by adapting existing items to fit the study (Appendix 4). Some constructs of the model are multidimensional and need to be measured as second-order variables, while others can be measured as first-order, as suggested by prior studies. For example, we used the items of continued intention to use MCC apps from Bhattacherjee (2001a, 2001b) and those of trust and perceived privacy concerns from Dinev and Hart (2006). To measure participants’ prior use of MCC apps, we asked: “How long have you been using MCC apps?”
We considered perceived security concerns as a second-order construct due to the need to capture the security concerns about MCC apps, the relationship with the cloud, and the cloud infrastructure. We adapted the items of perceived security susceptibility and perceived severity of security attacks from Chen and Zahedi (2016). Perceived value of data transfer to the cloud was also measured as second-order to incorporate both hedonic and utilitarian benefits (Wakefield and Whitten, 2006). We measured perceived enjoyment (hedonic benefit) using items from van der Heijden (2004) and perceived usefulness (utilitarian benefits) using items from Davis (1989) as the associated first-order constructs. Another second-order construct is perceived effectiveness of security and privacy interventions; prior studies stated that providers use multiple security and privacy interventions to influence users, and the two common interventions that are also adopted by MCC app providers are industry self-regulation and privacy policy (Xu et al., 2009, 2011). Thus, we adapted the scales of perceived effectiveness of perceived privacy policy and perceived effectiveness of industry self-regulation from Xu et al. (2011) to measure perceived effectiveness of perceived security and privacy interventions as the second-order construct. All survey items used a seven-point Likert scale.
4.3 Preliminary analysis
Prior research asserted that reflective and formative latent variables need different measurement adequacy tests (Petter et al., 2007). There are four criteria to choose formative or reflective measurement:
the direction of causality is from items to construct;
items are not necessarily interchangeable;
items do not necessarily covary; and
it is possible for the nomological net of the items to differ (Maruping et al., 2019; Petter et al., 2007).
Following Petter et al.’s (2007) rules to decide on formative and reflective measurement, we found that all the second-order constructs of our research model should be considered formative, and the first-order variables should be considered reflective. Thus, we conducted several different tests to assess the measurement model.
We followed prior research that examined the measurement model with formative and reflective latent variables (Maruping et al., 2019). Thus, we first estimated fit indices to measure the model fit of data, as suggested by prior research (Hu and Bentler, 1999; Maruping et al., 2019). The results (CFI = 0.98, TLI = 0.98, SRMR = 0.02, RMSEA = 0.05) show that fit indices meet the recommended thresholds and confirm a good fit to the data. We also checked the reliability and validity of constructs, and Table 2 demonstrates the descriptives and reliabilities of the measures, as well as the inter-variable correlations. Table 2 shows that the values of Cronbach’s alpha (α) for all reflective variables exceed the recommended threshold of 0.70 (Nunnally, 1978), supporting the reliability. The results also show the convergent validity of reflective variables is supported by the value of average variance extracted (AVE) being above the threshold of 0.50. Discriminant validity is confirmed by all inter-variable correlations being below the square root of the variable’s AVE value (Segars, 1997).
For the latent variables with formative measures, prior research argued that different evaluation criteria should be adopted (Maruping et al., 2019; Petter et al., 2007). The variables with formative measurements are required to be evaluated for multi-collinearity using the variance inflation factor (VIF) with an upper threshold of 10 (Diamantopoulos and Winklhofer, 2001; Maruping et al., 2019). Appendix 5 shows that for each formative latent construct, the VIF was below 2.0, and the weight range of the associated indicators was significant.
4.4 Common method variance
Common method variance is a potential issue in survey research, causing flawed results (Podsakoff et al., 2003). So, we first examined whether our study suffers from common method bias. Following prior recommendations to test common method variance (Nikkhah and Grover, 2022), we first conducted Harman’s one-factor test (Podsakoff and Organ, 1986). We found that the first factor could only explain 28% of the model variance. Then, we ran Lindell and Whitney’s (2001) marker variable test by using the smallest observed correlation in our data set. The results show that the marker variable has low and insignificant correlations (ranging from −0.03 to 0.07) with the variables of the study. These results indicate that common method variance is not a threat in this research.
4.5 Hypotheses testing
We used Stata 15.0 to test hypotheses with hierarchical moderated regression. For robustness, data were also analyzed with the maximum likelihood (ML) method. To test moderated hypotheses, we estimated the interaction terms by cross-multiplying the mean-centered items of the relevant constructs. [1] We entered the terms in a stepwise approach starting with control variables (Model 1), followed by the main effects (Model 2) and interactions (Model 3). Table 3 shows the path coefficients and explained variances when using hierarchical regression, as well as ML results. The model explains 47% of the variance in the continued intention to use MCC apps (Model 3). The incremental F-test of the R² change is also estimated, and the results (F1 = 57.66, p < 0.001; F2 = 44.23, p < 0.001) show that the independent variables and interaction terms significantly increase explained variance in continued intention to use MCC apps (Models 2 and 3).
The results confirm users’ concerns about their information governance and protection after adopting MCC apps. Models 2 and 3 show that privacy and security concerns have negative effects on continued intention to use MCC apps, even considering the direct effects of moderators and the associated interaction effects. Thus, H1 and H2 are supported. Model 3 demonstrates the significant role of perceived value of data transfer to the cloud in driving users to continue to use MCC apps. As shown in Table 3, perceived value of data transfer to the cloud has a significant positive effect on the dependent variable (DV), and its interactions with privacy and security concerns also have positive effects on continued intention to use MCC apps. In other words, perceived value of data transfer to the cloud offsets users’ concerns about using MCC apps and moderates the relationships of perceived privacy and security concerns with continued intention to use MCC apps. As a result, H3a and H3b are supported. These interesting results deserve more attention. Thus, to further interpret the interactions of perceived value of data transfer to the cloud with perceived privacy and security concerns, we plotted two separate graphs (Figures 3 and 4). These graphs show the relation between the high and low levels of one independent variable and the DV with high and low levels of perceived value of data transfer to the cloud (Aiken and West, 1991; Jaccard and Turrisi, 2003).
Figures 3 and 4 show that when privacy and security concerns are low, continued intention to use MCC apps is higher than when these concerns are high. However, when perceived value of data transfer to the cloud is high, continued intention to use MCC apps is high regardless of the levels of privacy and security concerns.
The results also suggest different moderating effects of trust on the relationships of perceived privacy and security concerns with continued intention to use MCC apps. As shown in Model 3, in addition to the positive effect on DV, trust moderates the negative effect of privacy concerns on DV. Model 3 shows that the interaction of trust and perceived privacy concerns has a positive effect on continued intention to use MCC apps, thereby supporting H4a. We also plotted the relations of high and low levels of perceived privacy concerns and trust with DV (Figure 5). This graph shows that a higher level of trust can offset privacy concerns because regardless of the level of privacy concerns, continued intention to use MCC apps is high when trust is high.
Despite the moderating effect of trust in the relationship between perceived privacy concerns and the DV, Model 3 shows that the interaction of trust with perceived security concerns does not affect continued intention to use MCC apps. Trust does not moderate the relationship between perceived security concerns and the DV. Thus, H4b is not supported.
Table 3 also shows the effects of control variables and perceived effectiveness of security and privacy interventions on perceived privacy and security concerns. The two models (Model 2) of privacy and security concerns show that while perceived effectiveness of security and privacy interventions decreases perceived privacy concerns, it does not affect perceived security concerns. Consequently, H5a is supported, but H5b is not. Table 3 also reveals that control variables do not affect endogenous variables with one exception. MCC apps use experience has a positive effect on continued intention and a negative effect on perceived privacy concerns.
The results of the ML estimation are akin to those of hierarchical moderated regression. ML results in Table 3 are consistent with the results of Model 3 regarding the continued intention to use MCC apps and Model 2 regarding privacy and security concerns. The similarity between the ML and hierarchical moderated regression results indicates the robustness of our findings.
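The stepwise procedure described in Section 4.5 (controls, then main effects, then mean-centered interaction terms, with an incremental F-test on the R² change and a simple-slopes reading of the moderation) can be sketched as follows. This is an added illustration in Python, not the authors' Stata code: the data are constructed with arbitrary effect sizes, only one control and one moderator are modelled, and the interaction is formed from construct-level scores rather than items.

```python
import random
from math import sqrt

def center(values):
    """Mean-center a variable before forming the interaction term."""
    mean = sum(values) / len(values)
    return [v - mean for v in values]

def ols(X, y):
    """Least squares via the normal equations; returns (coefficients, R^2)."""
    n, k = len(X), len(X[0])
    # Augmented matrix [X'X | X'y]
    A = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(k)]
         + [sum(X[r][i] * y[r] for r in range(n))] for i in range(k)]
    # Gauss-Jordan elimination with partial pivoting
    for c in range(k):
        p = max(range(c, k), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        pivot = A[c][c]
        A[c] = [v / pivot for v in A[c]]
        for r in range(k):
            if r != c:
                factor = A[r][c]
                A[r] = [vr - factor * vc for vr, vc in zip(A[r], A[c])]
    beta = [A[i][k] for i in range(k)]
    y_mean = sum(y) / n
    ss_tot = sum((v - y_mean) ** 2 for v in y)
    ss_res = sum((y[r] - sum(b * x for b, x in zip(beta, X[r]))) ** 2
                 for r in range(n))
    return beta, 1 - ss_res / ss_tot

def f_change(r2_reduced, r2_full, added, n, k_full):
    """Incremental F for the R^2 gain from `added` predictors (k_full counts the intercept)."""
    return ((r2_full - r2_reduced) / added) / ((1 - r2_full) / (n - k_full))

def make_sample(n=694, seed=7):
    """Constructed data only: arbitrary effect sizes, not the study's responses."""
    rng = random.Random(seed)
    exp, pc, val, ci = [], [], [], []
    for _ in range(n):
        e, p, v = rng.gauss(5, 3), rng.gauss(5, 1.2), rng.gauss(5, 0.8)
        exp.append(e)   # control: app use experience
        pc.append(p)    # privacy concerns
        val.append(v)   # perceived value (moderator)
        ci.append(2 + 0.05 * e - 0.30 * p + 0.60 * v
                  + 0.25 * (p - 5) * (v - 5) + rng.gauss(0, 0.8))
    return exp, pc, val, ci

def run_hierarchy():
    exp, pc, val, ci = make_sample()
    n = len(ci)
    pc_c, val_c = center(pc), center(val)
    interaction = [a * b for a, b in zip(pc_c, val_c)]
    m1 = [[1.0, e] for e in exp]                               # Model 1: controls
    m2 = [row + [p, v] for row, p, v in zip(m1, pc_c, val_c)]  # Model 2: main effects
    m3 = [row + [i] for row, i in zip(m2, interaction)]        # Model 3: interaction
    fits = [ols(m, ci) for m in (m1, m2, m3)]
    r2 = [fit[1] for fit in fits]
    beta = fits[2][0]
    sd_val = sqrt(sum(v * v for v in val_c) / (n - 1))
    return {
        "r2": r2,
        "f_change": [f_change(r2[0], r2[1], 2, n, 4),
                     f_change(r2[1], r2[2], 1, n, 5)],
        "b_interaction": beta[4],
        # Simple slopes: effect of privacy concerns at -1 SD and +1 SD of the moderator
        "slope_low": beta[2] - sd_val * beta[4],
        "slope_high": beta[2] + sd_val * beta[4],
    }

if __name__ == "__main__":
    for name, value in run_hierarchy().items():
        print(name, value)
```

A positive interaction coefficient shows up as a flatter (less negative) slope of concerns at high levels of the moderator, which is the pattern the interaction plots are meant to convey.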
5. Discussion
5.1 Implications for research
This study offers several insights for security and privacy research, as discussed next. First, privacy and security research on MCC apps predominantly provides technical solutions to address the relevant issues (Dinh et al., 2013; Rahimi et al., 2014; Zhou and Buyya, 2018), while giving little attention to users’ security and privacy perceptions. This study has argued that understanding users’ security and privacy perceptions after the adoption of MCC apps is important to retain current users. Thus, we examined whether security and privacy concerns are effective after the adoption of MCC apps. Some cloud computing security and privacy research studies mainly focused on privacy concerns to find whether they inhibit users from adopting cloud computing applications/services or disclosing information to the cloud (e.g. Burda and Teuteberg, 2014). However, security concerns are also a salient factor that individuals consider for sharing information and communicating with entities on the internet (Lowry et al., 2017). Some other studies that investigated the effect of security and privacy concerns combined both concerns as one construct in the model (Arpaci et al., 2015), which shrouds the separate effects of security and privacy concerns on cloud users’ beliefs. However, it was not clear if either security or privacy concerns impact mobile users after using the apps. This study teases out users’ concerns about using MCC apps by including security and privacy concerns distinctively in the same nomological network to investigate whether they have different influences on users. The findings confirm that users have different concerns about using MCC apps. Security and privacy concerns are the two main facets of users’ concerns about MCC apps, and each can stop them from continuing to use such apps.
Moreover, prior research has viewed individuals’ concerns only before adopting cloud computing applications and services (Arpaci et al., 2015; Burda and Teuteberg, 2014; Widjaja and Chen, 2012), but this research has found security and privacy concerns to have different effects on users in a post-adoption phase. The results suggest that users are worried about inadequate control over their data in the cloud. This concern is significant as users provide more personal information, such as photos, audio, videos and project data, to the cloud through MCC apps. This insufficient control indicates the possibility that third parties (e.g. the government, internal staff, hackers) can access and misuse users’ files. We also found that security concerns influence users’ perceptions after using MCC apps and can convince them to stop using these apps. Thus, our findings show that users have concerns about the safety of MCC apps, the communication with the cloud, and the protection mechanisms of the cloud. Users work with MCC apps on the move using different internet connections and are not confident about these connections’ protections against security attacks. MCC apps send out users’ data from mobile devices to be saved on cloud servers, and users do not know how secure these servers are. Additionally, mobile users are worried about the security of MCC apps and whether they can be targeted by security attacks through these apps. Malicious codes, such as viruses, worms, spyware and Trojan horses, threaten the safety of mobile devices, and MCC apps can be a suitable home for these codes. Hackers can also penetrate mobile devices through MCC apps to steal or manipulate users’ private information. Hackers can access any data saved on mobile devices through MCC apps because these apps receive permission to access the storage and network connections from users during their installation.
Prior research examines the perceptions of mobile apps’ features with respect to users’ behaviors (Balapour et al., 2020; Gutierrez et al., 2019). However, MCC apps are hybrid, and the perceptions of these apps are drawn from those of cloud computing providers and mobile apps. The findings of this study support the view that the perceptions of cloud computing providers and mobile apps are intertwined. In fact, we found that trusting the provider can moderate the effect of privacy concerns. Despite the fact that users have privacy concerns about MCC apps, users tend to continue using apps whose providers they trust. Users might believe that the providers they trust would not misuse their data by, for example, selling to third parties. However, we found that trust in the provider is not able to cancel out the negative effect of security concerns. This might be due to the inability of MCC app providers to completely secure their communications with mobile devices, as users acquire different connections and internet service providers. Furthermore, many big cloud companies have faced data breaches (Nikkhah and Grover, 2022) despite practicing security mechanisms (e.g. Dropbox faced a data breach in 2022). Thus, although users trust in a provider, they believe that security threats could be out of the provider’s control. Prior research debates why users disclose their personal information despite privacy concerns (for a review, see Kokolakis, 2017). The findings of this research reveal that the benefits users enjoy from the integration of cloud computing and mobile apps nullify the negative effects of security and privacy concerns. As such, although users have security and privacy concerns, they use MCC apps because of the values they offer, such as enabling working on collaborative projects by concurrently accessing the same data through multiple devices, operating systems compatibility, automatic data backup and Web access.
Prior privacy research shows the relationship between interventions and privacy costs and benefits (Xu et al., 2009). We extended this relationship by separately examining the effect of security and privacy interventions (i.e. ISO 27018 and privacy policy) on security and privacy concerns. We found that the MCC providers’ interventions to signal assurance mechanisms have different effects on users’ perceptions. We found that although the interventions provide information about MCC app providers’ security practices, they are not able to decrease security concerns. Many privacy policies include information about the provider’s security practices (e.g. Dropbox), but users do not discern these policies from the statement about the procedure of securing data. Adopting ISO 27018 is not an effective way to decrease security concerns, as most may not know that this is a security standard for the cloud. However, the perception of these interventions can decrease privacy concerns. Users might not read the privacy policies or ISO 27018 (Balapour et al., 2020), and the prompts about these interventions simply indicate that MCC app providers are significantly attempting to keep users’ data private in the cloud.
5.2 Implications for practice
The findings of this study also help MCC app providers and developers in several ways. First, MCC app developers should understand that individuals have different concerns before and after the adoption of MCC apps. The findings of this study show that users’ security and privacy concerns can inhibit continued use of MCC apps, and the current security and privacy interventions are not able to decrease security concerns. Thus, MCC app providers and developers should devise new approaches to assure users about their communications and infrastructure safety. For example, we suggest that MCC app providers enable the encryption of communication to the cloud so that hackers and other users cannot easily intercept it and capture users’ data. Additionally, MCC app developers should design the MCC apps and the way data are stored in the cloud such that users can encrypt data in the cloud with their own keys. If users can put a password on their data in the cloud, they will feel reassured about the protection and security of their data in the cloud, especially against external threats. In fact, MCC providers should allow users the ability to configure their settings for the security of communication and storage in the cloud. Thus, we suggest that MCC apps provide several security and privacy interventions. For example, in addition to the privacy policy and ISO 27018, we suggest that MCC app developers provide a security policy and prompt current users periodically to read and accept new versions of it. MCC app providers can also provide new versions of the MCC apps that are more secure and ask their users to upgrade the app not only because of new functionality features but also new security settings. Finally, as prior experience with MCC apps increases the likelihood of continuing to use other apps, MCC app providers can advertise their apps on freeware or shareware MCC apps to attract experienced users.
5.3 Limitations and future research directions
We acknowledge several limitations of our study that can be addressed in future research. First, we asked the survey participants to focus on the MCC apps’ shared feature of sending data to the cloud, but they could have had different perceptions of different MCC apps. Future studies can select a few MCC apps in different categories such as games and education and experiment with mobile users to better understand their cost-benefit analysis of MCC apps.
Second, this study does not have any context-oriented construct in the research model. Future research can identify the constructs relevant to the MCC apps’ features and examine the individuals’ perceptions of such constructs. Third, although the participants of this study belonged to different classes of society and were representative of MCC app users, they were in the USA. Future studies can examine other cultures to find whether mobile users perceive the cost and benefit of using MCC apps in the same way. Finally, we focused mainly on security and privacy in this research, but there might be other factors that influence users to continue using MCC apps (e.g. group conformity, addiction, quality of service of the app/cloud provider). Thus, future research can investigate MCC app users’ decision-making behavior from other lenses.
6. Conclusion
Based on an extended privacy calculus model, we examined whether security and privacy concerns distinctively inhibit users from using MCC apps after adopting them. We also discussed how the perceptions of MCC apps’ features and providers are interrelated. We examined the moderating roles of trust in the providers and the value of data transfer to the cloud in the relationships of security and privacy concerns with continued intention to use MCC apps. As most MCC apps develop privacy policies, and many cloud computing providers adopt the self-regulatory standard ISO 27018, we investigated whether the perceptions of these interventions can decrease security and privacy concerns. To this end, we conducted a scenario-based survey with 694 mobile users and found that each security and privacy concern can inhibit users from further using MCC apps. We also found that their perceived value of data transfer moderates the effects of their security and privacy concerns, but trust in the provider only moderates the effect of privacy concerns. The findings also indicate that the perceptions of the effectiveness of privacy policy and ISO 27018 can only decrease privacy concerns. We finally discussed how these findings provide implications for research and practice.
Note
1. For formative second-order constructs, we use a two-stage partial least squares approach to estimate the latent variables scores and then use the scores in regression analysis (Henseler and Fassott, 2010, p. 724; Ye and Kankanhalli, 2018).
Figure 1. Research model
Figure 2. Privacy policy prompt
Figure 3. Interaction between perceived value of data transfer and privacy concerns
Figure 4. Interaction between perceived value of data transfer and security concerns
Figure 5. Interaction between trust and perceived privacy concerns
Table 1. Prior studies based on privacy calculus models
| Study | Context | Inhibitors | Drivers | Outcome |
|---|---|---|---|---|
| Gutierrez et al. (2019) | Mobile location-based advertising | Internet privacy concerns, intrusiveness | Personalization, monetary reward | Acceptance of mobile location-based advertising |
| Bol et al. (2018) | Health, news, and commerce websites | Risk perception, risk belief, privacy concern | Trust, benefit | Self-disclosure |
| Keith et al. (2016) | Location-based mobile apps | General privacy concerns, Perceived privacy risk | Perceived usefulness, perceived ease of use | Intention to adopt/disclose, willingness to pay |
| Krasnova et al. (2012) | Social networking site | Privacy concerns | Enjoyment, trust | Self-disclosure |
| Liao et al. (2011) | Online transactions | Privacy concerns, Perceived risk | Trust | Intention to transact, intention to retrieve privileged information |
| McKnight et al. (2011) | Social networking site | Privacy concerns, information sensitivity | Trusting beliefs, enjoyment, perceived usefulness | Usage continuance intention, information disclosure |
| Li et al. (2010) | E-commerce transaction | Privacy risk belief | Perceived usefulness, monetary rewards | Behavioral intention |
| Xu et al. (2009) | Location-based mobile apps | Perceived risks | Locatability, personalization | Intention to disclose personal information |
| Dinev and Hart (2006) | E-commerce transaction | Perceived privacy risk, perceived privacy concerns | Trusting beliefs, personal interest | E-commerce use |
| Dinev et al. (2006) | E-commerce transaction | Perceived risk, perceived privacy concerns | Institutional trust | Willingness to provide personal information |
| Xu et al. (2005) | Location-based mobile apps | Perceived privacy risks | Trust beliefs | Behavioral intention |
Source: Created by authors
Table 2. Descriptives, reliabilities, average variance extracted and correlations
| Variable | Mean | SD | AVE | α | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1. Age | 37.89 | 14.25 | N/A | N/A | N/A | |||||||||||
| 2. Gender | 0.52 | 0.49 | N/A | N/A | 0.06 | N/A | ||||||||||
| 3. Invasion of Privacy | 3.20 | 1.58 | N/A | N/A | −0.06 | 0.06 | N/A | |||||||||
| 4. Media Exposure | 4.98 | 1.43 | N/A | N/A | 0.13*** | 0.09* | 0.28*** | N/A | ||||||||
| 5. MCC Apps Exp | 5.35 | 3.20 | N/A | N/A | −0.03 | 0.00 | 0.00 | 0.09* | N/A | |||||||
| 6. Internet Exp | 18.56 | 5.38 | N/A | N/A | 0.39*** | 0.02 | 0.00 | 0.15*** | 0.27*** | N/A | ||||||
| 7. Interventions | 4.54 | 1.03 | N/A | N/A | 0.00 | 0.09* | −0.01 | 0.04 | 0.05 | 0.01 | N/A | |||||
| 8. Security Concerns | 4.65 | 0.96 | N/A | N/A | 0.05 | 0.00 | −0.01 | −0.01 | −0.01 | −0.03 | −0.05 | N/A | ||||
| 9. Privacy Concerns | 5.14 | 1.24 | 0.93 | 0.84 | 0.04 | −0.02 | −0.03 | −0.01 | 0.04 | 0.00 | −0.20*** | 0.48*** | 0.91 | |||
| 10. Data Transfer | 5.13 | 0.84 | N/A | N/A | −0.03 | 0.01 | −0.01 | 0.04 | 0.02 | −0.03 | 0.30*** | −0.04 | −0.13*** | N/A | ||
| 11. Trust | 4.34 | 1.14 | 0.89 | 0.76 | −0.03 | 0.05 | 0.00 | 0.04 | 0.02 | 0.00 | 0.51*** | −0.23*** | −0.33*** | 0.29*** | 0.87 | |
| 12. Continued Int | 5.27 | 1.03 | 0.94 | 0.85 | −0.01 | 0.00 | 0.00 | 0.03 | 0.05 | 0.00 | 0.24*** | −0.13*** | −0.18*** | 0.54*** | 0.29*** | 0.92 |
Notes: Diagonal is square root of average variance extracted (AVE); *p < 0.05; **p < 0.01; ***p < 0.001; SD = standard deviation; α = Cronbach’s alpha; MCC Apps Exp = MCC apps use experience; Internet Exp = Internet use experience; Interventions = perceived effectiveness of security and privacy interventions; Data Transfer = perceived value of data transfer to the cloud; Continued Int = continued intention to use MCC apps
Source: Created by authors
Results of the structural model and hypotheses testing
| Variable | Continued intention: Model 1 | Continued intention: Model 2 | Continued intention: Model 3 | Continued intention: ML | Privacy concerns: Model 1 | Privacy concerns: Model 2 | Privacy concerns: ML | Security concerns: Model 1 | Security concerns: Model 2 | Security concerns: ML |
|---|---|---|---|---|---|---|---|---|---|---|
| Age | 0.00 | 0.01 | 0.02 | 0.00 | −0.02 | −0.01 | 0.00 | −0.01 | −0.01 | 0.00 |
| Gender | 0.02 | 0.00 | 0.00 | 0.02 | −0.02 | 0.00 | −0.03 | 0.00 | 0.00 | −0.09 |
| Prior invasion of privacy | 0.00 | 0.01 | 0.00 | 0.00 | −0.04 | −0.04 | −0.02 | −0.01 | −0.01 | 0.00 |
| Media exposure | 0.02 | 0.00 | 0.00 | 0.00 | 0.00 | 0.01 | 0.00 | 0.00 | 0.00 | 0.00 |
| MCC apps use experience | 0.24*** | 0.16*** | 0.16*** | 0.11*** | −0.06* | −0.06* | −0.05* | 0.00 | 0.00 | 0.00 |
| Internet experience | 0.01 | 0.01 | 0.01 | 0.01 | 0.08* | 0.07* | 0.05* | 0.03 | 0.03 | 0.01 |
| Perceived effectiveness of security and privacy interventions |  |  |  |  |  | −0.20*** | −0.21*** |  | −0.05 | −0.05 |
| Perceived privacy concerns |  | −0.07* | −0.08** | −0.07* |  |  |  |  |  |  |
| Perceived security concerns |  | −0.06* | −0.07* | −0.06* |  |  |  |  |  |  |
| Perceived value of data transfer to the cloud |  | 0.57*** | 0.54*** | 0.55*** |  |  |  |  |  |  |
| Trust |  | 0.10** | 0.09** | 0.08** |  |  |  |  |  |  |
| Perceived value of data transfer to the cloud × Perceived privacy concerns |  |  | 0.07* | 0.08* |  |  |  |  |  |  |
| Perceived value of data transfer to the cloud × Perceived security concerns |  |  | 0.06* | 0.07* |  |  |  |  |  |  |
| Trust × Perceived privacy concerns |  |  | 0.07* | 0.06* |  |  |  |  |  |  |
| Trust × Perceived security concerns |  |  | −0.01 | −0.01 |  |  |  |  |  |  |
| R² | 0.063 | 0.45 | 0.47 |  | 0.01 | 0.05 |  | 0.00 | 0.00 |  |
| ΔR² |  | 0.39*** | 0.02*** |  |  | 0.04*** |  |  | 0.00 |  |
Notes: *p < 0.05; **p < 0.01; ***p < 0.001
Source: Created by authors
Cloud computing security and privacy studies
| Research stream | Studies | Argument and finding |
|---|---|---|
| General security and privacy issues | Pearson et al. (2009) | Rogue employees of cloud computing providers, hackers, and even other customers of the same provider can steal the users’ private information from the cloud. Data theft from virtual machines in the cloud is one of the biggest security and privacy challenges in cloud computing |
| | Sun et al. (2011) | Security and privacy issues of cloud computing pertain to control over the private information, safety of transferring information to the cloud, legal requirement responsibility and supervising the cloud subcontractors |
| | Takabi et al. (2010) | Security and privacy concerns about cloud computing are authentication and identity management, access control and accounting, trust management and policy integration, secure-service management, privacy and data protection and organizational security management |
| | Zhou et al. (2010) | Privacy concerns named so far are still scant and more threats can be contemplated in terms of five security features: availability, confidentiality, data integrity, control and audit |
| Security and privacy design and architecture | Alruwaili and Gulliver (2014) | An information security, privacy and compliance readiness model is proposed to evaluate whether an organization is prepared sufficiently to resolve privacy issues and address compliance violations |
| | Pearson (2009) | It is recommended that system designers, architects, and developers take into account the following guidelines when designing cloud computing: minimize personal information sent to and stored in the cloud; protect personal information in the cloud; maximize user control; allow user choice; specify and limit the purpose of data usage; provide feedback |
| | Sharma and Khiva (2013) | A secure architecture to reduce privacy concerns and the secure cloud computing should include four components: the third-party website, the cloud service provider, the user, and the third-party database |
| Security and privacy regulation | Kerr and Teng (2012) | Traditional contracts and licensing do not provide enough legal resources and protection associated with the cloud computing relationships; thus, terms of use agreements, and service level agreements need to employ new patterns to encompass different cloud computing scenarios |
| | Mather et al. (2009) | Security and privacy concerns about using cloud computing applications and services can be decreased if the following regulations are adopted: Federal Rules of Civil Procedure, USA Patriot Act, Electronic Communications Privacy Act, the U.S. Federal Information Security Management Act of 2002, the Gramm-Leach-Bliley Act and the Health Information Technology for Economic and Clinical Health Act |
| | Svantesson and Clarke (2010) | Cloud computing has serious risks of privacy and consumer rights, and the current privacy law is insufficient to address the risks. Thus, cloud computing services should be used cautiously |
| Data security and privacy | Chen and Zhao (2012) | A data life cycle (generation, transfer, use, share, storage, archival and destruction) for cloud computing services is presented and security and privacy of data at each phase of data life cycle are analyzed |
| | Khan and Hamlen (2012) | A mechanism of anonymizing circuit based on Tor can be implemented by cloud computing providers; this mechanism assists users to safely transfer their personal and sensitive information to the cloud |
| The effect of security and privacy beliefs | Alsmadi and Prybutok (2018) | Security and privacy concerns are not significant influences on information sharing and storage behavior |
| | Arpaci et al. (2015) | Security and privacy as a joint perception influences the students’ attitudes towards using cloud services for educational purposes |
| | Burda and Teuteberg (2014) | Perception of risk inhibits the intention to use cloud storage for archiving |
| | Menard et al. (2014) | Perceived threat severity and perceived threat susceptibility to lose data in local storage increase intention to adopt cloud computing as a backup solution |
| | Park and Kim (2014) | Perceived security increases users’ attitude toward using MCC |
| | Widjaja and Chen (2012) | Privacy concerns decrease trust in using cloud computing services |
Source: Created by authors
Demographics of respondents
| Demographic variables | Category | Frequency | Percent |
|---|---|---|---|
| Gender | Female | 316 | 45.53 |
| | Male | 378 | 54.47 |
| Age | 18–24 | 88 | 12.68 |
| | 25–29 | 124 | 17.87 |
| | 30–34 | 132 | 19.02 |
| | 35–39 | 83 | 11.96 |
| | 40–49 | 139 | 20.03 |
| | 50 and above | 128 | 18.44 |
| Education | High school/some college | 269 | 38.76 |
| | Bachelor’s degree | 301 | 43.37 |
| | Master’s degree | 100 | 14.41 |
| | Doctorate | 24 | 3.46 |
| Number of years using the internet | 10 and under | 63 | 9.08 |
| | 11–15 | 159 | 22.91 |
| | 16–20 | 292 | 42.07 |
| | 21 and above | 180 | 25.94 |
| Number of years using MCC apps | 3 and under | 205 | 29.54 |
| | 4–6 | 305 | 43.95 |
| | 7–9 | 70 | 10.09 |
| | 10 and above | 114 | 16.43 |
Source: Created by authors
Formative constructs validity
| Latent variable | VIF | Dimensions | Weight | Items | Weight |
|---|---|---|---|---|---|
| Perceived MCC apps value | 1.26 | Perceived usefulness | 0.56*** | PU1 | 0.16*** |
| | | | | PU2 | 0.17*** |
| | | | | PU3 | 0.16*** |
| | | | | PU4 | 0.17*** |
| | | Perceived enjoyment | 0.60*** | PEJ1 | 0.18*** |
| | | | | PEJ2 | 0.13*** |
| | | | | PEJ3 | 0.17*** |
| | | | | PEJ4 | 0.16*** |
| Perceived security concerns | 1.72 | Perceived susceptibility | 0.65*** | SUS1 | 0.24*** |
| | | | | SUS2 | 0.23*** |
| | | | | SUS3 | 0.23*** |
| | | Perceived severity of attacks | 0.52*** | SEV1 | 0.19*** |
| | | | | SEV2 | 0.21*** |
| | | | | SEV3 | 0.19*** |
| Perceived effectiveness of security and privacy interventions | 1.00 | Perceived effectiveness of privacy policy | 0.60*** | PEPP1 | 0.21*** |
| | | | | PEPP2 | 0.22*** |
| | | | | PEPP3 | 0.21*** |
| | | Perceived effectiveness of industry self-regulation | 0.53*** | REG1 | 0.18*** |
| | | | | REG2 | 0.20*** |
| | | | | REG3 | 0.20*** |
Notes: *p < 0.05; **p < 0.01; ***p < 0.001
Source: Created by authors
© Emerald Publishing Limited.
