Individual privacy concern and organisational privacy practice - bridging the gap

Technology services offer users benefits, including travel assistance, reviews and recommendations, social contact, and access to useful information. Users try to evaluate the risks of disclosing personal information in light of the benefits they believe they will receive, by seeking a limited set of information cues about the technology service. Existing measures of privacy concern do not recognise this, and are disconnected from organisational privacy practice. For individuals, privacy research has not provided a model of privacy concern based on the trust signals generated by organisational privacy practice. For organisations, research has not unified its insights on privacy, information security and trust into a framework for effective privacy practice, and has not provided tools to analyse the root causes of privacy failures – one of the many influences on people’s privacy concern. This thesis approaches this problem by proposing a conceptual model based on the trust-risk framework, which explicitly links organisational privacy practice with people’s perceived risks of information disclosure; an antecedent of interpersonal privacy concern. For individuals, this thesis proposes a model of privacy concern encompassing – in addition to interpersonal privacy concern – environmental and dispositional privacy concern, the latter shown by this thesis to be influenced by an individual’s personality (N = 353). For organisations, this thesis proposes a Privacy Security Trust (PST) Framework as part of the conceptual model, which applies the two dimensions of trust – ability and motivation – to information privacy practice. A Q methodology study (N = 58) which analysed the importance individuals attach to different information cues – many describing a technology service’s ability and motivation to safeguard and respect their privacy – identified five salient privacy personas. Results from a validation study describing two innovative technology services (N = 872 and N = 740) found differences in dispositional privacy concern between the personas, and information cues – specific to each persona – influenced Perceived Information Risks and Intention to Use a technology service. Finally, from an organisational perspective, this thesis shows how the PST Framework may also be used as the basis of a privacy-specific formal systems model to analyse and potentially predict privacy failures.