Privacy concerns and protection behavior during the Covid-19 pandemic ”

This paper aims to analyze the protection behavior of employees while working remotely during the Covid-19 pandemic using online video chat software. This pandemic changed the way organizations work, managers meet with employees, and employees communicate. An e-mail-based survey among computer users who use video chat software for remote working is employed in this study. Using 306 responses, structural equation modeling explores the relationship between privacy concerns, protection behavior, and antecedents. The technological changes induced due to Covid-19 influence privacy concerns and protection behavior. Privacy efficacy increases privacy concerns and protection behavior. Perceived vulnerability increases privacy concerns. Perceived effectiveness of organization software affects privacy concerns but does not affect protection behavior. There is a positive relationship between privacy concerns and protection behavior; however, this positive relation is negatively moderated by a propensity to trust. A finding of threat severity measure using Covid-19 factors concludes that both privacy concerns and protection behavior increased for online video chat software users. The theoretical model explicates 75% of variances in privacy concerns and 57% of variances in protection behavior. Every one-unit increase in Covid-19 induced changes regarding the work environment increases the privacy concern by 35%, and every one-unit increase in perceived effectiveness of organization software increases privacy concern by 22%. Every one-unit increase in the privacy concern increases the protection behavior by 48%, and every one-unit increase in privacy efficacy increases protection behavior by 59%.
AcknowledgmentThe assistance provided by Arun Thottath in reaching out to survey participants was greatly appreciated.


INTRODUCTION
Human behavior is the feeblest link in any security chain (Crossler et al., 2013). Human errors cause one-quarter of cybersecurity attacks (Waldrop, 2016). It is important to understand users' protection behavior determinants when protecting their devices, computers, and networks. Several theories have been applied to study protection behavior. Protection motivation theory has been widely used in protecting against the viruses (Lee et al., 2008), spyware (Johnston & Warkentin, 2010), password leaks (Stanton et al., 2005), information leaks (Tsai et al., 2016), and social networking (Hoy & Milne, 2010).
Sudden changes imposed by the Covid-19 pandemic forced organizations to resort to remote working using the available tools (CDC, 2020).
The privacy risk portrayed by the media and the fact that users were suddenly forced to install online video chat software to facilitate office meetings prompted the paper to study the protection behavior in this context.
A new dimension to measure the effect of users' perception of the effectiveness of software chosen by the organization is introduced in this study. The theoretical basis is a meta-model using protection motivation theory (PMT) along with additional factors such as perceived effectiveness of software and propensity to trust to measure protection behavior mediated by privacy concerns.
The online video chat software such as Zoom, Microsoft Teams, and Google Meet gave a quick platform for remote working and became a target for much negative news. There were numerous warnings against security threats posed by them. The Pentagon in the United States and the German Government warned against Zoom use and restricted this software (Singh & Awasthi, 2020). These warnings and bad news sparked disagreement and uncertainty over the choice of video chat software. The Covid-19 pandemic changed the organization's work routines and structure. Organizational changes affect the organization (Herold et al., 2008) if unplanned changes are not strategically and quickly handled (Shaw, 2017). Organizations had to set up remote working quickly, so they had to select one of the software without being able to plan or compare with better alternatives (Carroll & Conboy, 2020). That meant there was no time for understanding privacy implications. Employee compliance with organization security policies is a widely discussed topic. Employees' trust in their organization improves safety performance (Conchie et al., 2012). Unfortunately, employees often breach safety policies even if they are aware of the security risks (Kirlappos & Sasse, 2014).
The more concerned the employees are about the dangers of online information misuse, the more they should restrict the information. In other words, as privacy concerns of employees increase, protection behavior should also increase. Literature has different conclusions as to whether privacy concerns increase the protection behavior. Many argue that an increased concern for privacy does not lead to the corresponding protective behavior, defined as the privacy paradox (Acquisti & Gross, 2006;Taddei & Contena, 2013;Norberg et al., 2007). Social media users concerned about their privacy disclose information instead of limiting the information disclosure. Privacy calculus theory states that users calculate the expected loss of privacy and potential gain of disclosure. The benefit gained in the form of fulfilling their desire is stated to be one of the reasons for this risky behavior. However, several studies suggested a positive relationship between privacy concerns and protection behavior (Youn, 2009;Dienlin & Trepte, 2015). Another issue observed in the literature on the privacy paradox premise is that result varies depending on the methods employed and the inclusion of behavior intention instead of the actual protection behavior (Sheeran, 2002).
Among these four theories, TPB and PMT have been widely used to study employees' compliance.
PMT (Rogers, 1975(Rogers, , 1983 suggests people appraise the threat and the efficacy mechanisms when facing a threatening event. Protective behavior is motivated by these two appraisals -threat appraisal (TA) and coping appraisal (CA). Threat appraisal informs the users of the risks associated with the threat. Coping appraisal informs the necessary safety behavior to undertake. Protection behavior is also influenced by users' perception of how others think they should behave. This is called subjective norm. In an organizational context, PMT has been used to study the effectiveness of persuasive messaging to align users' security behavior with the organization's security policy. Using persuasive messaging increases the users' threat appraisal, which in turn improves their protection behavior (Johnston & Warkentin, 2010). Security tools alone cannot improve users' compliance with organizational security policies. It is affected by organizational, environmental, and behavioral factors. The possibility of security breaches (Herath & Rao, 2009a) is undermined by users. Protecting the resources of an organization is users' commitment to organizational wellbeing.
In summary, a review of relevant research puts forth two observations. First, a meta-model including the core constructs of PMT and perceived effectiveness of security software and Covid-19 induced changes in work in a single framework to measure the actual behavior is necessary. There is a need to measure actual technical protection behavior in an online video chat context rather than asking users to rate their protection behavior. As stated in prior literature, factors influencing protection behavior are privacy concern, perceived vulnerability, and privacy efficacy. Applying to organization setting, protection behavior of users may be influenced by the choice of the security software used in their organizations. Apart from this, external situations may induce changes in the way users work, which influences users' concern for privacy and the desire to protect information. Therefore, this study uses the following constructs to understand the influence of various factors on users' protection behavior.
Protecting information is essential when a user is connected via the internet, irrespective of the applications one uses. Adopting Rogers (1983) definition of protection behavior (PB), this construct measures how effectively a user adopts secure behavior to stop the intruder, avoid malicious software, stop unwanted participants from joining the meeting, and information protection mechanisms from marketing agencies to control the risk, threat, and danger in the context of an online video chat application. PB construct measures the necessary protection behaviors that are critical for stopping the threats imposed by video chat software.
The privacy concern measure adopted from Buchanan et al. (2007) was modified to suit the online video chat context addressing various privacy dimensions such as online presence, impersonation, identity theft, and email fraud. Privacy concern (PC) adopted from Buchanan et al. (2007) measures internet privacy concerns.
Perceived vulnerability measure was adopted from Workman et al. (2008). The likelihood of personal information loss in a user's computer when using online video chat is defined as perceived vulnerability. It is measured by the possibility of information violation threats expected by the user.
Measures of self-efficacy should apply to the task (Peterson & Arnn, 2005); hence, skills needed for online privacy adapted from Workman et al. (2008) are measured. In addition, studies suggested that the predicating power of privacy coping behavior is explained through privacy efficacy (Dinev & Hart, 2005Yao & Linz, 2008). Privacy efficacy refers to the user's perceived ease of performing a particular behavior; thus, user's ease of applying preventative measures and stopping information security violations are measured.
The severity of the threat brought by the sudden changes that forced the user to carry out office meetings from home is measured. The threat exposure from carrying out office meetings from the computers and devices without office network protection is another threat component. CO measures the threat severity of users due to the changes caused by the Covid-19 pandemic. CO stands for Covid-19 measure. Item development, scale development, and scale evaluation of this new construct were performed as per the procedure listed for scale development (Boateng et al., 2018). To evaluate the scale items, interviews with twenty experts and twenty end-users were conducted. The original scale had eight items, and this was brought down to five with multiple rounds of testing.
How users perceive the effectiveness of software selected by their organization is a form of trust component. Past research has shown that trust increases users' compliance with security policy. However, employee compliance measurement using a new construct was found to be lacking in the literature review analysis (Lebek et al., 2014). A new construct for employee compliance is introduced in this study, measured through the perceived effectiveness of the organization's choice of software by following the scale development procedure (Boateng et al., 2018). OR measures the users' perception of their organization's choice of video chat software. OR stands for users' perceived effectiveness of software decided by their organizations.
Users who are highly concerned about privacy employ privacy-enhancing mechanisms as a means to avoid negative consequences. Concerns about online privacy result in protective behaviors such as removing personal information from marketa-ble databases (Son & Kim, 2008), desisting from self-disclosure (Krasnova et al., 2010) in the e-commerce domain, and deleting cookies (Lutz & Strathoff, 2014). Protection in the video software context should be stopping the intruders who force their entry into meetings, not installing the app from malicious installation download sources, not displaying the background for others to misuse, and not transmitting unencrypted data to participants. Suppose the software is connected to the internet. In that case, invasion of privacy such as spam emails, offensive communication, creation of databases consisting of personal information, and misuse of that information is unavoidable. Any additional use of the software is an additional threat introduced to the existing online threats. "Knowledge" is the passive element of information privacy, and "control" is the active element; however, both are highly interrelated (Malhotra et al., 2004). Past research in e-commerce, social networking sites, Facebook, online, and with studies focusing on teens and adults groups showed that as concern for privacy increases, there would be more protective behaviors to guard their privacy ( Pandemic brings many fundamental changes in mundane activity patterns, which provoke crime rates (Cohen & Felson, 1979). The Covid-19 pandemic brought sudden changes and forced people to work from home. A structural change in routine activities came in the form of using home computers for office work. Home computers and devices are not updated with the latest security patches, latest security policies, and do not have anti-virus or any other security protection an office computer would have. These changes further brought other changes in data storage; data had to be transferred to removable hard disks or flash memory cards, which are easily prone to hacking. Criminals take advantage of emergencies where individuals are vulnerable (Khan et al., 2020).
The pandemic period reported a significant increase in spam messages, malware attacks, and malicious links (Khan et al., 2020;Naidoo, 2020). In addition, vulnerable home PCs are targeted for denial of service attacks, spam, and phishing emails (Furnell et al., 2007). Studies recommend a multifaceted protection approach called defense in depth (Schou & Trimmer, 2004). This means that if the perimeter layer of security is breached, additional layers provide defense and protection from attack. These additional layers of protection are missing for home computers, as there are no perimeter firewalls or security devices. These changes in security posture increase the perception of threats and concerns. Organizational practices that make employees view management as legitimate are the main factor that will encourage an employee to trust its choices. Only when an employee trusts the organization, he/she will be motivated to accept the organization's choice of software and follow compliance. Trust in an organization is integral to employees' perceptions of privacy.
Self-efficacy is "the belief in one's capabilities to execute the courses of action" (Bandura et al., 1999). Privacy efficacy is the user's mastery experiences in managing the security threats and protecting the system. Privacy efficacy has been shown to enhance the privacy-protecting behaviors of online consumers by restricting self-disclosure (LaRose & Rifon, 2007). Social network users with high privacy efficacy are found to limit profile visibility and self-disclosure while conducting online transactions (Chen & Chen, 2015).
Only when the users are confident in their privacy-enhancing skills, they will undertake security measures (Jutla & Bodorik, 2005). Privacy efficacy paves the way for easy learning (Martocchio, 1994) of privacy technologies. With this learning, commitment to search for suitable alternatives for limiting the information disclosure increases (Latham et al., 2002).
Propensity to trust is a general inclination to display faith and trust others based on ongoing life experiences. In e-commerce, consumers with a high trust propensity form higher trust with selling parties (McKnight et al., 1998). Social media users with a high propensity to trust disclose more information online (Mesch, 2012). A lower privacy concern increases trust ( Olivero & Lunt, 2004). Increased propensity to trust reduces the perception of the risk connected with privacy (Zimmer et al., 2010). Thus, the positive relation between privacy concern and protection behavior is negatively moderated by the propensity to trust.
This study aims to analyze whether privacy efficacy, perceived vulnerability, organization choice of software, and Covid-19 induced changes in the office work settings and increased protection behavior. Also, this study analyses whether privacy concerns positively influence protection behavior. With the aim of testing the impact of these factors on protection behavior and based on the review of prior findings, the following hypotheses were proposed ( Figure 1): H1: Stronger privacy concern leads to stronger protection behavior.
H3: Perceived effectiveness of an organization's choice of software increases protection behavior.
H4: Stronger privacy efficacy leads to stronger protection behavior.
H5: Privacy concern and protection behavior relation are negatively moderated by a propensity to trust.

METHODS
An email requesting several computer users who use video chat software for remote working was sent to test the hypotheses. The email contained a link to the web-based questionnaire. Three hundred and fifteen responses were received.
Snowball sampling was used in this study to identify users who use video chat software for remote working. Forty primary contacts of authors helped forward the survey to the broader working audience through their contacts. The respondents were working professionals from India. The primary contacts explained the purpose of the survey and made sure only the working professionals who used video chat software for remote working participated in the survey. The survey has been conducted for six months. A survey was not restricted to a particular video chat software. This study considers all the video chat software used for remote working. The adversarial sentence was added as an attention check, and nine samples were removed that failed this attention check. Therefore, the total sample was three hundred and six.

Measures
The questionnaire consisted of 33 items, which included a variety of measures to assess protection behavior, privacy concern, perceived vulnerability, privacy efficacy, Covid-19 factors, and perceived effectiveness of organization's choice of software.
Propensity to trust, a control variable, is the inclination to believe in the positive attributes of others in general, and it is measured on a five-point The survey instruments have five items measured using a five-point Likert scale anchored by strongly disagree (1) to strongly agree (5). The questionnaire was pretested by ten knowledgeable cyber professionals, five IT professionals, and eighty regular video chat users. Test-retest reliability with two weeks intervals was .95. Internal consistency was measured using Cronbach's alpha. Ten cyber security experts checked face validity, content validity, and criterion validity. Factor loadings ranged from 0.885 to 0.946. Cronbach's alpha for OR construct is 0.885, CO construct is 0.898, and for PB construct is 0.946.

Sample
Male participants constitute 36% and females 63% of the sample. Age below 35 years accounts for 67%, and the age group between 35 to 56 years accounts for 33% of respondents.

Analysis
The reliability of the scales was checked using composite reliability (Fornell & Larcker, 1981) and coefficient alpha (Cronbach, 1951). Table 1 shows composite reliability for each of the scales, and it varies from 0.916 to 0.958. Coefficient alpha ranges from 0.828 to 0.906. These levels are within the range of levels suggested by Nunnally (1967).
The validity of the scales was examined using confirmatory factor analysis with covariance-based structural equation modeling. The total number of items equals 33.
Pairwise correlation between six factors was compared with average variance extracted to check discriminant validity recommended by Fornell and Larcker (1981). Average variance exceeded the square of the correlation between the factors thus proving discriminant validity.
The lowest average variance extracted is 0.685, and the lowest composite reliability is 0.916, so convergent validity is proved (Fornell & Larcker, 1981). The result is shown in Table 1.

RESULTS
Hypothesis 1 (the stronger the privacy concerns, the stronger the protection behavior) is supported with β = 0.48, P < .01 (Figure 2).
Covid-19 not only increases the privacy concerns but also the protection behavior. Hypothesis 5 (the propensity to trust negatively moderates privacy concerns and protection behavior relation) is supported. Here β = -0.13, P < .01. The result is shown in Figure 3. The moderator graph is shown in Figure 4. Analysis reported females having more protection behavior (β = -0.15, P < .01). There was a negative relationship between trust propensity and

DISCUSSION
Positive relationship between privacy concerns and protection behavior agrees with past studies (Youn, 2009; Dienlin & Trepte, 2015). However, this finding contradicts Acquisti and Gross (2006) and Tufekci (2008), who reported no relationship. The privacy paradox states that privacy concerns and the corresponding protection behavior have no relation. The finding of this study suggests  The study demonstrated interesting implications from a practitioner's perspective. Privacy efficacy, perceived vulnerability, and Covid-19 induced changes in the office work settings increased protection behavior. Propensity to trust reduces protection behavior. Females employ more protection behavior than males.

CONCLUSION
This study aimed to analyze the influence of privacy efficacy, perceived vulnerability, organization choice of software, and Covid-19 induced changes on users' protection behavior in the office work settings. In addition, this study aimed to analyze whether privacy concerns positively influenced protection behavior. Findings illustrated the positive relationships among privacy efficacy, Covid-19 induced changes, and protection behavior. Privacy efficacy and Covid-19 induced changes increase protection behavior. In normal circumstances, users delegate the security responsibility to the IT team, but users had to take personal responsibility for securing data and devices during the pandemic. That is why Covid-19 induced changes in work settings increased protection behavior. Since privacy efficacy increases protection behavior when a particular threat situation is faced by an organization, the corresponding coping mechanism to tackle the threat should be imparted to the users. Organization choice of software is positively related to privacy concerns but not protection behavior. Another important finding is that privacy concerns increased protection behavior. Analysis of this study showed that there is no privacy paradox.

Figure 4. Graph of moderator analysis
The study concludes with some important practical implications. Organizations that use online video chat software need to move the scope of their IT team from on-premises security behavior to securing their employee devices over the untrusted public internet. Implications for the research community are that the construct for measuring security threats induced by Covid-19 could be used in future studies. In addition, the protection behavior constructs created to measure the security behavior of online video software users can also be used by future studies.