
Security Journal

https://doi.org/10.1057/s41284-019-00170-0

ORIGINAL ARTICLE

A security risk perception model for the adoption of mobile devices in the healthcare industry

Alex Alexandrou1 · Li‑Chiou Chen1

© Springer Nature Limited 2019

Abstract
Within the past few years, we have seen increasing use of mobile devices in the
healthcare environment. It is crucial to understand healthcare practitioners’ attitudes
and behaviors towards adopting mobile devices and interacting with security
controls, while understanding their risks and stringent regulations in healthcare. This
paper aims to understand how healthcare practitioners perceive the security risks of
using mobile devices, and how this risk perception affects their intention to use the
devices, and to adopt the security controls that are required. To facilitate such
understanding, we propose a theory-grounded conceptual model that incorporates
subjective beliefs, perception of security risk, and behavioral intentions to both use mobile
devices and comply with security controls. Furthermore, we studied the behavioral
intentions under two scenarios among practitioners, when healthcare institutions
provided the mobile devices, called hospital-provided devices, or when practitioners
used their own devices, bring-your-own-devices. Based upon our conceptual model,
we conducted an empirical study, recruiting 264 healthcare practitioners from three
hospitals and their affiliated clinics. Our study provided several practical
implications. First, we confirmed that it is critical in healthcare institutions to have
safeguards on mobile devices that are convenient for practitioners to adopt. Second, to
promote security policy compliance in mobile devices and safeguard medical
information, healthcare administrators must take different approaches to security
depending on how they provide mobile devices to practitioners. Third, the security training
for devices should deliver different messages to different occupational groups. Last
but not least, our proposed model offers new perspectives towards a better
understanding of integrating perceived security risk, behavioral intention to adopt a
technology, and behavioral intention to comply with security control in the healthcare
industry.

Keywords  Mobile devices · Healthcare · Bring-your-own-devices (BYOD) · Security risk perception · Behavioral intention · Security controls · Electronic medical records (EMR)

Extended author information available on the last page of the article


Introduction

As healthcare institutions are required to adopt electronic medical records (EMR),
mobile devices have become one of the technological choices for healthcare practitioners.
The devices are popular among physicians, nurses and medical students,
even though some medical institutions do not support them due to security consid-
erations. Vulnerabilities of mobile devices make them an attractive target for hackers
attempting to collect personal information on a massive scale (Mylonas et al. 2011).
The information technology (IT) departments in healthcare organizations must have
a strategy to support these devices while protecting confidential data.
The goal of this research is to understand how healthcare practitioners perceive
the security risks of using mobile devices, and how this risk perception affects their
intention to use the devices, and to adopt the security controls that are required.
This research will provide healthcare administrators with insight on how to man-
age mobile devices in the healthcare environment. In this study, security risks refer
to the inherent security threats in the use of mobile devices, and security risk per-
ception refers to the subjective judgment of the healthcare practitioners regarding
information security threats when using a mobile device. For example, unauthorized
personnel might be able to gain access to the mobile device due to its portability
and software vulnerabilities, and therefore, lead to the security risk to patient medi-
cal and personal information. The security risk perception in this case refers to how
likely the healthcare practitioners think such incidents will occur.
To connect our research with healthcare practice, we examined the security risk
perception of mobile devices in two different scenarios: when healthcare institutions
provided the mobile devices, hospital-provided devices (HPD), and when practition-
ers used their own devices, bring-your-own-devices (BYOD). BYOD has raised a
debate among healthcare institutions (Astani et al. 2013) since the administrators
have little control over these devices and there have been concerns about regulatory
compliance. However, some healthcare practitioners have adopted this practice. To
provide insights into the debate, we examined the factors that contribute to the secu-
rity risk perception of mobile devices in these two scenarios.
This research provided an integrated approach to challenges facing mobile
devices in healthcare. In particular, we address the research questions below:

• What factors impact the security risk perception for mobile devices?
• Does security risk perception affect practitioners’ intentions to use mobile
devices and to adopt security controls required for the use of the mobile devices?
• What additional factors affect practitioners’ intention to use mobile devices in
their workplace?
• What additional factors affect practitioners’ intention to adopt the security con-
trols for the mobile devices?
• Are the behavior intentions different between BYOD and HPD?

This research will contribute to establishing the theoretical foundation in understanding
how security risk perception plays a role in the adoption of security
controls, in the case of using mobile devices in the healthcare environment. We
also collected empirical data regarding the healthcare practitioner’s perceptions,
to bridge the gap between research and practice, and to predict intended behavior
regarding the risks and use of mobile devices in healthcare.

Literature review of theoretical models

Previous studies (Gagnon et al. 2016; Kim et al. 2016; Koehler et al. 2013; Marshall
2014) have investigated the factors contributing to the adoption of mobile devices in
healthcare. However, none of these considers the impact of perceived security risk
in both the adoption of mobile devices and of security controls. In particular, behav-
ioral foundations are lacking in explaining how healthcare practitioners will act in
an environment where patient care is the top priority.
In the theory of reasoned action (TRA), Fishbein and Ajzen (1975) consider
beliefs and motivation as dominant forecasters of behavior. Based on the TRA,
Ajzen proposed the theory of planned behavior, TPB (Ajzen 1985, 1991; Schifter
and Ajzen 1985). TPB focuses on the behavioral intentions of the individual. The
more an individual intends to do something, the more likely he is to do it. The
behavioral intention is a function of three factors: attitudes, subjective norms, and
behavioral controls. TPB is the foundation of later theories including the Technol-
ogy adoption model (TAM) and the protection motivation theory (PMT), which we
integrated in the proposed theoretical model.
To hypothesize the relationship among perceived security risk, the adoption of
mobile devices, and the adoption of security controls in the healthcare environment,
we developed our theoretical model based upon several behavioral theories rooted in
TPB. First, protection motivation theory (PMT) was integrated to explain the factors
that impact individuals’ behaviors in the situation when threats are perceived.
In our case, threats are the information security risks perceived by the healthcare
practitioners when they use mobile devices to process patient information. Their
intentions to adopt the security controls on the mobile devices would be the coping
mechanisms theorized in PMT to respond to the threats. Second, the technology
acceptance model (TAM) is integrated to explain the factors that drive healthcare
practitioners to adopt mobile devices. TAM has been previously used to explain IT
adoption in healthcare (Holden and Karsh 2010; Yarbrough and Smith 2007; Venkatesh
et al. 2011). In the healthcare industry, mobile devices are a relatively new
technology. At the individual level, it is likely healthcare professionals might be driven by
the same reasons to adopt mobile devices although other institutional factors, such
as regulatory concern, might also play a role in addition to the factors in the original
TAM model. For this reason, we integrated the third behavioral theory, the
general deterrence theory (GDT), to incorporate regulatory concern. By integrating
accepted behavioral theories, including protection motivation theory, the technology
acceptance model, and the general deterrence theory, we will explore whether
and how healthcare practitioners will use mobile devices and adopt security controls
in compliance with rules and guidelines such as the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the Health Information Technology for
Economic and Clinical Health Act (HITECH).

Protection motivation theory (PMT)

PMT helps us understand appeals to fear, and how people cope with fear (Rog-
ers 1975). The theory describes both the threat appraisal and the coping appraisal.
Threat appraisal describes how individuals evaluate their vulnerability to a threat,
and how it will affect them. Coping appraisal involves response efficacy and self-
efficacy. Response efficacy describes how individuals cope with or react to danger.
Self-efficacy is an individual’s belief in his or her ability to succeed in a particular
situation through self-directed actions (Conner and Norman 2005).
Protection motivation theory has been used to understand computer users’ behav-
iors toward adopting security measures (Chenoweth et al. 2009; Rhee et al. 2009).
Healthcare practitioners believe that using mobile devices instead of traditional
methods to access EMR leads to a greater security risk (Burns and Johnson 2015).
We assess this risk using the threat appraisal hypothesis in PMT. In addition, lack of
understanding of safeguards such as firewalls and secure passwords, and difficulty in
using them create barriers to compliance with security controls, reducing motivation
and creating frustration (Sun et al. 2013). The coping appraisal concept in PMT
may further the understanding of compliance with security controls.

Technology acceptance model (TAM)

Davis (1986, 1989) developed the TAM theory, influenced by the TRA. The
theory predicts the acceptability of an information system to a user. The two factors
that influence attitude and IT adoption of the system are perceived usefulness and
perceived ease of use. The TAM theory has been extensively used in healthcare IT
studies and general healthcare (Holden and Karsh 2010; Yarbrough and Smith 2007;
Venkatesh et al. 2011). In nursing, a study employed the TAM model to analyze the
attitude of nurses toward the use of automated unit-based medication storage and
distribution systems (Escobar-Rodriguez and Romero-Alonso 2013). Findings indi-
cated that perceived risks, experience level, and training all relate to the perceived
ease of use and perceived usefulness of these systems. Another study examined fac-
tors and predictors that influence nurses’ intention to use telemedicine technology in
healthcare settings. It demonstrated that perceived usefulness is the most influential
factor affecting nurses’ intention to use this technology (Kowitlawakul 2011).

The general deterrence theory (GDT)

The GDT theory comes from social philosophers like Cesare Beccaria (1738–1794),
and Jeremy Bentham (1748–1832). Its two principles are certainty of sanctions and
severity of sanctions (Blumstein et al. 1977; Straub and Welke 1998). Certainty is
the likelihood that criminal behavior will be discovered, and severity is the extent to
which an individual will be severely penalized (Cheng et al. 2013). The essence of
the theory is that people choose to obey or violate the law after evaluating the probable
consequences of their actions.
In any healthcare institution, HIPAA restricts access to medical records by insur-
ers, employers, and clinical researchers to protect patient privacy. This study used
the GDT to understand practitioners’ willingness to follow HIPAA regulations and
those of the HITECH Act. To measure this, we created the regulatory concern (RC)
construct, meaning that practitioners will decide to comply with regulations and
guidelines after evaluating the probable penalties from ignoring them. We did not
distinguish certainty from severity in this analysis.
The GDT theory has been widely used in the study of criminal behavior to study
aspects of information security. One study showed that sanctions are more effec-
tive than education in reducing information security misuse among users (D’Arcy
et al. 2009). Using the GDT theory, another study explored why employees violated
information security policy in organizations. The study found that deterrence, social
bonds and social pressure are all significant factors in preventing information secu-
rity policy violation behaviors (Cheng et al. 2013).

Conceptual model: constructs and hypotheses

Our conceptual model (Fig. 1) hypothesizes that healthcare practitioners’ perception
of security risks in mobile devices is associated with multiple subjective beliefs,
affecting their intention to use mobile devices and to adopt security controls at the
healthcare institutions where they work.
Figure 1 illustrates the conceptual model and the study’s hypotheses. The model consists of 11 constructs
and 10 hypotheses. Each rectangle indicates a construct or conceptual idea on which
we later designed quantitative measures for collecting data. Each arrow represents
a hypothesis, denoted by the letter “H”, expressing the dependency relationship
between two constructs. The arrowhead shows the dependent variable and the begin-
ning point of the arrow indicates the independent variable. The plus sign “+” refers
to a positive correlation, and the minus sign “−” refers to a negative correlation.

Intention to use mobile devices (INU) and intention to comply with security control (INC)

INU refers to the healthcare practitioner’s intent to use mobile devices as tools in
the workplace. INC refers to healthcare practitioner’s intention and willingness to
comply with security controls. The TRA and the TPB constructs support the inten-
tion to use and the intention to comply. A study by Bulgurcu et al. (2010) found that
an employee’s intention to comply is influenced by attitude, subjective norms (influ-
ence by others), and self-efficacy (the belief that the individual is able to succeed in
a particular situation). Another study found that perceived behavioral control and
attitude have a major impact on the user’s intention to comply with security policies
(Zhang et al. 2009).
[Figure 1: path diagram of the model. PSU (H1+), PSE (H2+) and RC (H10+) lead to PSR; SME (H3+), SEF (H4+), SAF (H5−) and PSR (H7+) lead to INC; PSR (H6−), perceived usefulness of mobile devices (H8+) and perceived ease of use of mobile devices (H9+) lead to INU.]

Fig. 1  The theoretical model with supporting theories and hypotheses

Perceived susceptibility (PSU)

PSU refers to the probability that a healthcare practitioner perceives a security threat
from a mobile device. Rogers (1975, 1983) uses PMT to provide a basis for this
idea. He shows that the fear of illicit data communication can influence perception,
attitudes, and behavioral intentions. When healthcare practitioners perceive a secu-
rity threat to be real and imminent, they are more likely to perceive a higher level of
security risk than when risks are perceived to be more remote or improbable. There-
fore, this study hypothesizes that:

Hypothesis 1 (H1)  Perceived susceptibility has a positive impact on perceived
security risks regarding mobile devices in the workplace. The higher the perceived
susceptibility, the higher the perceived security risk regarding the use of mobile
devices.

Perceived severity (PSE)

PSE refers to the degree to which a healthcare practitioner believes there are potential
consequences if the technology they are using is compromised. Pyszczynski et al.
stated, “In general, individuals adjust their behavior in response to the extent of
the danger the risk may cause” (Pyszczynski et al. 1997). PSE will lead healthcare
practitioners to behave more cautiously as their perception of the damage or danger
increases. This construct has been used in the literature to study the user’s computer
security behavior in IT security (Liang and Xue 2009, 2010; Tejaswini and
Rao 2009; D’Arcy et al. 2009). Because a security breach in the healthcare indus-
try can result in the exposure of patients’ personal and health information to unau-
thorized individuals or even cause the interruption of critical medical services, this
study proposes that:

Hypothesis 2 (H2)  Perceived severity has a positive impact on perceived security
risk on mobile devices in the workplace: the higher the perceived severity, the
higher the perceived security risk regarding the use of mobile devices.

Security measure efficacy (SME)

SME is the efficiency and/or the attitude of a computer user (healthcare practitioner)
toward the use of security measures in mobile devices. When healthcare practition-
ers believe that using security measures, for example passwords, will protect the
security of patient information, they will do so. While healthcare practitioners wel-
come innovative technology, they often do not want to take the time or responsibility
to learn to use it fully. Medical institutions have implemented security practices to
minimize compromising sensitive information, but they cannot succeed with tech-
nology alone (Workman et al. 2008). SME (sometimes referred to as “response effi-
cacy”) was previously used to measure employee perceptions regarding the effec-
tiveness of computer security policies (Tejaswini and Rao 2009).
This study theorizes that healthcare practitioners’ beliefs can help to minimize
threats by affecting preventative security practices. Healthcare practitioners are
required to be aware of the security policies set by their institutions, for example,
choosing strong passwords, backing up data, and exercising caution with suspicious
emails. In reality, due to the demanding pace of their jobs, it is questionable whether
these standards are followed consistently. Therefore, this study proposes that:

Hypothesis 3 (H3)  Security measure efficacy has a positive impact on the healthcare
practitioner’s intention to comply with security controls in the use of mobile devices
in the workplace. When using mobile devices, the more healthcare practitioners
believe that security controls will be effective in protecting patients’ information, the
more likely they are to comply with them.

Self‑efficacy (SEF)

According to PMT theory, SEF is the belief in an individual’s ability to execute
recommended courses of action successfully (Rogers 1975). This construct evaluates
the level of confidence felt when health practitioners have to undertake recommended
preventive security controls on mobile devices. SEF has been studied by
numerous researchers in information technology adoption, confirming that computer
users are more driven to implement computer security behaviors when self-efficacy
increases (Ng et al. 2009; Workman et al. 2008). Siponen et al. (2014) suggested
that self-efficacy had a significant influence on how employees follow organizational
security policy. Thus, this study proposes that:

Hypothesis 4 (H4)  Self-efficacy positively affects the healthcare practitioner’s intention
to comply with security policies when using mobile devices in the workplace.
The more comfortable healthcare practitioners are with security controls in mobile
devices, the more likely they are to follow through with using them.

Safeguard cost (SAF)

This study defines SAF as the barriers that healthcare practitioners perceive as
inconvenient regarding compliance with security controls. The safeguard cost con-
struct derives from the PMT construct “response cost”, which is defined as the
behavior that prevents individuals from achieving a task or a goal. The concept has
been adapted to computer security and to patient mobile health services (Liang and
Xue 2009; Sun et al. 2013). For example, if healthcare practitioners incur significant
burdens in deploying safeguards such as firewalls and password setup, they are less
likely to follow through with those practices. Therefore, the study proposes that:

Hypothesis 5 (H5)  Safeguard cost negatively affects and limits the intention of
healthcare practitioners to comply with security controls using mobile devices in the
workplace. The more costly, inconvenient or time-consuming it is for them to follow
through with security controls, the less likely they are to adopt/comply with them.

Perceived security risk of mobile devices (PSR)

PSR refers to what healthcare practitioners believe are the inherent security risks
in the use of mobile devices. When these devices are lost, stolen or mishandled,
the costs to the healthcare institution can be massive. PSR has been discussed
extensively in the literature as one factor affecting consumer behavior in electronic
commerce (Chen and Barnes 2007), online banking (Lee 2009), and online secu-
rity (Garg and Camp 2012). Accordingly, this study proposes the following two
hypotheses:

Hypothesis 6 (H6)  Perceived security risk of mobile devices negatively affects the
intention to use mobile devices in the workplace. The higher the perceived security
risk healthcare practitioners perceive in using mobile devices, the less likely they are
to use them.

Hypothesis 7 (H7)  Perceived security risks of mobile devices will favorably influ-
ence the intention to comply with security controls. The greater the security risk that
healthcare practitioners perceive in using mobile devices, the more likely they will
be to follow through with security controls and safety practices for the devices.

Perceived usefulness of mobile devices (PUS)

PUS is the healthcare practitioner’s belief that the use of a mobile device will
improve patient care by enabling faster access to EMR. According to Davis
(1986, 1989), perceived usefulness increases when a user finds a technology sys-
tem that provides positive and effective performance in completing a task. This
study will test the strength of the relationship between perceived usefulness of
mobile devices and the intention to use them. Therefore, this study proposes:

Hypothesis 8 (H8)  Perceived usefulness of mobile devices has a positive influence
on the intent to use mobile devices in the workplace. The more healthcare practitioners
think that mobile devices are useful for their work, the more likely they are to use
them.

Perceived ease of use of mobile devices (PEU)

PEU refers to the healthcare practitioner’s belief that using mobile devices makes
it easier to get the job done. Davis (1986, 1989) defined perceived ease of use
as “the degree to which a person believes that using a particular system would
be free from effort.” If the user perceives a system as easy to use, the user will
develop a positive attitude toward it. In our case, as practitioners use mobile
devices to handle sensitive and personal medical information in a fast-paced and
heavily regulated environment, it is even more important that the devices are easy
to use. This study thus proposes:

Hypothesis 9 (H9)  Perceived ease of use of mobile devices has a favorable influence
on the intent to use them in the workplace. The more healthcare practitioners think
that it is easy to use mobile devices, the more likely they are to use them.

Regulatory concerns (RC)

This refers to healthcare practitioners’ assessment of the overall impact of a
violation against the rules and guidelines that protect the privacy and security
of patients’ medical and personal information. According to GDT, people will
choose to follow or to defy a law or a regulation after evaluating the conse-
quences and taking into consideration the penalties and sanctions from HIPAA
and HITECH. Thus, this study proposes that:

Hypothesis 10 (H10)  Regulatory concerns have a positive impact on the perceived
security risks of using mobile devices in the workplace. The more concerns that
healthcare practitioners have towards regulations, the greater the security risk they
will perceive from using mobile devices.

Design of the empirical study and data collection

Based on the proposed theoretical model, we designed a survey instrument that
we used to collect data from healthcare practitioners. The survey instrument was
pretested through interviews and a pilot study with healthcare providers, who
made suggestions for improvement. The study included two to four questions that
measured each construct and ten questions that controlled for demographic infor-
mation including gender, age group, and occupation of the participants, and addi-
tional background questions. Appendix 1 shows the background questions and
Appendix 2 shows the 5-point Likert scale questions to measure the constructs in
our model. In the survey, subjects were asked to respond to two hypothetical sce-
narios of using mobile devices in their institutions: a BYOD scenario, where the
practitioners are allowed to use their own mobile devices in their workplace and
a HPD scenario, where the practitioners are restricted to using only the mobile
devices provided by their institutions. The subjects were asked to respond to the
same questions under both scenarios.
We administered the survey using a web interface on an iPad. The responses
were mandatory once the survey had started, and subjects were not able to go
back and make changes after completing the questions. We visited three inpatient
hospitals and their outpatient clinics in New York City to conduct the surveys,
because the hospital administrations were considering adopting mobile devices
at the time. In addition, because of the geographic proximity, it was feasible for
us to process and obtain Internal Review Board (IRB) approvals to conduct the
study. The IRB approvals were obtained from the University where we conducted
the study and the healthcare institutions where we collected the data.
We administered the survey to two groups, clinicians in healthcare institu-
tions and clinicians in private practice. 264 healthcare practitioners provided
responses, including nurses, physician assistants, physicians, healthcare admin-
istrators, medical and nursing students, and information technology technicians.
The subjects were volunteers from the three hospitals and medical clinics. We
hosted our study station inside the hospitals and clinics all day, and healthcare
practitioners participated and worked with us on a one-to-one basis during their
spare time at work. Completing the entire interview and survey took about 20 to
30 min per subject. We used an iPad tablet to record all interviews and surveys.
Since the healthcare institutions involved were in the process of adopting Citrix,
an EMR application for mobile devices at the time of the study, we first demon-
strated the application on the iPad and then instructed each subject to complete
the survey on the same iPad.
Table 1  Demographic summary of survey samples

| Variables | Sample size | Categories | Percent |
|---|---|---|---|
| Gender | 71 | Male (gender = 1) | 26.9% |
| | 193 | Female (gender = 2) | 73.1% |
| Age Group | 7 | 18 to 21 (age group = 1) | 2.7% |
| | 137 | 22 to 34 (age group = 2) | 51.9% |
| | 49 | 35 to 44 (age group = 3) | 18.6% |
| | 45 | 45 to 54 (age group = 4) | 17.0% |
| | 23 | 55 to 65 (age group = 5) | 8.7% |
| | 3 | 65 and over (age group = 6) | 1.1% |
| Occupation | 89 | Doctors (occupation = 1) or medical students (occupation = 2) | 33.7% |
| | 145 | Nurses (occupation = 3), nursing students (occupation = 4), or medical technologist (occupation = 5) | 54.9% |
| | 30 | Healthcare administrators (occupation = 6) or IT administrators/technicians (occupation = 7) | 11.3% |

Results and analyses

Demographics

Table 1 provides a summary of the demographics from the survey subjects,
including 193 females (73.1%) and 71 males (26.9%). Among the subjects, 89
(33.7%) were either medical doctors or medical students, 145 (54.9%) were either
nurses, nursing students or medical technologists, and 30 (11.3%) were either
healthcare or information technology administrators/technicians.
The age distribution of participants ranges from 18 to 21 years (2.7 percent), 22
to 34 years (51 percent), 35 to 44 years (18.6 percent), 45 to 54 years (17 percent),
55 to 65  years (8.7 percent), and 65  years and older (1.1 percent). Most subjects
had used mobile devices at home and at work, from 1 to 15 years or more. Only a
few had never used mobile devices at home (1.1 percent) or at work (14 percent).
The most common reason (129 subjects) reported for using mobile devices was for
communication (checking email or conferencing). The second most common reason
(111 subjects) was for surfing the Internet. The third most common reason (104 sub-
jects) was work related, accessing information to aid in patient care, such as looking
up medical reference information for medication references. These practitioners also
reported that they spent a great deal of time using their devices for entertainment
(96 subjects), such as watching movies and playing games (75 subjects). For EMR
applications usage, 46.2 percent had been using this technology for 1 to 5  years,
31.4 percent for less than a year and 9.8 percent stated that they had never used
EMR technology.
We also asked questions to elicit their experience in understanding comput-
ing related risks. 46.6 percent of the practitioners reported that they had experi-
enced a security issue on one or two occasions, while 32.6 percent reported that
they had never experienced a computer security problem. We also inquired how
frequently they heard or read news regarding security issues (e.g., computer
virus attacks or unauthorized data by hackers). The majority had heard related
news stories, while only 15.2 percent had never heard or read about computer
security issues.

Validity of measurements

We conducted data analyses using structural equation modeling (SEM) in SmartPLS
for model validation and parameter estimation. SmartPLS is widely used
for SEM when testing hypotheses in the early stages (Fornell and Bookstein
1982; Ma and Agarwal 2007). Two types of SEM techniques have been used:
partial-least-square (PLS) based and covariance based. Using PLS for model
validation and parameter estimation is debatable among researchers (Hair et al.
2017; Rönkkö et al. 2016; Richter et al. 2016; Ringle et al. 2012, 2013, 2014).
Other researchers have addressed these concerns and concluded that
PLS is a suitable tool to analyze data coming from a small sample size (Henseler
et al. 2014; Gefen et al. 2000). We decided to use PLS-based SEM because PLS
allows for an exploratory study over a small sample size.
Tables 5 and 6 in Appendix 3 demonstrate the internal validity of the
measurements for the constructs in our model for the HPD and BYOD scenarios,
respectively. The loadings of the construct measurements on their corresponding
constructs are all above 0.7 except for PUS1 (= 0.61). These results are generally
consistent with conventions in the literature (Hair et al. 2014).
We also analyzed both convergent validity and discriminant validity at the
construct level. Convergent validity is the degree to which different attempts
to measure the same construct agree (Cook and Campbell 1979). Typically, an
average variance extracted (AVE) value of 0.50 or higher indicates that, on average,
the construct explains more than half of the variance of its indicators (Hair
et al. 2014). The values of Cronbach’s alpha and composite reliability are typically
accepted at a value of 0.74 or above. In this study, as shown in Tables 7
and 8 in Appendix 3, the AVEs are all above 0.5. Both the Cronbach’s alpha and
composite reliability are all above or equal to 0.7. The results support the
convergent validity of the constructs measured.
“Discriminant validity is the extent to which a construct is truly distinct from
other constructs by empirical standards” (Hair et al. 2014). Discriminant convergence
is determined through the correlation matrix and cross-loadings of measurements.
Tables 7 and 8 in Appendix 3 show the correlation matrices of the
constructs with diagonal values calculated by the square root of AVE. The tables
measure external validity, the correlation matrix of all constructs in both HPD
and BYOD scenarios. The two tables show that the correlation within the con-
struct measurements is larger than their correlations with measurements in other
constructs in both scenarios. The results demonstrate the external validity of our
constructs measured in the survey.
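
The comparison described above (the square root of AVE on the diagonal against the correlations with every other construct, commonly called the Fornell-Larcker criterion) can be re-run on the values printed in Tables 5 and 7 of Appendix 3. The Python below is an added example, not the authors' SmartPLS analysis; the function names and the rounding tolerance are assumptions, and the numbers are transcribed from the HPD tables.

```python
from math import sqrt

CONSTRUCTS = ["INC", "INU", "PEU", "PSE", "PSR", "PSU", "PUS", "RC", "SAF", "SEF", "SME"]

# AVE column of Table 5 (HPD), as printed in Appendix 3.
AVE_HPD = {"INC": 0.75, "INU": 0.78, "PEU": 0.69, "PSE": 0.95, "PSR": 0.85, "PSU": 0.72,
           "PUS": 0.73, "RC": 0.90, "SAF": 0.77, "SEF": 0.76, "SME": 0.72}

# Lower triangle of Table 7 (HPD), diagonal included, one row per construct.
LOWER_HPD = [
    [0.87],
    [0.36, 0.88],
    [0.17, 0.18, 0.83],
    [-0.04, -0.06, 0.01, 0.97],
    [-0.07, -0.17, -0.16, 0.12, 0.92],
    [-0.01, -0.13, -0.21, 0.38, 0.46, 0.85],
    [0.05, 0.14, 0.51, 0.02, -0.16, -0.15, 0.85],
    [-0.13, -0.18, -0.23, 0.18, 0.29, 0.43, -0.16, 0.95],
    [-0.28, -0.11, -0.16, -0.12, 0.16, 0.03, -0.12, 0.11, 0.88],
    [0.17, 0.09, 0.42, 0.21, 0.04, 0.04, 0.24, -0.07, -0.31, 0.87],
    [0.09, 0.10, 0.30, 0.10, -0.13, -0.18, 0.23, -0.25, -0.20, 0.40, 0.85],
]


def validate_shape(names, lower):
    """Reject input that is not a lower triangle of values in [-1, 1]."""
    if len(lower) != len(names):
        raise ValueError("one row per construct is required")
    for i, row in enumerate(lower):
        if len(row) != i + 1:
            raise ValueError(f"row {names[i]} should have {i + 1} entries")
        if any(abs(v) > 1 for v in row):
            raise ValueError(f"row {names[i]} has a value outside [-1, 1]")


def diagonal_mismatches(names, ave, lower, tol=0.011):
    """Constructs whose printed diagonal differs from sqrt(AVE).

    tol (an assumption) absorbs the two-decimal rounding of both tables.
    """
    validate_shape(names, lower)
    return [(n, lower[i][i], round(sqrt(ave[n]), 3))
            for i, n in enumerate(names)
            if abs(lower[i][i] - sqrt(ave[n])) > tol]


def discriminant_report(names, lower):
    """Per construct: sqrt(AVE), its strongest |correlation| with any other
    construct, the partner construct, and the margin between the two."""
    validate_shape(names, lower)
    report = {}
    for i, n in enumerate(names):
        others = [(abs(lower[max(i, j)][min(i, j)]), names[j])
                  for j in range(len(names)) if j != i]
        strongest, partner = max(others)
        report[n] = {"sqrt_ave": lower[i][i], "max_abs_r": strongest,
                     "with": partner, "margin": round(lower[i][i] - strongest, 2)}
    return report


def violations(report):
    """Constructs that correlate with another construct at least as strongly
    as their own sqrt(AVE), i.e. that fail the criterion."""
    return sorted(n for n, r in report.items() if r["margin"] <= 0)


if __name__ == "__main__":
    print("diagonal mismatches:", diagonal_mismatches(CONSTRUCTS, AVE_HPD, LOWER_HPD))
    rep = discriminant_report(CONSTRUCTS, LOWER_HPD)
    for name, r in sorted(rep.items(), key=lambda kv: kv[1]["margin"]):
        print(f"{name:4} sqrt(AVE)={r['sqrt_ave']:.2f}  "
              f"max|r|={r['max_abs_r']:.2f} ({r['with']})  margin={r['margin']:.2f}")
    print("violations:", violations(rep))
```

The same functions accept the BYOD values from Tables 6 and 8 if they are transcribed in the same lower-triangle form.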
Table 2  Hypotheses testing for hospital-provided device (HPD)

Hypotheses  Dependency      Sample mean  Standard deviation  Standard error  T statistics
H1          ***PSU → PSR    0.44         0.07                0.07            6.07
H2          PSE → PSR       −0.06        0.07                0.07            1.00
H3          SME → INC       0.02         0.07                0.07            0.04
H4          SEF → INC       0.10         0.07                0.07            1.40
H5          ***SAF → INC    −0.25        0.08                0.08            2.95
H6          **PSR → INU     −0.14        0.06                0.06            2.32
H7          PSR → INC       −0.04        0.06                0.06            0.64
H8          PEU → INU       0.15         0.08                0.08            1.53
H9          PUS → INU       0.06         0.09                0.09            0.61
H10         *RC → PSR       0.12         0.07                0.07            1.71

Statistical significance: ***p < 0.01 (t > 2.57), **p < 0.05 (t > 1.96), *p < 0.1 (t > 1.64)

Boldface is used to highlight important findings

Table 3  Hypotheses testing for bring-your-own-device (BYOD)

Hypotheses  Dependency      Sample mean  Standard deviation  Standard error  T statistics
H1          ***PSU → PSR    0.29         0.07                0.07            3.88
H2          ***PSE → PSR    0.17         0.06                0.06            2.69
H3          SME → INC       0.05         0.10                0.10            0.53
H4          SEF → INC       0.03         0.07                0.07            0.21
H5          **SAF → INC     −0.14        0.07                0.07            2.03
H6          PSR → INU       0.06         0.07                0.07            0.84
H7          ***PSR → INC    0.32         0.07                0.07            4.80
H8          *PEU → INU      0.14         0.07                0.07            1.83
H9          **PUS → INU     0.16         0.08                0.08            2.01
H10         RC → PSR        0.03         0.07                0.07            0.02

Statistical significance: ***p < 0.01 (t > 2.57), **p < 0.05 (t > 1.96), *p < 0.1 (t > 1.64)

Boldface is used to highlight important findings

Model estimation and hypotheses testing

We further tested the statistical significance of the hypotheses using the non-parametric
bootstrapping method (Efron and Tibshirani 1986). We selected 5000
bootstrap samples of the 264 subjects, as recommended (Hair et al. 2014), to test
the hypotheses using SmartPLS. The bootstrapping method produced T-statistics
to determine the statistical significance of dependency in the model. We
used the T-statistics to decide whether to support or reject the null hypotheses.
Tables 2 and 3 show the estimation of model parameters and the statistical significance
of hypotheses in the HPD and BYOD scenarios, respectively.
From Tables 2 and 3 we learned that:
1. Two hypotheses (H1 and H5) are statistically significant in both scenarios (HPD
and BYOD). In hypothesis H1, the more the healthcare practitioners perceive the
mobile device as vulnerable (PSU is higher), the higher the level of security risk
they will perceive from the adoption of mobile devices in their workplace (PSR
is higher). In hypothesis H5, the more inconvenient and time consuming it is for
healthcare practitioners to adopt the safeguards for the mobile devices (SAF is
higher), the less likely they will be to adopt these safeguards (INC is lower).
2. Two hypotheses (H6 and H10) are statistically significant only in the HPD sce-
nario. Through these two hypotheses, we found that regulatory concern (RC) has
a positive impact on perceived security risk (PSR), which in turn has a negative
impact on the intention to use hospital devices (INU).
3. Four hypotheses (H2, H7, H8, and H9) are statistically significant only in
the BYOD scenario. The higher the security risk practitioners perceive (PSR is
higher), the more likely they are to adopt safeguards on their own mobile devices
(INC is higher). However, the perceived security risk has no significant impact on
the intention to adopt the mobile devices (INU), which is positively impacted by
how useful the mobile devices are (PUS) and how easy it is to use them (PEU).

Our results lead us to question whether the ownership of mobile devices plays
a significant role in how healthcare practitioners perceive security. In general, we
confirmed that “convenience” is the key factor for healthcare practitioners in adop-
tion of security safeguards. The perceived vulnerabilities of mobile devices will lead
healthcare practitioners to perceive a higher level of security risks. However, these
risks will only lead them to a higher level of compliance with safeguards when they
use their own devices. When hospitals provide mobile devices, a higher level of per-
ceived security risk will lead healthcare practitioners to be less likely to adopt them.

The impact of control variables

We tested the impact of control variables on the dependent variables using linear
regressions. Table 4 shows the results of these tests. The three control variables
(see Table 1 for number coding of the variables) include gender, age group and
occupation, and the dependent variables are intention to use mobile devices (INU)
and intention to comply with security control (INC). In the HPD scenario, only
occupation has a weak statistical significance on INU (p = 0.09) and INC (p = 0.06),
respectively. The two other control variables have no significant impact on either
dependent variable. However, in the BYOD scenario, all three control variables
have a significant impact on the two dependent variables. From these tests, it
is clear that both behavior intentions only vary between genders, among age groups
and among occupations when the healthcare practitioners are asked to bring their
own mobile devices to process patient information. In the BYOD scenario, males
are more likely to both use mobile devices and adopt security controls than females,
younger practitioners are more likely to both use mobile devices and adopt security
controls than older practitioners, and doctors/medical students are more likely
to both use mobile devices and adopt security controls than nurses/nursing students/
administrators.

Table 4  The impact of control variables on dependent variables

                     Intention to use mobile devices (INU)         Intention to comply with security control (INC)
                     HPD                   BYOD                    HPD                   BYOD
Control variables    Coefficient  p        Coefficient  p          Coefficient  p        Coefficient  p
Gender               0.02         0.90     0.60         0.003***   0.03         0.80     0.40         0.04**
Age group            −0.05        0.44     −0.23        0.006***   −0.02        0.71     −0.19        0.013**
Occupation           −0.06        0.09*    −0.14        0.002***   −0.04        0.06*    −0.16        0.0004***

***p < 0.01; **p < 0.05; *p < 0.1

Implications, limitations and future work

Implications for healthcare practice

Based on the results and analyses of our empirical study, we can draw several prac-
tical implications for healthcare institutions that are considering deploying mobile
devices in the workplace.

1. To promote security policy compliance in mobile devices and safeguard medical
information, healthcare administrators must take different approaches to secu-
rity depending on how they provide mobile devices to practitioners. In the HPD
scenario, when healthcare institutions manage and provide mobile devices, prac-
titioners will have more concern over regulatory penalties, and because of this
concern, practitioners will be less willing to use the devices. Educating healthcare
practitioners regarding regulations on security controls and penalties will not be
effective in getting them to adopt the security controls but instead will decrease
their willingness to use hospital provided mobile devices at the workplace. In the
BYOD scenario, practitioners will be willing to bring and use their own devices
because they are easy to use and are useful for their work. In this case, admin-
istrators should focus on educating practitioners regarding the vulnerabilities of
their own devices. This will increase their perceived security risks, and therefore,
increase their intention to follow up with security controls.
2. It is critical in healthcare institutions to have safeguards on mobile devices that
are convenient for practitioners to adopt. Regardless of whether mobile devices
are hospital provided or not, the more practitioners find security controls costly
or inconvenient, the less likely they are to adopt them. IT administrators should
evaluate security controls and make sure they are usable and convenient.
3. Although practitioners are willing to use mobile devices provided by healthcare
institutions, the security training for devices should deliver different messages
to different occupational groups. For BYOD devices, the security training for
doctors should focus on their vulnerabilities, which will trigger a higher level of
perceived security risk among them. The security training for nurses should focus
on how to implement security controls easily so that they will not consider these
safeguards a waste of time.

Theoretical implications

The theory-grounded conceptual model we used in this study provides a foundation
for further examination of how the healthcare industry can best deploy mobile
devices. Our study has several implications.

1. Little research has focused on theory-grounded empirical research addressing
information security behavior, in particular, behavior intentions influenced by
individuals’ risk perceptions of using mobile devices. Our research model has
drawn theories from PMT, TAM, and GDT. A similar model and experimental
design may be used to examine the same problems in other industries.
2. Each of the three theoretical models that we integrated explains either a posi-
tive or a negative aspect in technology adoption. By integrating these models,
our conceptual model measured both a healthcare practitioner’s intention to use
mobile devices, the positive aspect, and their intention to adopt safeguards for the
devices, the negative or preventive aspect. By integrating the two different
aspects in the same model, we were able to discover some evidence that the per-
ceived security risk actually played different roles in these two aspects depending
on the context or the scenarios of the technology adoption.
3. The relationship between perceived security risks and device ownership could
be an important factor in technology adoption, and is worth examining in other
contexts. Based on our results, depending on who owns the technology, perceived
security risks play different roles in the adoption of new technology and in the
adoption of safeguards. In our study, when healthcare practitioners used their own
devices at the workplace, perceived security risk became an important cause of
their willingness to adopt security controls or safeguards. However, when they
thought they would use devices that did not belong to them, the perceived security
risk then hindered the practitioners’ intention to adopt the mobile devices. This
relationship has not been addressed in other literature and should be examined
further in a different context and environment.

Limitations and future work

Even though this research makes significant contributions to the study of mobile
devices in healthcare, it has several limitations. First, the labor intensiveness of the
interview and the difficulty of recruiting subjects was problematic and limited the
sample size. The sample of 264 healthcare practitioners in the quantitative analysis
and qualitative interviews could have been greater, given a larger scale of study. Sec-
ond, the research locale was limited to three medical institutions in New York City;
it is not certain whether the results are generalizable outside of the area. Finally, the
research would have been more complete if the researcher had been able to distribute
mobile devices to healthcare practitioners for longer periods when treating patients.
In our survey, one of the groups, doctors and medical students, had more hands-on
experience using EMR systems on mobile devices compared to the other two groups
(nurses and administrators) since doctors must be certified in using EMR. By pro-
viding devices to the other groups, we could have obtained broader results.
The use of mobile devices has brought additional security concerns to health-
care IT. This problem has drawn increasing attention from decision makers in
healthcare institutions. Results of this study generate a number of areas to study in
mobile device security in healthcare, and we hope that it will inspire others. First,
this research can be modified to further investigate organizational support and influ-
ence in information security. Second, the model can address other problems related
to behavior intentions in IT security. Third, since HIPAA regulations are crucial
in healthcare, it is worth investigating the effects of regulations such as HIPAA on
healthcare IT adoption. Finally, a longitudinal study would help to shed light on the
changes to behavioral intentions over time when healthcare practitioners are more
and more familiar with mobile devices and their risks.

Conclusion

In conclusion, this research helps us better understand the adoption of mobile
devices in healthcare institutions. First, the factors that encourage medical prac-
titioners to use their own devices at work are ease of use and usefulness of the
devices. By increasing the awareness of perceived security risks, medical practition-
ers will then increase their intention to follow through in adopting and maintain-
ing security controls. IT administrators should focus on promoting awareness in the
practitioners of security risks and their consequences. Second, the more healthcare
practitioners believe security controls are costly or inconvenient, the less likely they
will be to adopt them. IT administrators should design security controls that are both
convenient to use and efficient. Third, this research provides valuable data regarding
the healthcare practitioner’s perception, attitudes and intended behavior regarding
the risks and use of mobile devices in healthcare. By understanding a user’s per-
ception and behavior intentions, we can better understand how to educate health-
care practitioners and develop security policies and controls. Finally, we proposed
a conceptual model to investigate the relationship among security risk perception,
intention to use a new technology and intention to adopt the security controls for the
technology. In the future, our model might be used to investigate similar problems in
other domains.
Appendix 1

Background questions
    Sample  Categories                               Percent

How long have you used mobile devices at home?
    3       Never                                    1.1%
    6       Less than 1 year                         2.3%
    52      1–5 years                                19.7%
    114     6–10 years                               43.2%
    89      11–15 years                              33.7%

For what purposes have you been using mobile devices? (Please select all that apply)
    129     Communication (email, conferencing)
    96      Entertainment (watching movies etc.)
    75      Games
    111     Surfing the internet
    104     Work related (accessing information)

How long have you used mobile devices at work?
    37      Never                                    14%
    35      Less than 1 year                         13.3%
    109     1–5 years                                41.3%
    51      6–10 years                               19.3%
    32      More than 10 years                       12.1%

How long have you used electronic medical records (EMR) in the workplace?
    26      Never                                    9.8%
    83      Less than 1 year                         31.4%
    122     1–5 years                                46.2%
    21      6–10 years                               8.0%
    12      More than 10 years                       4.5%

How frequently have you personally been affected by a computer security problem? (e.g., computer virus attacks or unauthorized access to data by hackers)
    86      Never                                    32.6%
    123     Once or twice                            46.6%
    30      3–5 times                                11.4%
    25      More than 5 times                        9.5%

How much have you heard or read during the last year about computer security problems? (e.g., computer virus attacks or unauthorized access to data by hackers)
    40      Never                                    15.2%
    76      Once or twice                            28.8%
    55      3–5 times                                20.8%
    93      More than 5 times                        35.2%

Survey Questionnaire (Background Questions).

Appendix 2

Survey Questions with constructs (*questions measured both HPD and BYOD
scenarios).

Label Questions

PSU Perceived Susceptibility
Please indicate how likely the following will occur on a scale of 1–5. (1: Extremely unlikely;
2: Unlikely; 3: Possible; 4: Likely; 5: Extremely likely)
 PSU-1 Mobile devices can be lost or stolen easily
 PSU-2 Mobile devices cannot provide secure access to electronic medical records (EMR)
 PSU-3 Mobile devices could have security problems that allow unauthorized personnel to access to
(EMR)
PSE Perceived Severity
Please rate how severe the consequences will be, if the following occur, on a scale of 1–5. (1:
Very Low; 2: Low; 3: Moderate; 4: Severe; 5: Very Severe)
 PSE-1 Sabotage of patients’ medical information (patient records, medical images, medication
management)
 PSE-2 Sabotage of patients’ personal information, such as Social Security Number (SSN), credit card
numbers or addresses
SME Security Measure Efficacy
Please indicate how much you agree with each of the following statements. Indicate on a scale
of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 SME-1 When using mobile devices, I am sure that certain managerial and technical procedures exist
to protect patient information
 SME-2 When using mobile devices, I am sure that there is an effective way of deterring hacker attacks
 SME-3 When using mobile devices, I am sure that there are specific guidelines that describe accept-
able use of mobile device passwords
 SME-4 When using mobile devices, I am sure that there is a security policy that forbids employees
from accessing computer systems that they are not authorized to use
SEF Self-Efficacy
Please indicate how much you agree with each of the following statements. Indicate on a scale
of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 SEF-1 I would feel comfortable to reset or change the password of mobile devices
 SEF-2 I would be able to follow the security procedures that include changing my password fre-
quently for the mobile devices even if there was no one around to help me
 SEF-3 I could follow written directions about how to reset or change my password of the mobile
devices
SAF Safeguard Cost
Please indicate how much you agree with each of the following statements. Indicate on a scale
of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 SAF-1 Having a password is inconvenient for accessing electronic medical records (EMR)
 SAF-2 Using a password will take more time away from caring for patients
 SAF-3 Remembering a password is hard for me
 SAF-4 Using a password on mobile devices is time-consuming
INU* Intention to use Mobile Device
If you can choose whether or not to use a mobile device in the work place, either HPD or
BYOD, please indicate your views using a scale from 1 to 5. (1: Strongly Disagree; 2: Disa-
gree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 INU-1 I plan to use the mobile devices at work
 INU-2 I will use the mobile devices to access Electronic Medical Records (EMR)
 INU-3 I intend to use the mobile devices to access patients’ personal information
PSR* Perceived Security Risk
How do you plan on complying with security measures regarding the use of either HPD
or BYOD? Please indicate your views using a scale from 1 to 5. (1-Strongly Disagree,
5-Strongly Agree)
 PSR-1 The use of mobile devices to access electronic medical records (EMR) is risky
 PSR-2 The use of mobile devices to access patient medical information is risky
 PSR-3 The use of mobile devices to access patient personal information is risky
INC* Intention to Comply with Security Control
How much are you concerned about the following for both Hospital Provided Devices (HPD)
and Bring-Your-Own-Devices (BYOD)? Please indicate your views using a scale from 1 to
5. (1-Strongly Disagree, 5-Strongly Agree)
 INC-1 I will comply with organizational Information Technology (IT) security policies for the mobile
device, such as securing my password
 INC-2 I will not give my mobile device password to other personnel as required by security policies
 INC-3 I plan to change the password on mobile devices as required by security policy for example,
every three months
PEU Perceive Easiness of use Mobile Devices
Please indicate your comfort level in using mobile devices. Indicate on a scale of 1–5. (1:
Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 PEU-1 My interaction with mobile devices is clear and understandable
 PEU-2 I find mobile devices make it easier to perform my job, such as accessing patient medical
information
 PEU-3 Overall, I find mobile devices easy to use
PUS Perceive Usefulness of Mobile Devices
Please indicate what you think about the use of mobile devices in the workplace. Indicate on a
scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 PUS-1 Use of mobile devices can reduce the time needed to perform patient care
 PUS-2 Use of mobile devices can significantly increase my productivity and allow me to spend more
time in patient care activities
 PUS-3 Use of mobile devices can increase the quality of patient care
RC Regulatory Concern
Please indicate your level of concern regarding the following statements. Indicate on a scale of
1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree)
 RC-1 I am concerned that the use of mobile devices in the workplace may result in a violation of
HIPAA regulations
 RC-2 I am concerned that the use of mobile devices in the workplace may result in a violation of the
Joint Commission’s requirements regarding IT security
 RC-3 I am concerned that the use of mobile devices in the workplace may result in a violation of
institutional policies

Appendix 3

Quality of Measurement and Correlations of Constructs (See Tables 5, 6, 7, 8).


Table 5  Quality of measurement for hospital-provided-devices (HPD)

       AVE    Composite reliability  R square  Cronbach’s alpha  Communality  Redundancy
INC    0.75   0.90                   0.09      0.84              0.75         0
INU    0.78   0.91                   0.05      0.86              0.78         0.02
PEU    0.69   0.87                   0.00      0.79              0.69         0
PSE    0.95   0.97                   0.00      0.94              0.95         0
PSR    0.85   0.95                   0.22      0.91              0.85         −0.02
PSU    0.72   0.88                   0.00      0.81              0.72         0
PUS    0.73   0.89                   0.00      0.84              0.73         0
RC     0.90   0.96                   0.00      0.94              0.90         0
SAF    0.77   0.93                   0.00      0.90              0.77         0
SEF    0.76   0.90                   0.00      0.84              0.76         0
SME    0.72   0.91                   0.00      0.87              0.72         0

Boldface is used to highlight important findings

Table 6  Quality of measurement for bring-your-own-device (BYOD)

       AVE    Composite reliability  R square  Cronbach’s alpha  Communality  Redundancy
INC    0.87   0.95                   0.13      0.93              0.87         0.09
INU    0.81   0.93                   0.06      0.89              0.81         0.03
PEU    0.71   0.88                   0.00      0.79              0.71         0
PSE    0.95   0.97                   0.00      0.94              0.95         0
PSR    0.88   0.96                   0.15      0.93              0.88         0.06
PSU    0.72   0.89                   0.00      0.81              0.72         0
PUS    0.75   0.90                   0.00      0.84              0.75         0
RC     0.90   0.96                   0.00      0.94              0.90         0
SAF    0.77   0.93                   0.00      0.90              0.77         0
SEF    0.76   0.90                   0.00      0.84              0.76         0
SME    0.70   0.90                   0.00      0.87              0.70         0

Boldface is used to highlight important findings


Table 7  Correlations of constructs for hospital-provided-devices (HPD)

       INC     INU     PEU     PSE     PSR     PSU     PUS     RC      SAF     SEF     SME
INC    0.87    0       0       0       0       0       0       0       0       0       0
INU    0.36    0.88    0       0       0       0       0       0       0       0       0
PEU    0.17    0.18    0.83    0       0       0       0       0       0       0       0
PSE    −0.04   −0.06   0.01    0.97    0       0       0       0       0       0       0
PSR    −0.07   −0.17   −0.16   0.12    0.92    0       0       0       0       0       0
PSU    −0.01   −0.13   −0.21   0.38    0.46    0.85    0       0       0       0       0
PUS    0.05    0.14    0.51    0.02    −0.16   −0.15   0.85    0       0       0       0
RC     −0.13   −0.18   −0.23   0.18    0.29    0.43    −0.16   0.95    0       0       0
SAF    −0.28   −0.11   −0.16   −0.12   0.16    0.03    −0.12   0.11    0.88    0       0
SEF    0.17    0.09    0.42    0.21    0.04    0.04    0.24    −0.07   −0.31   0.87    0
SME    0.09    0.10    0.30    0.10    −0.13   −0.18   0.23    −0.25   −0.20   0.40    0.85

Boldface is used to highlight important findings

Table 8  Correlations of constructs for bring-your-own-device (BYOD)

       INC     INU     PEU     PSE     PSR     PSU     PUS     RC      SAF     SEF     SME
INC    0.93    0       0       0       0       0       0       0       0       0       0
INU    0.54    0.90    0       0       0       0       0       0       0       0       0
PEU    0.15    0.21    0.84    0       0       0       0       0       0       0       0
PSE    0.03    −0.14   0.03    0.97    0       0       0       0       0       0       0
PSR    0.32    0.05    −0.04   0.29    0.94    0       0       0       0       0       0
PSU    −0.05   −0.17   −0.18   0.39    0.35    0.85    0       0       0       0       0
PUS    0.15    0.22    0.52    0.05    −0.05   −0.13   0.87    0       0       0       0
RC     −0.04   −0.08   −0.20   0.18    0.15    0.42    −0.15   0.95    0       0       0
SAF    −0.15   0.03    −0.17   −0.12   0.00    0.02    −0.11   0.11    0.88    0       0
SEF    0.09    0.04    0.44    0.20    0.06    0.05    0.24    −0.07   −0.31   0.87    0
SME    0.07    0.06    0.31    0.06    −0.05   −0.18   0.25    −0.24   −0.18   0.36    0.84

Boldface is used to highlight important findings

References
Ajzen, I. 1985. From intention to actions: A theory of planned behavior. In Action-control: From cogni-
tion to behavior, ed. J. Kuhl and J. Beckman. New York: Springer.
Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes
50 (2): 179–211.
Astani, M., K. Ready, and M. Tessema. 2013. BYOD Issues and strategies in organizations. Issues in
Information Systems 14 (2): 195–201.
Blumstein, A., J. Cohen, and D. Nagin. 1977. Deterrence and incapacitation: Estimating the effects of
criminal sanctions on crime rates. Washington, DC: National Academy of Sciences.
Bulgurcu, H., H. Cavusoglu, and I. Benbasat. 2010. Information security policy compliance: An empiri-
cal study of rationality-based beliefs and information security awareness. MIS Quarterly 34 (3):
523–548.
Burns, A.J., and M.E. Johnson. 2015. Securing health information. IT Professional 17 (1): 23–29.
Chen, Y.H., and S. Barnes. 2007. Initial trust and online buyer behavior. Industrial Management & Data
Systems 107 (1): 21–36.
Cheng, L., Y. Li, W. Li, E. Holm, and Q. Zhai. 2013. Understanding the violation of IS security policy
in organizations: An integrated model based on social control and deterrence theory. Computers &
Security 39: 447–459.
Chenoweth, T., R. Minch, and T. Gattiker. 2009. Application of protection motivation theory to
adoption of protective technologies. In Proceedings in 42th Hawaii International conference on
system sciences, 1–10, 5 Jan, Hawaii. IEEE.
Conner, M., and P. Norman. 2005. Predicting health behavior. New York: McGraw-Hill International.
Cook, M., and D.T. Campbell. 1979. Quasi-experimentation: Design and analysis issues for field set-
tings. Boston: Houghton Mifflin.
D’Arcy, J., A. Hovav, and D. Galletta. 2009. User awareness of security countermeasures and its
impact on information systems misuse: A deterrence approach. Information Systems Research
20 (7): 9–98.
Davis, F.D. 1986. A technology acceptance model for empirically testing new end-user information sys-
tems: Theory and results. Ph.D. dissertation, Massachusetts Institute of Technology, Boston, MA.
Davis, F.D. 1989. Perceived usefulness, perceived ease of use, and user acceptance of information tech-
nology. MIS Quarterly 13 (3): 319–340.
Efron, E., and R. Tibshirani. 1986. Bootstrap methods for standard errors, confidence intervals, and other
measures of statistical accuracy. Statistical Science 1 (1): 54–75.
Escobar-Rodriguez, T., and M.M. Romero-Alonso. 2013. Modeling nurses’ attitude toward using auto-
mated unit-based medication storage and distribution systems: An extension of the technology
acceptance model. CIN: Computers, Informatics, Nursing 31 (5): 235–243.
Fishbein, M., and I. Ajzen. 1975. Belief, attitude, intention and behavior: An introduction to theory and
research. Psychological Bulletin 84: 888–918.
Fornell, C., and F.L. Bookstein. 1982. Two structural equation models: LISREL and PLS applied to con-
sumer exit-voice theory. Journal of Marketing Research 19 (4): 440–452.
Garg, V., and J. Camp. 2012. End user perception of online risk under uncertainty. In Proceedings in 45th
Hawaii international conference on system sciences, 3278–3287; 4 Jan, Hawaii. IEEE.
Gagnon, M.P., P. Ngangue, J. Payne-Gagnon, and M. Desmartis. 2016. m-Health adoption by healthcare
professionals: a systematic review. Journal of the American Medical Informatics Association 23 (1):
212–220.
Gefen, D., D. Straub, and M.C. Boudreau. 2000. Structural equation modeling and regression: Guidelines
for research practice. Communications of the Association for Information Systems 4 (1): 7.
Hair, J.F., G.T.M. Hult, C.M. Ringle, and M. Sarstedt. 2014. A primer on partial least squares structural
equation modeling (PLS-SEM). London: Sage.
Hair, J.F., G.T.M. Hult, C.M. Ringle, M. Sarstedt, and K.O. Thiele. 2017. Mirror, mirror on the wall: A
comparative evaluation of composite-based structural equation modeling methods. Journal of the
Academy of Marketing Science 45 (5): 616–632.
Henseler, J., T.K. Dijkstra, M. Sarstedt, C.M. Ringle, A. Diamantopoulos, D.W. Straub, and R.J. Calan-
tone. 2014. Common beliefs and reality about PLS: Comments on Rönkkö and Evermann (2013).
Organizational Research Methods 17 (2): 182–209.
Holden, R.J., and B.T. Karsh. 2010. The technology acceptance model: Its past and its future in health
care. Journal of Biomedical Informatics 43 (1): 159–172.
Kim, S., K.H. Lee, H. Hwang, and S. Yoo. 2016. Analysis of the factors influencing healthcare profes-
sionals’ adoption of mobile electronic medical record (EMR) using the unified theory of accept-
ance and use of technology (UTAUT) in a tertiary hospital. BMC Medical Informatics and Decision
Making 16 (1): 12.
Koehler, N., O. Vujovic, and C. McMenamin. 2013. Healthcare professionals’ use of mobile phones and
the internet in clinical practice. Journal of Mobile Technology in Medicine 2 (1S): 3–13.
Kowitlawakul, Y. 2011. The technology acceptance model: Predicting nurses’ intention to use telemedi-
cine technology. Computer Informatics Nursing 29 (7): 411–418.
Lee, M.C. 2009. Factors influencing the adoption of internet banking: An integration of TAM and TPB
with perceived risk and perceived benefit. Electronic Commerce Research and Applications 8 (3):
130–141.
Liang, H., and Y. Xue. 2010. Understanding security behaviors in personal computer usage: A threat
avoidance perspective. Journal of the Association for Information Systems 11 (7): 394–413.
Liang, H., and Y. Xue. 2009. Avoidance of information technology threats: A theoretical perspective. MIS
Quarterly 33 (1): 71–90.
Ma, M., and R. Agarwal. 2007. Through a glass darkly: Information technology design, identity verifi-
cation, and knowledge contribution in online communities. Information Systems Research 18 (1):
42–67.
Marshall, S. 2014. IT consumerization: A case study of BYOD in a healthcare setting. Technology Inno-
vation Management Review 4 (3).
Mylonas, A., S. Dritsas, V. Tsoumas, and D. Gritzalis. 2011. Smartphone security evaluation—The
malware attack case. In Proceedings of the international conference on security and cryptography
SECRYPT-2011, 1825–1836; 18 Jul Athens, Greece.
Ng, B., A. Kankanhalli, and C.Y. Xu. 2009. Studying users’ computer security behavior: A health belief
perspective. Decision Support Systems 46 (4): 815–825.
Pyszczynski, T., J. Greenberg, and S. Solomon. 1997. Why do we need what we need? A terror
management perspective on the roots of human social motivation. Psychological Inquiry 8 (1): 1–20.
Richter, N.F., R.R. Sinkovics, C.M. Ringle, and C. Schlaegel. 2016. A critical look at the use of SEM in
international business research. International Marketing Review 33 (3): 376–404.
Rhee, H.S., C. Kim, and Y.U. Ryu. 2009. Self-efficacy in information security: Its influence on end users’
information security practice behavior. Computers & Security 28 (8): 816–826.
Ringle, C.M., M. Sarstedt, and R. Schlittgen. 2014. Genetic algorithm segmentation in partial least
squares structural equation modeling. OR Spectrum 36 (1): 251–276.
Ringle, C.M., M. Sarstedt, R. Schlittgen, and C.R. Taylor. 2013. PLS path modeling and evolutionary
segmentation. Journal of Business Research 66 (9): 1318–1324.
Ringle, C.M., M. Sarstedt, and D. Straub. 2012. A critical look at the use of PLS-SEM. MIS Quarterly 36
(1): iii–xiv.
Rogers, R.W. 1975. A protection motivation theory of fear appeals and attitude change. The Journal of
Psychology 91 (1): 93–114.
Rogers, R.W. 1983. Cognitive and physiological processes in fear appeals and attitude change: A revised
theory of protection motivation. In Social psychophysiology: A sourcebook, ed. J.T. Cacioppo and
R.E. Petty, 153–176. New York: Guilford.
Rönkkö, M., C.N. McIntosh, J. Antonakis, and J.R. Edwards. 2016. Partial least squares path modeling:
Time for some serious second thoughts. Journal of Operations Management 47: 9–27.
Schifter, D.E., and I. Ajzen. 1985. Intention, perceived control, and weight loss: An application of the
theory of planned behavior. Journal of Personality and Social Psychology 49 (3): 843–851.
Siponen, M., A. Mahmood, and S. Pahnila. 2014. Employees’ adherence to information security policies:
An empirical study. Information & Management 51 (2): 217–224.
Straub, D.W., and R.J. Welke. 1998. Coping with systems risk: Security planning models for management
decision making. MIS Quarterly 22 (4): 441–469.
Sun, Y., N. Wang, X. Guo, and Z. Peng. 2013. Understanding the acceptance of mobile health. Journal of
Electronic Commerce Research 14 (2): 183–200.
Tejaswini, H., and H.R. Rao. 2009. Protection motivation and deterrence: A framework for security
policy compliance in organizations. European Journal of Information Systems 18 (2): 106–125.
Venkatesh, V., T.A. Sykes, and X. Zhang. 2011. ‘Just what the doctor ordered’: A revised UTAUT for
EMR system adoption and use by doctors. In Proceedings in 44th Hawaii international conference
on system sciences, 1–10; 4 Jan Hawaii. IEEE.
Workman, M., W. Bommer, and D. Straub. 2008. Security lapses and the omission of information
security measures: A threat control model and empirical test. Computers in Human Behavior 24 (6):
2799–2816.
Yarbrough, Amy K., and Todd B. Smith. 2007. Technology acceptance among physicians: A new take on
TAM. Medical Care Research and Review 64 (6): 650–672.
Zhang, J., B.J. Reithel, and H. Li. 2009. Impact of perceived technical protection on security behaviors.
Information Management & Computer Security 17 (4): 330–340.

Publisher’s Note  Springer Nature remains neutral with regard to jurisdictional claims in published
maps and institutional affiliations.

Affiliations

Alex Alexandrou1 · Li‑Chiou Chen1

* Alex Alexandrou
aalexandrou@jjay.cuny.edu
1 Department of Security, Fire, and Emergency Management, John Jay College of Criminal
Justice, 524 W. 59th St, New York, NY 10019, USA