International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 161

Critical Factors of Educational Institutions Adoption for BS 10012: Persional Information Management System Cheng-Yi Liu1, Shan-Shan Yang2, and Iuon-Chang Lin2,3 (Corresponding author: Iuon-Chang Lin) Department of Information Management, TransWorld University1 Yunlin, Taiwan Department of Management Information Systems, National Chung Hsing University2 Department of Photonics and Communication Engineering, Asia University3 Taichung, Taiwan (Email: [email protected]) (Invited Paper)

Abstract of sustainable management. Computer Processing of the Personal Data Protection Personal Information Protection Act has passed in Taiwan Act has been implemented in Taiwan in 1995, but it has a in May, 2010 and relevant policy has been implemented in lot of disadvantage and the protection scope is very narrow, October, 2012. Most of the domestic educational so effectiveness was not as expected. As such the new institutions concentrated on constructing the personal Personal Information Protection Act (PIPA) has passed in information management system and reduced the risk of 2010 which removes restriction and includes the reverse personal information leakage. In this study, diffusion of burden of proof so that the public can supervise innovation theory and TOE framework are proposed to government and enterprises to follow PIPA [4]. BS 10012 evaluate the critical factor that influences the adaption of certification was released by British Standards Institution BS 10012 certification. The key factors, which includes (BSI) in 2009 which provides the standards of personal characteristics of environment, educational institution, information management system (PIMS). This certification personal information management system and etc., are used follows Plan-Do-Check-Act (PDCA) mechanism to provide to determine whether the educational institution has protection of personal information [5, 6]. adopted BS 10012 certification or not. Questionnaire survey is applied to the staff that works in educational In recent year in Taiwan, many organizations consider institution and the analysis result indicates that the adoption of the BS 10012 certification which could help reputation of school, the support of senior staff and the them with compliance of PIPA. However, to introduce a comparative advantage will have more influence on the certification is not a simple thing because it needs a whole adaption of BS 10012 certification. scope of evaluation and consideration. Thus, this study tried to find out the critical factors of consideration for Keywords: BS 10012 certification, diffusion of innovation educational institution before adopting the BS 10012 theory, personal information management system (PIMS), certification and expected that the results could provide personal information protection Act, TOE framework some advice for follow-up study and give decision makers as the guidance. 1 Introduction According to the DataLossDB website 2 Literature Review (http://datalossdb.org/) which aggregates the major leak of data in the world, data leakage incidents have been increasing year by year and 15% of them happened inside 2.1 Personal Information Protection Act (PIPA) the educational institutions [1]. Threat Report of Trend Micro in the first half of 2010 also pointed out that the 50% Personal Information Protection Act has passed in Taiwan of malware-attack targeted on educational institutions [2]. in May, 2010 composed of 6 chapters and 56 clauses. It However, because of the environment diversification, the ameliorates all disadvantages of the old PIPA and the campus cannot restrict all users using Internet which causes improvement is summarized as follows: the leakage awareness of information security [3]. 1) Expand the protection scope: PIPA gets rid of Therefore, educational institutions should construct the “computer-processing” restriction and any types of data protection of personal information, reduce the risk of data should comply with PIPA if it is identified as personal leakage, protect the rights of staff, and achieve the purpose information; International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 162

2) Protect all subjects: in the old PIPA the protection 2.3 Diffusion of Innovation Theory subject only targets on the government and special Rogers proposed the diffusion of innovation theory in 1962 industries, while the new PIPA doesn’t have the restriction which defined innovation as “an individual or unit adopts a of protection subject. In other words, any subject in Taiwan, new concept, object or technology” [9]. This theory is used whether individuals or groups, could be protected by PIPA; to explain and predict the decision or adoption of 3) Strengthen the Code of Conduct: PIPA defines special innovative things in the organization or community [10]. personal information and specifies the restriction. If data Rogers proposed that an innovation includes 5 intrinsic leakage happens, organization should notify spontaneously factors which influence the decision of adoption. These the parties at first time. Also organization should obtain the factors are: written consent of the parties if the personal information is used in additional purpose. Whether obtaining personal 1) Relative advantage: According to the comparison of the innovation and previous generation, the innovation owns information directly or indirectly, organization has the the advantage; obligation to notify the parties before use; 4) Promote public participation: PIPA formulates “class 2) Complexity: Whether the innovation could be easily action” mechanism so that victims could entrust foundation assimilated or not; or corporation by written authorization for litigation to 3) Compatibility: Whether the innovation could match with perform relative action; previous generation or not; 5) Improve liability connotation: The compensation and penalties of data leakage are increased more than the old 4) Trialability: Whether the innovation could be easily PIPA. In addition, PIPA includes the reverse burden of experimented or not; proof which specifies that unintended data leakage should 5) Observability: Whether the innovation could be easily be provided by the organization; observed, discussed, and represented or not [11,12]. 6) Upgrade administrative supervision: The central or municipal government owns administrative competence, such as inspection, sanction, penalties and so on, to 2.4 Technology-Organization-Environment Framework supervise different kinds of industries to draft relevant Tornatzky and Fleischer proposed the TOE framework in plans and specification [7]. 1990, and defined 3 characteristics of innovation adoption [13,14]. The characteristics are: 2.2 BS 10012 Certification 1) Technology: The level of technology owned by the BSI released the BS 10012 certification in May, 2009. The organization, such as the ability of the IT department, the full name of BS 10012 certification is “Data protection - stability of information system, and the fluency of Specification for a personal information management operation and so on [15]; system”, and it provides a specific PIMS to assist 2) Organization: The intrinsic characteristics of the organizations with constructing a perfect protection organization, such as the size of the organization, the extent mechanism. As developed by experts in various fields, it of professionalizing, and the quantity of available resource could be suitable for any institutions and therefore, it is and so on [16]; famous and popular all over the world [8]. BS 10012 certification has 7 chapters. 0 to 2 chapters are standard 3) Environment: The overall surroundings of the description, nouns definition, and scope, while chapter 3 to organization including the parties such as competitors, 6 illustrates PIMS following PDCA mechanism explained suppliers, government, and so on [17]. as follows: 1) Plan: How to plan the PIMS, formulate the policy, and 3 Research Methodology allocate the authority in detail;

2) Do: This is the critical part in BS 10012 certification 3.1 Research Model whish states how to implement and operate the PIMS, such as responsibility assignment, risk assessment, assets According to the literature review, this proposed model measurement and so on; refers to the TOE framework and the innovation characteristics of the diffusion of innovation theory. It 3) Check: How to control and review the PIMS, audit the summarized 6 critical factors on 3 characteristics which implementation and effectiveness, and monitor the process could influence educational institution about the adoption by supervisors; of BS 10012 certification. The proposed model is shown in 4) Act: How to improve the PIMS in order to prevent the Figure 1. incident of data leakage, and keep the PIMS in the up-to- date situation [5]. International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 163

H4. Information security awareness could promote more willingness of BS 10012 certification adoption for educational institution.

3.2.3 PIMS Characteristic Rogers pointed out that the relative advantage of the innovation could facilitate the adoption [30,31]. As BSI Figure 1: Research model points out that BS 10012 certification could contribute 6 advantages: the confirmation of risk control, the 3.2 Research hypotheses accomplishment of PIPA clause, the promotion of competitive advantage, the implementation of the PIMS, the commitment of top management, and the improvement 3.2.1 Environment Characteristic of the PIMS [5], this study proposes: In order to promote the level of personal information H5. Relative advantage of BS 10012 certification protection in Taiwan, the government imitates “Privacy could promote more willingness of BS 10012 certification Mark” of Japan, and develops the Taiwan Personal adoption for educational institution. Information Protection and Administration System Rogers also pointed out that if the innovation could be (TPIPAS). If the organization corresponds with TPIPAS, it assimilated into previous generation, it would facilitate the would be authorized the “Data Privacy Protection Mark” adoption. Similarly, BSI states that BS 10012 certification (DP Mark) [18]. However, the implementation of TPIPAS could be suitable for any organization [30, 32]. Therefore is ineffective, and a lot of organizations used to adopt the this study proposes: certification of BSI. In addition, the BS 10012 certification H6. Compatibility of BS 10012 certification could is considered to correspond with the PIPA. Therefore, this promote more willingness of BS 10012 certification study proposes: adoption for educational institution. H1. Government policy could promote the more willingness of BS 10012 certification adoption for 3.3 Operational Definition educational institution. Percy Williams Bridgman proposed the concept of operational definition in 1927 and defined that any things 3.2.2 Educational Institution Characteristic could be measured and indicated by a specific process The definition of school reputation represents the public which includes measurement of methods, processes, and impression of the school, such as culture, vision, inspection, in order to receiving a result objectively [33,34]. environment, and so on which could influence the Therefore, this study references the review of literature and admission [19,20]. Chen Tsu Wu proposed the concept of defines the operational definition. The definition of betterness education in 1987, and thereafter many research variables is shown in Table 1. educational institutions pursue the operation of betterness education in Taiwan. Some of educational institutions 3.4 Research Design adopt certification, such as ISO 9001, ISO 27001, etc., in order to promote the level of quality [21,22]. Therefore, 3.4.1 Questionnaire Design this study proposes: H2. School reputation could promote more According to literature review, this study constructs the willingness of BS 10012 certification adoption for research questionnaire and uses Likert 5-point scale on the educational institution. measurement of questionnaire. In order to ensure the If top management does not commit the policy and content validity and face validity in the questionnaire, this provide enough resource, the promotion of information study invited 3 experts of information management to security could end in failure [23]. Similarly, an adoption of review and correct it, and the pre-test was also conducted. an innovation also needs the commitment of top The result shows that the questionnaire has achieve content management to support implementation [24,25]. Therefore, validity and face validity. this study proposes: H3. Top management support could promote more 3.4.2 Research Object willingness of BS 10012 certification adoption for The PIPA specifies that whether individuals or groups educational institution. should follow the law and the protection of personal Introducing an innovative management system or a information is the obligation for people in Taiwan. policy would generate considerable impact on the Therefore, the staff of the educational institutions is chosen organization, so adequate education and training for the as the research object on this study. staff is necessary and inevitable [26,27]. If the staff has relative awareness about the policy, the policy would be 3.4.3 Sampling Method introduced more easily and successfully [28,29]. Therefore, this study proposes: International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 164

This study chooses electronic questionnaires and paper conferences in 2012 held by Taichung Roaming Center of questionnaires. The electronic questionnaires were TANet (TCRC) on December 7th and International published in the mySurvey which is a well-known website Professional Management Assembly-Asian Pacific Region and offers the diverse service of managing questionnaire (IPMA-ASIA) on December 19th. The electronic [36]. The paper questionnaires were published in two questionnaires could assist the survey easily and effectively,

Table 1: The operational definition of research variables characteristic variable operational definition reference The school implements the extent of the PIPA and information J. I. Hwang and R. S . Ho (2013) [35] Environment Government policy security law. The school operates and constructs the extent of the culture, L.J. Mao (2006) [19] School reputation research, activity, and infrastructure. Educational Top management The top management of the school concerns about the extent of Premkumar and Ramamurthy (1995) Institution support decision making, promise, and resource allocation. [23]; Eloff and Solms von (2000) [24] Information The staff of the school implements the extent of information Umble, Haft, and Umble (2003) [26] security awareness security training, and basic protection act. BS 10012 certification could contribute to the school about the Rogers (1995) [30] Relative advantage extent of PIPA implementation, awareness promotion, and PIMS PIMS completeness. BS 10012 certification could be assimilated into the school Rogers (1995) [30] compatibility about the extent of operating procedure and work assignment. but it has a potential disadvantage of non-response bias. If 50.99% of respondents understand the PIPA roughly. the respondent does answer the questionnaire, the non- 15.68% of respondents realize the BS 10012 certification response bias would occur. Thus in order to avoid the bias, clearly, and 70.59% of respondents understand the BS this study uses 2 paper questionnaire surveys as alternative 10012 certification more or less. samples. In the characteristics of school, the result showed that 66.67% of schools have the size of 10,000 or more people, 4 Research Methodology 50.98% of schools have operated at least 45 years, 42.11% of schools adopt ISO 27001 certification,58.82% of schools are aware of the BS 10012 certification and 19.61% of 4.1 Sample Characteristics schools are planning and implementing the BS 10012 51 effective samples were collected in the questionnaire certification. survey with the effective response rate of 39.84%. Armstrong and Overton proposed that the samples are 4.2 Analysis of Reliability and Validity clustered by the receiving time, and if the characteristics of Reliability indicates the stability and consistency of the each group have no difference by chi-square test, it has no questionnaire, whilst validity represents the accuracy of the non-response bias in the samples [37]. Therefore, this study questionnaire [38]. This study uses Cronbach’s α approach references this inspection process, and the result shows that on the reliability and factor analysis on the validity. If α < the age of respondent (p=0.513), the degree of education 0.6, the item has no reliability. If the absolute value of (p=0.970), and the years of work (p=0.620), have no factor loading is less than 0.65 and the eigenvalue less than significance so the samples has no non-response bias. 1, validity is not satisfied. If the item is without reliability In the characteristics of respondents, the result or validity it should then be discarded [39,40,41]. The final indicated that 54.50% of respondents work in the university, result of reliability and validity, which discards 2 unreliable 31% of respondents serve in the computer center, 45.10% items of GP_3 and SA_1, is shown in Table 2. of respondents is between 36 to 45 years old, 78.43% of respondents has the degree of Master, 49.02% of 4.3 Analysis of Research Hypotheses respondents has worked at least 10 years in the school and 40.38% of respondents is in the management position. Discriminant analysis could predict the classification of Regarding the awareness of PIPA and BS 10012 certificate, samples by discriminant function from samples. This 49.01% of respondents understand the PIPA clearly while

Table 2: The result of the reliability and validity Characteristic variable item Cronbach‘s α Factor loading Eigenvalue GP_1 0.851 Environment Government policy 0.751 1.891 GP_2 0.844 SI_1 0.730 School reputation SI_2 0.629 0.729 1.730 Educational SI_3 0.816 Institution TP_1 0.886 Top management support TP_2 0.865 0.905 2.370 TP_3 0.876 International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 165

Information security SA_2 0.848 0.609 1.440 awareness SA_3 0.848 RA_1 0.968 Relative advantage RA_2 0.962 0.982 2.790 PIMS RA_3 0.942 CP_1 0.934 compatibility 0.853 1.745 CP_2 0.934

Table 3: The result of discriminant analysis understanding adopted none (n=11) planning (n=7) executing (n=2) variable loading (n=30) (n=1) S S S S S

Government policy 0.614 1.91 1.37 2.44 1.01 2.57 0.54 2.50 0.71 4.00 . School reputation 0.399* 3.82 0.84 4.02 0.71 4.71 0.47 3.33 0.47 4.33 . Top management 0.357* 3.09 0.96 3.71 0.82 4.24 0.62 4.33 0.47 4.33 . support Information security 0.483 3.09 1.13 3.24 1.21 4.07 0.65 3.25 1.77 4.50 . awareness Relative advantage 0.479* 3.79 0.62 4.12 0.64 4.76 0.43 4.00 0.00 5.00 . compatibility 0.602 3.05 0.91 3.55 1.07 3.93 0.63 4.50 0.71 5.00 . *:p < 0.05

Table 4: Classification accuracy prediction total none understanding planning executing adopted None 54.5 27.3 0 9.1 9.1 100.0 Understanding 23.3 70 3.3 3.3 0 100.0 fact Planning 0 0 100 0 0 100.0 Executing 0 0 0 100 0 100.0 adopted 0 0 0 0 100 100.0 Overall accuracy = 72.5% (unit:%)

Table 5: The result of research hypotheses No. hypotheses result

H1 Government policy could promote the more willingness of BS 10012 certification adoption for educational institution. Reject

H2 School reputation could promote the more willingness of BS 10012 certification adoption for educational institution. Accept Top management support could promote the more willingness of BS 10012 certification adoption for educational H3 Accept institution. Information security awareness could promote the more willingness of BS 10012 certification adoption for educational H4 Reject institution Relative advantage of BS 10012 certification could promote the more willingness of BS 10012 certification adoption H5 Accept for educational institution. Compatibility of BS 10012 certification could promote the more willingness of BS 10012 certification adoption for H6 Reject educational institution.

sample of this study could classify 5 groups by intention of According to the research result in this paper, 3 critical adoption on BS 10012 certification [39]. Therefore, this factors, which is “school reputation”, “top management study uses the discriminant analysis in order to verify the support”, and “relative advantage”, are identified that could hypotheses and predict the classification of the samples. influence the adoption of BS 10012 certification on the The Wilk’s Lambda value is 0.115 (X2=86.506, d.f.=60, educational institutions,. This result could provide an p=0.014), it means the discriminant function could classify advice for the operators in the educational institutions and clearly 5 groups of the samples. Hair et al. proposed if the aid policy formulation. If the top management of the school variable has the influence, the absolute value of supports the adoption of BS 10012 certification and discriminant loading should above 0.3. the result of considers that it could promote the school reputation and discriminant analysis is showed in Table 3. According to bring in additional advantages for the institution, the the result, “school reputation”, “top management support”, success of adoption will be foreseen. and “relative advantage” could influence the adoption of BS 10012 certification for the school. The classification References accuracy is showed in Table 4. Finally, the result of [1] DatalossDB, “Dataloss incidents,” DataLossDB, 2012. research hypotheses is showed in Table 5. Retrieved from: http://datalossdb.org/ [2] Trend Micro, “Malicious Web pages are more than 3.5 5 Conclusions billion and the educational institution is in the main attack target (the frist half of 2010 Global Threat International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 166

Report),” Trend Micro, 2011. Retrieved from: [21] B. S. Han, “ISO 9001:IWA2 from the experience of http://www.trendmicro.com/ Nan kai University of Technology,” Evaluation [3] Y. S. Wu, “Enterprise security requirement 7: Bimontlity, vol. 12, 2008. educational institution should strengthen the protection [22] M. H. Chang, The ideal and development of a high- of information security and follow the PIMS,” quality school, Taipei: Psychological Publishing Magazine of Information Security, vol. 74, 2011. corporation, 2004. [4] Ministry of Justice, R.O.C., “Personal Information [23] M. M. Eloff and S. H. Solmsvon, “Information Protection Act,” Ministry of Justice, R.O.C., 2010. Security Management An Approach to Combine Retrieved from: Process Certification And Product Evaluation,” http://law.moj.gov.tw/LawClass/LawAll.aspx?PCode= Computers & Security, vol. 19, no. 1, pp. 698-709, I0050021. 2000. [5] BSI, “BS 10012 Data Protection – Specification For A [24] G. Premkumar and K. Ramamurthy, “The role of Personal Information Management System,” British interorganizational and organizational factors on the Standards Institute, 2009. Retrieved from: decision mode for adoption of interorganizational http://www.bsigroup.com/ system,” Decision Sciences, vol.26, no. 3, pp. 303-336, [6] S. S. Po, “The point of information management about 1995. the innovation and technology: Information Security, [25] D. O'Leary, Enterprise resource planning: Systems, Personal Information Protection, Business Continuity,” life cycle, electronic commerce, and risk, NY: BSI e-Newsletter, vol.75, 2010. Cambridge University Press, 2000. [7] H. C. Chai, “Discuss information and communication [26] E. J. Umble, P. R. Haftam, and M. M. Umble, security based on the Personal Data Protection Act,” “Enterprise resource planning: Implementation National Chung Hsing University Information Security procedures,” European Journal of Operational education and training materials, 2012. Retrieved Research, vol. 2, no. 146, pp. 241-257, 2003. from:http://www.tcrc.edu.tw/data2/seminar101/201205 [27] Board of Science and Technology, Executive Yuan, 17.pdf R.O.C., “Information and Communication Security [8] J. J. Hua, “Preliminary study on BS 10012 White Paper in 2010,” Board of Science and certification,” NetAdmin, vol. 51, 2010. Technology, Executive Yuan, R.O.C., 2010. Retrieved [9] M. E. Rogers, Diffusion of innovations, New York: from:http://www.nicst.ey.gov.tw/Upload/UserFiles/20 Free Press, 1962. 10%E8%B3%87%E9%80%9A%E5%AE%89%E5%8 5%A8%E6%94%BF%E7%AD%96%E7%99%BD%E [10] Y. J. Wu, “A Study of Examing Consumers’ Adoption 7%9A%AE%E6%9B%B8_.pdf Willingness for Digital Cable TV and IPTV Using Extended Technology Acceptance Model,” National [28] Executive Yuan, R.O.C., “the plan of government Chung Hsing University, 2012. agencies (institutions) information security level of responsibility of operating,” Board of Science and [11] M. E. Rogers, Diffusion of innovations (5th), New Technology, Executive Yuan, R.O.C., 2009. Retrieved York: Free Press, 2003. from:http://www.nicst.ey.gov.tw/Upload/UserFiles/%E [12] S. H. Lai, “Investegating the Moderating effects of 6%94%BF%E5%BA%9C%E6%A9%9F%E9%97%9 mobile location-based services on users’ acceptance,” C%E8%B3%87%E5%AE%89%E8%B2%AC%E4%B National Yunlin University of Science and Technology, B%BB%E7%AD%89%E7%B4%9A%E5%88%86%E 2009. 7%B4%9A(2)(1).pdf [13] L. G. Tornatsky and M. Fleischer, the process of [29] T. F. Huang, “the protection of personal information technological innovation, Lexington Books, 1990. by using BS 10012 certification,” iThome Online, [14] W. Y. Hwang, “The Research of the Cloud Service 2010.Retrieved from: Adoptability by Logistics Industry,” National Taipei http://www.ithome.com.tw/itadm/article.php?c=62797 University of Technology, 2012. &s=1. [15] S. H. T. Teo and R. W. King, “Integration between [30] M. E. Rogers, Diffusion of innovations (4th), New business planning and information systems planning: York: Free Press, 1995. an evolutionary-contingency perspective,” Journal of [31] P. J. Laio, “financial industry prefer to adopt BS 10012 Management Information Systems, vol.14, no. 1, pp. certification,” Info security, 2012. 185-214, 1997. [32] L. G. Tornatzky and K. J. Klein, “Innovation [16] P. Poon and C. Wagner, “Critical success factor characteristics and innovation adoption- revisited: success and failure cases of information implementation: a meta-analysis of findings,” IEEE systems for senior executive,” Decision Support Transactions on Engineering Management, vol. 29, no. Systems, vol.30, pp. 393-418, 2001. 1, pp. 28-45, 1982 [17] N. Kshetri and N. Dholakia, “Determinants of the [33] C. G. Hemple, Philosophy of natural science, Teipei: global diffusion of B2B E-commerce,” Electron Yeh Yeh Book Gallery, 1989. Markets, vol.2, pp.120-129, 2002. [34] R. L. Hsu, “the potential problems of the science [18] Ministry of Economic Affairs, R.O.C., “Taiwan teaching in the elementary,” Guidance of Elementary Personal Information Protection and Administration Education, vol. 38, pp. 19-22, 2013. System,” Ministry of Economic Affairs, R.O.C., 2012. [35] J. I. Hwang and R. S. Ho, “the most sever Persoanl Retrieved from: http://www.tpipas.org.tw/index.aspx. Information Protection Act,” CommonWealth [19] L. J. Mao, “A Study on the Relationship between Magazine, vol. 514, 2013. School Image and School Choice by the Vocational [36] mySurvey, “about mySurvey,” mySurvey, Senior High School -An example in central Taiwan 2009.Retrieved from: http://www.mysurvey.tw/ area,” National Chanhua University of Education, 2006. [37] J. S. Armstrong and T. S. Overton, “Estimating nonresponse bias in mail surveys,” Journal of [20] J. W. Hwang, “A Study on the Relationship of Marketing Research, vol. 14, no. 3, pp. 396-402, 1977. Students''s Perception between Public Relation Media and School Image at University of Technology,” [38] S. R. Wu, “A Study of Mobile Phone Consumer National Taipei University of Technology, 2004. Satisfaction,” Chang Jung Christian University, 2001. International Journal of Network Security, Vol.16, No.3, PP.161-167, May 2014 167

[39] F. J. Hair, E. R. Anderson, L. R. Tatham, and C. W. Black, Multivariate Data Analysts (5th), New Jersey, NJ: Prentice-Hall, 1988. [40] F. H. Kaiser, “A second-generation little jiffy,” Psychomettrika, vol. 35, no. 4, pp. 401-405, 1970. [41] K. J. Ford, C. R. MacCallum and M. Tait, “The application of exploratory factor analysis in applied psychology: a critical review and analysis,” Personnel Psychology, vol. 39, pp. 291-314, 1986.

Cheng-Yi Liu is a lecturer in the Department of Information Management at TransWorld University. He received a master’s degree in Business Administration from the National Changhua University of Education in 2001. His current research interests include soft-computing, neural network, and information security.

Shan Shan Yang was born in Kinmen County, Taiwan, in 1988. She received the B.M. degree from National Chung Hsing University (NCHU), Taichung, in 2011 in management information systems. She is currently pursuing the M.S. degree with the Department of Management Information Systems. Her research interests include information security.

Iuon Chang Lin received the Ph.D. in Computer Science and Information Engineering in March 2004 from National Chung Cheng University, Chiayi, Taiwan. He is currently a professor of the Department of Management Information Systems, National Chung Hsing University, Taichung, Taiwan. His current research interests include electronic commerce, information security, cryptography, and cloud computing.