critique

Decision Support Systems 83 (2016) 47–56

Contents lists available at ScienceDirect

Decision Support Systems

journal homepage: www.elsevier.com/locate/dss

Online shopping intention in the context of data breach in online retail stores: An examination of older and younger adults

Rajarshi Chakraborty a, Jaeung Lee a, Sharmistha Bagchi-Sen b, Shambhu Upadhyaya c, H. Raghav Rao d,⁎ a Department of Management Science and Systems, State University of New York at Buffalo, Buffalo, NY, USA b Department of Geography, State University of New York at Buffalo, Buffalo, NY, USA c Department of Computer Science and Engineering, State University of New York at Buffalo, Buffalo, NY, USA d Department of Information Systems and Cybersecurity, University of Texas at San Antonio, San Antonio, TX, USA

⁎ Corresponding author. Tel.: +1 210 458 6300; fax: + E-mail addresses: [email protected] (R. Chakraborty),

[email protected] (S. Bagchi-Sen), [email protected] [email protected] (H. Raghav Rao).

http://dx.doi.org/10.1016/j.dss.2015.12.007 0167-9236/© 2016 Elsevier B.V. All rights reserved.

a b s t r a c t

a r t i c l e i n f o

Article history: Received 24 November 2014 Received in revised form 8 November 2015 Accepted 25 December 2015 Available online 16 January 2016

Data breaches through hacking incidents have become a significant phenomenon in the world of online shop- ping. These breaches can result in loss of personal data belonging to customers. This study builds a research model to examine people's intention to engage in e-commerce in the context of a significant data breach (the Target breach in December 2013). In addition, this paper focuses on the difference in responses regarding post-breach online shopping intent among younger adults (below 55 years) and older adults (senior citizens—above 55 years). Our findings show the importance of internal (self) monitoring of bank transactions in reducing the effect of perceptions of severity of data breaches on post-breach online shopping intent particu- larly for senior citizens. The study also demonstrates that perceptions of severity of a hacking incident are signif- icant drivers of perceived online shopping risk for both age groups. Further, perceptions of severity of a hacking incident are significant drivers of post-breach online shopping intent but only marginally significant for younger adults. Trusting beliefs in online shopping services and attitude toward e-commerce are significant for the older generation for post-breach online shopping intentions and also for younger adults. Gender is significant for se- niors while it is not significant for younger adults. The impact of perceived online shopping risk on post-breach online shopping is significantly different between the two age groups. The implication of this research lies in informing shopping websites the need to prepare better plans for notifying customers about not only data breaches but also their proposed mitigation steps so as to increase trust and reduce perceived risks associated with online shopping.

© 2016 Elsevier B.V. All rights reserved.

Keywords: Online shopping Data breach Trust Perceived risk Internal monitoring Age

1. Introduction

Online shopping has been steadily gaining acceptance around the world, especially in the United States [19]. Online shopping websites have in some instances replaced physical stores (e.g., books and electronics) [53]. The rise in online shopping has partially been attribut- ed to the success of secure payment methods through credit and debit cards. According to recent findings [60], these cards account for over 70% of payment methods used for online shopping. In addition to the increasing payment convenience, time-saving has also been a key factor in the adoption of e-commerce [3]. Online stores have improved the overall shopping experience by mimicking the amenities of a physical shopping experience in a virtual world [69]. One such example would be saving items in a “shopping cart” and checking out at a later point. This workflow is akin to dropping objects in a physical shopping cart

1 210 458 6305. [email protected] (J. Lee), u (S. Upadhyaya),

and walking around the store until it is time to check out. This conve- nience in online shopping experience has reduced the perceived risks towards online shopping that could have been attributed to the lack of physical tangibility [54]. While Amazon has been largely at the fore- front, several traditional retail chains are now active online. Target, Walmart, and Best Buy often experience as much traffic and transac- tions through their websites as they do through their physical stores [5].

The literature on information systems and marketing is rich with studies about the adoption and success of online shopping [12,39,52, 66]. Most of these studies have examined trust, convenience, and priva- cy as antecedents. Trust and privacy concerns, in particular, have remained of sustained interest given the ever-evolving risks and attacks associated with online shopping over the years. According to statistics released by the Identity Theft Resource Center [25], in the first half of 2014, 381 reported data breaches led to the exposure of over 10 million records of individuals in the United States. This presents significant dan- ger to personal and sensitive data stored in millions of websites. The most danger is faced by websites that allow customers to make transac- tions. These include shopping websites where hackers are still able to get past sophisticated firewalls and other security software as was the

48 R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

case with Target in 2013 [68]. In addition to the technical challenges, often personnel in charge of the security of these websites fail to take pro-active actions. Customer names, addresses, email addresses, account numbers, and transaction information are often exposed as a result of many of these breaches [18].

Given that online shopping is an integral part of today's economy, it is important to examine how people's attitude towards it is affected by threats to their personal information. In this paper, we have specified the study's context as the Target data breach [68]. We evaluate the effect of traditionally held notions of trust, security risk, and behavior in online shopping [50]. This paper's contribution is threefold. First, we have incorporated people's internal monitoring to scrutinize artifacts that might be affected by data or other security breaches. We posit that mon- itoring habits mitigate some of the security concerns and placate fears that may arise in the aftermath of security incidents like the Target and Neiman Marcus data breaches. Second, while purchasing intent has been studied in the field of information systems, it has not been explored in the aftermath of a major data breach incident that is likely to alter intent. Third, the perspective of generational differences has not been examined in prior literature. This paper looks at the difference between two age-based demographics—one below 55 and the other above 55 years. Traditionally, the latter is referred to as the “senior citi- zens” generation (older generation) with those between 55 and 60 years representing the first tail of it. The reason for this comparative approach is twofold: (1) research has shown significant differences in privacy concerns between older and younger computer users [27] and (2) testing our hypotheses on a younger sample gives us perspective to interpret the findings from the older population. As our findings will show later in this article, there are significant differences in certain fundamental causality aspects of trust and risk-driven behavior on the Internet between these two broad categories of the U.S. population.

To summarize, this paper focuses on the difference in responses re- garding post-breach online shopping intent among younger adults (below 55 years) and older adults (senior citizens—above 55 years). Findings show the importance of internal (self) monitoring of bank transactions in reducing the effect of perceptions of severity of data breaches on post-breach online shopping intent, particularly for senior citizens. The study also demonstrates that perceptions of severity of a hacking incident are significant drivers of perceived online shopping risk for both age groups, and while they are significant drivers of post- breach online shopping intent for seniors, they are only marginally significant for younger adults. Trusting beliefs in online shopping services and attitude towards e-commerce are significant for the older generation for post-breach online shopping intentions and also for younger adults. Gender and the impact of perceived online shopping risk on post-breach online shopping are significantly different between the two age groups.

In the remainder of this paper, we first discuss recent data breaches serving as the background of our study. Then we present the develop- ment of our research model. After that, the data collection and the anal- ysis are discussed, following which the paper concludes with a focus on the current limitations and the opportunities for future research.

2. Prior literature

According to a report by the Identity Theft Resource Center (ITRC) Dark_Reading [21], 73% (365 respondents out of 500 respondents) an- swered that they may not purchase merchandise from online websites that have experienced security breaches. Such incidents have triggered customers' protective behaviors such as avoiding using online stores, switching to another online store, and using offline stores [41]. Khalifa and Limayem [37] also found that customers will shop on e-commerce sites more frequently if they do not worry about risks of security breaches.

In addition to online shopping cases, offline business research has also provided similar findings. Belanger et al. [7] studied the impact of

security breaches on hotel revisit intention, likelihood of hotel recom- mendation and satisfaction. Their results showed that breaches resulted in negative impacts on all outcome variables. This indicates that consumers are highly concerned about data breaches.

Customers' credit card information and other personal information are some of the most commonly stolen items during data breaches into the systems of shopping websites [57,73]. Upon a breach and an improp- er access to such information, these customers become vulnerable to un- approved purchases. Information like mailing address also has the potential of being misused for exploits. Often, such exploits can be harder to detect and their effects can be felt by victims in the real world. Online transactions are seldom carried out with complete information about privacy protection from the store owner [1]. On the other hand, cus- tomers of online shopping are rarely given the option to choose what in- formation they should provide to the website for the transaction and any additional benefits. For example, storing information about one's favorite local store requires providing one's zip code. Often, a transient piece of information for the completion of a transaction may be enough to put a customer at risk after a data breach. Thus, any data breach into these businesses can potentially lead to identity theft.

Baier [4] defined trust as the “accepted vulnerability to another's possible but not expected ill will toward one” (p. 99). Customers know the kind of risk they are taking; however, the individual customer is often disposed to trust that nothing bad will happen to them. They have positive expectations regarding online shopping websites in their provisioning of shopping services. A fundamental antecedent of tech- nology adoption [22] is the decision to trust a technological artifact. Trusting or distrusting of an artifact is based on an individual's general disposition to trust others [47]. The Web Trust Model (McKnight et al. [47] explains the causality of trust on behaviors in the form of decisions made on the Internet. These decisions usually pertain to actions like shopping and sharing information on the Internet. More recently, how- ever, researchers have started to investigate these decisions in the light of both negative and positive beliefs about the potential outcomes [45]. While most people may trust their frequently visited shopping websites with respect to service quality, repeated stories of breaches may arouse concerns and distrust among them. Media reports about breaches can lead to a significant drop in consumers' trust in the security-related ca- pabilities of shopping websites. Whether trust and distrust are distinct constructs or the opposites of a trust–distrust continuum has been de- bated. Omodei and McLennan [56] proposed that trust and distrust are two ends of the same scale. Luhmann [43] posited that while trust and distrust are essentially the same construct, they are distinct functional equivalents. Therefore, in our paper, we considered trust and distrust (as a lack of trust) in the same construct.

Disposition to trust has been constantly changing through genera- tions [38,51,67]. For instance, around 1996, Internet through the Web (i.e. the Mosaic Web browser) became mainstream. People at that time who were in their late 30s (i.e. 55 and above at the present time) were the last generation to whom Internet was introduced as a niche technology. Studies about differing perceived usefulness of IT across age groups have shown that the general perception about the Internet is different among people above 55 and those below [49]. According to [64], younger Americans are less trusting of fellow human beings than their older counterparts. [59] have shown that there is no signifi- cant difference between younger baby-boomers and older baby- boomers in terms of most behavioral variables. Also, traditionally, the age of 55 years has been shown to be an important lower bound for studying Internet behavior in the older population [70]. The fundamen- tal concepts of trust and risk-taking are the differentiators between younger adults and people over 55. In the context of online shopping, given the importance of security and privacy, awareness about security hazards can also be a significant differentiator. Grimes et al. [30] have shown that older adults are generally less aware of security hazards on the Internet compared to their younger counterparts. Also, older adults tend to be generally more risk-avoiding than younger adults,

49R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

regardless of the domain [63]. In a similar vein to the above-mentioned literature, we take a perspective of generational differences to explore the relationship between risk and trust on online shopping decisions.

Of course, trust is not the sole predictor of online shopping behavior. People may make a risky online purchase without trust or with a low level of trust. For instance, other antecedents such as attitude towards e-commerce may influence customers in their decisions regarding on- line transactions. According to [65], attitude is a function of online stores' privacy policy where the organizations disclose their intentions on how they will use their customers' information. In the e-commerce setting, the level of privacy protection perceived by customers can counteract the negative effect of level of uncertainty in a transaction [2]. For customers, it would be easier to accept and use the electronic distribution channel when level of perceived attitude towards e-commerce site is high.

The lack of transparency, especially in the immediate aftermath of a security breach, often contributes to strains in the relationships between shopping websites and their customers [29]. Customers may discover identity theft and fraud through some irregularities or suspi- cious transactions in their bank statements, especially if the banks do not use sophisticated fraud detection systems. Other potential signals of fraud may include getting locked out of one's accounts and specula- tive reports from the news media. If the bank of the affected payment method fails to detect a fraud over a prolonged period after the breach, then it is possible for a customer to feel repercussions through future identity theft incidents. For every kind of potential fraud borne through a data breach, proactive measures to stay alert can help.

Internal monitoring is an important element for online shoppers to safeguard themselves against data breach, fraud, and identity theft. One of the benefits of e-commerce and online banking is that customers can check their accounts online at any time of the day from any location in the world. This service is usually free of charge and can be an advan- tage in coping with potential frauds. Checking one's bank statements regularly effectively gives customers a transparency to potential vulner- abilities. According to [48], often individuals do not consider tracking the credit report (a form of internal monitoring) as a preventative mea- sure, in part, because of a lack of awareness. Since most purchases over the Internet are done using credit cards, communications programs from retail stores can be an important factor to alert consumers to be watchful of, and monitor their credit records [58].

Thus, we consider monitoring and age demographics to be important issues in the discussion of online decisions that are significantly influ- enced by trust and risk perceptions. Monitoring is an active form of awareness that, to our knowledge, has typically not been studied in ex- aminations of phenomena about Internet and security, and is much more important today since data breaches are commonplace now. On the other hand, information asymmetry can reduce trust and increase perceived risks about online shopping in the current security environ- ment [50]. In this study, we investigate how security threats such as data breaches, in spite of the opportunities to monitor, can potentially impact a person's intention to conduct business with a shopping website.

3. Research model

A person will have less concern about protecting information that she/he does not deem valuable. Credit/debit cards and other personal information are critical to customers' well-being as their misuse can cause material stress. When a shopping store's database or any other in- ternal system is breached, several information nuggets are at risk of being exposed to hacker(s). These often include the username and pass- word and several other personally identifiable information necessary for shopping activities. Most people tend to reuse their passwords across different online properties [35]. Hence, data breaches at a single store can often expose several other online accounts of these customers. Banks today are capable of alerting their customers about suspected se- curity breaches and fraudulent uses of payment cards. In response to

such events, retail banks would usually either lock down the account or cancel the payment card. Thus, for the customers, concerns pertain more to the misuse of other information that hackers can get through these data breaches.

Buffett et al. [9] have shown that not all individuals value the same type of information equally. For instance, person A may not treat her cell phone number as a sensitive information as much as person B does. Person A is expected to feel less outraged than person B at an un- authorized sharing of her cell phone number. In other words, not every person should be expected to perceive the same level of severity of the outcome of a data breach. Perceived severity in our study is a proxy for the level of “seriousness” of a security issue at a shopping store, as per- ceived by an individual. According to [55], a user's perception of severity about these outcomes should lead to behavior that prevents such out- comes from materializing. In the context of our study, that implies stop- ping or reducing e-commerce transactions with online stores that share characteristics with Target. We thus hypothesize the following:

H1. Perceived severity of security breaches has a negative effect on post- breach shopping intent.

Perceived severity of any kind of data breach in an e-commerce sys- tem reduces the likelihood of shopping online. A similar impact is pos- sible on engagement in activities that improve the shopping experience. Such activities include saving payment information on the website. We argue here that such fears can be countered by being pro- active about security. This phenomenon is often seen in general Web browsing. People are aware of hackers and their malicious activities exploiting vulnerabilities. However, many of them tend to have that fear reduced by proactively taking steps like installing anti-virus and anti-spyware and often configuring firewalls. We argue there is a paral- lel between this scenario and the one about shopping. The difference is that anti-virus software blocks a security threat directly while being alert about spending activities is part of a best-effort action to cope with and monitor security threats indirectly. The recent spate of attacks against stores like Target was not directed at specific customers. To cope with the repercussions of these attacks, a specific customer can monitor unusual spending since her payment method(s) may have been ex- posed to malicious groups of people. This coping mechanism should mitigate the “seriousness” aspect of the attack and affect her desire to shop again. We thus hypothesize the following:

H2. Internal monitoring reduces the impact of perceived severity of securi- ty breaches on post-breach shopping intent.

In the context of online shopping, these risks can arise in the context of security, privacy, and quality of shopping service. The focus of our study is the consequences of data breaches to customers of online shopping stores. In that context, it is apparent that when a customer will sense a sig- nificant risk of an online service being disrupted by malicious people, thus possibly putting her personal information at a risk, she will tend to engage less with such a website. This could be true in spite of her faith in the shopping service-related attributes of the very same website. This con- cern is magnified when several shopping websites, especially the high- profile ones like Target, face disruptions and breaches. A magnified sense of security risk faced by online stores is thus expected to reduce the desire to pursue online shopping to an even greater degree.

In his classic article, Bauer [6] mentioned that perceived risk has components of uncertainty—the likelihood of unfavorable outcomes, and consequences—the importance of a loss [11]. This sense of risk is a strong manifestation of the misgivings that a customer has in the secu- rity of shopping websites in general, which we operationalize through a construct called perceived online shopping risk (POSR). POSR stems from the uncertainty of data breach resulting in potential post-purchase financial loss through potential violation of private information. Person- al or financial information may be stolen from the websites' database by hackers. Consumers may not engage in online shopping, if personal

50 R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

information might be at risk and monetary loss can be a possible out- come [42]. This reasoning leads us to the following hypothesis:

H3. Perceived online shopping risk has a negative effect on post-breach shopping intent.

In the consumers' mind, perceived severity of security breach mani- fests itself in the fear of potential consequences of an event. Consumers are afraid of the consequences that may create personal problems for them. Consumers would have negative feelings towards these severities when they know that one of the websites that they regularly visit to shop online has suffered data breaches. For instance, [50] found that In- ternet users' top-three concerns with regard to online shopping were privacy loss, system security breaches from third parties (due to faulty technological security), and security breaches that included fraudulent online retailer behavior. Personal information leaks, hackers' intention to harm the consumers, and banking information leaks due to the website's breached data storing system were all concerns of consumers.

Survey results cited by [7,33] support that consumers' often referred to reasons for rejecting online transactions were their concerns about the lack of information privacy and the potential loss of control over confidential information. Because e-services are based on the continual transmission, processing, and storage of often sensitive financial or personally identifiable information, many consumers may reject using an e-service due to perceptions of risk [24]. A shopper's belief about shopping websites' security vulnerabilities is a strong indicator of inher- ent cynicism about online security in general. Thus, it is evident that consumers' perception about security beach in a website makes them nervous about all the perceived risks associated with it. This brings us to the following hypothesis:

H4. Perceived severity of security breach has a positive impact on per- ceived online shopping risk.

E-commerce involves the primary activity of purchasing products and services through a website by using an electronic payment method like a debit/credit card. In order to engage in this activity, one has to get comfortable with several components that collectively form one's shop- ping experience. The most important would be the fundamental idea that one can buy something without walking into a store. Engaging in transactions in the virtual world eliminates the opportunity to interact face to face with store employees and to possibly test the product in per- son. That can create a certain level of discomfort especially in generations that did not grow up with such virtual shopping experiences. In addition to the virtual aspect, payment and personal information are often han- dled in unprecedented ways. In order to expedite the checkout process, most shopping websites give the customers the opportunity to save per- sonal information like name, address, email address, phone number, and payment methods like credit or debit card information on the website. For generations that grew up with cash transactions, this is sometimes an unsettling experience, especially if the entity that is asking for such in- formation does not have a human face to it. We operationalize this comfort-level with some of the key aspects of e-commerce as E- Commerce Attitude (EA). Attitude towards online shopping has previ- ously been shown to be a strong indicator of actual online shopping be- havior [52]. Knowledge about data breaches can reduce the keenness on shopping online or affect the habit of saving important information on websites. However, since attitude is one of the key indicators of behav- ioral intention in online shopping [52], we suggest that a person demon- strating a higher comfort level with most e-commerce attributes will be less likely to be affected. We can thus hypothesize the following:

H5. E-commerce attitude has a positive influence on post-breach shopping intent.

Online shopping-related risks include security risk and privacy risk [23], which decrease the overall utility (benefit) the consumer obtains from shopping on the Internet. The higher the consumer's perception

of the risk associated with shopping on the Internet, the higher their perception of the variance or uncertainty in the benefits derived would be. If the consumers think shopping on the Internet is highly risky, they would expect a large variance in the utility from shopping on the Internet [8]. Once consumers have learned that online shopping could produce negative consequences, they will avoid those conse- quences by decreasing online shopping activity [16]. Consumers implic- itly evaluate the relative worth or importance of benefits against the cost (perceived shopping risk) of e-commerce to form a value assess- ment. When such value assessment results in a perception of decreased utility, it would have an impact on consumers' attitude towards e-commerce. Therefore, we propose the following relationship:

H6. Perceived online shopping risk has a negative effect on e-commerce attitude.

Trust has been established as a strong predictor of attitude towards many online behaviors, specifically online shopping [71]. With the increased improvement in encryption technology, more shopping sites are offering information storage options for customers both for the pur- pose of improving their shopping experience and to increase their like- lihood of returning. Those who feel most comfortable with these information storage options are deemed to have a more positive atti- tude towards e-commerce in general. Quality of shopping service, on the other hand, may comprise of the browsing capabilities on the website, the transaction process and finally the matching of the quality of the delivered product or service to that what the customer expected. When a shopping site scores high on all of these quality-related attri- butes, it is natural for the customer to have a higher trusting belief in that website and the store in general. This positive belief and expecta- tion should naturally increase the comfort level of customers with a spe- cific website as well as online shopping in general. Based on this reasoning, we hypothesize the following:

H7. Trusting belief in shopping services has a positive effect on e-commerce attitude.

A consumer's trust in shopping websites can stem from her experi- ence with the overall service being offered by the store even though the website is simply a gateway to it. This trust is often a strong indicator for the return of customers to the website for future purchases. Most of the successful shopping stores that operate both through a website as well as through a physical store have good reputation for conducting their business ethically given the enforceable customer-protecting legal frameworks in play today. With this reality, it is seldom a trend where multiple customers over a prolonged period feel “ripped off” or come out dissatisfied with the service of a shopping store. As for the on- line version of this experience, customers feel their trust in the service quality is often reduced by the experience of browsing the website and/or from the dissatisfaction with the product bought or the handling of the payment. Often these service quality-related factors compete strongly with security and privacy concerns about the retail outlet for that service, especially since for many people, security or privacy as- pects do not completely define the shopping experience. In fact, a website could potentially reduce the quality of the shopping experience by implementing a security or privacy feature that may hinder the workflow of the customers. When a website, that one does not neces- sarily shop at, gets impacted by a security incident, a consumer is less likely to be affected by security principles. Given that literature [72] has shown that trusting beliefs are a major indicator of adoption of tech- nology, we hypothesize the following:

H8. Trusting belief in shopping services has a positive effect on post-breach shopping intent.

The constructs involved in the proposed hypotheses are operational- ized by the variables defined in Table 1. The following section describes

Table 1 Variables for the research model.

Variable name Definition of variable Measurement

1 Post-breach online shopping (PBOS) Likelihood of continuing shopping and showing favorability towards a shopping website like Target.com in the light of the data breach at Target.com

[34]

2 Perceived severity (PS) What would be at stake for a person if one of her shopping websites faced a hacking incident [55] 3 E-commerce attitude (EA) General comfort level with practices and habits commonly associated today with online shopping Self-developed 4 Perceived online shopping risk (POSR) Perceived risks that shopping websites and online shoppers in general face today [17] 5 Trusting beliefs in shopping services (TBSS) Trust that a user may have in the quality of shopping service offered by shopping websites in general [40] 6 Internal monitoring (MON) Person's frequency of checking her bank statement(s) Self-developed

51R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

how these variables were measured. The variable relationships taken together explain the underlying social and environmental conditions that “cause” a certain social behavior to happen. The research model is depicted in Fig. 1.

4. Data collection

The data were collected one month after the massive Target data breach attack that happened in mid-December 2013.1 We created a survey and got IRB permission to launch it. We collected data through an online survey conducted by Qualtrics. Qualtrics found eligible re- spondents (young adult b55 and senior citizen ≥55) based on a random sampling of their national database and distributed the survey to each group. Specifically, Qualtrics contacted individuals through email an- nouncements in their database that matched our criteria. Each individ- ual respondent could choose the time and place to respond. Moreover, respondents could withdraw from the survey any time without any penalty. As we were interested in differences between below 55-year- old and above 55-year-old (senior citizens) groups of the U.S. popula- tion, we conducted two surveys. The sample size from the former was 159 while that from the senior citizens' category was 205. Henceforth, in the remainder of this paper, we shall refer to the two datasets as the “younger” and the “senior (or older) citizens” datasets, respectively, for convenience. For both the samples, we used a filter that screened respondents—they must have shopped online at least once in their life. Not satisfying this filter would have rendered the rest of the survey instrument meaningless and not applicable to this study.

The online survey was utilized to empirically test the research hy- potheses presented above. The constructs were measured based on self-reported scores through the online questionnaire. Most of the items used to measure the constructs in the model were borrowed/or adapted from literature and all variables were measured on a 5-point Likert scale. Items for perceived online shopping risk (POSR) [17] as well as those for trusting beliefs in shopping services (TBSS) [40] were adapted to the context of online shopping. Perceived severity (PS) was measured by adapting items for online shopping from [55]. We mea- sured internal monitoring (MON) through two self-developed 5-point Likert scale questions. In order to develop internal monitoring measure- ments, we conducted interviews with two information security profes- sionals in a local bank. Based on the interviews, we created two measurements. (1) I sign up for spending alerts for all my payment cards and (2) I track the charges on my bank statement. However, only one of them turned out to load significantly both in factor analysis and PLS (described later). The significantly loading item for MON mea- sured the frequency of checking one's bank statements, which was used as a proxy for wanting to stay aware of misuse of credit or debit cards. The dependent variable, post-breach online shopping (PBOS) intent, measured intent of continuing online shopping activities as usual, by using items directly from [34].

In each of the online surveys, the items for the dependent variable, PBOS, were presented on a screen immediately after the subjects were shown a sample email sent from a prominent bank (name disguised)

1 https://corporate.target.com/about/shopping-experience/payment-card-issue-faq

to its customers right after the Target data breach of 2013. The e-mail alerted customers of the bank about the Target breach and that the bank was monitoring customer accounts for suspicious activity. Respon- dents were asked to answer the PBOS items keeping this incident and a retail chain/store in mind that operates like Target (i.e. allows shopping both through a website as well as through physical stores). Right after the survey items, the respondents were asked to verify which website they had in mind when responding to the PBOS items. We called this item TAR. As will be shown in the results of our PLS analysis later, con- trolling for TAR showed that a significant difference in the scores for our dependent variable for both the datasets.

A majority of the senior citizens respondents were in the 65– 69 years age group (27%), while in terms of gender the dataset was evenly split (51% females). Among the younger group, a majority of the responses came from the range 18–30 year olds (40%), with gender equally split there as well. All respondents had engaged in online shop- ping at least once in their life. While a few of the younger subjects (13%) had not heard of the Target data breach (others had, thanks to the media coverage), only 5 out of 205 senior citizens respondents were not aware of this incident. That was reflected in the fact that 32.7% of the younger subjects and 47.8% of the senior citizens subjects confirmed that they had assumed Target as an example store when responding to items measuring PBOS.

We found that 29% of the younger and 24% of the senior citizens sub- jects had shopped at a website that at least once faced a hacking inci- dent. Among the younger subjects, 13% had fallen victim to Internet scams in general and 14% were victims of some form of identity theft. The numbers on the senior citizens side were a little on the higher side (i.e. 19% and 17%, respectively). The difference between these two broad age groups in terms of computer courses and workshops taken was slightly different. A total of 45% of the younger population had par- ticipated in such courses while for the senior citizens, that number was 39%.

5. Analysis and results

The research model (Fig. 1) proposed earlier was evaluated using partial least squares (PLS) [13]. This method has been shown to be robust to reasonable sample sizes [10] and lack of normality for most variables in a dataset [15]. PLS regression was conducted on the two groups of survey-generated datasets (young and senior citizens) using SmartPLS [62], a tool that has been widely adopted by both information systems [44,61] and marketing [32] researchers. For each variable in the path model, we chose a reflective measurement model [20,28]. Table 4 in Appendix A presents survey items what we used for our path model. In addition, as seen in the tables (Tables 5 and 6) in Appendix B, both analyses resulted in satisfactory quality criteria (i.e., AVE, communality, composite reliability, and Chronbach's alpha) [31]. In addition, the out- put in both cases satisfied the Fornell–Larcker condition [26] demon- strating the discriminant validity of our survey instrument. While the overall quality of both the models was satisfactory, the path coefficients and the R2 values of the endogenous variables were found to be quite different. The path coefficients of the PLS analysis for both the models along with their significances are given in Table 2 below. The same

Fig. 1. Research model.

52 R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

has been depicted on the path analysis diagrams in Appendix B. (Figs. 2 and 3).

In the third to the last row of Table 2, we have included the path co- efficient from a variable called TAR to our dependent variable PBOS. In the PLS analysis with both datasets, we found a statistically significant negative influence of TAR on PBOS. TAR is an indicator variable confirming if the respondent kept Target in mind when responding to the questions measuring PBOS. This was a way of verifying that the sam- ple email from the bank was a reminder of the Target data breach that was strong enough to influence the respondent to think about her cur- rent shopping activities with respect to Target. We found, as the table and the diagrams in Appendix B show, that for both age groups, there would be a significant reconsideration taking place in the minds of the respondents had they placed themselves in the shoes of a Target cus- tomer. This finding perhaps shows the effect of empathy on shopping intent. We used the following controls: education level (measured on a 1–4 level, with 1 being high school), gender, and assumed target.

We analyzed the model with respect to each age group (i.e. below 55 against above 55) in our research model. This effect was examined using multigroup analysis in PLS [14,36]. This method performs a t-test between the pair of corresponding path coefficients for the groups. For example, the coefficients of the path representing hypothesis 1 (PS → PBOS, Table 2) for the older and the younger adults were used in a t-test. The t-value and its corresponding p-value indicate the statis- tical significance of the difference between the two path coefficients. The formula [14] for computing this t-value is as follows:

t ¼ Pathsample1−Pathsample2ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi m−1ð Þ2

m þ n−2 •s:e: 2 sample1 þ

n−1ð Þ2 m þ n−2 •s:e:

2 sample2•

ffiffiffiffiffiffiffiffiffiffiffiffiffi 1 m

þ 1 n

rs ∼tmþn−2

where m is the sample size of sample 1 (i.e. older adults) and n is the sample size of sample 2 (i.e. younger adults). The t-value thus computed has a degree of freedom.

m + n − 2. “s.e.” refers to the standard error for the particular path under consideration in each sample. These values are obtained from the re-sampling procedure called bootstrapping implemented in SmartPLS which gives the standard error for each path. Based on the datasets ob- tained through our online survey, Table 3 shows the outcome of the pairwise multigroup analysis of our research model between senior citizens and younger adults.

The results in Table 3 show that the two populations are distinct in some ways. Significant differences between the two populations pertain to perceived online shopping risk (POSR). This implies that someone who is fearful of risks associated with online shopping is more affected by actual incidents. Thus, it appears that younger adults who have gen- erally been less worried about risks may have decided to engage in

online shopping for other reasons than older adults. Perceived severity and risk are thus more important drivers of online shopping behavior after incidents for the older generations. The path coefficient is larger (in absolute value) for senior citizens for H3 (POSR → PBOS). In addition, the effect of gender was significantly different on post-breach online shopping behavior between two groups. For younger adult groups, gen- der did not show any statistically significant difference on PBOS. How- ever, for the senior citizen group, gender showed significant results. Especially, on average (for older adults), the female group had 0.164 higher PBOS than the male group.

6. Discussion

In this section, we discuss the findings, the rejection of certain hy- potheses in both age groups, and the dissimilarity in significance of path coefficients between the two. To summarize, the results tell us that the research model we proposed explains an older adult user's re- sponse to Target and other breaches much better than it does for people below the age of 55.

One of the key areas where younger people differed from their older counterparts is the rejection of hypothesis H2. This hypothesis implies that monitoring habit negatively influences effect of perceived severity on shopping intent after being reminded about the Target incident. As per our discussions earlier, monitoring, measured by regularity of keep- ing an eye on bank statements, is an indicator of security consciousness that is supposed to mitigate the feeling of threat and uncertainty. The latter arises not only when a shopping website cannot be transparent about the shopping experience, but also when news of data breaches in retail chains is floating around. It appears from the PLS output that se- curity consciousness or simply monitoring (MON) cannot temper this fear in younger people. We can speculate here that this is an indicator, in turn, of their awareness of the relative lack of usefulness of monitor- ing in trying to actually curb threats. In other words, monitoring can give one person a mental satisfaction but people familiar with the work- ings of shopping and the Web in general may realize that breaches are often inevitable or not easily stoppable.

Prior literature [17,46] has demonstrated the negative impact of perceived risks to security, privacy, and service on intentions related to online shopping. This negative impact is significant among the older generations as opposed to their younger counterparts. To under- stand this difference, we need to draw attention to the actual construct being evaluated here as a dependent variable. PBOS intent is measured in the context of a massive data breach and in the light of its potential impact on Target's customers whereby a bank had to send out mass email alerts. This knowledge can very well orient the thought process of a respondent towards a more risk-averse position regarding online shopping. We did not see significant negative effect of the perceived

Table 2 Results from SmartPLS.

Senior citizens (≥55) Younger (b55)

Hypotheses R2 R2 Hypotheses

H1(−): PS → PBOS −0.168* PBOS 0.390 PBOS 0.181 −0.185^ (−): PS → PBOS H2(−): MON → H1(−) −0.215* −0.036 (−): MON → H1(−) H3(−): POSR → PBOS −0.100^ 0.064 H3(−): POSR → PBOS H4(+): PS → POSR 0.201* EA 0.243 EA 0.178 0.405*** H4(+): PS → POSR H5(+): EA → PBOS 0.333*** 0.246* H5(+): EA → PBOS H6(−): POSR → EA −0.146* −0.159* H6(−): POSR → EA H7(+): TBSS → EA 0.441*** POSR 0.040 POSR 0.164 0.372*** H7(+): TBSS → EA H8(+): TBSS → PBOS 0.151* 0.137^ H8(+): TBSS → PBOS TAR → PBOS −0.181* −0.144* TAR → PBOS EDU → PBOS −0.013 −0.042 EDU → PBOS GEN → PBOS 0.164* −0.007 GEN → PBOS

^p b 0.10, * p b 0.05, ** p b 0.01, *** p b 0.001. PS, perceived severity; MON, internal monitoring; POSR, perceived online shopping risk; PBOS, post-breach online shopping; EA, e-commerce attitude; TBSS, trusting beliefs in shopping services; TAR, assumed target; EDU, education; GEN, gender.

53R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

risk on the dependent variable for young adults. However, this was sig- nificant for the older generations.

The final aspect where the output from the two samples differed was the impact of trusting beliefs of shopping services (TBSS) on PBOS. In traditional trust literature, this relationship is well known. However, our data shows that when the end result is a behavior in the aftermath of a security threat, this relationship may not hold especially with a modern Internet-savvy population A high level of trust in the shopping service offered by a website does not automatically translate to intended purchase and other shopping-related activities especially with sites that resemble Target.com, now that so many data breaches have come to the public's knowledge. The finding from the analysis with the senior citizens dataset indicates the opposite—i.e. senior citi- zens treat shopping service and security aspects separately. This differ- ence between the two age categories deserves further investigation.

The practical implication of this study lies in its application in policy- making. One of the findings from our survey is that perceived online shopping risk is a stronger determinant of post-breach shopping inten- tions in older adults. This implies that in the event of any large-scale data breach at a popular organization, one of the tasks to undertake is for breached organizations to convince their older clientele about the security measures that can prevent any such future breach. Such steps would help ensure continued business and transactions from this demography. The importance of internal monitoring also implies that e-commerce organizations can benefit by promoting campaigns about the value of staying alert about online transactions. The increased prac- tice of doing so in the form of checking bank statements would again help ensure continued engagement even after a breach has occurred. This would presumably be more than likely to be true with senior citi- zens. In addition, for the relationship between PS and PBOS, we found

Table 3 Multigroup analysis between senior citizens and younger adults.

Path t-statistic 2-sided p-value Significance

H1 PS → PBOS 0.310 0.757 NS H2 MON → (PS → PBOS) 0.841 0.401 NS H3 POSR → PBOS 2.103 0.036 5% H4 PS → POSR 1.505 0.133 NS H5 EA → PBOS 0.617 0.538 NS H6 POSR → EA 0.161 0.872 NS H7 TBSS → EA 0.446 0.656 NS H8 TBSS → PBOS 0.015 0.988 NS

TAR → PBOS 0.340 0.734 NS EDU → PBOS 0.230 0.818 NS GED → PBOS 2.275 0.024 5%

NS, not significant; PS, perceived severity; MON, internal monitoring; POSR, perceived on- line shopping risk; PBOS, post-breach online shopping; EA, e-commerce attitude; TBSS, trusting beliefs in shopping services; TAR, assumed target; EDU, education; GEN, gender.

significant effect for older adults and marginally significant effects for young adults groups. That means the customers' perception of severity (PS) is significant when it comes to their likelihood to continue online shopping even after a data breach. The result of younger adult groups is interesting. We hypothesized that PS had a negative impact on PBOS. Readers would be somewhat surprised to see this finding that perceived severity of younger adults group is only marginally significant on PBOS. Our recommendations and implications could apply more di- rectly to online shopping and retail organizations that happen to have a brick-and-mortar presence.

7. Conclusion

This study has a few limitations, one being that we were not able to conduct a longitudinal study whereby we could have tested the online shopping intent (PBOS) both before and after a certain data breach. While it is not possible to anticipate a particular data breach incident, these incidents keep happening often. A longitudinal study is thus in- deed possible where a post-event survey would be conducted as soon as a breach has been announced on some of the media outlets. A pre– post study would also be possible to be conducted entirely after the breach if we can select appropriate samples to control for the awareness of a certain breach. This was not possible with something as mainstream as the Target breach.

Further, we have divided the entire population into two broad age- based categories. This type of grouping glosses over the uniqueness that may be associated within certain age-based cohorts. While we have theorized our model from an age perspective (senior citizens against others), that is still too broad given that not every cohort within either category were introduced to computers and the Internet at the same time. However, this richness can be elicited only from a much larg- er sample that can guarantee sufficient power within each age cohort and this was something that could not have been achieved at this time due to resource constraints. One more aspect about sampling that limits our study is that we did not ensure to pick both Target and non-Target customers in equal measures in order to control for the per- sonal stake in the fallout from the data breach at that chain. This objec- tive is difficult to fulfill as we cannot anticipate which store's website will be breached.

Other limitations include not considering the income or socio- economic status of our subjects for the model. Before making a decision about online shopping, a customer may do a cost–benefit analysis. This analysis may differ from person to person depending on her economic status and on the price and value of the product(s). We plan to test this aspect in a future study. Internal monitoring in our study is essen- tially the frequency of keeping track of charges. This requires a cognitive burden and in the survey, we did not ask questions that would elicit such burdens. The lack of constructs and items measuring the extent

Fig. 2. Path analysis result for young adults.

54 R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

and nature of online shopping is a limitation in our study. Including such items, however, would have increased the length of our survey ques- tionnaire. Long questionnaires have been shown to evoke less thought- ful responses.

To summarize, in this paper, we have presented a very topical inves- tigation of attitude and intentions about online shopping activities under the awareness of recent large-scale data breaches at major retail stores like Target and Neiman Marcus. While privacy and security concerns have been historically studied as some of the key antecedents to the adoption of online shopping, in a 21st century environment, that adop- tion has almost crossed the tipping point. It is thus now important to un- derstand how the adoption will change given the spate of attacks that online properties around the world are facing from organized and indi- vidual cybercriminals. Our investigation has practical implications due to its focus on the generational difference in perception of these modern security risks and how they are channeled towards altering shopping- related decisions. By incorporating personal actions like bank account monitoring, though limited in its usefulness, we have put forward a richer understanding of the security and privacy focus in the online shopping context. Our research model was built on top of extant literature and pieced together from fundamental theories about trust and risk. This model has been validated using data collected from an online survey and the striking differences observed between the senior citizens gener- ation and the rest of the U.S. population should serve as a foundation for further age-based technology adoption research.

Acknowledgement

The authors would like to thank the SE and review team for critical comments that have greatly improved the paper. This research was funded by the National Science Foundation (NSF) under grants 0916612 and 1227353. We would like to thank Md Shamim Akbar for research assistance. The usual disclaimer applies.

P M E P P

Fig. 3. Path analysis result for senior citizens.

Table 5 PLS model overview for data from young adults (b55).

Ave. Composite reliability Cronbach's alpha Communality

POSR 0.628191 0.871060 0.804686 0.628191 MON 1.000000 1.000000 1.000000 1.000000 EA 0.660752 0.853814 0.753090 0.660751 PBOS 0.741735 0.934877 0.913401 0.741735 PS 0.717978 0.883998 0.802111 0.717978 PS * MON 0.775660 0.911751 0.890022 0.775662 TAR 1.000000 1.000000 1.000000 1.000000 TBSS 0.617098 0.827235 0.704771 0.617098

Appendix A

Table 4 Survey instrument.

Post-breach online shopping (PBOS) [34]: PBOS1: I am likely to make another purchase from that website in the next year. PBOS2: I intend to continue using that website rather than discontinue its use. PBOS3: I will recommend that website to my friends. PBOS4: I will recommend that website to my family. PBOS5: I would reconsider saving any payment-related information on any shopping website in general.

Internal monitoring (IM): IM1. I track the charges on my bank statement.

Perceived severity (PS) [55]: If a website where I do online shopping faced a hacking incident, it would… PS1: …be a serious problem for me. PS2: …have a negative effect on my shopping activities. PS3: …have a negative effect on my payment card (credit/debit) use.

Perceived online shopping risk (POSR) [17]: POSR1: Online shopping websites are vulnerable to hackers who may steal customers' information. POSR2: Online shopping customers often face damaging and harmful behavior from hackers. POSR3: Customers' information stored at online shopping websites is not safe. POSR4: Customers are vulnerable in online shopping websites that had incidents of hacking.

Trusting beliefs in shopping services (TBSS) [40]: TBSS1: I believe online shopping websites provide services as expected. TBSS2: I have positive expectations regarding online shopping websites in their provisioning of shopping services TBSS3: I am able to use online shopping services with confidence.

E-commerce attitude (EA): I am comfortable ____________… EA1: …shopping on the Internet. EA2: …saving credit/debit card information on a shopping website.

EA3: …saving any personal information on a shopping website. Website assumed (TAR): TAR1: Which shopping website did you have in mind when you answered the questions on the previous screen?

Appendix B. PLS results

PLS path model for data from young adults (b55) (Sample size: 159)

Table 4 (continued)

PLS path model for data from senior citizens (≥55). (Sample size: 205).

Table 6 PLS model overview for data from senior citizens (≥55).

Ave.

Composite reliability

Cronbach's alpha

Communality

OSR

0.663836

0.944608

0.837023

0.663836

ON

1.000000

1.000000

1.000000

1.000000

A

0.656210

0.851100

0.747802

0.656209

BOS

0.741735

0.944608

0.926726

0.773296

S

0.773296

0.898658

0.830632

0.747314

T

55R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

able 6 (continued)

P TA

Ave.

Composite reliability

Cronbach's alpha

Communality

S * MON

0.714017

0.881973

0.800875

0.714017

R

1.000000

1.000000

1.000000

1.000000

SS

0.740742

0.895368

0.826951

0.740742

TB

References

[1] A. Acquisti, J. Grossklags, Privacy and rationality in individual decision making, IEEE Security & Privacy 2 (2005) 24–30.

[2] L. Aksoy, A. van Riel, J. Kandampully, R.N. Bolton, A. Parasuraman, A. Hoefnagels, N. Migchels, S. Kabadayi, T. Gruber, Y. Komarova Loureiro, Understanding generation Y and their use of social media: a review and research agenda, Journal of Service Management 24 (3) (2013) 245–267.

[3] P.L. Alreck, G.R. DiBartolo, M. Diriker, H.F. Dover, K.A. Passyn, R.B. Settle, Time Pressure, Time Saving and Online Shopping: Exploring a Contradiction, Journal of Applied Business Research 25 (5) (2011).

[4] A. Baier, Moral Prejudices: Essays on Ethics, Harvard University Press, 1995. [5] S.a.F.,.D. Banjo, Stores Confront New World of Reduced Shopper Traffic, The Wall

Street Journal (2014). [6] R.A. Bauer, Consumer Behavior as Risk Taking, Dynamic Marketing for a Changing

World (398), 1960. [7] F. Belanger, J.S. Hiller, W.J. Smith, Trustworthiness in electronic commerce: the role

of privacy, security, and site attributes, The Journal of Strategic Information Systems 11 (3) (2002) 245–270.

[8] A. Bhatnagar, S. Misra, H.R. Rao, On risk, convenience, and Internet shopping behavior, Communications of the ACM 43 (11) (2000) 98–105.

[9] S. Buffett, M. Fleming, M. Richter, N. Scott, B. Spencer, Determining Internet Users' Values for Private Information, 2004.

[10] C. Cassel, P. Hackl, A.H. Westlund, Robustness of partial least-squares method for es- timating latent variable quality structures, Journal of Applied Statistics 26 (4) (1999) 435–446.

[11] E.-C. Chang, Y.-F. Tseng, Research note: E-store image, perceived value and per- ceived risk, Journal of Business Research 66 (7) (2013) 864–870.

[12] T.L. Childers, C.L. Carr, J. Peck, S. Carson, Hedonic and utilitarian motivations for on- line retail shopping behavior, Journal of Retailing 77 (4) (2002) 511–535.

[13] W.W. Chin, The partial least squares approach to structural equation modeling, Modern methods for business research 295 (2) (1998) 295–336.

[14] W.W. Chin, Frequently Asked Questions—Partial Least Squares and PLS-Graph, 2000 (Retrieved September 2, 2014, from http://disc-nt.cba.uh.edu/chin/plsfaq.htm).

[15] W.W. Chin, B.L. Marcolin, P.R. Newsted, A partial least squares latent variable model- ing approach for measuring interaction effects: results from a Monte Carlo simula- tion study and an electronic-mail emotion/adoption study, Information Systems Research 14 (2) (2003) 189–217.

[16] C.M. Chiu, E.T. Wang, Y.H. Fang, H.Y. Huang, Understanding customers' repeat pur- chase intentions in B2c E-commerce: the roles of utilitarian value, hedonic value and perceived risk, Information Systems Journal 24 (1) (2014) 85–114.

[17] J. Cho, The mechanism of trust and distrust formation and their relational outcomes, Journal of Retailing 82 (1) (2006) 25–35.

[18] P.R. Clearinghouse, 2012 from http://www.privacyrights.org/data-breach/new. [19] CMO, 15 mind-blowing stats about online shopping. 2014 from http://www.cmo.

com/articles/2014/5/6/Mind_Blowing_Stats_Online_Shopping.html. [20] T. Coltman, T.M. Devinney, D.F. Midgley, S. Venaik, Formative versus reflective mea-

surement models: two applications of formative measurement, Journal of Business Research 61 (12) (2008) 1250–1262.

[21] Dark_Reading, ITRC study: loss of credit card information and merchant data breach cited as priority concerns to consumers. 2010 Retrieved 10/10, 2015, from http:// www.darkreading.com/risk/itrc-study-loss-of-credit-card-information-and- merchant-data-breach-cited-as-priority-concerns-to-consumers/d/d-id/1134204?.

[22] F.D. Davis, Perceived usefulness, perceived ease of use, and user acceptance of infor- mation technology, MIS Quarterly (1989) 319–340.

[23] B. Doolin, S. Dillon, F. Thompson, J.L. Corner, Perceived risk, the Internet shopping experience and online purchasing behavior: a New Zealand perspective, Journal of Global Information Management 13 (2) (2005) 66–88.

[24] M.S. Featherman, A.D. Miyazaki, D.E. Sprott, Reducing online privacy risk to facilitate E-service adoption: the influence of perceived ease of use and corporate credibility, Journal of Services Marketing 24 (3) (2010) 219–229.

[25] Forbes, Data breach bulletin: Brazilian banks lose $3.75 billion because of Boleto malware. 2014 from http://www.forbes.com/sites/katevinton/2014/07/07/data- breach-bulletin-brazilian-banks-lose-3-75-billion-because-of-boleto-malware/.

[26] C. Fornell, D.F. Larcker, Evaluating structural equation models with unobservable variables and measurement error, Journal of Marketing Research (1981) 39–50.

[27] A. Goldfarb, C. Tucker, Shifts in privacy concerns, The American Economic Review 102 (3) (2012) 349–353.

[28] O. Götz, K. Liehr-Gobbers, M. Krafft, Evaluation of structural equation models using the partial least squares (PLS) approach, Handbook of Partial Least Squares, Springer 2010, pp. 691–711.

[29] S. Grabner-Kraeuter, The role of consumers' trust in online-shopping, Journal of Business Ethics 39 (1–2) (2002) 43–50.

[30] G.A. Grimes, M.G. Hough, E. Mazur, M.L. Signorella, Older adults' knowledge of Inter- net hazards, Educational Gerontology 36 (3) (2010) 173–192.

[31] J.F. Hair, C.M. Ringle, M. Sarstedt, PLS-SEM: indeed a silver bullet, The Journal of Marketing Theory and Practice 19 (2) (2011) 139–152.

[32] J.F. Hair, M. Sarstedt, C.M. Ringle, J.A. Mena, An assessment of the use of partial least squares structural equation modeling in marketing research, Journal of the Academy of Marketing Science 40 (3) (2012) 414–433.

[33] D.L. Hoffman, T.P. Novak, M. Peralta, Building consumer trust online, Communica- tions of the ACM 42 (4) (1999) 80–85.

[34] I.B. Hong, H.S. Cha, The mediating role of consumer trust in an online merchant in predicting purchase intention, International Journal of Information Management 33 (6) (2013) 927–939.

[35] B. Ives, K.R. Walsh, H. Schneider, The domino effect of password reuse, Communica- tions of the ACM 47 (4) (2004) 75–78.

[36] M. Keil, B.C. Tan, K.-K. Wei, T. Saarinen, V. Tuunainen, A. Wassenaar, A cross-cultural study on escalation of commitment behavior in software projects, Mis Quarterly (2000) 299–325.

[37] M. Khalifa, M. Limayem, Drivers of Internet shopping, Communications of the ACM 46 (12) (2003) 233–239.

[38] A. Kumar, H. Lim, Age differences in mobile service perceptions: comparison of generation Y and baby boomers, Journal of Services Marketing 22 (7) (2008) 568–577.

[39] G.-G. Lee, H.-F. Lin, Customer perceptions of E-service quality in online shopping, In- ternational Journal of Retail & Distribution Management 33 (2) (2005) 161–176.

[40] J. Lee, J.-N. Lee, B.C. Tan, Antecedents of cognitive trust and affective distrust and their mediating roles in building customer loyalty, Information Systems Frontiers (2012) 1–17.

[41] M. Lee, J. Lee, The impact of information security failure on customer behaviors: a study on a large-scale hacking incident on the Internet, Information Systems Fron- tiers 14 (2) (2012) 375–393.

[42] K.C. Ling, L.T. Chai, T.H. Piew, The effects of shopping orientations, online trust and prior online purchase experience toward customers' online purchase intention, International Business Research 3 (3) (2010) 63.

[43] N. Luhmann, Trust and Power. 1979, John Wiley & Sons, 1979. [44] G.A. Marcoulides, W. Chin, C. Saunders, Foreword: a critical look at partial least

squares modeling, Management Information Systems Quarterly 33 (1) (2009) 10. [45] D.H. McKnight, N. Chervany, Trust and distrust definitions: one bite at a time, Trust

in Cyber-societies (2001) 27–54. [46] D.H. McKnight, V. Choudhury, Distrust and trust in B2c E-commerce: do they differ?

ACM (2006) 482–491. [47] D.H. McKnight, V. Choudhury, C. Kacmar, Developing and validating trust measures

for E-commerce: an integrative typology, Information Systems Research 13 (3) (2002) 334–359.

[48] G.R. Milne, How well do consumers protect themselves from identity theft? Journal of Consumer Affairs 37 (2) (2003) 388–402.

[49] T.L. Mitzner, J.B. Boron, C.B. Fausset, A.E. Adams, N. Charness, S.J. Czaja, K. Dijkstra, A.D. Fisk, W.A. Rogers, J. Sharit, Older adults talk technology: technology usage and attitudes, Computers in Human Behavior 26 (6) (2010) 1710–1721.

[50] A.D. Miyazaki, A. Fernandez, Consumer perceptions of privacy and security risks for online shopping, Journal of Consumer Affairs 35 (1) (2001) 27–44.

[51] M.G. Morris, V. Venkatesh, Age differences in technology adoption decisions: impli- cations for a changing work force, Personnel Psychology 53 (2) (2000) 375–403.

[52] M.H. Moshrefjavadi, H.R. Dolatabadi, M. Nourbakhsh, A. Poursaeedi, A. Asadollahi, An analysis of factors affecting on online shopping behavior of consumers, Interna- tional Journal of Marketing Studies 4 (5) (2012) 81.

[53] A. Nanji, Online Shopping Trends 2013: Most Popular Categories, Top Purchase Drivers, MarketingProfs (2013) (from http://www.marketingprofs.com/charts/2013/12195/ online-shopping-trends-most-popular-categories-top-purchase-drivers).

[54] M.V. Nepomuceno, M. Laroche, M.-O. Richard, How to reduce perceived risk when buying online: the interactions between intangibility, product knowledge, brand fa- miliarity, privacy and security concerns, Journal of Retailing and Consumer Services 21 (4) (2014) 619–629.

[55] B.Y. Ng, A. Kankanhalli, Y.C. Xu, Studying users' computer security behavior: a health belief perspective, Decision Support Systems 46 (4) (2009) 815–825.

[56] M.M. Omodei, J. McLennan, Conceptualizing and measuring global interpersonal mistrust–trust, The Journal of Social Psychology 140 (3) (2000) 279–294.

[57] K.K. Peretti, Data breaches: what the underground world of carding reveals, Santa Clara Computer & High Tech LJ (25) (2008) 375.

[58] N.L. Piquero, M.A. Cohen, A.R. Piquero, How much is the public willing to pay to be protected from identity theft? Justice Quarterly 28 (3) (2011) 437–459.

[59] T. Reisenwitz, R. Iyer, A comparison of younger and older baby boomers: investigat- ing the viability of cohort segmentation, Journal of Consumer Marketing 24 (4) (2007) 202–213.

[60] I. Retailer, How Consumers Pay Online, 2014 from http://www.internetretailer.com/ trends/consumers/.

[61] C.M. Ringle, M. Sarstedt, D.W. Straub, Editor's comments: a critical look at the use of PLS-SEM in MIS Quarterly, MIS Quarterly 36 (1) (2012) iii–xiv.

[62] C.M. Ringle, S. Wende, A. Will, SmartPLS 2.0 (Beta), 2005 (Hamburg, Germany). [63] D.R. Roalf, S.H. Mitchell, W.T. Harbaugh, J.S. Janowsky, Risk, reward, and economic

decision making in aging, The Journals of Gerontology Series B: Psychological Sci- ences and Social Sciences (2011) gbr099.

[64] R.V. Robinson, E.F. Jackson, Is trust in others declining in America? An age-period- cohort analysis, Social Science Research 30 (1) (2001) 117–145.

[65] H.J. Smith, T. Dinev, H. Xu, Information privacy research: an interdisciplinary review, MIS Quarterly 35 (4) (2011) 989–1016.

[66] D.G. Soopramanien, A. Robertson, Adoption and usage of online shopping: an empir- ical analysis of the characteristics of buyers, browsers and non-Internet shoppers, Journal of Retailing and Consumer Services 14 (1) (2007) 73–82.

[67] M. Sutter, M.G. Kocher, Trust and trustworthiness across different age groups, Games and Economic Behavior 59 (2) (2007) 364–382.

56 R. Chakraborty et al. / Decision Support Systems 83 (2016) 47–56

[68] N. Times, Target Missed Signs of a Data Breach, 2014 from http://www.nytimes. com/2014/03/14/business/target-missed-signs-of-a-data-breach.html.

[69] T. Verhagen, C. Vonkeman, F. Feldberg, P. Verhagen, Present it like it is here: creating local presence to improve online product experiences, Computers in Human Behav- ior 39 (2014) 270–280.

[70] S. Vuori, M. Holmlund-Rytkönen, 55+ people as Internet users, Marketing Intelli- gence & Planning 23 (1) (2005) 58–76.

[71] T.-L. Wang, Y.-F. Tseng, A study of the effect on trust and attitude with online shop- ping, International Journal of Digital Society 2 (2) (2011) 433–440.

[72] H. Xu, H.H. Teo, B.C.Y. Tan, Predicting the Adoption of Location-Based Services: The Role of Trust and Perceived Privacy Risk, 2005.

[73] T. Zeller, Black Market in Stolen Credit Card Data Thrives on Internet, New York Times), 2005.

Rajarshi Chakraborty Rajarshi Chakraborty received his PhD in Management Science and Systems at the University at Buffalo (UB). His doctoral dissertation topic was on online privacy for older adults. His other research interests include cyber security, in- formation processing in disaster management, and cloud computing. He is a member of the International Federation for Information Processing (IFIP) Working Group 8.11/11.13 (Information Systems Security Research). Rajarshi has published in the proceedings of the Americas Conference on Information Systems, AIS SIGSEC's Work- shop on Information Security and Privacy IEEE IT Professional and Decision Support Systems.

Jaeung Lee Jaeung Lee is a PhD candidate in the Department of Management Science and Systems at the State University of New York at Buffalo. His primary areas of research inter- ests include information security, emergency response management systems, and re- quirements management. His research has appeared in Information Systems Frontiers (ISF) and conference proceedings such as AMCIS 2015, Web 2015, SKM 2014, WMSC 2011, and IRM 2011.

Sharmistha Bagchi-Sen Sharmistha Bagchi-Sen is a Professor and the Chair of the Depart- ment of Geography at the University at Buffalo (SUNY). Her research interests are Urban and Regional Analysis International Business: Foreign Direct Investment, High Technology

and Regional Innovation Biotechnology and Pharmaceutical Sectors, Labor and Societal Impacts of Information Technology, and Labor Market and the Aging Workforce. Her stud- ies focus primarily on the United States and South Asian countries. She is also currently a visiting professor at the University of Gothenburg, Sweden. In the past, she has been a co- director of the Institute for Research and Education on Women and Gender at the Univer- sity at Buffalo. Sharmistha has published in several outlets of her research interests includ- ing European Planning, Applied Geography, and Computers in Human Behavior.

Shambhu Upadhyaya Shambhu J. Upadhyaya is Professor of Computer Science and Engi- neering at the State University of New York at Buffalo where he also directs the Center of Excellence in Information Systems Assurance Research and Education (CEISARE), desig- nated by the National Security Agency. Prior to July 1998, he was a faculty member at the Electrical and Computer Engineering Department. His research interests are informa- tion assurance, computer security, fault diagnosis, fault tolerant computing, and VLSI test- ing. He has authored or coauthored about 250 articles in refereed journals and conferences in these areas. His current projects involve insider threat modeling, intrusion detection, se- curity in wireless networks, and protection against Internet attacks. His research has been supported by the National Science Foundation, Rome Laboratory, the U.S. Air Force Office of Scientific Research, DARPA, National Security Agency, IBM, Intel Corporation, and Harris Corporation. He is a senior member of IEEE.

H. Raghav Rao Professor Rao is AT&T Chair Professor at University of Texas at San Antonio, on leave from UB as a SUNY Distinguished Service Professor of MSS at UB, USA and was WCU Visiting Professor of GSM at Sogang University, S. Korea. His interests are in the areas of management information systems, decision support systems, e-business, emergency response management systems, and information assurance. He has also received the Ful- bright Fellowship in 2004. He is an advisory editor of Decision Support Systems, co-editor- in-chief of Information Systems Frontiers, AE of ACM Transactions in MIS, and senior editor at MISQ. Dr. Rao also has a courtesy appointment with Computer Science and Engineering as adjunct Professor.