Educating Students ’ Privacy Decision Making through Information Ethics Curriculum

Increasingly sophisticated technologies nowadays have equipped powerful capabilities to obtain and exploit consumers’ information privacy on the Internet. The contemporary privacy protection techniques seem fail to guard information privacy. Besides of the technological protections, information ethics education is described as the ideal way to increase people’s consciousness. This study proposes a privacy decision making model which posits that attitudes toward privacy protection, privacy self-efficacy for protection, and privacy self-efficacy for non-acquisition are critical factors essential to behavioral intention. Further, a longitudinal model explores whether information ethics education plays a role in influencing students’ concepts of protecting information privacy. A survey of 111 senior-level undergraduate students in the department of Information Management was conducted to test the hypothesized model. The findings exhibit important insights: through information ethics education, students demonstrate significant model paths changes in the relationships of attitude, privacy self-efficacy for protection, and privacy self-efficacy for nonacquisition to intention. The implications to the ethics curriculum concerning information privacy are discussed.


Introduction
The rapidly technological developments have enhanced our life, which brings much convenience and efficiency to data collection, and data processing to generate data value proliferation.While these computing technologies become more powerful and sophisticated, the issue of privacy has surfaced to become one of the most critical concerns.For example, the confidentiality and anonymity are battered by using data analytics algorithm, individuals preferences can be easily derived from various online sources (i.e.personal website, blogs, social networking sites, etc.).A recent study by Kosinski, Stillwell, & Graepel (2013) show that Facebook "Likes" can be used to automatically predict sensitive personal attributes, such as religious and political views, even family connections.The privacy loss in the information age is significant, confirmed by the United States' President's Council of Advisors on Science and Technology (PCAST) report 1 about "Big Data and Privacy": "big data analytics have the potential to eclipse long-standing civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace" (House, 2014).
Nowadays, the public have perceived a ubiquitous threat from information technologies, which are equipped with enhanced capabilities for surveillance, storage, retrieval, and transmission of personal information (Clarke, 1988;Mason, 1986).Looking back the contemporary privacy protection technologies, the existing protection methods and techniques seem fail to achieve this goal in guarding information privacy.In addition to technological protections, we are calling for an essential way to raise people's consciousness of information privacy.Moreover, while this study conducts in Taiwan, the term "privacy" under Chinese culture is a fragile and vague perception, which traditionally is treated as a right that authority owns; those disadvantaged minorities often have to sacrifice their privacy to gratify the authority's interest.Under such circumstances, arousing the consciousness of privacy is valuable and needed.According to a recent study by Lin & Chou (2014) that investigated ethics-related courses related to information ethics in Taiwan 118 universities during 2010 to 2012, the results showed that the information ethics curricula has not yet prevalent offered in the universities, therefore calling for the necessity of higher education on information ethics.
This study aims at cultivating one's privacy decision making through a semester information ethics education.The theory of self-efficacy is adopted from the social-psychological perspective, the main construct of privacy self-efficacy is examined to see the vignette decisions related to information privacy change before and after lectures.In the proposed model, this study tries to demonstrate whether information ethics education can significantly influence students' attitudes toward privacy protection, two kinds of privacy self-efficacy (protection and non-acquisition), and privacy intention.The values of this study will be helpful for understanding individuals privacy self-efficacies, and schools/educators should consider cultivating consciousness of information privacy issues in IS professional ethical curriculum.Two research issues are listed: RQ1: The constructs of attitude toward privacy protection, and privacy self-efficacy are hypothesized to have significant roles as direct determinants of privacy intention.
RQ2: Significant differences have been recognized between pre-education and post-education IS students in the relationships that the attitudes, and privacy self-efficacy have impacted on behavioral intention.

The Necessity of Information Ethics Education
Technological advances in the information age have led many people to believe that the coverage of ethics in universities is the best way for students to form their perceptions of ethics, and preparing students to deal with ethical issues in information society.Ethics training or ethics education concerning information systems are not a "one time" inoculation.No matter the school education and on the job training concerning information ethics issues have been proven to increase the probability, individuals will practice more ethical behaviors on the job.For example to the ethical education, Smith, Fryer-Edwards, Diekema, & Braddock (2004) claimed that ethical education arouse students' recognition of common ethical dilemmas.Almagno & Carbo (2001) introduced a series information ethics courses to bachelor, master, and doctoral level students.After taking the course, the graduates report that the courses have had a much greater effect on their personal and professional lives than other courses.As for the example about ethical training in practices, codes of ethics have been found to effectively deter unethical behaviors and provide more specific guidance to computing professionals (Oz, 1992); the work by Harrington (1996) has also demonstrated that ethical rules written specifically to deal with software issues have positive effect on computer abuse judgments and intention.
In the computer science domain, several main professional institutions have drawn up explicit codes of ethics The reason these professional associations draw up explicit codes and incorporate ethical issues as a part of the standard curriculum is to educate students and IT workers knowing information systems professional responsibility about ethics issues, further helping handling conflicts when facing ethical dilemmas.Just as the ethical curriculum of CSAB requirements, four clearly goals are listing: 1) to aid students in becoming computer professionals; 2) to help students accept the responsibilities associated with being an IT professional; 3) to encourage students to formulate and express their views on social and legal issues; and 4) to raise students' awareness of the impact computing has on society.However, a recent study by Lin & Chou (2014) investigated information ethics-related courses in Taiwan and showed that the information ethics curricula has not yet prevalent offered in the universities, it is of necessity calling for higher education on information ethics.

Self-Efficacy Theory
Self-efficacy refers to one's belief that he or she has the capability to execute a particular action, which is a major determinant of what activities people will choose, how much effort they will expend, and how long they will sustain the effort in dealing with stressful situations (Bandura, 1997).The concept of self-efficacy has been widely studied and proven to be a critical predictor of human conduct in various settings, such as learning, health-promoting behavior, clinical functioning, athletic achievement, and career and occupational development.
It is an important element of Social Cognitive Theory (SCT), which adopts a cognitive interactionist perspective to personal behavior.In this framework, people's efficacy beliefs play an important role in mediating their goal setting, thought patterns, emotional states, and strategies and actions chosen.
In the ethics domain, Bandura (1991) has elaborated the "Social Cognitive Theory of Moral Thought and Action" and has presented the view that an explanation of the relation between ethical reasoning and conduct must specify the psychological mechanisms by which moral standards get translated into actions.SCT asserts that moral conduct is motivated and regulated mainly by the ongoing exercise of self-regulatory efficacy.Effective self-regulation of conduct requires not only obvious self-regulatory skills but also a strong belief in one's own capabilities to achieve personal control.Therefore, people's beliefs in their efficacy to exercise control over their own motivations, thought patterns, and actions play important roles in the exercise of human agency (Bandura, 1986).The stronger the perceived self-regulatory efficacy, the more persevering are people in their self-controlling efforts, and the greater is their success in resisting social pressures to behave in ways that violate their standards; on the contrast, a low sense of self-regulatory efficacy heightens vulnerability to social pressures for transgressive conduct (Bandura, 1991: p. 69).
The robustness of self-efficacy has been established through many applications and replications across a broad range of behavioral domains, including information systems (Bandura, 1997;Marakas, Yi, & Johnson, 1998).Several empirical studies found that self-efficacy would play an even greater role if IS professionals were required to be aggressive in challenging organizational information privacy policies (Korzaan, Brooks, & Greer, 2009;Smith, 1993;Smith, Milberg, & Burke, 1996).Moreover, researchers in IS-related studies have explored how the expectation of computer self-efficacy may impact decisions concerning technology acceptance and usage (Compeau & Higgins, 1995;Gist & Mitchell, 1992;Henry & Stone, 1999).For the reasons given above, this research relies on Bandura's self-efficacy theory to address whether strengthening perceived self-efficacy will increase IS students' capability concerning protecting information privacy.

Research Model
Previous theories such as theory of reasoned action (TRA) and theory of planned behavior (TPB) have theorized that attitudes and intentions are the best predictors of specific behaviors (Ajzen, 1991(Ajzen, , 2002;;Ajzen & Fishbein, 1980).In this study, perceived self-efficacy is included as an attempt to strengthen the individual's behavioral intentions, the importance of self-efficacy as a predictor of behavior is greater in activities in which the person has only variable or limited control over behavior (Ajzen, 2002).Based on the work by Kuo, Lin, & Hsu (2007), two kinds of privacy self-efficacy are covered to simultaneously see the impact on individual's privacy intention.Therefore, this research posits a privacy decision making model that attitude toward privacy protection, privacy self-efficacy for protection, and privacy self-efficacy for non-acquisition are critical factors essential to behavioral intention (see Figure 1).
In this model, three basic hypotheses are examined: [H1] There is a significant relationship between attitude toward privacy protection and privacy intention.
[H2] There is a significant relationship between privacy self-efficacy for protection and privacy intention.
[H3] There is a significant relationship between privacy self-efficacy for non-acquisition and privacy intention.
In addition, this study aims at exploring the role of information ethics education in influencing students' concepts concerning information privacy.Therefore, a semester longitudinal model is compared: Time 1 represents the period before students have had formal education in information ethics, and Time 2 (a semester later) represents the period after students have mastered the information ethics course.This design is intended to see whether the model paths for Time 1 (before information ethics education) significant difference from those paths for Time 2 (after education).Therefore, three extended hypotheses are proposed: [H4] There is a significant path difference between pre-education and post-education students in the relation between attitude toward privacy protection and privacy intention.
[H5] There is a significant path difference between pre-education and post-education students in the relation between privacy self-efficacy for protection and privacy intention.
[H6] There is a significant path difference between pre-education and post-education students in the relation between privacy self-efficacy for non-acquisition and privacy intention.

Research Procedure
Every student was asked to fill out the questionnaire at the beginning of the information ethics course (Time 1).During the information ethics course, the course design are described in the following: First, the teacher lectured fundamental knowledge concerning a wide range of information ethics topics, including basic ethical principles and information ethics issues (information privacy, information property rights, freedom of speech, and so on).Second, teaching strategies cover problem-based instruction to raise students' moral imagination, and casebased instruction to have students open discussions on ethical dilemmas.Finally, the values clarification strategy is used to conclude by teacher.
Through information ethics education, students are situated in the vignettes concerning information privacy (and other information ethics topics).Vignettes feature ethical dilemmas among competing ethical principles that can be addressed, which are meant to be a kind of teaching tools, more specific, the vignettes create a problem-solving approach to call for students taking part in how to make ethical decision making.After the vignettes discussions, students have to document the decision-making process as the case assignments.At the end of the semester, all students were asked to fill out the second questionnaire at the end of the semester (Time 2).

Vignette Design
A scenario-based field survey was adopted for conducting the present study.Due to the sensitive nature of ethical conduct, vignettes have the advantages of providing a quasi-way to respond to sensitive issues and offering realistic scenarios that place the subject in a decision-making role.Such vignettes are commonly used in ethics research (Banerjee, Cronan, & Jones, 1998;Harrington, 1996).
In this study, to reflect the research issue concerning information privacy, the design of the scenario used in this study adapts privacy case IV.1 from the American Federation of Information Processing Societies (AFIPS) scenario collection (Parker, Swope, & Baker, 1990), the case describes a the scenario concerning revealing a system's inadequate protection of privacy.The subjects were placed in decision-making roles for the targeted privacy protection behavior; that is, whether to fix the back-door deficiency of the computing system even though customers may not aware the possible invasion of personal information.

Constructs and Operationalization
Three constructs, which used multiple-item scales, were measured in this study.The constructs "attitude toward privacy protection" and "privacy intention" were referenced from (Ajzen, 2002).The construct of "attitude toward privacy protection" refers to the individual's feeling for the behavior to fix the back-door deficiency of the computing system, which consists of two items, an example item from this scale was "The decision is beneficial to the companies."The construct of "privacy intention" refers to the individual's decision to fix the back-door deficiency of the computing system, which consists of two items, an example item from this scale was "If I were the IS employee in this story, I would plan to behave the same as he did."The measurement items used to construct privacy self-efficacy were referenced from Kuo et al. (2007).The construct of "privacy self-efficacy for protection" refers to whether an individual can take the necessary courses of action for guarding accidental disclosures of information in a public environment, which consists of two items, an example item from this scale is: "If you happen to find that some customers' privacy information is revealed on the network, how confident are you to protect this information immediately?"As for the construct of "privacy self-efficacy for non-acquisition" refers to whether a person has the self-confidence to refuse to acquire and use privacy information before he or she obtains the necessary authorization or permission to do so, which consists of six items, an example item is: "If you have the means to access the privacy information concerning your customers beyond the delegated situation, how confident are you not to take advantage of this situation?"All the research construct items used a seven-point Likert scale anchored between "strongly disagree (=1)" and "strongly agree (=7)".

Participants
As the amount of businesses and individuals information continue to grow and the access to that information by IT personnel increases, ethics cognition and value judgments by IT professionals becomes more important.Especially for those students who major in information systems, an obligation to understand the responsibility that goes with their IS profession is imperative.Their values concerning information privacy will affect how they write programs, manage privacy and security issues, and handle critical software and computing.
Therefore, the students who majored in the department of information management are chosen as the participants in this study.All participating students were senior-level undergraduate students from the universities in the south of Taiwan.In-class paper-and-pencil survey was administered to the subjects at their information ethics course.A total of 150 students from three classes voluntarily agreed to participate in the study.The 111 subjects completed both Time 1 and Time 2 surveys constitute a 74% valid dataset.The subjects were at this time taking the information ethics course; therefore, they shared the same demographics that ages ranged from 18 to 25 years, 58% are male students and 42% are female students.

Reliability and Validity
Exploratory factor analyses were used to assess convergent and discriminant validity.The results showed that values for the factor loadings were between 0.587 -0.931.All factor loadings were greater than 0.5 and all were statistically significant at p < 0.01, suggesting that the measures satisfied convergent validity.All eigenvalues associated with the factors exceeded the required level of 1.0, varying from 1.14 to 3.73.Principal components analysis was used as the extraction method for factor analysis with Varimax rotation.As shown in Table 1, the overall factor structural solution had an appropriate loading pattern and explained 68.94 percent of the variation.
An analysis of variance (ANOVA) of the four research variables shows that significant differences exist between the "before" and "after" information ethics education groups for the following variables: attitude toward privacy protection, and privacy self-efficacy for non-acquisition, yet there is no difference in privacy selfefficacy for protection and intention.More specific, through a semester long course teaching, students raise their concept about attitude toward privacy protection and privacy self-efficacy for non-acquisition (see Table 2).Table 3 shows the values of composite reliability (CR), and average variance extracted (AVE).The reliability CRs exceeded the level of 0.50 recommended by Fornell (1982); their values varied from 0.560 to 0.816, confirming the internal consistency of the constructs' items.The AVE estimates, ranged from 0.710 to 0.899, exceeded the 0.50 lower limit recommended by (Fornell & Larcker, 1981), supporting convergent validity.In addition, the correlation between each pair of research constructs were less than the AVE estimate of each construct (Segars & Grover, 1998), therefore supporting discriminant validity.

Hypothesis Testing
In this research, we have assessed our first four hypotheses by using the structural equation modeling (SEM) due to its ability to validate causal relationships.We have chosen Smart PLS 2.0.M3 for this analysis (Ringle, Wende, & Will, 2005).As recommended by Chin (1998), bootstrapping with 500 subsamples was performed to test the statistical significance of each path coefficient using the t-test.The structural model results of path coefficient and t-value are shown in Table 4.These results indicate that hypotheses H1 and H3 are supported, whereas hypothesis H2 is partially supported in the model of post-education.
The path coefficients show some interesting findings.The relationship between attitude and intention (H1: from 0.213 to 0.461), between privacy self-efficacy for protection and intention (H2: from 0.104 to 0.151), and between privacy self-efficacy for non-acquisition and intention (H3: from 0.222 to 0.278) have significant increases, which demonstrates the value of information ethics education.Regarding the R 2 of the research model, before information ethics education, the model explains 10.1% of the variation of privacy intention; after information ethics education, the model explains 27.3% of the variation of privacy intention.The significant R 2 change of privacy intention shows that a semester long information ethics education plays a role.
A path comparative analysis is employed to test the last three hypotheses, the statistical effect can be tested by using the formula provided by Sarstedt, Henseler, & Ringle (2011).A statistical comparison t-test shows that hypothesis H4, H5, and H6 are supported, as shown in Table 5.The findings exhibit an important insight: through information ethics education, students demonstrate significant model paths changes in the relationships of attitude, privacy self-efficacy for protection, and privacy self-efficacy for non-acquisition to intention.

Conclusion
From the findings of this study, the hypotheses are supported and confirmed that the necessity of information ethics education helps nurturing students' privacy decision making.Specifically, results from the study shed light on interesting or subtle differences in information ethics education.It is a semester long information ethics course that helps IS students strengthening the relationships between attitudes, two kinds of privacy self-efficacy and privacy intention.This study specific explores two kinds of privacy self-efficacy for both "protection" and "non-acquisition" which will influence one's behavior when individual faces with information privacy dilemmas in the workplace.Findings of this study generally support the results of previous studies on self-efficacy theory.
Corresponding the findings of this study with the four goals of CSAB requirements, this study demonstrates that information ethics course helps students to be situated in the vignettes concerning information privacy (and other information ethics topics), as a result, this study confirms that the benefits of information ethics education are to encourage students to articulate and express their views on social and legal issues concerning information society; also, the scenario-based case discussion places students in the situation concerning the impact of computing on the information society to help raising their introspection.Especially for those students who major in information systems, an obligation to understand the responsibility that goes with their IS profession is imperative.Therefore, the information ethics course also aids students in becoming qualify information systems professionals; and helps students accepting the responsibilities associated with being information systems professionals.In the long run, it is expected that those students who were equipped with information ethics literacy would behave more ethically and choose not to act unethically.
Nowadays, most information privacy invasions are not dramatic or visible; they creep up slowly, especially true for the online environment.Students need to sharpen their sensibilities in recognizing the hazards of invasion of privacy or violation of privacy rights of others.The findings of this study strongly recommend that the information ethics course can be the professional ethics training in school, which should be a mandatory subject in IS curriculum.Especially a high percentage of college students in the department of information management will work as the information workers after they graduate.Therefore, increasing students' consciousness of IS knowledge and ethics constitutes an important strategy to coach students in dealing with quandaries in the business environment.

Table 1 .
EFA loading structures for antecedent research constructs.

Table 2 .
ANOVA test for the significance between groups before and after education.

Table 3 .
Reliability and validity among constructs.

Table 4 .
Structural model results.

Table 5 .
Differences before and after information ethics education.