A security risk perception model for the adoption of mobile devices in the healthcare industry

  • Alex AlexandrouEmail author
  • Li-Chiou Chen
Original Article


Within the past few years, we have seen increasing use of mobile devices in the healthcare environment. It is crucial to understand healthcare practitioners’ attitudes and behaviors towards adopting mobile devices and to interacting with security controls, while understanding their risks and stringent regulations in healthcare. This paper aims to understand how healthcare practitioners perceive the security risks of using mobile devices, and how this risk perception affects their intention to use the devices, and to adopt the security controls that are required. To facilitate such understanding, we propose a theory-grounded conceptual model that incorporates subjective beliefs, perception of security risk, and behavioral intentions to both use mobile devices and comply with security controls. Furthermore, we studied the behavioral intentions under two scenarios among practitioners, when healthcare institutions provided the mobile devices, called hospital-provided devices, or when practitioners used their own devices, bring-your-own-devices. Based upon our conceptual model, we conducted an empirical study, recruiting 264 healthcare practitioners from three hospitals and their affiliated clinics. Our study provided several practical implications. First, we confirmed that it is critical in healthcare institutions to have safeguards on mobile devices that are convenient for practitioners to adopt. Second, to promote security policy compliance in mobile devices and safeguard medical information, healthcare administrators must take different approaches to security depending on how they provide mobile devices to practitioners. Third, the security training for devices should deliver different messages to different occupational groups. Last but not the least, our proposed model offers new perspectives towards a better understanding of integrating perceived security risk, behavioral intention to adopt a technology, and behavioral intention to comply with security control in the healthcare industry.


Mobile devices Healthcare Bring-your-own-devices (BYOD) Security risk perception Behavioral intention Security controls Electronic medical records (EMR) 



  1. Ajzen, I. 1985. From intention to actions: A theory of planned behavior. In Action-control: From cognition to behavior, ed. J. Kuhl and J. Beckman. New York: Springer.Google Scholar
  2. Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes 50 (2): 179–211.Google Scholar
  3. Astani, M., K. Ready, and M. Tessema. 2013. BYOD Issues and strategies in organizations. Issues in Information Systems 14 (2): 195–201.Google Scholar
  4. Blumstein, A., J. Cohen, and D. Nagin. 1977. Deterrence and incapacitation: Estimating the effects of criminal sanctions on crime rates. Washington, DC: National Academy of Sciences.Google Scholar
  5. Bulgurcu, H., H. Cavusoglu, and I. Benbasat. 2010. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34 (3): 523–548.Google Scholar
  6. Burns, A.J., and M.E. Johnson. 2015. Securing health information. IT Professional 17 (1): 23–29.Google Scholar
  7. Chen, Y.H., and S. Barnes. 2007. Initial trust and online buyer behavior. Industrial Management & Data Systems 107 (1): 21–36.Google Scholar
  8. Cheng, L., Y. Li, W. Li, E. Holm, and Q. Zhai. 2013. Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security 39: 447–459.Google Scholar
  9. Chenoweth, T., R. Minch, R., and T. Gattiker. 2009. Application of protection motivation theory to adoption of protective technologies. In Proceedings in 42th Hawaii International conference on system sciences, 1–10, 5 Jan, Hawaii. IEEE.Google Scholar
  10. Conner, M., and P. Norman. 2005. Predicting health behavior. New York: McGraw-Hill International.Google Scholar
  11. Cook, M., and D.T. Campbell. 1979. Quasi-experimentation: Design and analysis issues for field settings. Boston: Houghton Mifflin.Google Scholar
  12. D’Arcy, J., A. Hovav, and D. Galletta. 2009. User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research 20 (7): 9–98.Google Scholar
  13. Davis, F.D. 1986. A technology acceptance model for empirically testing new end-user information systems: Theory and results. Ph.D. dissertation, Massachusetts Institute of Technology, Boston, MA.Google Scholar
  14. Davis, F.D. 1989. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly 13 (3): 319–340.Google Scholar
  15. Efron, E., and R. Tibshirani. 1986. Bootstrap methods for standard errors, confidence intervals, and other measures of statistical accuracy. Statistical Science 1 (1): 54–75.Google Scholar
  16. Escobar-Rodriguez, T., and M.M. Romero-Alonso. 2013. Modeling nurses’ attitude toward using automated unit-based medication storage and distribution systems: An extension of the technology acceptance model. CIN: Computers, Informatics, Nursing 31 (5): 235–243.Google Scholar
  17. Fishbein, M., and I. Ajzen. 1975. Belief, attitude, intention and behavior: An introduction to theory and research. Psychological Bulletin 84: 888–918.Google Scholar
  18. Fornell, C., and F.L. Bookstein. 1982. Two structural equation models: LISREL and PLS applied to consumer exit-voice theory. Journal of Marketing Research 19 (4): 440–452.Google Scholar
  19. Garg, V., and J. Camp. 2012. End user perception of online risk under uncertainty. In Proceedings in 45th Hawaii international conference on system sciences, 3278–3287; 4 Jan, Hawaii. IEEE.Google Scholar
  20. Gagnon, M.P., P. Ngangue, J. Payne-Gagnon, and M. Desmartis. 2016. m-Health adoption by healthcare professionals: a systematic review. Journal of the American Medical Informatics Association 23 (1): 212–220.Google Scholar
  21. Gefen, D., D. Straub, and M.C. Boudreau. 2000. Structural equation modeling and regression: Guidelines for research practice. Communications of the Association for Information Systems 4 (1): 7.Google Scholar
  22. Hair, J.F., G.T.M. Hult, C.M. Ringle, and M. Sarstedt. 2014. A primer on partial least squares structural equation modeling (PLS-SEM). London: Sage.Google Scholar
  23. Hair, J.F., G.T.M. Hult, C.M. Ringle, M. Sarstedt, and K.O. Thiele. 2017. Mirror, mirror on the wall: A comparative evaluation of composite-based structural equation modeling methods. Journal of the Academy of Marketing Science 45 (5): 616–632.Google Scholar
  24. Henseler, J., T.K. Dijkstra, M. Sarstedt, C.M. Ringle, A. Diamantopoulos, D.W. Straub, and R.J. Calantone. 2014. Common beliefs and reality about PLS: Comments on Rönkkö and Evermann (2013). Organizational Research Methods 17 (2): 182–209.Google Scholar
  25. Holden, R.J., and B.T. Karsh. 2010. The technology acceptance model: Its past and its future in health care. Journal of Biomedical Informatics 43 (1): 159–172.Google Scholar
  26. Kim, S., K.H. Lee, H. Hwang, and S. Yoo. 2016. Analysis of the factors influencing healthcare professionals’ adoption of mobile electronic medical record (EMR) using the unified theory of acceptance and use of technology (UTAUT) in a tertiary hospital. BMC Medical Informatics and Decision Making 16 (1): 12.Google Scholar
  27. Koehler, N., O. Vujovic, and C. McMenamin. 2013. Healthcare professionals’ use of mobile phones and the internet in clinical practice. Journal of Mobile Technology in Medicine 2 (1S): 3–13.Google Scholar
  28. Kowitlawakul, Y. 2011. The technology acceptance model: Predicting nurses’ intention to use telemedicine technology. Computer Informatics Nursing 29 (7): 411–418.Google Scholar
  29. Lee, M.C. 2009. Factors influencing the adoption of internet banking: An integration of TAM and TPB with perceived risk and perceived benefit. Electronic Commerce Research and Applications 8 (3): 130–141.Google Scholar
  30. Liang, H., and Y. Xue. 2010. Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems 11 (7): 394–413.Google Scholar
  31. Liang, H., and Y. Xue. 2009. Avoidance of information technology threats: A theoretical perspective. MIS Quarterly 33 (1): 71–90.Google Scholar
  32. Ma, M., and R. Agarwal. 2007. Through a glass darkly: Information technology design, identity verification, and knowledge contribution in online communities. Information Systems Research 18 (1): 42–67.Google Scholar
  33. Marshall, S. 2014. IT consumerization: A case study of BYOD in a healthcare setting. Technology Innovation Management Review 4 (3).Google Scholar
  34. Mylonas, A., S. Dritsas, V. Tsoumas, and D. Gritzalis. 2011. Smartphone security evaluation—The malware attack case. In Proceedings of the international conference on security and cryptography SECRYPT-2011, 1825–1836; 18 Jul Athens, Greece.Google Scholar
  35. Ng, B., A. Kankanhalli, and C.Y. Xu. 2009. Studying users’ computer security behavior: A health belief perspective. Decision Support Systems 46 (4): 815–825.Google Scholar
  36. Pyszczynski, T., J. Greenberg, and S. Solomon. 1997. Why do we need what we need? A terror management perspective on the roots of human social motivation. Psychological Inquiry 8 (1): 1–20.Google Scholar
  37. Richter, N.F., R.R. Sinkovics, C.M. Ringle, and C. Schlaegel. 2016. A critical look at the use of SEM in international business research. International Marketing Review 33 (3): 376–404.Google Scholar
  38. Rhee, H.S., C. Kim, and Y.U. Ryu. 2009. Self-efficacy in information security: Its influence on end users’ information security practice behavior. Computers & Security 28 (8): 816–826.Google Scholar
  39. Ringle, C.M., M. Sarstedt, and R. Schlittgen. 2014. Genetic algorithm segmentation in partial least squares structural equation modeling. OR Spectrum 36 (1): 251–276.Google Scholar
  40. Ringle, C.M., M. Sarstedt, R. Schlittgen, and C.R. Taylor. 2013. PLS path modeling and evolutionary segmentation. Journal of Business Research 66 (9): 1318–1324.Google Scholar
  41. Ringle, C.M., M. Sarstedt, and D. Straub. 2012. A critical look at the use of PLS-SEM. MIS Quarterly 36 (1): iii–xiv.Google Scholar
  42. Rogers, R.W. 1975. A protection motivation theory of fear appeals and attitude change. The Journal of Psychology 91 (1): 93–114.Google Scholar
  43. Rogers, R.W. 1983. Cognitive and physiological process in fear appeals and attitudes changer: A revised theory of protection motivation. In Social psychophysiology: A sourcebook, ed. J.T. Cacioppo and R.E. Petty, 153–176. New York: Guilford.Google Scholar
  44. Rönkkö, M., C.N. McIntosh, J. Antonakis, and J.R. Edwards. 2016. Partial least squares path modeling: Time for some serious second thoughts. Journal of Operations Management 47: 9–27.Google Scholar
  45. Schifter, D.E., and I. Ajzen. 1985. Intention, perceived control, and weight loss: An application of the theory of planned behavior. Journal of Personality and Social Psychology 49 (3): 843–851.Google Scholar
  46. Siponen, M., A. Mahmood, and S. Pahnila. 2014. Employees’ adherence to information security policies: An empirical study. Information & Management 51 (2): 217–224.Google Scholar
  47. Straub, D.W., and R.J. Welke. 1998. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22 (4): 441–469.Google Scholar
  48. Sun, Y., N. Wang, X. Guo, and Z. Peng. 2013. Understanding the acceptance of mobile health. Journal of Electronic Commerce Research 14 (2): 183–200.Google Scholar
  49. Tejaswini, H., and H.R. Rao. 2009. Protection motivation and deterrence: A framework for security policy compliance in organizations. European Journal of Information Systems 18 (2): 106–125.Google Scholar
  50. Venkatesh, V., T.A. Sykes, and X. Zhang. 2011. Just what the doctor ordered’: A revised UTAUT for EMR system adoption and use by doctors. In Proceedings in 44th Hawaii international conference on system sciences, 1–10; 4 Jan Hawaii. IEEE.Google Scholar
  51. Workman, M., W. Bommer, and D. Straub. 2008. Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior 24 (6): 2799–2816.Google Scholar
  52. Yarbrough, Amy K., and Todd B. Smith. 2007. Technology acceptance among physicians: A new take on TAM. Medical Care Research and Review 64 (6): 650–672.Google Scholar
  53. Zhang, J., B.J. Reithel, and H. Li. 2009. Impact of perceived technical protection on security behaviors. Information Management & Computer Security 17 (4): 330–340.Google Scholar

Copyright information

© Springer Nature Limited 2019

Authors and Affiliations

  1. 1.Department of Security, Fire, and Emergency ManagementJohn Jay College of Criminal JusticeNew YorkUSA

Personalised recommendations