CCE Theses and Dissertations

Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


College of Computing and Engineering


Ling Wang

Committee Member

James N. Smith

Committee Member

Martha M. Snyder


extended UTAUT2 with risk, information assurance, information systems, information technology, privacy, risk


Information technology security policies are designed explicitly to protect IT systems. However, overly restrictive information security policies may be inadvertently creating an unforeseen information risk by encouraging users to bypass protected systems in favor of personal devices, where the potential loss of organizational intellectual property is greater.

Current models of the acceptance and use of technology, the Technology Acceptance Model Version 3 (TAM3) and the Unified Theory of Acceptance and Use of Technology Version 2 (UTAUT2), address the use of technology in organizations and by consumers. However, little research has been done to identify an appropriate model to begin to understand what factors would influence users who can choose between using their own personal device and using organizational IT assets, separate and distinct from “bring your own device” constructs. There are few organizations with radical demarcations between organizational assets and personal devices. One such organization, the United States Intelligence Community (USIC), provides a controlled environment where personal devices are expressly forbidden in workspaces. It is therefore a uniquely situated organizational milieu, in that the use of personal devices would have to occur outside of the organizational environment. This research aims to bridge the divide between these choices by identifying the factors that influence users to select their own devices to overcome organizational restrictions in order to conduct open-source research.

The research model was amalgamated from the two primary theoretical frameworks, TAM3 and UTAUT2, and is the first to integrate these theories as they relate to the intention to use personal or organizational systems, addressing the choices employees make between personal and organizational assets to accomplish work-related tasks. Using survey data collected from a sample of 240 employees of the USIC, Partial Least Squares Structural Equation Modeling (PLS-SEM) statistical techniques were used to evaluate and test the model, estimate the path relationships, and provide reliability and validity checks.

The results indicated that the Perception of Risk in the Enterprise (PoRE) significantly increased the Intention to Use Private Internet and decreased the Intention to Use Enterprise devices, as well as increasing the Perceived Ease of Use of Private Internet (PEUPI). The results of this study provide support to the concept that organizations must do more to balance threats to information systems with threats to information security. The imposition of safeguards to protect networks and systems, as well as employee misuse of information technology resources, may unwittingly incentivize users to use their own Internet and devices instead, where enterprise safeguards and protections are absent. This incentive is particularly pronounced when organizations increase the perceived threat of risk to users, whether intentional or inadvertent, and when the perception of the ease of use and usefulness of private Internet devices is high.