Social media surveillance: A personality-driven behaviour model

social media surveillance via third-party apps by evaluating the combined influence of personality type and awareness.


Introduction
For many Internet users, participating in social networking has become a daily routine (Hallam & Zanella 2017;Li, Lin & Wang 2015). Such participation allows users not only to share content with friends and family (Chen, Sharma & Rao 2016) but also to accumulate social capital whilst developing psychosocial networks (Hallam & Zanella 2017). With more than 2 billion active users (Jafarkarimi et al. 2016), Facebook and social networks in general have become lucrative commercial environments for businesses because of the ability to market to a large captive audience with relative ease (Vladlena et al. 2015). For example, targeted advertising no longer relies on the completion of lengthy and time-consuming consumer surveys. Rather, corporates use location-based services (LBS) to pinpoint the places users frequent. When combined with data related to a social media profile, corporates like Facebook can create rich descriptions of their users' behavioural patterns. Not only are the resultant data assemblages (combination of location and profile data) useful for improving the services delivered by Facebook but also they are useful as a commodity -one that can be sold to third-party organisations as a form of information misuse (Fuchs 2012).
http://www.sajim.co.za Open Access this data set was combined with their Facebook profile (they had to sign in with their Facebook credentials) and the resultant data assemblage was misused. As such, it seems that users are unaware of how their personal information may be used by not only social media sites but also the third-party apps they elect to link to their social media profiles.
Given that the behaviour of a user is influenced by his or her personality (Moore & McElroy 2012) and users are seemingly unaware of how their personal information is used (Wagner et al. 2018), this article sets out to explore how personality types and awareness influence a user's behavioural intent to make use of third-party apps on social media -Facebook in particular. The article contributes by developing a research model that can be used to ascertain how susceptible an individual is to social media surveillance (SMS). To determine this, the model evaluates both the influence of a user's personality type and awareness of SMS on their attitude towards the use of third-party Facebook apps. Because the research model evaluates human behaviour, it is based on the Theory of Planned Behaviour (TPB).
The article is structured as follows: firstly, the reader is presented with a discussion on the extent of Facebook surveillance, followed by a discussion on the methodological approach used in this article. This is followed by a review of related studies detailing the findings of other researchers who have studied behavioural information security by investigating the influence of personality types and awareness. From the preceding discussion, we create two propositions and illustrate them on an adapted version of TPB in the form of a research model.

Extent of Facebook surveillance
As one of the largest social media websites, Facebook has made extensive commercial use of its users' profile data over a number of years (Lyon 2014;Mamonov & Benbunan-Fich 2018). Such data are not only used to improve its service offerings but also to fund its operations. With a daily user count of 1.52 billion active users (as of December 2018), Facebook has access to large amounts of data related to user behaviour (Chang & Chen 2014). For example, with the widespread adoption of mobile devices, Facebook has made extensive use of LBS to leverage such data sets. Everything users post and do on the platform is commodified and although such interactions enrich the Facebook experience, they raise a myriad of information privacy concerns (Chang & Chen 2014).
These concerns include privacy settings that are a challenge to use, the creation of algorithm-driven data assemblages by third-party apps, users not taking adequate responsibility for their personal information and a general lack of awareness of the aforementioned issues (Jeong & Kim 2017;Jordaan & Van Heerden 2017;Lee, Hansen & Lee 2016;Symeonidis et al. 2018;Taneja, Vitrano & Gengo 2014). For example, Symeonidis et al. (2018) found that such inadequate privacy settings, as well as suboptimum server communications made it easy to retrieve personal information via a third-party app. Using the AppInspect data set, Symeonidis et al. (2018) demonstrated that app developers can not only extract data from one app but also combine the data of a single Facebook user across several apps -mainly because most app developers usually own and operate more than one app. A case in point is Telaxo, which operates 118 apps, with more than 10 000 users actively using these apps. Over and above directly accessing the personal information of Facebook users, these app providers are able to gain indirect access to the Facebook users' friends. One example is TripAdvisor, which collects information on the user's location, residence and 'likes'. This information is then inadvertently also available to the user's friends to keep track of locations they may have both visited in the past. Collating such information allows TripAdvisor to better understand not only travel behaviour but also the common personal traits of the individuals who visited a specific location of interest. Even Facebook-based games are used in this manner. For instance, Symeonidis et al. (2018) found that if a user installs Candy Crush Saga, the app not only collects the user's profile name but also his or her profile picture and country of residence. Like TripAdvisor, the app collects the user's entire friend list. Most importantly, the users are unaware of this.
Facebook users' lack of responsibility could also be exploited when viewing social media sites as environments where users only engage in a personal capacity. Rather, users rarely assume responsibility, to the extent that the privacy consequences are assessed at an organisational level, which is where information is often misused by third parties (Barth & De Jong 2017). This is confirmed by Chang and Chen (2014), who found that users of both Socialight and Foursquare (both LBS platforms) were more interested in the ability to strengthen social relations than assessing the information privacy concerns at an organisational level. Similar results are reported by Tariq et al. (2017), who found that many Facebook users voluntarily adjust their privacy settings to keep track of their friends' whereabouts, as well as to stay open to additional contacts. Further (and more recent) evidence is provided in the form of the sheer magnitude (300 million, circa 2017) of personal photos that are shared by Facebook users on a daily basis (Mamonov & Benbunan-Fich 2018). This happens despite the number of information security breaches that have occurred since January 2017 (i.e. Adidas, Macy's, Kmart, Delta Airlines and Under Armour), which in some instances resulted in the loss of users' personal information (Green & Hanbury 2018). Thus, the collection and distribution of personal information on social media sites (via third-party apps) exceed what users assume, expect and are aware of.

Research methods and design
To select relevant literature, we used a systematic approach. Specific search phrases were selected to conduct initial searches on several academic databases. Phrases such as theory of planned behavior/behaviour, awareness, personality type/trait and individual differences were used in various combinations on a number of academic databases, which included the likes of ScienceDirect, Sabinet, Scopus, ACM, AISLnet, Google Scholar (via Publish or Perish) and the IS Senior Scholars Basket of Journals. All the searches were conducted in the last week of April 2018 and included any publications (published between 2000 and 2018) that matched the search phrases listed above. After excluding publications based on relevance (title and abstract only), we ended up with an initial collection of 65 publications.

Qualitative data analysis: Phase 1
These publications (65) were subsequently imported into a qualitative data analysis software (QDAS) package called Atlas.ti to quantify the qualitative data (i.e. selected publications). Atlas.ti performs analyses of textual data by associating pieces of text (quotes in Atlas.ti) with one or more codes. Within the context of Atlas.ti, codes are short phrases that can be used to logically group one or more quotes from a variety of textual sources (called documents in Atlas.ti). For example, the code called ++qdas:limitations was used to logically group quotes from a number of textual data sources (publications in this context). Using QDAS packages in this manner allowed us to collectively analyse a large set of data in a structured manner. This often leads to the discovery of latent themes (Albertus, Ngwenyama & Brown 2015).
In addition to the discovery of latent themes, we also focused on identifying areas of theoretical overlap (called co-occurrence in Atlas.ti). This was achieved by visualising the codes (Hwang 2008;Knigge & Cope 2006) and their associated quotes in such a manner that we were able to see the instances of co-occurrence on an Atlas.ti network, as illustrated in Figure 1.
For example, the code findings:awareness is coded in such a manner that it co-occurs with the code findings:personality influence on behaviour. Here, the quote (labelled 24:23) is associated with both of the aforementioned codes. The same applies to quote 24:27. These areas of overlap in turn allowed us to identify theoretical relations, which led to the creation of our propositions. For example, Figure 1 was used to support the proposition that awareness influences behaviour. Additionally, such a structured approach enabled us to create synthesised narratives by combining multiple perspectives on a theme or code (Bandara, Miskon & Fielt 2011).
Although software packages, such as Atlas.ti and NVivo, facilitate analyses by providing a set of software functions to collate and code data, the onus is still on the researcher(s) to analyse and interpret the data (Paulus et al. 2017). In other words, QDAS packages should not overshadow the methodological approach by imposing software-specific behaviour, but rather complement it (Knigge & Cope 2006). For example, Bandara et al. (2011) suggest that researchers create an a priori coding framework before engaging with the software. To this end, we created our own coding framework by adding codes unique to our study to those suggested by Bandara et al. (2011).
Following this, all 65 publications were read in detail to ascertain whether they would be useful within the context of this article. This resulted in the exclusion of 30 publications (i.e. articles that are not relevant). After deciding on our final set of publications, we deductively coded the remainder of the publications by using the initial coding framework. This resulted in the creation of 827 coded quotes, which concluded phase 1 of the content analysis.

Qualitative data analysis: Phase 2
Although the second phase of our content analysis still made use of the initial framework, its main focus was on coding for relevant content in an inductive manner. As such, certain codes were merged into what Atlas.ti calls code groupshenceforth referred to as themes. This process led to the discovery of additional themes which increased the number of coded quotes to 1360. In this manner, three themes were created, as guided by the study objectives, namely, influence of awareness on behaviour, influence of personality on behaviour and use of theory. Together, these three themes contained 36 merged codes and although this formed the focus of the study, a number of additional code groups were created. These additional groups assisted in the creation of a suitable introduction, literature review and provided support for certain arguments. Together, these code groups guided not only the theoretical development of the propositions but also the resultant narratives.

Theoretical development and propositions
In this section, we first provide an outline of how the TPB (amongst others) has been used in related studies, followed by a two-part discussion detailing the development of the propositions to be evaluated.

Use of behavioural theories
The TPB, an adapted version of the theory of reasoned action (TRA), suggests that an individual's intention to behave in a certain way is determined by three factors: attitude, subjective norms and perceived behavioural control  (Ajzen 1991). Within this context, attitude is defined as the extent to which an individual either positively or negatively values performing a behaviour. Thus, if a Facebook user displays a positive attitude towards sharing information (possibly unaware of surveillance), they may be more likely to use third-party apps (Taneja et al. 2014). Perceived behavioural control largely determines how likely an individual perceives himself or herself to execute the intended behaviour, as determined by the resources at their disposal. Such resources include any of the following combinations: information, beliefs about self-efficacy, time and money, amongst others (Tariq et al. 2017). Thus, if a Facebook user has access to the required resources to such an extent that he or she believes they are able to use third-party apps effectively, it will influence their intention to do so. Furthermore, given that an individual has access to the aforementioned resources and has a positive attitude towards the behaviour in question, subjective norms dictate an individual's perception about what others deem he or she should do (Jafarkarimi et al. 2016).
It is exactly this focus on general motivational factors that makes it possible to use this theory to assess the behavioural intent of any voluntary activity (Armitage & Conner 2001). In a study on cyber-slacking, Taneja et al. (2014) used TPB to evaluate students' intent to engage in this form of distracting behaviour and used the factors as described above. Their results indicated that both subjective and descriptive norms have a significant effect on a student's intent to participate in cyber-slacking. To better understand the antecedents that influence employees' attitudes towards information security policy compliance, Bulgurcu, Cavusoglu and Benbasat (2010) also adapted TPB by combining it with rational choice theory (RCT). In general, RCT explains the choices individuals make to achieve a specific goal (Taneja et al. 2014). Some authors, such as Hallam and Zanella (2017), have also suggested the use of construal level theory (CLT) to assist researchers in understanding the differences in users' perceived value of performing a behaviour. They argue that such a value-laden understanding may go a long way towards explaining the existence of the privacy paradox, which is defined as the difference between users' intended and actual privacy-related behaviour. Other theories, such as cognitive deficiency theory (CDT), make the argument that it is not the value of privacy outcomes, but rather the lack of privacy protection knowledge that determines behaviour (Hallam & Zanella 2017). However, according to Gordon (2004), CDT cannot adequately explain why the so-called knowledgeable users (those working in the IT industry) perpetuate information privacy beliefs that tilt the scales in favour of the privacy paradox.
As opposed to specifying the motivational factors upfront, certain theories such as the uses and gratification theory (UGT) attempt to understand the needs and associated motives for making use of media (Lee et al. 2016). Hence, Lee et al. (2016) used this theory to evaluate the influence of previously determined motives such as social relations, interactions, time management, entertainment value, self-expression and purpose. Although Lee et al. made specific reference to individual differences (such as personality types), their focus on identifying rather than using motivational factors made it unsuitable in the context of this article. The same holds for theories that evaluate trust, such as the socio-cognitive theory (SCT), which Wang and Drake (2015) used to understand the relationship between job applicants and placement agencies.
To calculate the likelihood of performing a specific behaviour, authors have also made use of privacy calculus. In essence, privacy calculus argues that a user will assess the risks of performing a behaviour in relation to the benefits. When viewed in the context of exchanging personal information, a user may elect to share such information with the understanding that he or she will receive something in return. Therefore, users are making a rational choice based solely on the aforementioned benefit and risk assessment (Li et al. 2015). Although privacy calculus will give some insights as to why users make use of third-party apps (their perceived benefit), it does not take awareness or personality types into account. Similarly, concerns for information privacy (CFIP) theory primarily considers the privacy of personal information from an organisational perspective (Kusyanti et al. 2017). As such, CFIP would not adequately capture factors such as attitude and awareness. The same applies to the use of Internet users' information privacy concerns (IUIPC), as applied by Kusyanti et al. (2017) in their study on teens' information privacy concerns. Although Jiang et al. (2016) used TPB, they did so within a Chinese microblogging environment with a specific interest in the effect of self and social identity on behavioural intent. Conscientious individuals are characterised as organised, careful, hardworking, persistent and reliable, possessing an innate desire to succeed (James et al. 2017;Pentina et al. 2016). This is mirrored in a study on the use of mobile leisure apps, where the authors confirmed that conscientious individuals are less likely to make use of them as these apps are viewed as a hindrance to the pursuit of success (Xu et al. 2016).

The influence of personality type
Individuals high in agreeableness are often considerate and display high levels of self-control, compliance and trust http://www.sajim.co.za Open Access (Koban et al. 2018;Shropshire et al. 2015). Studies have found that such users not only disclose less personal information but also make use of fewer social media security features (Koban et al. 2018). Moreover, users high in agreeableness are more likely to adopt security software and possess greater concern for the security of their personal information (McCormac et al. 2017).
On the contrary, individuals high in openness to experience use their imagination, have a wide array of interests and make use of newer technologies (Amichai-Hamburger & Vinitzky 2010; Skues et al. 2012). As such, they are often characterised as early adopters of social media, prefer to experiment and are adept at avoiding risk (Shropshire et al. 2015).
Neurotic individuals tend to experience higher levels of emotional stress and anxiety (Koban et al. 2018;Pentina et al. 2016). They also tend to use technology to avoid social contact and rather engage with other individuals in a technological manner (Shropshire et al. 2015). It has also been found that individuals high in neuroticism are less likely to use Facebook with the intent to share personal information. However, when such individuals post information, they prefer to make use of features that facilitate various levels of control, such as posting on a Facebook wall (Skues et al. 2012). It is thus likely that neurotic individuals may adopt a positive attitude to thirdparty apps, as they are likely to share personal information on social media.
Individuals high in extraversion are typically more sociable, outgoing, affectionate and talkative (Warkentin et al. 2012). They prefer the company of others, and although such individuals may like others, they are not always likeable (James et al. 2017). It is these traits that cause extroverted individuals to take more risks (McCormac et al. 2017).

The behavioural influence of personality
Literature makes specific reference to studies where other researchers have also endeavoured to measure the influence of personality types. For example, Guido, Capestro and Peluso (2007) found that introverted individuals are more likely to do shopping as a utilitarian exercise, as opposed to the hedonic shopping behaviour of individuals high in extraversion. Although neuroticism and extraversion are considered direct opposites, Gohary and Hanzee (2014) found that they both exhibit hedonic behaviour when shopping. Another area that has been explored using personality types is cybersecurity compliance (Bulgurcu et al. 2010) and training, where researchers have provided evidence that individuals who exhibit high levels of conscientiousness and agreeableness are more likely to display compliant behaviour. To further this argument, Warkentin et al. (2012) conducted a survey to understand how these personality types influence threat and coping appraisal, as well as their perspective on sanctions. Their results indicate that individuals behave differently in similar conditions, which suggests that effective cybersecurity training should take such differences into account if it is to be truly effective. From the evidence provided, it is thus plausible that an individual's personality type influences his or her behaviour. We therefore propose the following: Proposition 1: An individual's personality type will influence his or her intent to make use of third-party apps on Facebook.

The influence of awareness
In this article, we argue that an individual's awareness of SMS influences his or her intent to make use of third-party Facebook apps. We define SMS as the monitoring and capturing of personal information when making use of social media-based third-party apps -Facebook in particular. From the literature it is known that although organisations believe information security awareness is important, they openly admit that not enough resources are allocated to furthering such efforts (Kruger & Kearney 2006). Moreover, those organisations that conduct awareness training do not adequately address individual differences (including personality), which ultimately influence information security behaviour. For example, when individuals are faced with the decision to comply with an organisation's information security policy (ISP), it has been found that awareness directly influences not only their beliefs on the possible outcomes, but more importantly their attitude towards compliance (Tsohou, Karyda & Kokolakis 2015), thus acting as an antecedent of their intent to comply. In a similar study on privacy behaviour in students, Van Schaik et al. (2018) found that although there was little relation between their privacy attitudes and the information they shared on Facebook, users were concerned that the shared information could be identified.
Other studies have found that individuals' incorrect assumptions about information security are indicative of the role played by information security awareness and trust (Van der Schyff & Krauss 2014). In such instances, individuals cited that they were not knowledgeable enough to make informed information security decisions.
However, awareness of privacy settings alone has been shown to have no effect on how information is provisioned, as younger adults tend to assume that the necessary legal structures are in place to protect their personal information (Miltgen & Peyrat-Guillard 2014). In a similar study, Junger, Montoya and Overink (2017) found that users make a number of assumptions as to what type of information cybercriminals find appealing. For example, in the experiments they conducted, many of the users did not understand how the information they were asked to provide (an email address) could be misused in a phishing campaign.
When individuals are equipped with sufficient knowledge (and are thus more aware), their attitude towards information security improves. One example is the study conducted by Mamonov and Benbunan-Fich (2018) where the authors found a positive increase in the attitudes of individuals towards password strength. Similar effects in the attitude http://www.sajim.co.za Open Access towards information security are reported by Karwatzki et al. (2017), who found that an increase in transparency features (thus raising awareness) had a positive influence on information security behaviour, with users sharing less personal information. Conger, Pratt and Loch (2013) provide a similar argument, stating that individuals are likely to change their security behaviour once they become aware of the extent of secondary data use. We therefore propose the following: Proposition 2: An individual's information security awareness of SMS will positively influence his or her attitude towards the use of third-party Facebook apps.

Discussion
In Figure 2, we illustrate our research model -an adapted version of the TPB. We specifically replaced the construct perceived behavioural control with information security awareness of SMS for which we provide support in the previous section (as per Proposition 2). In this model, the five personality types take the form of independent variables, with information security awareness of SMS and attitude towards SMS acting as moderating variables. Together, both the independent and moderating variables influence the dependent variable, namely, actual use of third-party apps. Note that this article does not provide arguments for the inclusion of the construct named subjective norms. We also omit arguments for the link between information security awareness of SMS and intent to use third-party apps. Together, these form part of the limitations of this article.
This research model allows one to evaluate the influence of a user's personality type on his or her attitude towards using third-party apps on Facebook. This corresponds to the first proposition which is illustrated as P1 in Figure 2. Because attitude influences behavioural intent (as per TPB) and the first proposition wishes to evaluate the influence of personality types on a user's intent to use third-party apps, we have aligned this relationship with P1. In this regard, our content analysis suggests that conscientious users are one of the most important personality types to evaluate -mostly because of their cautious nature (Shropshire et al. 2015). Conscientious Facebook users are thus less likely to use third-party apps unless they are fully aware of their impact on the security of their personal information. Even when they are fully aware, such users may elect not to use certain third-party apps. In turn, this makes them the least susceptible to SMS. The same applies to agreeable users who display high levels of concern for the security of their personal information and are thus likely to adopt a cautious attitude towards the use of third-party apps on Facebook. As conscientious and agreeable users become more aware of the information security implications of SMS when making use of third-party apps, they are likely to re-evaluate their attitude towards SMS in general.
As awareness is not usually part of the TPB, substituting it for perceived behavioural control warrants some explanation. Theoretically, perceived behavioural control is defined as the relative ease of performing a specific behaviour. As such, it is considered to be an important predictor of behavioural intent. One might ask on which information or factors individuals rely when making such an assessment. We argue that one such means of attaining said information is by educating individuals about the risks of disclosing personal information on social networks in general and third-party apps in particular. It is exactly this lack of expertise that affects security-unaware individuals (Siponen 2001). It is thus possible that an educated individual (cybersecurity specific) will find it easier to effectively manage and make decisions related to the security of his or her personal information accessed via third-party apps. Even knowledge acquired from one's circle of influence could sufficiently educate an individual and thus increase self-efficacy (Heinze 2008  influences individuals' motivation to act on their level of selfefficacy, one could posit that neurotic individuals will most likely perceive themselves as ineffective at managing the security of their personal information. This may make them rely more on the default security settings when making use of third-party apps, as any changes made by themselves might be perceived as incorrect or insecure. Conversely, confident individuals (i.e. extroverts) are most likely to perceive the ease of securing their personal information as a trivial matter. If the central tenet of awareness within this context is education, it might be beneficial to also consider academic performance (i.e. appetite for learning). For example, De Feyter et al. (2012) found that agreeableness has a positive influence on academic performance. Given that these individuals place a strong emphasis on what others think and that learning increases awareness, it is plausible that those individuals high in agreeableness will exhibit higher levels of security awareness. In turn, if significant others display a positive attitude towards SMS, these agreeable individuals' level of awareness may also positively influence their attitude towards SMS.
On the other hand, low levels of emotional stability -especially amongst women and younger individuals -often lead to the increased use of not only Facebook but also the Internet as a whole (Amichai-Hamburger & Ben-Artzi 2003). These individuals need to both control information and feel a sense of belonging. This is important, as it furthers the argument that personality exerts a behavioural influence in general online, which may extend to the use of third-party apps in particular. Let us consider the use of Spotify (a music streaming app) by neurotic Facebook users (i.e. they have logged on with their Facebook credentials). The aforementioned users are likely to continue using the app not only because they are influenced by others who think they should use it, but also because they are able to 'follow' other users via play-lists and thus feel a sense of belonging. Being aware that their personal information is accessible by Facebook may only be an issue if they are sufficiently educated (thus aware); however, theory suggests that the aforementioned sense of belonging and the need of self-assurance are core (even overriding) individual differences within neurotic individuals. As such, awareness may influence attitude to a lesser extent amongst these individuals. The influence of awareness within the context of this article corresponds to the second proposition (P2), as illustrated in Figure 2.
Evaluating these propositions will allow organisations to modify existing security education training and awareness (SETA) campaigns to take the personality types of users into account. For example, training efforts could be tailored to focus more on users that display higher levels of extraversion, and openness to experience who have a higher propensity to take risks on and explore Facebook rather than first gaining some knowledge (and thus becoming more aware) regarding activities, such as SMS. From a practical perspective, this research model could also be used on other platforms, such as those provided by Google. Corporates that wish to increase levels of consumer trust could incorporate these results in the descriptions of the apps they offer so as to aid transparency. Given that individuals are usually aware of their personality type (Gosling, Rentfrow & Swann 2003), a raised level of awareness with regard to SMS would allow them to make an informed decision when selecting third-party apps on Facebook.

Limitations
The approach outlined in this article is limited on three fronts. Firstly, the codes and subsequent interpretations are influenced by the researchers' own thoughts and worldviews on the topic of SMS. As such, other researchers' models on the same topic may differ based on their views. For example, some researchers may view the value of information to be of particular importance and thus elect to rather use privacy calculus as opposed to the TPB. Secondly, because this study used a structured approach, the resultant inductively deduced model is based on a specific subset of literature. It stands to reason that a different search string (thus subset) may have also influenced the resultant analysis. Thirdly, we only provided arguments to support the links between a portion of the constructs contained in the full TPB and not all the relationships from the original model are illustrated. For example, the link between information security awareness of SMS and intent to use third-party apps is not argued here because of space concern.

Conclusion
In this article, we argued that both personality types and awareness influence behaviour. Using a structured approach, we selected a number of publications that explored behavioural aspects of information security. These publications were coded in two phases, leading to the identification of three main themes. From these themes we derived two propositions, which were used in our research model -an adapted version of the TPB.
Our research model makes use of information security awareness of SMS instead of perceived behavioural control; therefore, future research is required to explore the influence of both attitude and subjective norms. Similarly, researchers could also evaluate the influence of individual cultural differences instead of personality types by adopting an approach similar to that of Srite and Karahanna (2006). In addition to the influence of culture and personality, more work is required to ascertain the influence of value, responsibility, assumption and ignorance from a South African perspective. Moreover, such research should not only illustrate theory development but also make inferences based on empirical data.