Extending unified theory of acceptance and use of technology with ISO/IEC 27001 security standard to investigate factors influencing Bring Your Own Device adoption in South Africa

flexibility, which allowed employees to use their privately owned devices for work purposes, whilst companies have been able to save some costs of acquiring computer assets (Romer 2014). Background: As the use of mobile computing devices such as smartphones increase in developing countries, some employees in organisations prefer using their privately owned mobile devices for work purposes by following the Bring Your Own Device (BYOD) practice. However, the actual factors that influence the adoption of this practice are limited. Aim: This study aimed to investigate the factors that positively influence the employee’s behavioural intention to adopt the BYOD practice in organisations. Setting: The focus of the study is workers in various industries in South Africa. Method: A model is proposed which extends components of the Unified Theory of Acceptance and the Use of Technology (UTAUT) model by certain elements of the ISO/IEC 27001 security standard and an organisational factor. It is a quantitative study. Through a snowball method, a sample of 130 South African workers participated in the study by completing an electronic survey where 106 valid responses were received. Results: The data analysis was conducted through the SPSS data analysis tool. The results revealed that performance expectancy, effort expectancy, awareness and training, and policy existence positively influence the behavioural intention to adopt the BYOD Practice. Conclusion: The outcome of this study will benefit practitioners considering the implementation of BYOD and also researchers seeking to expand the scope of existing technology adoption frameworks.


Introduction
As a tradition, organisations of different business practices have provided employees with the necessary business tools such as mobile computing devices to perform their jobs. This practice allowed organisations to retain ownership of mobile devices and the information contained therein, as information is regarded as a valuable asset by most organisations (Madzima, Moyo & Abdullah 2014). This model of information asset management had its affordances and shortcomings for employees and organisations alike. Organisations often struggled with the financial burden to acquire, insure, maintain and replace the computing devices. For this reason, some organisations have adopted the Bring Your Own Device (BYOD) practice. In certain instances, employees use their privately owned devices out of convenience, which often leads to unreasonable expectations by employers for employees to stay available for work purposes even though it may come at a cost. The employers' expectations regarding the employee's use of personally owned devices, if unmanaged, could negatively affect the behavioural intention to adopt BYOD by employees. The BYOD practice has over the years allowed for some flexibility, which allowed employees to use their privately owned devices for work purposes, whilst companies have been able to save some costs of acquiring computer assets (Romer 2014).
According to Hovav and Putri (2016), BYOD is defined as an environment that permits its employees the use of their privately owned devices to access corporate network to perform their tasks. Another definition emphasises bringing a user's device to the workplace for official business use (Vignesh & Asha 2015). The common theme with both these definitions is that the user/employee privately owns the device. According to Morrow (2012), the 'D' in BYOD refers to more than the physical device. It extends to employees accessing Outlook Webmail and SharePoint, and other applications that are hosted on the cloud.
In this research's context, BYOD refers to employees using their privately owned devices such as cell phones, laptops, tablets to access work information and store such information on personal cloud storage.
According to Dang-Pham and Pittayachawan (2015), the increased risks of malware and information security incidents make implementing BYOD practices an option that must be thoroughly investigated to minimise any security vulnerabilities. Furthermore, because cybercrime is a global problem affecting various countries worldwide, companies stand to have their information stolen, destroyed or altered because of cybercrime. Therefore, any access to company information needs to be safeguarded.
Different types of cyber-attacks can be experienced when a device is exposed to unsafe environments when downloading software from untrusted sources. The BYOD devices are vulnerable to cyber threats when not configured securely based on the organisation's security standards (Yang, Hong-Chao & Guo-Zhen 2019). It poses more significant risks to the organisation's information when BYOD is ungoverned from the point of view of policy, strategy, and technical controls. Employees can use their devices to access company information through unsafe means.
The BYOD empirical studies in the past have focused on BYOD adoption from other framework dimensions which did not necessarily look at the factors that influenced the behavioural intention (BI) to adopt BYOD with a combination of factors emanating from a scholarly perspective and the practitioner side (Musarurwa, Flowerday & Cilliers 2018). This study aimed to look at the factors that positively influence employees' BIs to adopt BYOD in organisations. The unified theory of acceptance and use of technology (UTAUT) model and the International Organization for Standardisation (ISO)/International Electrotechnical Commission (IEC) 27001 security standard will be used as a lens in the study. The study was conducted using South African participants working in different industries. As South Africa is one of the developing countries, the results of this study will give insights into the level of awareness regarding BYOD practices by employees in organisations and the factors that drive BYOD adoptions in organisations.
This article makes the following contributions: • It adds to the existing body of knowledge regarding the factors affecting BYOD practices in developing countries. • It makes a significant theoretical contribution to the existing technology adoption frameworks. • Organisations will get to understand the factors that influence employees to adopt BYOD in corporate environments.
The remainder of the article has been structured as follows: The second section is literature review, the third and fourth sections focus on research design and methodology, the fifth section presents the findings and discussion, and the sixth section concludes the study.

Literature review Background
The adoption of BYOD policy is a strategic decision, which an organisation may formally choose to undertake for various reasons. Some of these reasons include: cost savings, improved efficiency and productivity (ISACA 2020). There are many aspects, which ought to be considered when organisations adopt a BYOD programme.
The strategy must cover all dimensions, which must be translated into a plan to operationalise the strategy. The policies, procedures and standards must be developed to ensure governance of BYOD (Fani, Von Solms & Gerber 2016). The other aspect is the technology and also the risks related to the multi-sharing of devices. The adoption of BYOD policy in an organisation is usually associated with introducing privacy and security risks because of a lack of information security awareness among employees and BYOD policy (Alotaibi & Almagwashi 2018).
Various studies have been conducted around developing relevant organisational BYOD policies to adequately address risks associated with the use of personally owned devices for work purposes (Herrera, Ron & Rabadao 2017). However, there is another aspect to BYOD implementation, which many researchers rarely discuss that is, whether BYOD practices are formalised from a policy governance perspective. The SysAdmin, Audit, Network and Security (SANS) institute conducted a study where they surveyed companies to establish their view of BYOD.
The results of the survey revealed that 97% of the 1000 surveyed companies deemed BYOD important. However, a further study revealed that 36% of these organisations stated that BYOD policies are not formalised, 23% of the companies do not allow BYOD, and 14% confirmed that they inform their employees to secure and monitor their devices (Vignesh & Asha 2015). The proposed study gives a view in terms of the South African industries where BYOD is adopted.

Bring Your Own Device risks and associated breaches
There are various benefits that organisations stand to gain from implementing the BYOD programme, such as cost reductions and improved productivity. However, there are also certain risks associated with the use of BYOD in organisations. Risk is the combination of the likelihood of an event and its consequence.
Risks such as security misconfiguration of devices and failure to restrict URL access are prevalent in BYOD environments (Lennon 2012).

Security breaches
The BYOD has both advantages and disadvantages. One of its shortcomings is that it can lead to many data security breaches, such as device theft or malicious data deletions. The use of personal devices to access emails, social media platforms and the downloading of different applications can potentially open doors to cybersecurity attacks. Security mistakes that happen in a non-work context could adversely compromise the security of information in an organisation. It is thus paramount that before an organisation adopts BYOD, a proper risk assessment is done to determine the existence of adequate controls (Dang-Pham & Pittayachawan 2015).
The corporate information that is stored on personal cloud storage services such as iCloud and Dropbox stand to be exposed if such services are compromised. For example, in 2016 Dropbox was hacked, and usernames and passwords were exposed and if employees store company information at their discretion in such platforms, such information can get exposed during a hack (Gibbs 2020).

Malware attacks
There are many risks related to the use of BYOD. According to (Dang-Pham & Pittayachawan 2015; Ameen et al. 2020), Malware is a common risk faced by any institution that seeks to implement BYOD. Malware refers to malicious software that gains access to the user's machines through phishing scams, email attachments and file sharing.

Data leakage
The risk of data leakage increases with the use of personal devices for work purposes. Data leakage risk is worsened because most devices are exposed to many dangers through private use when users access platforms such as the Internet and social media. Data leakage can result in reputational damages in an organisation. Some of the devices might not have more robust security controls such as encryption, which could help minimise data leakage risk. In organisations, such as tertiary institutions, where BYOD affects a higher number of users, insecure volumes of endpoints have to be considered when determining the impact of potential risk.
By adopting BYOD, an organisation is merely undertaking that even the mistakes that can happen outside the working environment can ultimately impact the organisation's online safety because of its opening. Measures such as awareness and training (AT) often minimise the risks associated with data security attacks (Bauer, Bernroider & Chudzikowski 2017;Dang-Pham & Pittayachawan 2015). Other major drawback concerning BYOD include the invasion of privacy. An organisation can monitor the use of a user device without the user being aware and this could result in some of their personal information also being monitored (Bann, Singh & Samsudin 2015).

Theft of mobile device
When personally owned devices get stolen with no controls to enable remote data wiping, the corporate information is likely to be exposed, which could ultimately cause reputational damage (Bongiovanni 2019).
Downer and Bhattacharya (2015) identified several other challenges associated with BYOD. They include technical issues such as the compatibility of privately owned devices and policy challenges that could arise as a result of the lack of policies and standards which regulate the use of BYOD devices in organisations. It is important for the organisations that seek to adopt BYOD to consider these issues methodically.

Benefits of Bring Your Own Device
Despite the risks posed by the introduction of BYOD in an organisation, there are various benefits that the organisations and employees can expect to gain. The reduction in the purchases of computer devices such as laptops, cell phones and tablets can be expected by the companies that adopt and implement BYOD policy. This financial saving can be channelled into other areas where financial resources are most needed. Other benefits include increased productivity and efficiency, mobility, job satisfaction and reduced information, communication and technology (ICT) support (Vignesh & Asha 2015). In organisations where there is no compensation in the form of allowances to employees for the use of BYOD, some employees may refuse the financial burden of BYOD and use the company-owned devices for business purposes which potentially affects their behavioural intention to adopt BYOD. It is when the benefits of implementing BYOD are seen to outweigh any risks that it gets implemented (Baillette, Barlette & Leclercq-Vandelannoitte 2018).
The gap in the existing literature regarding BYOD is that only a few empirical studies have been conducted on BYOD adoptions to identify factors that influence adoption. A study conducted by Lennon (2012), focused on employee attitudes towards using BYOD devices. Still, it is a study with specific gaps, that is, it is unclear how many participants took part in the survey. Another study by Ameen et al. (2020) focused solely on the employee's intention to comply with the BYOD policy, but it does not include evaluating factors that influence BYOD adoption holistically. A study that identified key traits for the behavioural intention to adopt BYOD was conducted to propose a BYOD intentional model (Musarurwa et al. 2018). The study's limitation is that it only focused on participants from one organisation and looked at BYOD controls and not necessarily adoption.

Theories and hypothesis development Theoretical background
There are various frameworks that have been used in the past to determine the adoption of multiple technologies. Models such as the motivational model, theory of planned behaviour, social cognitive, motivation diffusion theory and the unified theory of acceptance are some of the models which have been used in technology adoption related studies (Rahi, Ghani & Ngah 2019).
This study investigates the factors that hold from the UTAUT, ISO/IEC 27001 security standard and the organisational requirement perspective that positively influences BYOD adoption in the South African context. The UTAUT was deemed the most appropriate framework to use because it comprehensively looked at the factors that are important to consider from a behavioural perspective.

Unified theory of acceptance and use of technology
The UTAUT is a model used across various research studies that sought to investigate or identify the factors that impacted BYOD adoption in different research settings. It has been used to determine the factors that influenced the adoption of technologies and services, such as internet banking and mobile banking (Baishya & Samalia 2020). The UTAUT consists of the following elements: performance expectancy (PE), effort expectancy (EE), social influence (SI) and user behaviour which impact or influences the BI. In a study by Boonsiritomachai and Pitchayadejanant (2018), UTAUT was combined with Technology Acceptance Model (TAM) to identify the most important factors determining mobile banking adoption. The results revealed that the hedonic aspects were the most critical determinants for mobile banking adoption by generation Y. The original UTAUT Framework is depicted in Figure 1.

International Organization for Standardisation/ International Electrotechnical Commission 27001 security standard
The ISO/IEC27001 is an information security techniques standard, which like many ISO standards, often get revised to align with the developments within the ICT industry. The ISO/IEC 27001:2015 version consists of seven main clauses with the first clause being the one that requires a full definition of the context in so far as information security is concerned. Based on the requirements of this security standard, an organisation must have a policy which governs information security. In addition to that requirement, employees need to be made aware of the content of such a policy. It is from those requirements that the policy and AT constructs were selected for this study as BYOD would need such aspects to be included as security requirements embedded in the practice. Other ISO/IE 27001 clauses include: leadership, planning, support, operation, performance evaluation, and ensuring continual improvement. Leadership support is vital for security governance because leadership provides direction and resources for planning information security initiatives in an organisation. The support clause looks at the activities necessary to operationalise the information security strategy; performance evaluation focuses on reviewing the effectiveness of the key security processes so that any weaknesses can be identified to ensure continual improvement.
The ISO/IEC 27001:2015 is combined with the UTAUT to produce the proposed model as depicted in Figure 2. The main aim of incorporating this standard is to look at the specific security related aspects which mobile technology users should be aware of when using their personal devices to access their corporate work information.
The proposed model consists of the following parts, that is, UTAUT and the ISO/IEC 27001:2015 and an additional construct named organisational requirement which emanates from the literature. The constructs and hypothesis statements are further detailed in the following section.

Hypothesis development
There are a number of factors which contribute to employees using their privately owned devices or cloud storage services for work purposes. In this section, six (6) hypothesis statements are formulated for the six constructs which emanate from the proposed model as depicted in Figure 2.

H1-Performance expectancy positively influences the behavioural intention to adopt BYOD
When technology is deployed, it is expected to perform at a certain level which will satisfy the user's needs. The better the performance, the more likely the technology is going to be used. Performance expectancy has previously been linked to technology adoption in different studies such as mobile banking adoption. It has thus been hailed as a driving force to technology adoption (Cao & Niu 2019). This hypothesis aims to confirm: if PE positively influences the behavioural intention to adopt BYOD.

H2-Social influence expectancy positively influences the behavioural intention to adopt BYOD
Social influence measures the external impact that users could have from their peers, colleagues, friends, and anyone within their circle of influence. The greater the level of SI, the more likely the technology will be adopted. There will be a lot of people out there to learn from and offer support and motivation regarding technology use. In other studies, individuals have been influenced by their social cycles in adopting certain technologies (Wang, McGill & Klobas 2020). In this study, it has been hypothesised that SI positively influences the behavioural intention to adopt BYOD.
H3-Effort expectancy positively influences the behavioural intention to adopt BYOD Different technologies require different effort levels. Effort expectancy refers to the expected effort required to use the technology. The effort is usually evaluated based on the following elements: the perceived ease of use and complexity (Patil et al. 2020). The less complicated the technology is, the more likely it will be adopted. Effort expectancy has positively impacted the adoption of certain technologies; hence this hypothesis has been developed.

H4-Awareness and training positively influences the behavioural intention to adopt BYOD
The support clause of the ISO/IEC standard requires that AT be conducted to support entrenchment of an information security policy. Awareness and training are regarded as essential elements in providing support from a policy compliance perspective as per the requirements set out in the support section of the ISO/IEC 27001:2015 security standard. Users of information technology need to be aware of the risks involved with personally owned devices for work purposes.
Previously, researchers have used the ISO/IEC 27001:2015 security standard in various studies because of its best practice controls used to mitigate the BYOD related risks (Bounagui, Mezrioui & Hafiddi 2019;Hajdarevic, Allen & Spremic 2017).
Awareness and training are essential aspects that contribute to making employees aware of the adoption of technologies and how they work (Musarurwa et al. 2018). Bann et al. (2015) posited that the lack of awareness on the policies has often led to abuse of data as the users are not usually aware of information security risks. Based on this, the hypothesis on AT has been formulated to determine the employee's BI to adopt BYOD.

H5-Policy existence positively influences the behavioural intention to adopt BYOD
A policy that outlines management direction regarding the use of personally owned devices for work purposes has not been specifically looked at in the previous BYOD adoption studies. This research aims to determine if this construct influences BYOD adoption; hence this hypothesis formulation.
The leadership clause sets out the requirement that management of an organisation must give direction in terms of their information security stance regarding BYOD adoption from a strategic perspective. Consequently, an information security policy must be developed for an organisation and communicated to the relevant parties through AT on the support clause.
For this study, a BYOD security policy will be used as a model construct to determine if the existence of a BYOD policy influences the BI to adopt BYOD or not. The use of mobile devices and personal cloud services in the workplace can pose severe challenges if there is no guiding policy that helps manage the environment (Kadimo et al. 2018).

H6-Organisational requirements positively influences the behavioural intention to adopt BYOD
The BYOD can be implemented by employees deciding to do so because of the organisation's lack of guidance on the adoption strategy. Retrospectively BYOD can also be adopted as a result of organisational requirements (OR_OR) (Fani et al. 2016;Ruxwana, Msibi & Mahlangu 2018). For instance, because of the COVID-19 outbreak, some organisations in South Africa required their employees to work from remote locations using their privately owned devices.
Suppose an organisation requires its employees to use their personally owned devices for work purposes. In that case, this hypothesis will confirm if such requirements are the only way employees can adopt BYOD or only through their preferences.

Research design
A quantitative research approach was used in this study, and the IBM SPSS software was used for statistical data analysis.
The survey monkey online tool was used to develop an electronic survey for data gathering. The snowball method was used for the identification of participants and the distribution of the survey questionnaire. The survey link was e-mailed, sent to professional contacts on the LinkedIn website, and distributed via WhatsApp messages. The contacts were further requested to send to other relevant participants in their circle of influence.

Sampling
In South Africa, BYOD is implemented in various organisations, and it was not practical to identify the actual population of all the companies or employees who have adopted BYOD. Instead, a guideline of sample size selection in line with Krejcie and Morgan (1970) was used. A sample of 130 professional workers from different industries participated in the study. Only 106 responses were valid. Table 1 consists of the participant's demographic information.

Results discussion
The majority (56%) of the survey participants were over 40 years old with the younger respondents were between the ages of 19 and 25, making 6.6% of the participants. Participants worked in diverse industries such as health, construction and mining. The majority of the respondents were from unspecified sectors, followed by participants who worked within the health sector. The mining and the wholesale sectors were the least represented, with only 2.8% of the responses emanating from there, respectively.
The correlation analysis was conducted to determine the correlation between two variables also referred to as the bivariate correlation where the relationship can either be positive or negative. The Pearson correlation co-efficient ranges between -1 and 1. The outcome of this analysis is outlined in Table 2, where the assessment of correlation of the following attributes: PE, BI, Pex, OR_OR, AT, EE and SI was conducted.
According to the results reflected in Table 2, the BI to adopt BYOD is highly correlated with the following constructs as r is a lot closer to 1: PE (r = 0.854, n = 106, p < 0.01), AT (r = 0.68, n = 106, p < 0.01), EE (r = 0.63, n = 106, p < 0.01) and moderately correlated to Pex (r = 0.45, n = 106, p < 0.01) and has a lower correlation with OR_OR (r = 0.239, n = 106, p < 0.05) and SI (r = 0.259, n = 106, p < 0.01). The results of hypothesis test are depicted in Table 4 and Figure 3. Only four out of the six hypothesis statements were supported The diagrammatical representation of the final model is illustrated in Figure 3, showing the results of hypothesis tests 1-6.
Based on the results depicted in Table 4 and Figure 3, it is evident that OR_OR and SI do not positively influence workers' decision to adopt BYOD in their organisations.
Performance expectancy in a bring your device context does have a strong influence in professional workers behavioural intention to adopt BYOD.
Performance and EE is dependent on several factors. The amount of effort required to use personally owned devices has also been found to influence the employee's BI to adopt BYOD. In terms of effort, the easier it is to use their privately owned mobile devices, the more likely the BI to adopt BYOD.
It is evident that with PE being strongly supported compared to the other three constructs, employees enjoy using a personally owned device for work purposes because they are used to the functionality hence they can perform their tasks optimally.
Awareness and training was also tested in the model was found to influence BYOD's BI to adopt by workers.
Policy existence was also found to be of positive influence in making workers adopt BYOD in their organisations. Social factors were not found to have any influence on the worker's decision's to adopt BYOD.
Based on the outcome of H6, it is evident that OR_OR have a negative influence on the employee's BI to adopt BYOD.
These results offer insight into the key constructs, which are important to be considered in order to promote BYOD adoption in different organisations. On the other hand, a balance is required when setting out OR_OR for BYOD adoption as these can discourage employees from adopting BYOD. It appears that employees would prefer to use their personally owned devices for work purposes instead of being forced into BYOD adoption.

Conclusion
This study aimed to investigate the factors influencing BYOD adoption using UTAUT and ISO/IEC 27001 security standard as a base plus an additional factor, the organisational requirement -a construct drawn from the reviewed literature. The factors investigated are PE, SI, EE from the UTAUT model and AT, policy existence (Pex) from the ISO 27001 security standard. Six hypotheses statements were formulated based on the proposed model constructs, and four were supported, and two were not supported as depicted in Table 4 and Figure 3 The factors that positively influence employee's BI to adopt BYOD in South African organisations are PE, EE, AT, and Pex. The PE had the most decisive influence on employee's BI to adopt BYOD, which clearly shows that professional workers choose to adopt BYOD because they firmly believe that they will perform exceptionally well in their jobs. The SI construct did not influence the employee's decision to adopt BYOD in this context. The OR_OR construct that may be in the form of stipulated requirements by organisations to adopt BYOD proved to negatively impact if BYOD adoption was to be a voluntary practice.
Notwithstanding this study's outcome, the outcome is beneficial in practice as it gives guidance regarding the drivers of BYOD adoption from UTAUT and ISO/IEC 27001 perspective. The novelty of the proposed framework, as depicted in Figure 2, is that it contributes academically by expanding the UTAUT framework with an industry practice security standard, ISO27001. Future research should focus on investigating factors which positively influence BYOD adoption using other technology adoption frameworks or by expanding the scope of UTAUT.
The model can be extended to include other variables such as privacy and constructs from other models such as TAM or Technology-Organisation-Environment (TOE). The sample size can be increased, and the participants from other countries can be used to test the model and see if it yields the same or different results. The moderating effect of variables can also be tested to determine their impact on the endogenous variable.
Limitations of the study are that participants were from South Africa, which could constrain the generalisability of the results. In addition, it was a quantitative study that might have limited certain views that participants could have given if it were a qualitative study.
The findings of this study can assist management of various organisations to identify strategies that can assist in encouraging employees to adopt BYOD, which will see employees benefit as well.