The PNR data and personal health data can be considered as broadly falling under the category of personal identifiable information (PII), where a user can be identified using a combination of available information and by piecing together data that can distinguish and be traced back to a specific individual (Venkatadri et al. 2018). Many see the sharing of PII data such as PNRs and other personal data on online platforms as posing an information security risk. According to a survey conducted by Grobler, Jansen van Vuuren and Zaaiman (2011), the South African level of personal security awareness of their PII is low, with many sharing PII unknowingly using smartphones (Li & Chen 2010).

Notwithstanding personal security concerns, PII has been of benefit to many companies who have found ways to leverage this for commercial purposes. Studies have shown that PII can be monetised and have commercial value (Da Veiga & Swartz 2016). Companies can use PII for targeted marketing campaigns, improved business intelligence and strategic advantage (Zenda, Vorster & Viega 2020). Personal identifiable information is considered a tradable commodity, and new markets are emerging to trade such valuable information (Spiekermann et al. 2015). In 2018 the European Union launched its General Data Protection Regulation (GDPR), which is now considered to be the world standard for information security and controlling how PII is used or commercialised. The GDPR provides the user with the power to control PII that is collected by organisation (Satariano 2018). In South Africa, there was legislation promulgated on the 19th of November 2013, known as the Protection of Personal Information (POPI) Act, meant to protect individual PII collected, stored and processed by both public and private companies, which took effect in 2021 with the grace period elapsing in 2022 (Taplin 2021). The POPI Act prohibits companies from using PII for direct marketing without consent (Zenda et al. 2020). The POPI Act takes cognisance of personal information such as users’ gender, health, race, sex, religion, disability, age and education (Mabeka 2018). The POPI Act is regulated through the Information Regulator, a government body that has oversight on the misuse of personal information and will discipline a violation of the Act (Sekgweleo & Mariri 2019).

Many systems and processes in current use in South Africa have evolved in manner and mode regarding how PII is collected, stored and processed. In the advent of the COVID-19 pandemic, South Africans have witnessed data PII collection initiatives stemming from the pandemic mitigation measures. From swabs taken for COVID-19 testing to vaccines, modern technology has required that PII records be mapped for swabs and PII for each specific person uniquely. Each health record is easily retrievable from a quick response (QR) code that can be carried by the person, either in print form or on an electronic device such as a phone. The QR system has had the advantage of fast readability and great storage, and therefore it is easy for companies to retrieve PII quickly and easily. It is this (albeit controversial) system that has popularised PII for control, such as institutionalised vaccination policies where PII health records can quickly be retrieved.

There have been a lot of changes since Grobler’s et al. (2011) study and survey on awareness of personal security of PII data and the impact this has had on both people and companies. This research work, therefore, builds on Grobler et al.’s (2011) work. This research is unique because it introduces the concept of personal information security (PIS) as a mitigating measure for security threats to PII. Personal information security is a construct of security awareness that considers how public and private companies use PII that is deemed very sensitive and must be protected. Sensitive PII can be distinguished from other PII because unauthorised use of sensitive PII can be hazardous and will endanger personal security and property, damage personal reputation or cause mental health issues or embarrassment because of identity theft or blackmail (McCallister 2010).

There is a justifiable need to address perspectives regarding PII elicited from South African users, many of whom might be oblivious of the risk of oversharing PII across online platforms. The research objective is to therefore consider how South African users perceive PII and to draw from literature constructs that inform this perception. The constructs drawn from literature can then be tested with results informing policymakers on how to manage PIS better whilst making the often-overlooked personal privacy and security measures great (again) from a user perspective. Following on the research objective, we deconstruct how PII has evolved because of the changes in business operations and argue that it is necessary to determine the current understanding of PIS in light of the dangers articulated when sensitive PII falls into the wrong hands. By addressing user perspectives of PIS within the South African context, we can gain deeper insights into managing PII better and complying better with regulations such as the POPI Act.

To meet the stated research objective, we present the research as follows: the introduction has set contexts for the concerns around PII and, importantly, why it is necessary to protect personal information and encourage PIS. A review of literature then follows after the introduction section and points to the ongoing discourse regarding PII and PIS in the case of South Africa. The methodology section that follows the literature review outlines how we elicited user perspectives surrounding PIS and provides an account of how we developed a theoretical model that is anchored on literature for testing. We present quantitative methods and show how these methods are applied in research. The data analysis section points to how data were collected and analysed to test the model using computerised software, with the implication of results being discussed in the penultimate sections. The conclusion is provided in the last paragraph, followed by an acknowledgement of participants who contributed to this research work.

Widespread cyberattacks use PII in the form of phishing attacks where untrained and unwitting users whose personal data have already been compromised are tricked by a well-orchestrated plan that implores and takes advantage of trust. The key denominator is to persuade the cybervictim to click on a link which, in many circumstances, is the channel through which malicious software (malware) enters the targeted user’s computer. Often emails may be perceived as genuine but are not (Gupta, Singhal & Kapoor 2016). Users’ PII may be likely compromised when cyberattackers look for information that users are sharing on their online platforms, such as Facebook and LinkedIn. Information elicited from these platforms (such as where they spend time off work or who they socialise with) can be aggregated to build a user profile, which then serves as a basis for a targeted phishing attack because, over time, the cyberattacker has painted a picture of the user. Personal identifiable information can then be used to craft a specific email deliberately designed to manipulate the user and make them think it is genuine Bier and Prior (2014). At times, the use of PII can be adverse when the cyberattack leads to identity theft or social engineering to exploit the user’s emotions to gain information (Abawajy 2014). Social engineering often occurs when an attacker manipulates or persuades users by using psychology to give confidential information unintentionally or intentionally (Aldawood & Skinner 2018). Employees are often perceived as weak links in the information security chain and many do not observe PIS at the level expected (Guhr, Lebek & Breitner 2019). The South African National Standard (SANS) has proposed standards that companies can use as guidelines for instituting bespoke information security awareness programs. SANS states that “a very important aspect is lacking, which is the human control of a human firewall” (Murire et al., 2021, p 1). The South African National Standard considers that the smaller the company is, the more likely that it may not institute information security awareness campaigns for its employees. Indeed, smaller companies may most likely have only one employee multitasking in creating controls, who may be constrained to make follow-ups if controls placed are violated. For larger companies, training and awareness have been observed to leverage PIS. It is from this understanding that we propose the following hypothesis.

H1: Training of users will influence personal information security positively.

The proliferation of social media platforms has created numerous forms of business opportunities from commerce and recruitment to online services such as LinkedIn. According to Da Veiga and Swartz (2016), when a user purchases a product or service, shares information on online services or even enters a competition, their personal information is collected and used by the various companies. Therefore, users have little to no control over their information regarding how it is stored or used. A study by Poushter, Bishop and Chwe (2018) identified that over 50% of adults own a smartphone capable of accessing and transacting on the Internet, with about 43% of adults actively using social media sites. The same study showed that South Africans aged over 18 and under 60 presented the most significant percentage of mobile Internet users.

A study (Arthur 2021) showed that young South Africans concluded that students’ knowledge of the acceptance of legislation such as the POPI Act or the regulatory requirements such as the Regulation of Interception of Communication Act (RICA) was not of great importance. Whilst Arthur (2021) reported that 95% of South Africans were RICA registered, many were unaware of RICA requirements. We therefore propose the following hypothesis:

H2: Interest by users will influence personal information security positively.

Nenungwi and Garaba (2022) postulate that knowledge management awareness is lacking amongst public sector organisations (PSOs), many of which are ‘unable to adapt to the rapidly changing society surrounding them’ (p. 1). Despite the apparent benefits of modern and evolving technologies and infrastructure, the potential cybersecurity threats have evolved in tandem, leaving users unaware of these new emergent threats. Users constantly engage with activities online, and with the added pressure of disclosing PII, their vulnerability has increased as they share more information online. Cybercriminals can harvest such information for nefarious reasons. Abawajy (2014) has argued that practices such as excessive sharing of information may compromise even the strongest of the information security initiatives and could be the weak link in the information security chain. Attackers will exploit this weak link to gain access and compromise the internal network. User awareness regarding PII protection has not seemed to progress at the same rate as the evolution and use of technology. Studies on awareness as a construct of behavioural influencers were first highlighted by Rogers (1975), who developed the protection motivation theory (PMT), which predicted peoples’ engagement in risk prevention. Building on the works of Rogers’ PMT, Hanus and Wu (2016) studied the impact of user awareness on desktop security awareness using PMT. They found that security awareness significantly affects elements of PMT. From these studies, much emphasis has been placed on designing security awareness programmes that can be designed from PMT. Whilst most studies have considered awareness at the general institutional level, we extend this thinking to users at a personal level and postulate that awareness can be a construct to consider when the focus is given to PIS and propose the following:

H3: Awareness will influence personal information security positively.

Many South African companies are shifting towards adopting cloud computing. One of the reasons given is adopting a new work model, such as working from home, in the advent of the COVID-19 pandemic. Remote working is now popular with many companies. Even though South Africa is steadily easing restrictions, companies have realised that hybrid models that incorporate onsite and work-from-home prove to be popular and cost-efficient. As hybrid models become popular, users find that they store more PII on the cloud to save storage space on their home devices. Although it is often implied that cloud computing has many benefits, some question the total privacy and confidentiality of data that is stored in the cloud. As pointed out, the critical risk is the human actions that lead to the use of cloud computing resources, notably described as the weakest link (Aleem, Wakefield & Button 2013). Human activity has an array of elements, including errors and mistakes made and inadvertent omissions of tasks that ultimately may lead to security risk, not only to the companies but also to employees:

H4: Actions of users will influence personal information security positively.

From the given discussions, we have developed a theoretical framework that points to the possible factors that would lead to a better PIS posture. The theoretical framework is shown in Figure 1.

The research used a deductive positivist approach to answer the ‘what’ and ‘why’ quantifiable types of questions (Hjalmarson & Moskal 2018). The research was also descriptive in the sense that the population and situations were objectively elicited and accurately and systematically tested.

The population sample was centred on employees using IT across the city of Johannesburg, considered the most prominent commercial hub in South Africa, which attracts those working with IT systems. The online survey research method was used, targeting over 100 employees around Johannesburg in two phases. Online surveys were useful because advancements in technology enabled these to be deployed online. The LinkedIn platform focusing on IT professionals was used to solicit responses. The first phase solicited help from 30 participants and the second phase solicited help from 70 participants after a preliminary review of feedback obtained from the first phase. The second phase assured the importance of incorporating experts in possession of specialists’ skills and knowledge in IT and information security to provide valuable data (Creswell & Creswell 2017). We computed the sample size using online scientific software developed by Raosoft (2004) that followed the following criteria:

Our population size N was used to determine our sample, from a margin of error E. Our estimate of E used a 5% margin of error, and using a fraction of responses (r), we were interested in obtaining Z and critical value for the confidence interval (c) of 95%; thus, we were able to estimate our sample size of 100.

As pointed out earlier, our closed-ended questionnaire used a 5-point Likert scale that was distributed online using Google Forms. The questionnaire consisted of the following sections:

Section 1 was used primarily to filter out vulnerable participants who, for purposes of meeting and addressing the ethical requirements for the study, needed to be protected. In this regard, only participants meeting the requirements of being more than 18 years of age and those not older than 65 years of age were incorporated in the study. The questions asked were all original and pertained to the four constructs drawn from the literature that helped us formulate these original questions. Whilst Krause (2002) suggested that questions may essentially come from three sources, namely from existing scales, modified scales or from scratch, in our case, our questions were developed from scratch. As our objective was to elicit various user perspectives relating to how they understood PII and the effect this had on PIS, the questions were designed accordingly.

Whilst we acknowledged that there would have been many methods that would have been ideal for collecting data, we restricted ourselves to adopting the above-discussed methods deemed appropriate for a quantitative methodology study. The data obtained were analysed using the Statistical Package for the Social Sciences (SPSS) software tool. The software allowed the data collected from Google Forms to be analysed because it was easy to import it into SPSS without incurring any errors.

Ethical clearance was granted by the university where the study was domiciled. A web link was given to study participants for consent to be obtained before commencement. All participants were informed prior to the study that their involvement was voluntary in the cover letter issued to them. No participant was forced to complete the questionnaire. Each participant was also informed that the data collected from the study was to be strictly kept confidential between the researcher and participant.

The first section of the questionnaire sought to obtain the participant’s demographic profile. The distribution of the gender shows that men comprised 60% of participants, whilst women comprised 36.67% of participants. The participants’ age demographics was also considered, and the findings showed that the majority of the participants were aged between 19 and 29 years (53.33%). Those aged between 30 and 39 years comprised 16.67% of participants whilst those aged between 40 and 59 comprised 30% of participants. The study participants were also questioned about their qualifications, and participants holding bachelor’s degrees comprised the majority of participants with 43.33% of the sample size. Those with a South African matric qualification comprised 30% of the sample whilst few held a diploma, comprising 26.67% of the sample.

The second part of the questionnaire elicited insights regarding participants’ predispositions regarding PIS. The questions ranged from how active they were online to whether they conscientiously shared information that would reveal details about themselves online. Table 2 points to how the participants responded.

We carried out an exploratory factor analysis to identify relationships between constructs as suggested by (Fabrigar & Wegener 2011). We present results in Table 3. From the results, we then carried out reliability analysis using Cronbach’s alpha to measure the closeness and significance of relationships the constructs had with each other (Bland & Altman 1997). Generally, acceptable levels of reliability should show Cronbach’s alpha values between 0.6 and 0.8 or higher, indicating good levels (Bland & Altman 1997). Values for our constructs’ tests fell within this range, suggesting good levels.

The Kaiser–Meyer–Olkin (KMO) carried out on the constructs reflected a significant level of less than 0.05, indicating that the constructs to be tested were useful, and is shown in Table 4.

We observed that the participants had operational risk awareness regarding posting PII on social platforms, but more worrisome was that these were in the minority. The majority did understand that they needed to take precautionary measures to use social media responsibly, but calls for reliable protection of PII went unheeded. For instance, 46% of participants said they were interested in information security knowledge and skills, with 86.7% holding a wrong belief that friends and family would not send anything malicious through email or by sharing external hard drives.

This part of the research examined the proposed model and interpreted regression results carried out using SPSS, a statistical software. Guided by Dhakal (2018), we carried out a multiple linear regression with personal information security as a dependent variable and training, interest, awareness and action as independent variables to infer a causal relationship with these variables. The results are shown in Table 5, and we discuss these in the discussion section that follows.

Figure 2 is a visual representation of the regression analysis.

There have been many studies that guide South African organisations on the best information security management measures to be taken on risk prevention methods. However, few studies have focused on fostering interest amongst users regarding PIS. We bring this important theoretical understanding to the fore whilst adding this to the body of knowledge. By shedding light on the level of interest participants have in PIS, we believe better information security strategies can be designed.

The model provides guidance to organisations within and outside of South Africa to prioritise the construct of interest as the main hindrance to effective information security practices. By understanding interest it is possible to approach information security management differently whilst encouraging users and employees to be co-creators of policies that keep their and their organisations’ information secure.

We believe that whilst the study was more quantitative, with the testing of constructs, we believe the limitations of the quantitative approach can be complemented by a study that applies qualitative methods. The qualitative approach can delve deeper and provide deep insights into the reasons why people overshare information on social media platforms and why they are disinterested in PIS.