Designing E-commerce Sites with the Focus on Security and Privacy of Online Customers

Isaac J. Gabriel
Department of Computer Science and Information Sciences,
School of Business, Public Administration and Information Sciences,
Long Island University
Brooklyn, NY 11201 USA

Abstract

Rapid growth of electronic commerce increases the competition among e-commerce firms. These firms need to attract new and retain existing customers. In order to do that, their web sites must be usable and user-friendly. Therefore, web site designers and developers need to be well educated in the human-computer interaction (HCI) field. The development of various checklists contributes to better education of web site designers and developers. As a result, web site designers and developers would follow checklists while designing/re-designing sites improving their usability. One of the most important issues related to usability of e-commerce sites is security and privacy of customers’ information. These issues prevent many people from shopping online. E-commerce firms need to make customers feel secure. In this paper, we present a checklist that would help web developers and designers to improve usability of sites with regards to customer security and privacy. As a result, sites would be more usable, hence, would attract more customers. This, in turn, will enable e-commerce firms to survive the competition.

Keywords: Electronic Commerce, Security, Privacy, Site Design, Design Evaluation

1. INTRODUCTION

Rapid growth of electronic commerce increases the competition among e-commerce firms. Nielsen (2000a) stated that in a web environment, all competitors are a mouse click away. In order to survive the tight competition, they must be able to not only attract new customers but also to retain existing ones. In order to do that, web site designers and developers need to be well educated in the human-computer interaction (HCI) field.
However, educational institutions do not provide adequate training in HCI. In fact, Gabriel (2005) confirmed that designers and developers are lacking HCI-related education. Therefore, various checklists need to be constructed based on HCI guidelines and best practices. These checklists can be used to supplement web designers’ and developers’ formal education. As a result, web site designers and developers would follow checklists while designing/re-designing sites, improving their usability.

One of the most important issues related to usability of e-commerce sites is security and privacy of customers’ information. These elements affect the firm’s credibility and establish a customer’s trust in an e-commerce firm. Inadequate security or lack of privacy may prevent many people from shopping online (Tilson, Dong, Martin, and Kieke, 1998a). Studies conducted by Ahuja, Gupta, and Raman (2003) revealed that around 30% of people do not shop online due to security and privacy concerns. These concerns include misuse and unauthorized distribution of customers’ personal information, credit card numbers, addresses, and other sensitive information (Becker and Mottay, 2001). Therefore, in order to succeed, e-commerce firms need to make customers feel secure (Tilson, et al., 1998a).

In this paper we identified a set of factors that affect security and privacy of e-commerce sites’ customers and created a survey to obtain customers’ opinions about the importance of these factors. Based on the survey results, we developed a checklist to be used by web developers and designers. This checklist would help web developers and designers to improve usability of sites with regards to customer security and privacy. As a result, sites would be more usable, hence, would attract more customers. This, in turn, will enable e-commerce firms to survive the competition.

2. FACTORS AFFECTING SECURITY AND PRIVACY

We have identified six primary factors that affect customers’ security and privacy in an e-commerce environment. These factors include logins of existing customers and registrations of new users, availability of privacy policy statements, recovery of forgotten passwords, an ability to log off at the end of a session, availability of alternative payment methods, and secure transmissions of provided information.

2.1 Logins of Existing Customers and Registrations of New Users

Many sites require existing users to log in and new users to register upon entering the site. Users are frustrated when they have to register or log in just to view products, prices, etc. (Selvidge, 1999). They are uncomfortable with sharing their personal information as they enter sites. Registrations of new customers or logins of existing customers should take place only when it is absolutely necessary. Users should be able to browse through the site without logging in (Fang & Salvendy, 2003). However, if login is required, the reason should be clearly expressed and the process should be made simple (Rohn, 1998).

Moreover, users are not comfortable sharing their social security number, mother’s maiden name, or other personal information related to the security of their personal finances (Rohn, 1998). This results in post-purchase uncertainties. These uncertainties may negatively affect the e-commerce industry as customers may choose to visit conventional stores instead of shopping online (Araujo & Araujo, 2003). Therefore, sites should not be asking users to provide this type of information unless absolutely necessary. The collection of a customer’s personal information must be justified (Araujo & Araujo, 2003; Barnard & Wesson, 2004). Only personal information that is relevant to placing an order should be collected (Barnard & Wesson; Vora, 2003).
Tilson, Dong, Martin, and Kieke (1998b) rated the importance of asking for a limited amount of personal information as 5.81 on a seven-point scale.

2.2 Privacy Policy Statement

Very often users are asked to provide personal information. At that time, a written privacy policy explaining the use of provided personal information must be available for user’s review (Araujo & Araujo, 2003; Barnard & Wesson, 2004; Egger, 2000; Perzel & Kane, 1999; Rohn, 1998). It is important to assure users that the personal information they provided will not be sold to other parties like mailing list organizations, etc. (Rohn, 1998). Sites that provide policy statements addressing users’ privacy concerns will end up having more user registrations, that in turn, result in increased sales as users’ willingness to share personal information increases. In fact, over 72% of users would provide personal information if a site provides a statement on how this information will be used (Perzel and Kane, 1999).

2.3 Recovery of Forgotten Passwords

Typical internet users have numerous accounts with various online vendors, and, therefore, have numerous passwords. Very often users forget the exact password they use for a particular account. An e-commerce site should provide an easy-to-use utility for users to recover forgotten passwords (Rohn, 1998).

2.4 An Ability to Log Off at the End of a Session

At the end of the session, many users need to see a logoff button and be able to click on it. This assures customers that their personal information cannot be accessed by unauthorized parties when they leave the site (Nielsen, 2000b).

2.5 Alternative Payment Methods

Due to security-related worries, most purchases are not finalized online. This is especially true at the checkout phase. Therefore, customers should be given an option to complete their orders via phone or fax as well (Rohn, 1998).
2.6 Secured Transmission of Information

E-commerce sites should notify customers of any secure means of information transmission utilized by the firm. Brajnik (2000), Rose, Khoo, and Straub (1999), Shneiderman (2000), and Vora (2003) noted that the disclosure of means of achieving security and privacy is critical. Very often firms use the Secure Sockets Layer (SSL) technology that is generally displayed as an image of a key and a lock in the bottom right corner of a browser.

3. SURVEY

Based on the factors discussed in the previous section, we composed a survey to obtain customers’ opinions about the importance of the identified factors. The survey questionnaire is presented in Table 1.

The survey was administered to 148 undergraduate and graduate students via email. Only 15 students replied, resulting in a response rate of 9.87%. Even though the sample contained only students, it represented the target audience for this research. The selected groups of people represent typical e-commerce users. First of all, students represent people of various age groups. In addition, targeted students had different educational levels, from undergraduate freshmen to master’s degree candidates. Moreover, there is an adequate gender mix in the student population. Yet another reason is that students represent various nationalities and, therefore, have different cultural backgrounds. Furthermore, generally, students are experienced web users. Schaffer and Sorflaten (1999) stated that typical web users are experienced users. Schaffer and Sorflaten cited the Spring 1998 GVU 9th WWW User Survey and reported that 88% of web users are using the web on a daily basis.

4. DATA ANALYSIS

More than half of participants (60%) were experienced users with more than 3 years of online shopping experience, while 27% had between 1 and 2 years of e-commerce experience. The remaining 13% were novice online shoppers.
Almost everyone (87%) indicated that they will leave the site if asked as new customers to register prior to searching for products and/or reviewing a company’s information or policies. Therefore, we can conclude that a site should not ask new users to register prior to searching for products and/or reviewing company’s information or policies.

With regards to mandatory logins of existing customers prior to searching for products and/or reviewing company’s information or policies, 60% of participants indicated that they will leave the site if asked to do so, while a third of participants do not mind logging in only if an e-commerce site provided reasons why login is required at the time it is requested. Therefore, existing customer logins prior to searching for products and/or reviewing company’s information or policies should be optional. In addition, benefits of logging in should be displayed at the time the login is requested.

A vast majority of participants (87%) stressed the importance of the login process being intuitive and easy-to-follow. Therefore, we can conclude that it is critical for the login process to be intuitive and easy-to-follow.

With regards to providing personal information related to the security of personal finances such as a social security number, mother’s maiden name, etc., almost half of participants (46%) indicated their unwillingness to do so. However, the remaining 54% of participants have no problems sharing this information as long as it is requested when absolutely necessary such as at the time of checkout, transaction confirmation, account information access, etc. and/or a written privacy policy explaining the use of provided personal information is available for users’ review. As a result, if a site asks users to provide personal information related to the security of personal finances it should be requested only when absolutely necessary such as at the time of checkout, transaction confirmation, account information access, etc.
Moreover, a written privacy policy explaining the use of provided personal information should be available for customers’ review.

Table 1: Survey Questionnaire

1. How many years of E-commerce experience do you have?
   A. less than 1 yr
   B. 1-2 years
   C. 2-3 years
   D. more than 3 years

2. An e-commerce site requires new customers to register prior to searching for products and/or reviewing company’s information or policies.
   A. I will leave the site
   B. I will register as a new user and will continue browsing through the site

3. An e-commerce site requires you to login prior to searching for products and/or reviewing company’s information or policies.
   A. I will leave the site
   B. I will login only if an e-commerce site provided reasons why login is required at the time login is requested
   C. I will login anytime a site asks me and will continue browsing through the site

4. The login process is not intuitive and easy-to-follow.
   A. I will leave the site
   B. I will login anyway

5. A site asks you to provide your personal information related to the security of your personal finances (such as a social security number, mother’s maiden name, etc.).
   A. I will leave the site
   B. I will provide personal financial information only if a written privacy policy explaining the use of provided personal information is available for my review
   C. I will provide personal financial information only if it is requested when absolutely necessary (i.e., at the time of checkout, confirmation of transaction, accessing account information, etc.)
   D. B and C
   E. I will provide personal financial information whenever a site asks me and will continue browsing through the site

6. You forgot your password and the site does not provide means of recovering or resetting one.
   A. I will leave the site
   B. I will try to recover a password by any means and continue using the site

7. At the end of the session, you are not able to explicitly logoff by clicking on the logoff button or link.
   A. I will not be using the site anymore
   B. I will be visiting the site in the future

8. At the time of checkout, you are concerned about providing your payment information over the internet. However, a site does not offer an option to complete your orders via phone or fax.
   A. I will leave the site and will abandon the shopping cart
   B. I will provide requested information only if an e-commerce site discloses technologies utilized by the firm to securely transmit collected data
   C. I will provide requested information and will complete the transaction online anyway

Most participants (87%) believe that a site should provide means for users to recover or reset forgotten passwords. Otherwise, they will leave the site. Therefore, a site should provide means for users to recover or reset forgotten passwords.

A majority of participants (80%) expect to see a logoff button or link. If not, they will leave the site and will not be coming back in the future. As a result, we can conclude that a site should provide a logoff button or link.

Finally, 73% of participants are willing to provide payment information online only if technologies utilized by the firm to securely transmit collected data are disclosed. Otherwise, users abandon their shopping cart and leave the site. Therefore, a site should disclose technologies utilized by the firm to securely transmit the collected data.

5. TESTING FOR THE NON-RESPONSE BIAS

Testing for the non-response bias was conducted by comparing the first 33% of responses with the last 33% of responses and determining whether any significant differences exist between the two groups. A non-existence of non-response bias can be declared when there are no significant differences between early responders and late responders (Armstrong and Overton, 1977). ANOVA tests were performed on each variable to test for the non-response bias with 95% confidence level. The results are presented in Table 2.
Results of ANOVA tests suggest that there are no significant differences between early responders and late responders. Hence, non-response bias is not present in this study.

6. CHECKLIST

Based on the results of the survey, we composed a checklist to be used by web developers and designers (Table 3). Web developers and designers would evaluate design of their site against each item in the checklist. Any checklist item that was answered negatively indicates a flaw in the design.

7. CONCLUSION

We have analyzed factors that affect customers’ security and privacy in an e-commerce environment and obtained customers’ opinions about the importance of these factors. Based on the collected data, we composed a checklist for evaluation of customer security and privacy aspects of a site’s design. The checklist addresses issues associated with login of existing customers and registrations of new users, availability of privacy policy statements, recovery of forgotten passwords, an ability to log off at the end of a session, availability of alternative payment methods, and secure transmissions of provided information.

Web developers and designers would evaluate design of their site against each item in the checklist. Any checklist item that was answered negatively indicates a flaw in the design. This checklist would help web developers and designers to improve usability of sites with regards to customer security and privacy. As a result, sites would be more usable, hence, would attract more customers. This, in turn, will enable e-commerce firms to survive the competition.
Table 2: Results of ANOVA Tests for Non-Response Bias Testing

| Variable | F | P-value |
|---|---|---|
| New customers’ registration prior to searching for products and/or reviewing company’s information or policies (Survey Question #2) | 1 | 0.346 |
| Logging-in prior to searching for products and/or reviewing company’s information or policies (Survey Question #3) | 1.5E-15 | 1 |
| Intuitiveness and easiness of the login process (Survey Question #4) | 2.67 | 0.14 |
| Sharing of the personal information related to the security of personal finances (Survey Question #5) | 0.21 | 0.658 |
| Recovery or reset of forgotten passwords (Survey Question #6) | 1 | 0.346 |
| Explicit logoff button or link (Survey Question #7) | 1.1E-15 | 1 |
| Alternative payment methods (Survey Question #8) | 1.1E-15 | 1 |

8. FUTURE RESEARCH

Future research opportunities may expand this study to investigate factors that affect customer’s security and privacy more thoroughly, identify additional factors, and incorporate them into a survey. In addition, similar studies may be conducted using larger sample sizes to confirm generalization of the results. Finally, future studies may be conducted using samples containing international representatives to factor in cultural differences.

Table 3: Checklist for Evaluation of Customer Security and Privacy Aspects of a Site’s Design

| No | Checklist Item |
|---|---|
| 1 | New users are not being asked to register prior to searching for products and/or reviewing a company’s information or policies. |
| 2 | Existing customer login prior to searching for products and/or reviewing company’s information or policies is optional. |
| 3 | Benefits of logging in are displayed at the time the login is requested. |
| 4 | The login process is intuitive and easy-to-follow. |
| 5 | A site asks users to provide personal information related to the security of personal finances only when absolutely necessary such as at the time of checkout, transaction confirmation, account information access, etc. |
| 6 | A written privacy policy explaining the use of provided customers’ personal information is available for users’ review. |
| 7 | A site provides means for users to recover or reset forgotten passwords. |
| 8 | A site provides a logoff button or link. |
| 9 | A site discloses technologies utilized by the firm to securely transmit the collected data. |

9. REFERENCES

Ahuja, M., Gupta, B., & Raman, P. (2003). An empirical investigation of online consumer purchasing behavior. Communications of the ACM, 46(12), 145-151.

Armstrong, J. & Overton, T. (1977). Estimating Nonresponse Bias in Mail Surveys. Journal of Marketing Research, 14, 396-402.

Araujo, I. & Araujo, I. (2003). Developing Trust in Internet Commerce. Proceedings of the 2003 Conference of the IBM Center for Advanced Studies Conference on Collaborative Research Held in October 6-9, 2003, Toronto, Canada, 1-15.

Barnard, L. & Wesson, J. (2004). A Trust Model for E-commerce in South Africa Usability in Web Applications. Proceedings of the 2004 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in developing countries Held in 2004, Stellenbosch, Western Cape, South Africa, 23-32.

Becker, S.A., & Mottay, F.E. (2001). A Global Perspective on Web Site Usability. IEEE Software, 18(1), 54-61.

Brajnik, G. (2000). Automatic Web Usability Evaluation: What Needs to be Done? Proceedings of the 6th Human Factors and the Web Conference Held in June 19, 2000, Austin, TX.

Egger, F.N. (2000). “Trust Me, I’m an Online Vendor”: Towards a Model of Trust for E-commerce System Design. Proceedings of the CHI 2000 Conference on Human Factors and Computing Systems Held in April 1-6, 2000, The Hague, The Netherlands, 101-102.

Fang, X. & Salvendy, G. (2003). Customer-Centered Rules for Design of E-Commerce Web Sites. Communications of the ACM, 46(12), 332-336.

Gabriel, I.J. (2005). Do Students Receive Adequate Training in HCI Field? Information Systems Education Journal, 3(16).

Nielsen, J. (2000a). Designing Web Usability: The Practice of Simplicity. Indianapolis, Indiana: New Riders Publishing.

Nielsen, J. (2000b). Security & Human Factors. Retrieved May 2, 2006, from http://useit.com/alertbox/20001126.html.

Perzel, K. & Kane, D. (1999). Usability Patterns for Applications on the World Wide Web. Proceedings of the Pattern Languages of Programming Conference Held in August 15-19, 1999, Monticello, IL.

Rohn, J.A. (1998). Creating Usable E-Commerce Sites. StandardView, 6(3), 110-115.

Rose, G., Khoo, H., & Straub, D.W. (1999). Current Technological Impediments to Business-To-Consumer Electronic Commerce. Communications of the Association for Information Systems, 1(16), 2-48.

Schaffer, E., & Sorflaten, J. (1999). Web Usability Illustrated: Breathing Easier with Your Usable E-commerce Site. The Journal of Economic Commerce, 11(4), 158-166.

Shneiderman, B. (2000). Designing Trust Into Online Experiences. Communications of the ACM, 43(12), 57-59.

Selvidge, P. (1999). Reservations About the Usability of Airline Web Sites. Proceedings of the CHI 1999 Conference on Human Factors and Computing Systems Held in May 15-20, 1999, Pittsburgh, PA, 306-307.

Tilson, R., Dong, J., Martin, S., & Kieke, E. (1998a). A Comparison of Two Current E-commerce Sites. Proceedings of the ACM 16th Annual International Conference On Computer Documentation Held in September 23-26, 1998, Quebec, Canada, 87-92.

Tilson, R., Dong, J., Martin, S., & Kieke, E. (1998b). Factors and Principles Affecting the Usability of Four E-commerce Sites. Proceedings of the 4th Conference on Human Factors and the Web Held in June 5, 1998, Basking Ridge, NJ.

Vora, P.R. (2003). Designing Friction-Free Experience for E-commerce Sites. In Ratner, J. (Ed.), Human Factors and Web Development (2nd ed.). Mahwah, NJ: Lawrence Erlbaum Associates, Publishers.