
Proceeding of the 3rd International Conference on Informatics and Technology, 2009

EVALUATING MEASUREMENT MODELS FOR THE ACCEPTANCE OF SMART CARD TECHNOLOGY: SECURITY ASPECTS

Maslin Masrom (1), Zuraini Ismail (1), Rabiah Ahmad (2), Hamed Taherdoost (2)

(1) College of Science and Technology,
University Technology Malaysia, 54100 Kuala Lumpur, Malaysia. Email: maslin@ic.utm.my
(2) Centre for Advanced Software Engineering,
University Technology Malaysia, 54100 Kuala Lumpur, Malaysia.

ABSTRACT

Security has become significant in information technology, especially in those applications involving data sharing and
transactions through the internet. This study evaluates measurement models for smart card technology
acceptance, which reflects a tendency of attitudes and behaviors toward the use of smart cards from security
aspects. Four dimensions of smart card security are proposed based on a literature review, including (1) Privacy:
the act of ensuring the nondisclosure of data between two parties from a third party; (2) Integrity: the assets can only
be modified or deleted by authorized parties in authorized ways; (3) Non-Repudiation: the creation of documentary
proof such that no party to a transaction or transfer can ever subsequently dispute his/her part therein; (4)
Authentication: the process of confirming a claimed identity. The method of Structural Equation Modeling (SEM) is
adopted to verify the internal quality of the proposed measurement.

Keywords: smart card, technology, security, measurement model, structural equation modeling

1.0 INTRODUCTION

A smart card is a simple plastic card, the size of a credit card, with a microprocessor and memory chip
embedded inside it [1]. The chip holds data with appropriate security. This data is associated with either
value or information or both and is stored and processed within the card's chip, either a memory or microprocessor.
Despite its tiny structure, it can perform many functions such as storing data, making calculations, processing data,
managing files, and executing encryption algorithms. Smart cards provide maximum security and convenience, and
also data portability. They make sophisticated and portable data processing applications possible, and have proven to be
more reliable than magnetic stripe cards. The interest in smart card technologies worldwide is driven by several
factors, including security against identity theft, web fraud, efficiency of service delivery and user convenience.

Governments, financial services, transportation, telecommunication, healthcare, education, retail, and many other
industries are planning to use or are already using smart cards as a means of providing better security and improved services
to their customers or users. In fact, smart cards greatly improve the comfort and security of any transaction. With the
advancement in smart card technology, smart cards will inevitably replace cash, identification cards,
passports, airline tickets, licenses, medical records for patients and credit cards. All of this is achievable due to
increased memory capacity and better security using data encryption [2].

Assume that a student at a university may use the university identification card (ID card) as a basic form of
identification to gain access to the university’s library and facilities, purchase meals or decrease value from a meal
plan, purchase materials and supplies from the university’s store, or use university’s vending machines. In addition,
some smart cards may also be used to access the university’s computer systems, network, intranet or internet. In this
situation, there is a likelihood that the contactless reader cannot detect the smart card.

The use of multiple applications on a single ID card can reduce card issuance and administrative costs, and provide
users with the convenience of a single access ID credential. An example of a multi-application card is the student
campus ID card. The point, however, is that the students must accept the new technology; otherwise developing the new
technology will not be successful. It is important to note that consumer acceptance and confidence are vital for the
further development of smart card technology; in other words, acceptance has been viewed as a function of user
involvement in smart card system development. Generally, acceptance is defined as the opposite of
refusal; that is, it means the positive decision to use an innovation [3]. Several theories and models have been
developed to describe and analyze user acceptance, and each of these models identifies different factors to
explain user acceptance. Therefore, the purpose of this study is to evaluate measurement models for smart card
security in order to understand the factors contributing to smart card users’ acceptance. Structural Equation Modeling
(SEM) and AMOS 16.0 are used to analyze the data collected from questionnaires.

©Informatics '09, UM 2009 RDT6 - 170



2.0 LITERATURE REVIEW

2.1 What is Smart Card

A smart card is called ‘smart’ because it contains a computer chip. Indeed, a smart card is often referred to as a ‘chip card’
or ‘integrated circuit card’. The smart card looks like a credit card but acts like a computer [1]. Smart cards have many
uses and a wide range of applications, from phone cards to digital identification of individuals. These applications
include customer identity, library cards, e-wallets, physical access to facilities such as buildings, rooms,
and gates, access to computers (through a card reader), and digital signatures on
e-mail and documents. Private information is protected by two-factor security: first, something that the user has (the
smart card) and second, something that the user knows (the smart card password). Smart cards are secure devices that
enable positive user identification, and they are multi-functional, cost-effective devices that can be easily adapted for
both physical and logical access. Logical access control concerns such familiar principles as password checking or
the more sophisticated cryptographic mechanisms for authentication, such as Windows logon, virtual private network
(VPN) access, network authentication, biometric storage and others. Physical access control relates to ID badges
and building access control. Importantly, smart card technology covers a wide range of applications and
physical forms beyond plastic cards. Other major examples of applications for smart card technologies include
health and services cards, banking (such as auto-teller machine (ATM) cards), network authentication, telephone
(calling) cards, identification (including government identity (ID) cards, employee ID badges and membership cards),
telecommunication (mobile phone subscriber identification and administration), transport ticketing and tolling,
electronic passports, and physical access control.

2.2 Security of Smart Card

Smart cards are mostly used in security applications. Smart cards offer much higher security compared to basic
printed cards, and even magnetic stripe cards. Smart cards are often used to prove identity, control access to
protected areas, or guarantee payments. The reason for high security in smart cards is that the users
of the system are given access to the smart card. The security element is put into the hands of the users, and is
therefore open to attacks from hackers, clever outsiders, malicious insiders, or even dedicated and well-funded
enemies. The memory technology used in smart cards has an influence on security, both in the card and in the
overall system. Some memory technologies have characteristics that make them particularly secure or insecure.
Smart cards also include other security measures such as holograms, security overlays, guilloche printing,
micro-printing, optically variable printing and others.

Some studies have reported that users’ concern about security has increased, and it has been known as one of the
most significant factors for technology acceptance. In this study, security is defined as the degree to which a person
feels that security is important to them and believes that using smart card is secure (Vijayasarathy, 2004). Whitman
and Mattord (2003) have suggested that the increase in system security strength would protect the overall quality of
the system perceived by users. By protecting the integrity, availability and confidentiality of the content in the system,
security controls could help to protect the overall content quality of the system (Whitman and Mattord, 2003). Content
quality is a major determinant of overall information system quality (Liaw and Huang, 2003) which has a positive
effect on individual’s perceived ease of use of information systems. Furthermore, Adams and Sasse (1999) found that
users’ understanding of security issues and awareness of security threats greatly affect their perception of the
usefulness of security mechanisms and the overall secured system.

2.2.1 Security Dimensions

There are several reasons one requires security in a smart card system. The dimensions or principles being enforced
are: (i) Privacy; (ii) Integrity; (iii) Non-repudiation; and (iv) Authentication.

Privacy

Privacy is the act of ensuring the nondisclosure of data between two parties from a third party. More research on
privacy and security is needed before such a card comes into being, since the more personal and varied the information
stored on an individual’s smart card, the greater the potential for privacy loss when that card is accessed. But even in
their current incarnation, smart cards support an impressive variety of applications, and are expected to support more
as they become smaller, cheaper and more powerful [4].

Integrity

Errors and tampering are all too common in electronic communications. Cryptographic techniques confirm the correctness
of a message transmitted from the originator to the recipient; this is known as data integrity. In fact, integrity assures
that only those authorized can access or modify the information. A data integrity service guarantees the correctness
of message content sent to the users [8].


Non-repudiation

Non-repudiation confirms the origin of the data exchanged in a transaction. A transaction that has been performed
can never be denied by a party. A message sent from a sender can never be denied by the receiver, and
the receiver can never deny this message. Non-repudiation of the transaction is ensured by cryptography.

Authentication

Authentication is the process of establishing the identity of a person. In fact, it establishes that someone or something is who
or what it claims to be. For example, before Ali accepts a message from Ahmad, he wants to be assured that
Ahmad is the owner of the key. This requires a process called authentication.

3.0 Research Model

Based on a review of the related literature, three constructs are established in this research. They are Security, Attitude
Toward Use and Adoption/Acceptance of Smart Card. Fig. 1 shows the research model. In this study, however, the focus is
on evaluating measurement models for the security construct.

[Fig. 1: Research Model. Boxes: Security (Privacy, Integrity, Authentication, Non-Repudiation); Attitude Toward Use; Adoption.]

4.0 Data Analysis

4.1 Data Analysis Process

This section introduces the analysis method, namely Structural Equation Modeling
(SEM), and the results obtained using SEM. This study collected data samples through an online survey aimed at university
students as smart card users. University students were selected for the study because they are
usually among the most informed group of people in society and are aware of the use of IT [2]. Two hundred and thirteen
samples (including undergraduate and graduate students) from a university in Iran were collected. All the thirteen
items (security measures) were used to run factor analysis in SPSS 16.0 for Windows. Principal component analysis was
used to retain the components with eigenvalues greater than 1, and Varimax was used to rotate the axes. The result of
Exploratory Factor Analysis (EFA) supports the fitness of the factor structure proposed in this study. The value of
Cronbach’s alpha (α) is above the 0.7 level and thus satisfies the reliability requirement.

4.3 The Measurement Model

According to the measurement scales developed in this study, two measurement models for the smart card security
construct were proposed as shown in Fig. 2 and Fig. 3 below. In Model 1, a single factor, SECURITY, is used to
represent all thirteen items. In Model 2, three independent factors (PSEC – Perceived Security; INTEG – Integrity;
AUTHEN – Authentication) are adopted. In Model 3, these three factors are correlated with each other;
Model 4 shows a structure with a single second-order factor.


[Fig. 2: Model 1: Single first-order factor. Latent factor SECURITY with thirteen indicators (psec1-psec5, integr1, integr2, nrepu, privac1, privac2, auth1-auth3) and error terms e1-e13.]

[Fig. 3: Model 2: Three uncorrelated first-order factor. PSEC (psec1, psec3, psec5); INTEG (integr1, integr2, nrepu, privac1, privac2); AUTHEN (auth1, auth2, auth3).]

[Fig. 4: Model 3: Three correlated first-order factor. PSEC, INTEG and AUTHEN with the same indicators as in Fig. 3.]

[Fig. 5: Model 4: Single second-order factor. PSEC, INTEG and AUTHEN, with the same indicators, under the second-order factor SECURITY.]

Through Confirmatory Factor Analysis (CFA), SEM tests the validity of each questionnaire item by evaluating the
convergent validity and discriminant validity in two parts: (1) whether all the regression coefficients are significant, and (2)
whether the measurement model itself is sufficient to explain the data variations. The significance of coefficients can
be decided by examining whether the t-values are greater than 1.96 at the significance level of 0.05. The values of the factor
loading between all latent variables and their first observable variables are fixed at 1 for the purpose of
standardization. The overall degree of fit between the measurement model and the real data can be assessed by the
Comparative Fit Index (CFI) [5]. The measurement model is accepted when the CFI value is greater than 0.95 [6,7].
The fitness of the whole model may also be judged by means of other indicators. As shown in Table 1, after
goodness-of-fit-index analysis, Model 1 and Model 2 failed the empirical data test, whereas Model 3 and Model 4
satisfied some of the evaluation standards, with significantly better goodness-of-fit. This indicates that Model 3 and
Model 4 can both be used as measurement models for smart card technology acceptance studies.

Table 1: The Result of Measurement Models

Model                                            χ²        df   χ²/df   CFI     NFI     GFI     AGFI    PGFI    RMSEA
Recommended Value                                               <3      >0.95   >0.90   >0.80   >0.80   >0.50   <0.08
Model 1 (Single First-Order Factor)              353.524   65   5.439   0.778   0.774   0.779   0.691   0.557   0.145
Model 2 (Three Uncorrelated First-Order Factor)  355.866   44   8.088   0.664   0.689   0.783   0.675   0.522   0.183
Model 3 (Three Correlated First-Order Factor)    154.536   41   3.769   0.887   0.854   0.893   0.827   0.555   0.114
Model 4 (Single Second-Order Factor)             154.536   41   3.769   0.887   0.854   0.893   0.827   0.555   0.114
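
The acceptance check described above can be reproduced from the reported figures. The following is an added example, not part of the original paper: it recomputes χ²/df and RMSEA from the χ², df and sample size (N = 213) given in the text, then tests every index against the recommended values of Table 1. The RMSEA formula used is the standard point estimate, which is an assumption because the paper does not state it; the function names are illustrative.

```python
import math

N = 213  # sample size reported in Section 4.1

# Values as reported in Table 1 (chi-square, df and the printed indices).
TABLE1 = {
    "Model 1": {"chi2": 353.524, "df": 65, "CFI": 0.778, "NFI": 0.774,
                "GFI": 0.779, "AGFI": 0.691, "PGFI": 0.557},
    "Model 2": {"chi2": 355.866, "df": 44, "CFI": 0.664, "NFI": 0.689,
                "GFI": 0.783, "AGFI": 0.675, "PGFI": 0.522},
    "Model 3": {"chi2": 154.536, "df": 41, "CFI": 0.887, "NFI": 0.854,
                "GFI": 0.893, "AGFI": 0.827, "PGFI": 0.555},
    "Model 4": {"chi2": 154.536, "df": 41, "CFI": 0.887, "NFI": 0.854,
                "GFI": 0.893, "AGFI": 0.827, "PGFI": 0.555},
}

# Recommended values from Table 1: (comparison, cutoff).
RECOMMENDED = {
    "chi2/df": ("<", 3.0), "CFI": (">", 0.95), "NFI": (">", 0.90),
    "GFI": (">", 0.80), "AGFI": (">", 0.80), "PGFI": (">", 0.50),
    "RMSEA": ("<", 0.08),
}


def rmsea(chi2, df, n):
    """Standard RMSEA point estimate (assumed formula, see lead-in)."""
    return math.sqrt(max(chi2 - df, 0.0) / (df * (n - 1)))


def evaluate(model, n=N):
    """Return {index: (value rounded to 3 places, meets recommendation)}."""
    row = dict(TABLE1[model])
    row["chi2/df"] = row["chi2"] / row["df"]
    row["RMSEA"] = rmsea(row["chi2"], row["df"], n)
    result = {}
    for index, (op, cutoff) in RECOMMENDED.items():
        value = row[index]
        ok = value < cutoff if op == "<" else value > cutoff
        result[index] = (round(value, 3), ok)
    return result


def satisfied(model):
    """Names of the indices on which the model meets the recommendation."""
    return [i for i, (_, ok) in evaluate(model).items() if ok]


if __name__ == "__main__":
    for name in TABLE1:
        print(name, evaluate(name), "->", satisfied(name))
```

The recomputed χ²/df and RMSEA agree with the printed columns to three decimals, and the per-index result shows which standards each model meets: Models 1 and 2 meet only PGFI, while Models 3 and 4 meet GFI, AGFI and PGFI.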

5.0 Conclusions and Recommendations

This research evaluates measurement models of the smart card security construct. The results indicate that the three
correlated first-order factor model (Model 3) and the single second-order factor model (Model 4) proposed in this study
satisfy some of the goodness-of-fit requirements. Based on our research results, we propose the following
recommendations:
(i) Further analysis of the Security construct needs to be conducted since not all requirements of the
goodness-of-fit have been satisfied. Other dimensions such as Authorization need to be included in the
measurement model for Security.
(ii) Measurement models for other constructs such as Attitude Toward Use and Adoption of smart card,
using the same approach as for the Security construct, need to be evaluated to see their representation as
variables for the research model proposed in this study.
(iii) After all measurement models have been analyzed and identified, the structural model for the study
can then be developed.

REFERENCES

[1] T. Kilicli, “Smart Card HOWTO,” 2001.

[2] A. I. Al-Alawi & M. A. Al-Amer, “Young Generation Attitudes and Awareness Towards the Implementation of
Smart Card in Bahrain: An Exploratory Study”. Journal of Computer Science, Vol. 2 No. 5, 2006, pp. 441-446.

[3] B. Simon, Wissensmedien im Bildungssektor - Eine Akzeptanzuntersuchung an Hochschulen,
Dissertation. Wirtschaftsuniversität Wien. Vienna, 2001.

[4] K. M. Shelfer & J. D. Procaccino, “Smart card evolution”. Communications
of the ACM, Vol. 45 No. 7, 2002, pp. 83-88.

[5] K. Jöreskog, D. Sörbom, LISREL 8: User’s Reference Guide. Scientific Software International. Chicago, 1993.

[6] P.M. Bentler, “On the Fit of Models to Covariances and Methodology to the Bulletin”. Psychological Bulletin,
1992, 112, pp. 400-404.

[7] P.M. Bentler, EQS Structural Equations Program Manual. Encino, California: Multivariate Software Inc., 1995.

[8] M. Vandenwauver, Introduction to Cryptography, Katholieke Universiteit Leuven, Laboratorium ESAT-Groep
COSIC, 1994.

BIOGRAPHY

Maslin Masrom is a senior lecturer at Department of Science (Computer Science Unit), Universiti Teknologi Malaysia.
Her research areas include information security and ethics, security management, IT/IS adoption and structural
equation modeling. She is also a professional member of Association for Computing Machinery since 2004.

Zuraini Ismail is a senior lecturer at Department of Science (Computer Science Unit), Universiti Teknologi Malaysia.
Her research areas include information security policy, computer ethics, IT outsourcing and security management.

Rabiah Ahmad is a senior lecturer at Centre for Advanced Software Engineering, Universiti Teknologi Malaysia. Her
research areas include information security, risk analysis, and security management.


Hamed Taherdoost is a post graduate student at Centre for Advanced Software Engineering, Universiti Teknologi
Malaysia. His research areas include information security and smart card technology acceptance.
