**Developing a Theoretical Framework for the Adoption of Biometrics in M-Government Applications Using Grounded Theory**

Thamer Alhussain¹ and Steve Drew² *¹King Faisal University, Saudi Arabia; ²Griffith University, Australia*

#### **1. Introduction**

182 Security Enhanced Applications for Information Systems


Mobile devices have become the world's most common means of interpersonal communication, and the growing marketplace for new software, or "apps", enriches an already burgeoning array of purposes to which mobile technology can be put. We are thus witnessing the advent of conditions for a range of mobile technology enabled information systems. According to the latest statistics produced by the Central Intelligence Agency (CIA), there were 5.3 billion mobile subscriptions worldwide in 2010 out of a world population of about 7 billion people (World Fact Book 2011). With the advancements in mobile technologies, several governments have started looking to provide their services via wireless and mobile devices. Mobile government (m-government) is a new delivery channel that uses Information and Communication Technology to deliver and improve government services and that complements current e-government (Antovski and Gusev 2005). Currently, a number of m-government applications exist in several countries around the world. With the growth of m-government services, the importance of security for its acceptance and adoption has been noted in many studies (NECCC 2001; Al-khamayseh et al. 2006; Clarke and Furnell 2005, 2007). Requirements for user acceptance lead to a greater need for user and government authentication to protect data and services and to promote public trust. Citizens' negative perception of the security of mobile services is a serious issue that may affect their adoption of the technology for critical applications (Chang and Kannan 2002).

This chapter describes an enquiry into how biometric technology, which can provide reliable user authentication, can play an integral role in providing secure m-government services. We use Grounded Theory methodology to understand reality from the point of view of the participants, including mobile users, service providers, and network operators, in order to develop a substantive theory for the adoption of biometric authentication in m-government security. Urquhart et al. (2009) indicated that Grounded Theory has proved extremely useful in the field of information systems, which led them to recommend its application to help generate theories in that field.


This chapter provides a unique perspective on the adoption of biometric authentication in the context of mobile government applications, taking into account the requirements and opinions of the people involved in m-government, including mobile users, service providers, and network operators. It addresses a gap in the literature regarding the factors influencing the adoption of biometric authentication in m-government security. The main contribution of this chapter is the development of a new substantive theory that provides a theoretical framework for the factors influencing this technology's adoption. Thus, it provides rich insights and increased understanding of the concerns and perceptions of the abovementioned stakeholders regarding the application of biometric authentication to mobile devices for government services. Moreover, this chapter provides a new example of the application of Grounded Theory methodology to qualitative information systems research.

This chapter is structured as follows. It begins with a brief background relating to information security and mobile government. Next, the chapter discusses the adoption of biometric technology within the context of electronic and mobile government. The chapter then explains and justifies the methodological choices along with the description of Grounded Theory methodology. The chapter also explains the context of the study in addition to the data collection procedures. The application of Grounded Theory is then detailed and described. Finally, the chapter concludes by developing a new theoretical framework for factors influencing the adoption of biometric authentication in m-government security and providing several considerations for the adoption of biometrics in m-government applications.

#### **2. Information security and m-government**

The primary entities of m-government are mobile phone users, government agencies as service providers, and the network operators. Although they have several different requirements, they share security as one of the most important system requirements. As mentioned above, security is the most important issue facing m-government applications and it is a basic feature of the mobile communication infrastructure. Specifically, security has five features that need to be considered: user authentication, data integrity, service availability, information confidentiality, and non-repudiation of user participation in transactions. A biometric system enhances the identification, authentication and non-repudiation of the information's user to support facets of information security. It can help "to provide identity-based access control and to authenticate integrity of information with respect to subject involved" (Vielhauer 2006, p. 18).

#### **2.1 Authentication strategies**

There are three general categories of authentication as follows:


The Personal Identification Number (PIN) is a secret-knowledge authentication method and consequently relies upon knowledge that only the authorized user has. Although the PIN and password are the most commonly used methods for authentication in information systems (Scott et al. 2005), such secret-knowledge approaches unfortunately have long-established problems, with weaknesses often being introduced by the authorized users themselves. These are most clearly documented in relation to passwords, with bad practices including the selection of weak and easily guessable strings, sharing passwords with other people, writing them down where others can find them, and never changing them (Clarke and Furnell 2005). Consequently, these approaches are the easiest targets for hackers.

A security token is a physical entity or item that an individual possesses to establish personal identification, such as a passport, ID card, or credit card (Jain et al. 2000). This token based approach is approximately similar to the secret knowledge approach, as it basically relies upon the user remembering to bring along something to ensure security whereby the token needs to be physically present (Clarke and Furnell 2007). Therefore, secret knowledge and token based authentication approaches are unsatisfactory methods of achieving the security requirements of information systems, as they are unable to differentiate between an authorized and an unauthorized person who fraudulently acquires the knowledge or token of the authorized person (Jain et al. 2000). On the other hand, biometric authentication relies upon the unique physiological and behavioural characteristics of an individual; hence, it cannot be forgotten, lost or stolen.

#### **2.2 The current authentication system in m-government**

The current security method in mobile phone based m-government applications is based on the use of 4 to 8 digit Personal Identification Numbers (PINs). This method can be applied to both the mobile device and the user's Subscriber Identity Module (SIM), which is a removable token containing the cryptographic keys required for network authentication. As mentioned above, the PIN is an approach providing low level authentication, as it is based on something the user knows. The existing SIM card, a token based approach, can be physically removed from the mobile device when not in use; however, users usually leave it inside the mobile device for convenience as well as to avoid loss or damage (Clarke and Furnell 2007). Thus, the PIN and SIM card approaches carry the risk of loss or theft, which can compromise the security of information, especially where sensitive personal information is included. This confirms the need for an advanced approach for ensuring and enhancing the security of data in mobile devices.

Providers of second generation (2G) and third generation (3G) mobile networks deliver smartcards with pre-installed symmetric keys which are used by the network to authenticate the mobile device and, in the 3G case, for the mobile device to authenticate the access network. The authentication system is based on the trust relationship that exists between the access network provider and the service provider via a roaming agreement, and between the user and the service provider via the service subscription. The symmetric session keys for data confidentiality and integrity sent over the airwaves are derived during the authentication process. However, data confidentiality and integrity extending over the whole path between the communicating parties is not provided by the access network security of second and third generation systems which has to be provided on the network at application levels for end-to-end security (Dankers et al. 2004). With this in mind, Public Key Infrastructure (PKI) combined with biometric authentication may present a suitable integrated solution to achieve end-to-end m-government security.

properly and invest in any organisation as long as that organisation has an identity as an effective company (Ashbourn 2004).

Biometric technology is also used in the identification of citizens by e-governments. If they choose, every nation should ethically be able to identify its citizens and non-citizens by using national identification cards, visas, and passports. As a result, e-governments are in a position to identify their citizens in the production of these documents, hence reducing the issue of illegal immigration. A good example is the United States, which has widely adopted biometric technology since the events of September 11, 2001. Two laws, relating to identification of transport workers and to immigrants, were made in the United States, triggering a mass deployment of biometrics. Now, seven million transportation employees in the United States have biometrics incorporated into their ID cards. Moreover, in order to closely control visitors who enter and leave the country, all foreign visitors are required to present valid passports with biometric data; consequently, over 500 million U.S. visitors have to carry border-crossing documents which incorporate biometrics (Ashbourn 2004). Several European governments have also started to implement the use of biometrics. The U.K. government has begun issuing asylum seekers with identification smart cards storing two fingerprints. General plans have also been made to extend the use of biometric technology throughout the visa system in the U.K. as well as in France, Germany and Italy (Scott et al. 2005).

E-governments use the various types of biometric identification in order to control certain illegal behaviour. For example, the Japanese government plans to use biometric technology in passports to tackle illegal immigration and to enable tighter controls on terrorists. This will be applied within a computer chip which can store biometric features like fingerprints and facial recognition data (Scott et al. 2005).

Other e-governments are using biometric technology to secure access to certain defence bases and similarly secure areas. Biometrics can also provide potential for security cost savings. For instance, hand recognition has been used at the Scott Air Force Base to save more than \$400,000 in manpower costs through their metro-link biometric access gate (Frees 2008).

#### **3.1 Technology adoption factors among empirical studies**

Empirical studies related to the acceptance and adoption of mobile phones and electronic services via the Internet have mostly applied models based on the use of Diffusion of Innovation (Rogers 1995), the Technology Acceptance Model (Davis 1989), or the Unified Theory of Acceptance and Use of Technology (UTAUT) (Venkatesh et al. 2003). For instance, Jahangir and Begum (2008) introduced a conceptual framework that considered perceived usefulness, ease of use, as well as security and privacy as important factors that influence users' acceptance and adoption of electronic banking services. Another study by Tassabehji and Elliman (2006) highlighted trust and security as major factors affecting e-government adoption. Moreover, AlShihi (2007) indicated that trust has a wide impact on m-government acceptance. Lee et al. (2002) found that social influence and self-efficacy variables significantly affect perceived usefulness and perceived ease of use for user acceptance of the mobile Internet. Moreover, Teo and Pok (2003) found that social factors including perceptions of relative advantage play a significant role in influencing intentions for the adoption of Wireless Application Protocol (WAP)-enabled mobile phones amongst Internet

#### **2.3 Biometrics and m-government**

Integrating biometric authentication into mobile devices can be done in two different ways. The first technique is to store the biometric template in an external database (Giarimi and Magnusson 2002). In this case, the biometric data have to be sent over the network every time the user wants to be verified; the data are encrypted during that process, so the external database is used for storage rather than security. The problem is that users have no control over their own biometric pattern once it leaves the device. Furthermore, verification can potentially take a long time when data are being sent over the mobile network, due to traffic overload and the number and size of the files in transit. However, this technique does not take up much memory in the mobile device. The second technique is to store the biometric template in the device or, more specifically, on the smart card, which enables users to control their biometric pattern (Giarimi and Magnusson 2002). The biometric verification should take place when users want to log in to their mobile device and when they want to perform a government service. Moreover, this can be integrated with the Public Key Infrastructure, as mentioned earlier, to provide a more secure authentication system.
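The second technique combined with a public-key credential can be sketched as follows; this is an added example, not code from the chapter or from any m-government system. It assumes Ed25519 as the signature scheme, a binary template compared by Hamming distance, a 0.25 mismatch threshold, and the hypothetical names `Device`, `Server`, `Enroll`, `SignChallenge` and `Authenticate`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/bits"
)

const matchThreshold = 0.25 // assumed tolerance for sensor noise (not from the chapter)

// Device keeps the enrolled template and private key on the handset or smart card.
type Device struct {
	template []byte
	priv     ed25519.PrivateKey
}

// Server stores only the citizen's public key and no biometric data.
type Server struct{ pub ed25519.PublicKey }

// Enroll generates the key pair on the device and registers the public key.
func Enroll(template []byte) (*Device, *Server) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{template: template, priv: priv}, &Server{pub: pub}
}

// hammingFraction is the share of differing bits in two equal-length vectors.
func hammingFraction(a, b []byte) float64 {
	diff := 0
	for i := range a {
		diff += bits.OnesCount8(a[i] ^ b[i])
	}
	return float64(diff) / float64(8*len(a))
}

// SignChallenge matches the fresh sample against the local template and signs
// the nonce only on a match; neither sample nor template is transmitted.
func (d *Device) SignChallenge(sample, nonce []byte) ([]byte, error) {
	if len(sample) == 0 || len(sample) != len(d.template) ||
		hammingFraction(sample, d.template) > matchThreshold {
		return nil, errors.New("biometric mismatch: signing key not released")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// Authenticate runs one challenge-response round; respond models the network
// hop to the handset. A fresh nonce per round makes captured signatures useless.
func (s *Server) Authenticate(respond func(nonce []byte) ([]byte, error)) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	sig, err := respond(nonce)
	return err == nil && ed25519.Verify(s.pub, nonce, sig)
}

func main() {
	tmpl := []byte{0xA5, 0x3C, 0x5A, 0xC3, 0x0F, 0xF0, 0x96, 0x69} // constructed template
	dev, srv := Enroll(tmpl)
	ok := srv.Authenticate(func(n []byte) ([]byte, error) { return dev.SignChallenge(tmpl, n) })
	fmt.Println("genuine user accepted:", ok)
}
```

Only the nonce and the signature cross the network, which is what gives the user control over the biometric pattern in the on-device technique.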
