1. Introduction
Identity management (IDM) is the first security barrier of a digital system that consists of
identification and
authentication of users to mitigate security breaches. Identification labels each user with an identifier, while authentication allows them to prove they are who they claim to be [
1]. However, just about all authentication methods (such as passwords, biometrics, tokens, etc.) can be compromised since they have known vulnerabilities that could be exploited [
1]. When users’ credentials are compromised, the security of every system relying on them to authorise access is also compromised [
2]. Multi-factor authentication is perceived to overcome this issue and offer better identity proofing [
3]. Nevertheless, organisations still experience data breaches. Personal identifiable information (PII), from “billions of email account details to millions of credit and identity data”, can now be found on the internet [
4]. A growing tendency suggests that the centralised architecture used in today’s IDM systems might be problematic [
5].
Traditional centralised IDM systems embed the critical vulnerability of a single point of failure (SPOF) [
6] because they use a server to store users’ credentials and related identity data. This data is exposed when the server is compromised, violating the security of the system on the one hand and users’ privacy on the other hand [
7]. Balancing security and privacy in organisations is an increasingly challenging task, if not an IDM dilemma. Organisations must know “as much as possible about their (potential) customers” as part of their customer diligence requirements [
8] (p. 22). Yet, they need to preserve users’ privacy in compliance with government regulations, such as the Protection of Personal Information Act (POPIA) in South Africa.
Meanwhile, internet growth has resulted in dozens of digital accounts per user for different online services they subscribe to, forcing many to adopt insecure behaviour like reusing the same credentials with various services [
9]. Others have been using weak credentials, so they are easier to remember, making it easier for imposters to guess them [
2]. Secure and reliable IDM has also proven to be among “the greatest challenges facing cloud computing today” [
10] (p. 724), being essential to achieving the requisite ‘secure cloud’ [
11] (p. 91). ‘Secure IoT’ (Internet of Things) is another crucial IDM challenge, requiring organisations to effectively identify and authenticate interconnected ‘things’ interacting with people on a digital system [
12,
13]. ‘Things’ include software, smartphones, robots, automobiles, appliances, entertainment devices, etc.
Innovative IDM systems like BDIDM are emerging to deal with some of the above IDM challenges [
6]. Despite its immaturity [
14], BDIDM is reported to have no SPOF vulnerability [
15] thanks to its decentralised and disintermediated architecture. Typical BDIDM models like SSI are claimed to be privacy-preserving [
7] and dissolve the need for multiple accounts by enabling identity interoperability among different online services [
16]. SSI might also facilitate ‘secure cloud’ and ‘secure IoT’ [
4] in the form of distributed ID-as-a-Service [
17]. Thus, organisations might consider adopting BDIDM to avoid potential competitive disadvantages.
Beyond organisations’ legitimate need to address IDM issues, there is more that might affect the likelihood of them adopting such innovation. The technology, organisation, and external environment (TOE) model depicts a comprehensive context of enterprise adoption of innovation. TOE is claimed to explain how an organisation “identifies the need, searches, and adopts new technologies” [
18] (p. 232). Therefore, this research investigates how TOE factors might predict organisations’ adoption behaviours toward BDIDM to determine the most critical predictors and examine their effect. TOE theory is also claimed to have “broad applicability” across various technological, industrial, and national/cultural contexts [
18] (p. 151). This study also seeks to verify this claim by assessing TOE-BDIDM’s effectiveness and appropriateness in investigating the phenomenon of organisation’s adoption behavior in the context of IDM.
The few studies on blockchain adoption mainly focus on its individual rather than enterprise adoption. This study contributes to the body of knowledge about perceptions of blockchain applications in the enterprise context to address the lack of empirical research on the topics. Knowing how organisations perceive the value proposition of BDIDM will inform scientific enquiries for more realistic blockchain design theories, which will in turn impact the practice. The findings could also inform IDM policymaking in organisations and inspire future research. Theoretically, this study contributes to extending the TOE theory. It advocates for a more comprehensive theory, TOEU, that includes the User context to better explain organisations’ adoption behaviour toward disruptive technologies like SSI. This enterprise-level theory of innovation adoption has not been given much attention like other related theories yet.
The rest of the introduction gives additional background necessary to understand the topic and the TOE-BDIDM model.
1.1. The ‘Ideal’ BDIDM Model for Organisations
The implementation of any blockchain application includes answering three fundamental questions: (i) who can join the network (public vs. private); (ii) whether a validator will be needed (permissioned vs. permissionless); and (iii) what type of consensus protocol (such as Raft, Federated, Proof of Authority, Proof of Work, Proof of Stake, etc.) will regulate interactions among participants [
19]. Combined answers to these questions result in three types of blockchains: public permissionless, public permissioned, and private permissioned [
20]. In BDIDM terms, public permissionless blockchains are not restricted. Anyone can join to get their DID and self-manage it. They have full control over it and can use it wherever they wish. Public permissioned blockchains are somewhat restricted. Some users can join to get their DIDs and self-manage them as they also have full control over them. Private permissioned blockchains are completely restricted to known and trusted users only. The validator known as “Trust Anchor” [
21] (p. 46) has control over users’ DIDs and could, for instance, block a particular DID if necessary.
Some researchers support the notion that public permissioned blockchains are ideal for implementing typical BDIDM models like SSI [
16] since they are perceived as more balanced versions of blockchains [
22]. They are more decentralised, scalable, efficient [
23], and offer “privacy protection and high transparency” [
24] (p. 21573). Others argue that private permissioned blockchain might be the perfect implementation for ‘enterprise BDIDM’ because it endorses a service-centric approach by giving total control of the system to the identity provider, i.e., Trust Anchor [
21]. However, a private permissioned blockchain would not differ much from traditional centralised models, from which organisations might want to move.
A different view suggests that the choice of the ideal BDIDM implementation ought to depend on trust assumptions [
25]. From the outsider-threat perspective of cybersecurity theory [
1], this implicit trust means that any type of BDIDM would be unnecessary for ‘trusted users’ (staff members accessing corporate systems from the intranet); permissioned BDIDM would make sense for ‘semi-trusted users’ (clients, suppliers, partners, etc., accessing corporate systems from the extranet)
; and permissionless BDIDM would be perfect for ‘untrusted users’ (visitors or any unknown user accessing corporate systems from the internet) [
25]. However, the National Institute of Standards and Technology (NIST) highlights the new tendency to shift from this traditional implicit trust framework to a Zero Trust (ZT) security architecture. ZT tends to support the insider-threat cybersecurity theory that indirectly advocates for even more radical BDIDM, like SSI. ZT theory suggests that all entities ought to be untrusted, and prevented from accessing corporate systems by default: all should rigorously prove the authenticity of their identity in order to gain access [
26].
These diverging views around the ideal blockchain implementation for enterprise BDIDM amplify the challenges of adoption and suggest the criticality of blockchain type on BDIDM adoption decision making in organisations. The findings shall reveal which blockchain type organisations might prefer the most and whether that is associated with their adoption behaviour toward BDIDM.
1.2. The Sustainability of the SSI Model in Organisations
SSI is a BDIDM model famous for maintaining users’ privacy and thus enhancing sustainable management of identities on digital systems. Organisations’ use of a privacy-respectful mechanism in identifying and authenticating users could mitigate data breaches, especially PII leaks [
27,
28]. However, there are controversies about SSI sustainability for organisations since the traditional centralised logic of IDM might be hostile to privacy. SSI adoption might involve solving the conflict between privacy and trust [
29].
SSI for enterprise could be illustrated with the scenario of a newly recruited employee. The new employee, Alice, would not need to disclose any PII to their employer, nor create any digital account with them. Thus, there are no additional password/s for Allice to recall. Alice would simply invite their new employer to verify their already existing DID to access the corporate digital assets. Consequently, the employer has no control over that DID and Alice’s privacy is preserved [
30]. From the perspective of traditional information security principles, this scenario is disruptive for organisations. An organisation would not trust Alice’s DID, because it is external [
25]. The organisation would question whether participants in the blockchain storing Alice’s DID are trustworthy. The organisation would be concerned about potential risks involved when Alice’s DID gets hacked, or wonder whether an imposter was behind Alice’s DID to spy on the company’s business [
1]. It would be nearly unacceptable for the organisation to lose control over Alice’s DID since it is used to access its confidential information [
2].
SSI opponents stress blockchain’s weaknesses at its endpoints [
31]. The PII anonymisation not only means that there is no central authority to block an account in case of identity theft or misbehaviour but also that “each user must themselves safeguard against forgetting (or losing) the private key” [
32] (p. 5). SSI is risky because the user is the only one responsible for managing all the cryptographic keys protecting their DIDs [
7]. Some researchers even question whether further adoption of blockchain-based solutions ought to be encouraged and whether the overall potential for change “could be [a] net positive” [
33] (p. 447). However, others recommend proactive planning instead of fear of the unknown, arguing that “reluctance to adopt disruptive technologies may be a significant competitive disadvantage for an organisation” [
14] (p. 34).
Indeed, blockchain technology offers a paradigm shift in developing next-generation cybersecurity barriers. Blockchain-based solutions like BDIDM ensure data integrity due to cryptography and non-reliance on passwords. A blockchain is, by design, resilient to SPOF and “assumes the presence of adversaries in the network”, making tampering with it extremely difficult (but not impossible) [
6] (p. XIII). The identity self-management feature of SSI could lead to reduced costs of transactions for both users and organisations [
7]. Users benefit from the reduced costs of identity theft and PII leaking. Organisations benefit from the exemption from protecting any PII and replicating it among interested services, reducing related costs of privacy infringements. The cost savings in password management ranges in the millions of dollars [
34]. Yet, one would argue that organisations would still prefer to pay these costs than lose control over users.
These divergences make BDIDM adoption in organisations even more daunting. The study findings shall reveal the extent to which organisations are likely to adopt BDIDM. The findings shall especially reveal organisations’ adoption behaviour toward SSI. As mentioned earlier, other factors are involved in predicting organisations’ adoption behaviour toward BDIDM. This study chose to classify them all according to the TOE theory as technological, organisational, and environmental factors. These factors form the basis of the TOE-BDIDM model.
1.3. The TOE-BDIDM Research Model
The TOE-BDIDM model in
Figure 1 is a particularised version of the TOE model initially developed by Tornatzky and Fleischer in 1990 as part of
The Processes of Technological Innovation then updated later by Jeff Baker in 2011 [
18]. The model is operationalised to guide empirical investigation of the enterprise BDIDM adoption phenomenon [
30]. The present study (i) develops ten alternative hypotheses, H
a1 to H
a10, represented by the arrows between the independent variables (The nine first-order constructs) and the dependent variable (adopt or not adopt BDIDM) as shown in
Figure 1. The study then (ii) tests the associated null hypotheses H
01 to H
010, and then (iii) assesses the TOE performance in the BDIDM context. The sub-sections of technological factors, organisational factors, and environmental factors detail the hypotheses’ development to anticipate organisations’ adoption behaviour toward BDIDM.
1.3.1. Technological Factors
Technologies in use and those existing in the marketplace but not yet adopted can affect how organisations adopt an innovation [
18]. In the case of BDIDM, legacy centralised technologies may constrain its adoption due to their incompatibility with a distributed architecture [
21]. BDIDM might lead to a complete rebooting of the organisation’s Information Technology (IT) infrastructure [
35]. Since a poorly designed blockchain could be disastrous, its adequate implementation requires new competencies, which are still rare [
36]. Thus, we posit that
IT infrastructure and competencies have a statistically significant effect on organisations’ adoption behaviours toward BDIDM (Ha4).The market is now offering some BDIDM products, providing insight into BDIDM readiness in terms of its governance and standardisation [
37]. However, there are inconsistencies in updating blockchain’s fundamental rules [
37]. Consensus-based rules involve all nodes, “which can be any device” [
38] (p. 242). This seems problematic for organisations following centralised-IDM logic and could disrupt the accountability and management of the network [
39]. Therefore, we hypothesise that
BDIDM readiness (for the enterprise context) has a statistically significant effect on organisations’ adoption behaviours toward BDIDM (Ha3).Innovation’s characteristics, i.e., the extent of the change it brings, also affect organisations’ adoption decision making. BDIDM is a radical innovation. It does not increment or synthesise existing technologies but tends to reboot them in a radical manner through distributed computing [
40]. Such innovations produce “discontinuous change” and have higher adoption risks, yet can “enhance competitive standing in an organisation” [
18] (p. 232). Technology characteristics relevant to BDIDM adoption include trialability, observability, compatibility, and complexity [
41]. Another key BDIDM characteristic is the security construct. The CIA triad theory states that security balances confidentiality, integrity, and availability; thus the acronym CIA [
1]. The Trust Service Framework (TSF) adds a fourth item of privacy [
42]. This extension means that security without privacy is problematic, just as a four-legged table cannot balance if one leg is missing [
30]. This principle seems to be what BDIDM, especially SSI, advocates for. All these dynamics lead to hypothesising that
BDIDM characteristics have a statistically significant effect on organisations’ adoption behaviours toward BDIDM (Ha1).Blockchain types might be another essential facet of BDIDM characteristics. It seems there are underlying diverging views in the literature around the ideal BDIDM implementation for enterprises, which might signal significant differences among blockchain types associated with BDIDM adoption decision making in organisations. Therefore, we anticipate that statistically, blockchain types are significantly different and associated with organisations’ adoption behaviours toward BDIDM (Ha2).
Another relevant technological construct is “technical know-how” [
43] (p. 7), made up of the availability of skills, consultants, and vendors of BDIDM. However, this study chooses to view these items as external to the organisation and thus identifies them under environmental factors [
18].
1.3.2. Organisational Factors
The organisational factors include a firm’s characteristics that can affect organisations’ adoption behaviour, typically through its structure and communication processes [
44]. Organisational structures like formal and informal mechanisms linking different organisation units may promote innovation [
18]. Organisations with an organic and decentralised structure may cope well with the BDIDM adoption phase. Those with formal reporting relationships, centralised decision-making, and clearly defined roles for employees may instead cope well with the implementation phase [
18]. Communication processes or channels like “top management support” [
45] (p. 1457) can either promote or constrain the adoption since it is key to preparing a corporate culture that welcomes change. The support would typically include describing the BDIDM value proposition, rewarding related initiatives, and building “a skilled executive team” that can cast a compellingly firm vision [
46] (p. 233). Thus, we posit that
organisation characteristics have a statistically significant effect on organisations’ adoption behaviours toward BDIDM (Ha5).
Another organisational factor consists of organisations’ readiness in terms of (financial) resources and awareness. BDIDM upfront implementation cost is perceived as high financially and requires highly skilled labour [
36]. Blockchain technology was initially designed for “an investment rather than a traditional business use with an expected return on investment” [
14] (p. 37). Moreover, organisations tend to be hostile to strongly privacy-flavoured BDIDM like SSI [
45]. BDIDM’s relative newness raises the importance of organisations’ awareness, preparedness, and cultural adaptation [
39] for such change as opposed to their “reluctance to change” or “fear of unknown technology” [
14] (p. 37). We, then, hypothesise that
organisation readiness has a statistically significant positive effect on organisations’ adoption behaviours toward BDIDM (Ha6).Organisation size is considered a minor organisational factor, as there have not been many empirical studies confirming its link to innovation adoption [
18]. However, due to the implementation cost involved [
14], SMEs may be less likely to adopt BDIDM than larger organisations [
45]. Small businesses and startups would not be able to afford such expensive and disruptive technologies [
14]. Therefore, we speculate that
statistically, organisations’ sizes (means they) are significantly different and thus are associated with organisations’ adoption behaviours toward BDIDM (Ha7).
1.3.3. Environmental Factors
Environmental factors that could affect organisations’ adoption behaviour include the industry’s characteristics (like competition, dominant firms, etc.), the availability of service providers, and whether the regulatory environment, such as government regulations, exists [
18]. The industry life cycle can also affect innovation adoption: firms in rapidly growing industries tend to innovate more quickly than those in mature or declining industries. Similarly, the availability of supportive infrastructure, skilled labour, and consultants may affect the adoption [
18,
43]. Thus, we propose that
industry and market environment have a statistically significant effect on organisations’ adoption behaviours toward BDIDM (
Ha8). Likewise,
support environment has a statistically significant effect on organisations’ adoption behaviours toward BDIDM (Ha9).Additionally, BDIDM adoption in organisations may be affected by the need to comply with government regulations for protecting users’ privacy, like POPIA in South Africa, and some security codes of best practices, like ISO/IEC 27001/2 and NIST [
47]. Moreover, the lack of blockchain-specific firm regulations, guidelines, and policies for its adequate standardisation could heavily affect its adoption in organisations [
14,
36]. For this reason, we posit that
regulatory environment has a statistically significant effect on organisations’ adoption behaviours toward BDIDM (Ha10).The rest of the paper is organised into four sections.
Section 2 discusses the methodology followed by executing the research.
Section 3 reports the research results, followed by
Section 4 discussing the result’s implications. The last section,
Section 5, concludes the study, highlights major limitations, and provides hints for future research.
2. Materials and Methods
This section elaborates on the methodology followed to do this cross-sectional research. The study considered the positivism philosophy, focusing on what could be objectively measured without researchers’ interference [
48]. It followed a deductive approach since it aimed to test the appropriateness and effectiveness of an existing theory, TOE, for the BDIDM context. Baker [
18] claimed that TOE is cross-industry, technology, and context. The study utilised the survey strategy, because it deals with ‘what’ and ‘how’ research questions, aligning well with the study’s purpose and approach. Awa et al. [
43] proved that a survey can be successfully used with the TOE theory. Surveys mitigate the chances for researchers to influence participants by avoiding direct interaction and limiting interference to preserve objectivity [
48].
2.1. Data Collection
The targeted population to which the study attempts to generalise its results consists of every organisation in the world. Thus, the study’s unit of analysis is organisation per se. The research sample consisted of South African organisations, due to the country’s proximity to researchers and high exposure to data breaches. Statistics report that Africa has one of the highest rates of cybercrimes and financial losses, with South Africa in the lead in this regard due to its high connectivity rate when compared to the rest of the continent [
49].
All qualified participants were targeted. The selection was random, but was limited by the algorithm embedded in the search engine of the medium used (LinkedIn) and restricted to the sample frame. Since identity management is primarily a domain of InfoSec management [
1], participants were InfoSec practitioners. However, this population was declared unknown by the Institute of Information Technology Professionals South Africa. The sample frame included different managerial levels of InfoSec to ensure the population representativeness. InfoSec managerial levels are often classified into security officers, managers, and technical staff. Security officers lead digital transformation and set the InfoSec policy in an organisation. They might play a decisive role in adopting BDIDM in their respective enterprises. Security managers are responsible for the security of a specific area of the organisation. They might have distinct perceptions of BDIDM adoption. Technical staff are responsible for implementing, maintaining, and monitoring security measures according to the InfoSec policy. They might have a pragmatic perspective on BDIDM adoption [
1,
2].
The data collection instrument was rooted in TOE-BDIDM. The online questionnaire translated every TOE-BDIDM item into a specific close-ended question and was built using Microsoft Forms. Three sections of the questionnaire measured the three main constructs and independent variables of the TOE-BDIDM model, namely: Technology, Organisation, and Environment. The fourth section measured the dependent variable of the TOE-BDIDM model, namely: BDIDM Adoption. The fifth section captured some background information about the sample.
Table 1 defines items retained to measure each construct and the independent variable while providing the type of scales used to observe each item.
Data collection took place from February to August 2021. A pilot was conducted for the 15 first records to test the instrument. Requests for participation were regularly sent via LinkedIn direct messages to all 884 prospective participants identified, 15 to 20 participants at a time to allow smooth troubleshooting. This troubleshooting consisted of proving the legitimacy of the research to participants who wished to establish that the participation request was not a disguised cyber-attack. This limitation was expected to constrain the sample size since InfoSec practitioners tend to be ‘reserved’ due to the nature of their jobs [
1].
2.2. Data Analysis
Statistical-paradigm-underlined data analysis was performed using three software applications: Microsoft Excel, the IBM Statistical Package for Social Science (SPSS) version 27.0, and the IBM SPSS analysis of moment structures (AMOS) version 24.0. The study’s confidence level was set to 95%, with a subsequent margin of error of 5 percent.
The analysis consisted of three main statistical tests: (i) Structural Equation Modelling (SEM) of the measurement model, known as confirmatory factor analysis (CFA), to test the model fitness and some types of validity and reliability; (ii) binary logistic regression modelling to test the null hypotheses involving variables measured on interval scales and assess the model’s predictive accuracy; and (iii) chi-squared tests of goodness-of-fit and association to test null hypotheses involving variables measured on nominal scales. Other important analysis activities included analysing different types of reliability and validity, as well as normality testing and data cleaning.
CFA is often used in social science research [
51] to test the fitness of a model with latent variables to particular data. The TOE-BDIDM had latent variables at three levels. The lower level had the security construct; the middle level had BDIDM Characteristics, BDIDM Readiness, Infrastructure and Competencies, BDIDM Characteristics, BDIDM Readiness, Market and Industry, Support Environment, and Regulatory Environment constructs; and the upper level had Technology, Organisation, and Environment constructs. These levelled latent variables lead to a “higher-order CFA” [
52] (p. 287) [
53] (p. 288).
Table 2 describes the fitness indices and their level of acceptance. In the absolute-fit category, Chisq should be insignificant, i.e., with a
p > 0.05, for a better fit. A significant Chisq indicates a significant difference between the hypothesised model and the actual variance matrices, thus a poorer fit. In addition to testing the model fitness, CFA facilitates the assessment of some reliability and validity measurements [
54].
Table 3 describes the level-of-acceptance of reliability and validity indexes. The internal reliability of scales was estimated using Cronbach’s alpha and parallel forms techniques.
A binary logistic regression modelling “aims to see whether a value of the binary dependent variable can be predicted by the score of an independent variable” [
55] (p. 319). In this study, the test sought to see if scores in the TOE factors, i.e., the eight middle latent variables, could predict adopters (‘1’ value) and non-adopters (‘0’ value) in the Adopt Indicator dependent variable. Binary logistic regression analysis was more suitable than path analysis mainly because the dependent variable’s scale is dichotomous. Path analysis involves linear regression [
56] and requires that the dependent variable be measured on a ratio [
57] or interval scale [
58].
In IBM Amos SPSS, the binary logistic regression test involves an omnibus test, Hosmer–Lemeshow goodness-of-fit test, and Cox–Snell R-Squared (R
2) values to estimate the explanatory strength of the latent variables. The significance of the regression depends on the significance of the omnibus test (
p < 0.05) and the insignificance of the Hosmer–Lemeshow test (
p > 0.05). Wald statistics also accompany the test to determine the significance of each factor of the logistic regression. A classification table displays the number of observed cases the model predicted accurately and their percentages [
55,
58]. This test was appropriate for all the null hypotheses except H
02 and H
07.
H
02 and H
07 involve nominal variables, which were tested separately using the chi-squared test of goodness-of-fit and association. The chi-squared test of goodness-of-fit compares expected and observed frequencies of the categories of a variable to assess whether there is a significant difference between them [
58]. The chi-squared test of association seeks to “compare two different sets of frequency counts to see” if they are associated [
55] (p. 13).
3. Results
This section reports the study’s findings based on statistical tests performed on data as predesigned. The survey recorded 115 responses out of 884 requests sent, indicating a participation rate of 13%. The survey was set to only record valid responses to anticipate data cleaning. Thus, no missing data were found in the dataset. However, four records were excluded because they were beyond the sample frame or ethics requirements: two respondents were outside South African organisations, and two were younger than 18. This led to a sample size of 111. This sample size is arguably acceptable given the good internal consistency and exceptional “missing data level” of 0, though it led to 4.8 responses per parameter, close to the minimum requirement of five responses per parameter [
69] (p. 2223). The distributions were visualised in boxplots to indicate the five extreme values as outliers. Records with outliers were not deleted to avoid unnecessary shrinking of the sample size. Except for nominal variables, all outliers were replaced by the average values of the respective distributions.
3.1. Demographic Information
The 111 InfoSec practitioners had various backgrounds, but their profiles aligned well with the sample frame as shown in
Table 4: 14 officers, 16 managers, and 78 technical staff. The executive level was not anticipated but aligned well with the targeted profiles. Respondents could enter their job titles when they could not pick one which was representative of their position from the list provided. The table also shows that all four organisation sizes were represented in the sample. The organisation’s sizes were determined by the number of employees as estimated by each respondent: above 250 employees for large enterprises, 51 to 250 employees for medium enterprises, 11 to 50 employees for small enterprises, and below 10 employees for micro-enterprises. Of the 111 respondents, 70 belonged to large enterprises and 41 belonged to SMEs. The pie chart in
Figure 2 describes organisation sectors represented in the sample according to the Statistics South Africa department classification (stats-sa, inedi). Most of the respondents’ organisations fall under information and communication technology (47 respondents, accounting for 42.3 % of the sample) or financial and insurance (30 respondents, accounting for 27 % of the sample) sectors.
Table 5 gives additional background information, including age group, IDM system existence, awareness of BDIDM, blockchain type, and the intention to adopt BDIDM.
3.2. Assessing Internal and Parallel-Forms Reliabilities
In
Table 6 column ‘α’ shows that all constructs had good internal consistency. A good percentage of the variance observed in the constructs is accurate and reliable: 78% for security, 72% for BDIDM Characteristics, 65% for BDIDM Readiness, 69% for IT Infrastructure and Competences, 78% for Organisation Characteristics, 83% for Organisation Readiness, 78% for Support Environment, 89% for Industry and Market Environment, and 78% for Regulatory Environment. The security variable part of BDIDM Characteristics was computed as the average of its constituents as predesigned according to the CIA triad theory. The Cronbach’s alpha test suggested that Awareness1 be excluded from the Organisation Characteristics construct to improve its internal consistency to 0.83 from 0.45. However, before excluding it, the test of the parallel form was performed to assess any possibility of combining it with Awareness2.
The questionnaire had some parallel questions (i.e., different questions measuring the same items) set intentionally to anticipate internal reliability. The parallel-form reliability estimates the correlation between such variables to test the consistency of answers [
70]. The Spearman’s correlation test showed that Blockchain Type1 and Blockchain Type2 correlated absolutely since the
p-value was 0.0. Thus, the study’s observation about Blockchain Type for the enterprise context is accurate and reliable. Blockchain Type2 was chosen for the rest of the analysis because it was more reliable. The Pearson correlation test shows that Awareness1 and Awareness2 were not correlated, as the
p-value was 0.06. The survey questions might not have been semantically identical enough and thus measured distinct aspects of awareness. Thus, Awareness1 and Awareness2 could not be combined. Awareness2 was chosen over Awareness1 because it was far more reliable.
3.3. SEM of the Measurement Model—CFA
The higher-order CFA shown in
Figure 3 represents TOE-BDIDM’s measuring model performed on data using IBM Amos SPSS. Directional arrows indicate causal relationships, bidirectional arrows indicate covariance relationships, and circles measure error on each ‘caused’ variable. Numbers on directional arrows indicate the factor loadings and those on bidirectional arrows indicate covariance rate between constructs. Rectangles represent indicators or items. Ovals in the middle represent first-order constructs (the eight latent variables), while those on the right-hand side represent second-order constructs (the three contexts of the TOE model). It is important to recall that Organisation Size and Blockchain Type items are excluded from CFA because they are nominal scales.
Table 7 reports the fitness indices for the hypotheses’ BDIDM model as illustrated in
Figure 3 and the modified TOE-BDIDM model.
Fitness indices of the hypothesised model suggested a poor fit for this data. The model was modified to improve the fit by (i) excluding items with a poor factor loading of ʎ < 0.5, (ii) adding some covariances between errors as suggested by improvement indices of the test, and (iii) solving a suspected ‘redundancy’ signalled by a very high covariance of 0.95 between Technology and Environment constructs. The Environment construct appeared more problematic because only one of its constituents, Sup_Env, was strongly loaded with ʎ = 0.98. The rest were unusually weak. The three constituents (Ind_Mark, Sup_Env, and Reg_Env) do not share a fair portion of variance with the Environment construct they intended to measure. Unexpectedly, Sup_Env was also strongly loading on the Organisation construct with ʎ = 0.95, causing it to be redundant with Environment. The problem was solved by moving Sup_Env into the Organisation construct and isolating the remaining variables.
Nevertheless, this change did not affect further binary logistic regression analysis since it only involved the first-order constructs. The suggestion of solving redundancy by either “combining the highly correlated variables through principal component analysis, or omitting a variable from the analysis that associated with another variable (s) highly” [
68] (p. 5) was not applicable. The redundancy happened at the higher level of the model, making it unreasonable to combine or omit such constructs. Moreover, the collinearity test performed earlier using linear regression analysis in SPSS suggested no case of multicollinearity.
Table 8 shows that all items’ and constructs’ tolerance values were greater than 0.1, and their respective VIF values less than 10. Therefore, the items and first-order constructs of the hypothesised model are distinctive, fulfilling the requirement of discriminant validity.
Table 8 reports good construct reliability of the hypothesised model as nearly all of the CR values for both first- and second-order constructs were greater than 0.6, except for the Technology construct which was entirely below this threshold. This result means that an overall good proportion of variance is shared between indicators and the constructs they measured.
Of the nine first-order constructs,
Table 8 shows that eight did more-or-less meet the acceptable level of convergent validity as their AVE values are greater than 0.5, even though BDIDM_Read and Org-Char’s values are just about that threshold while BDIDM_Char’s is remarkably low. BDIDM-Char’s AVE value did not improve after excluding poorly loading factors. The modified model reported AVE values of 0.39 for BDIDM_Char, 0.49 for BDIDM_Read, and 56 for Org-Char. Therefore, Sec and Obs items were reconsidered in the binary logistic modelling. This choice was also motivated by BDIDM_Char’s excellent internal consistency of α = 0.72 and good construct reliability of CR = 0.68 in the hypothesised model.
Of the three second-order constructs, only the Environment’s AVE value met the threshold of greater than 0.6. The modification done on the model did not improve this result, as the Technology and Organisation’s AVEs were still below 0.6, moving from 0.11 to 0.12 and from 0.13 to 12, respectively. However, the CFA indicated that nearly all regression weights of the hypothesised model were statistically significant. Therefore, the convergent validity of the hypothesised model is arguably acceptable. In other words, the variation in the constructs is reasonably explained by their respective item constituents. However, the hypothesised model did not fully meet the requirement concerning construct validity since the CFA suggested that it did not perfectly fit the data. The modified model offered a better fit.
3.4. Normality Testing
Any regression analysis requires data to be normally distributed. Normality testing only relied on boxplot visualisation, skewness, and kurtosis [
71]. The Shapiro and Kolmogorov tests are often difficult to pass for a sample size below 300 [
72]. A common rule in skewness and kurtosis assessment suggests that the statistic’s ratio on the test’s standard error should be less than the Z-distribution’s critical value of 1.96 [
73]. Another rule adds that the skewness statistic should be less than 0.8 [
74]. The tests performed on the eight distributions revealed that only Org_Read and Reg_Env had their skewness critical value greater than 1.96. However, their skewness and kurtosis statistics were mostly less than 0.8. Therefore, the eight distributions are approximately normally distributed and fit further analysis.
3.5. Binary Logistic Regression Analysis
Binary logistic regression analysis considered the hypothesis model over the modified since it has no redundant items or first-order constructs. The study’s hypotheses concern the direct relationship between the eight latent variables and the dependent variable without any moderation. The latent variables were computed as the average of their respective items. The binary logistic regression modelling was performed using IBM Amos SPSS and utilised the ‘Enter’ method. The enter method means the factors were simultaneously inserted together in the regression model in Step 1 to see their overall interaction. No factor was delayed or privileged over others.
The test showed a significant omnibus result of χ
2 = 31.15, df = 8,
p = 0.0 and an insignificant Hosmer result of χ
2 = 8.48, df = 8,
p = 0.39. These results indicate that the binary logistic regression was significant. The variance observed in the Adopt Indicator dependent variable was due to the variance observed in the TOE factors (the eight latent variables), rather than randomness. Therefore, there is a relationship between the TOE factors and organisations’ adoption behaviours toward BDIDM. The test reported a Cox–Snell R
2 of 0.245 to 0.351. Since the study’s confidence level is 95%, this interval meant that if the data collection was repeated 20 times, 19 would have 24.5 to 35.1% of the variance observed in the Adopt Indicator due to the variance in the TOE factors. The classification table in Block 1 (see
Table 9) shows that the hypothesised model has an overall predictive accuracy of 79.3%, a higher percentage than that of the basic model in Block 0, which displayed 72.1 percent. The hypothesised model was exceptionally accurate in predicting BDIDM adopters, more so than non-adopters: 92.5% of adopters were accurately predicted compared to only 45.2% of non-adopters accurately predicted.
Wald statistics in
Table 10 show the significance of each of the eight factors included in the regression, with the values of the ‘B’ column representing the values each could predict. A Yes value is predicted with positive values and a No value with negative values. It can be seen that only Org_Read factors could predict a ‘Yes’ in the Adopt Indicator. Thus, it has a positive effect on BDIDM adoption. The rest of the factors could predict a ‘No’ value in the Adopt Indicator. Thus, they have a negative effect on BDIDM adoption.
However, the column ‘Sig’ of the table reveals that only BDIDM_Char’s effect is statistically significant since it is the only factor displaying a p-value of less than 0.05 (Wald = 5.415, df = 1, Sig. = 0.02). Therefore, BDIDM characteristics, which is made up of Security, Trialability, Complexity, Observability, Compatibility, and Integration items, constituted the most significant factor that negatively affects the likelihood of adopting BDIDM in an organisation. The data provided enough evidence supporting that the more BDIDM is insecure, uncontrollable, user-unfriendly, complex, incompatible with other systems, and challenging to integrate into the enterprise ecosystem, the less likely an organisation would be to adopt it.
As a result, of the eight underlying null hypotheses, only H01 was rejected, which confirmed the study’s alternative hypothesis Ha1, stating that BDIDM Characteristics have a statistically significant effect on BDIDM Adoption.
3.6. Chi-Square Tests of Goodness of Fit and Association
Chi-squared tests were intended to test H
02 and H
07, as these were not part of the above logistic regression due to their nominal nature. This test was done in two steps: Chi-squared test of goodness-of-fit and Chi-squared test of association. The chi-squared test of goodness assessed the significance of the difference between categories for both Blockchain Type and Organisation Size variables, represented by H
02.
1 and H
07.
1, respectively. The test reported a
p-value of less than 0.05 for both Blockchain Type and Organisation Size variables, suggesting that the categories were indeed different. The chi-squared test of association assessed whether the outcome in the Adopt Indicator dependent variable was associated with the categories for both Blockchain Type and Organisation Type variables, represented by H
02.
2 and H
07.
2, respectively. As shown in
Table 11, the test reported
p-values of more than 0.05 for Organisation Size and less than 0.05 for Blockchain Type variables. These results suggest that only the Blockchain Types are associated with BDIDM adoption. Therefore, an organisation can decide whether to adopt BDIDM or not to based on the blockchain types involved.
Table 12 summarises the outcome of all hypothesis-testing activities. The study failed to reject the null hypotheses H
03, H
04, H
05, H
06, H
08, H
09, and H
010. This means there is not enough statistical evidence to support H
a3, H
a4, H
a5, H
a6, H
a8, H
a9, and H
a10. Only H
01 and H
02 were rejected, which confirmed the study’s alternative hypothesis H
a1 and H
a2.
3.7. Summary of Findings
The binary logistic regression analysis confirmed the relationship between the TOE factors and BDIDM adoption decision making. The factors predict whether an organisation would fall under the BDIDM Adopters or Non-Adopters category. The effect of each of the TOE factors was either positive or negative. A positive predictor suggests that positive growth in its score results in an increased likelihood of an organisation adopting BDIDM. A negative predictor suggests that negative growth in its score results in a decreased likelihood of an organisation adopting BDIDM. BDIDM Characteristics happened to be the only statistically significant factor in the regression.
The Chi-squared tests, on one hand, confirmed the notion that blockchain types are associated with organisations’ adoption behaviour toward BDIDM and, on the other hand, refuted the notion that organisation sizes are not associated with the behaviour.
SEM of the measurement model reveals that TOE-BDIDM is highly effective in predicting adopters of BDIDM, more so than non-adopters, accurately predicting 92.5% of adopters but only 45.2% of non-adopters. TOE-BDIDM tends to be faulty on construct validity since it did not perfectly fit the data. However, the model displays excellent internal reliability, good construct reliability, and arguably reasonable convergent and discriminant validity. Hence, the general view is that the model is relatively appropriate for the context of enterprise BDIDM adoption.
5. Conclusions
This study primarily sought to explain the predictive effect of TOE factors on organisations’ adoption behaviours toward BDIDM to determine the most critical predictors and examine their effect. Technology Characteristics happened to be the most critical factor and predicted BDIDM non-adopters the most. The more BDIDM is insecure, uncontrollable, user-unfriendly, complex, incompatible with other systems, and challenging to integrate into the enterprise ecosystem, the less likely an organisation would be to adopt it. Blockchain Type, which is an item within the Technology Characteristics construct, was confirmed to be associated with organisations’ adoption behaviour, supporting the notion that an organisation can adopt BDIDM because of the type of blockchain involved. The association between organisation sizes and BDIDM adoption happened to be statistically insignificant, supporting that SMEs are as likely to adopt BDIDM as larger organisations.
The majority of respondents intended to recommend BDIDM to their organisations yet, paradoxically, preferred private permissioned blockchain type the most, revealing resistance to decentralised and privacy-preserving BDIDM models like SSI. The latter might be utopian or impractical for organisations. Consequently, blockchain technology might not necessarily dissolve intermediation in IDM in organisations but rather transform it to maintain centralisation.
Regarding the TOE performance, the general view is that the TOE model is relatively appropriate for the context of enterprise BDIDM adoption. However, TOE’s flexibility appears to accommodate certain ambiguities. The TOE theory is arguably ‘incomplete’, as it does not include individual aspects of adoption, which seems critical for adopting disruptive technologies like BDIDM, especially SSI, in organisations. Therefore TOE should be extended to TOEU to include the User factors.
5.1. Limitations
A reflection on the research process identified some limitations linked to methodology, theory, and researchers’ experience.
At the methodological level, the first limitation was the philosophical choice of positivism and quantitative methods, which did not allow for deeper insights into the current state of BDIDM adoption in the South African context. Although this was due to the relative newness of the technology, which made the study prioritise prediction over history, a different approach would yield different results. The second limitation concerned data analysis. It was impossible to test the structure model of TOE-BDIDM using path analysis, as suggested by the SEM framework. This was due to the dichotomous nature of the dependent variable as intentionally set according to the study objective.
At the theoretical level, the key limitation was that the TOE theory was found to be, to some extent, incomplete. Although it was more suitable for the context than other theories found in the literature, it did not accommodate measures of the individual aspects of BDIDM adoption in organisations, which might be essential for the smooth adoption of this disruptive technology.
At the researchers’ experience level, there were some inconsistencies due to human error. The most noticeable limitation in this category was that the User Privacy item was missing from the interval-scaled data because it was unintentionally omitted in data collection. Hence, privacy was only measured on a binary scale, making it impossible to be part of the regression analysis and SEM of the measurement model.
5.2. Future Research
Given the limitations highlighted above, methodological, theoretical, and topical measures could be adopted for further research on the topic or in the field.
From a methodological perspective, as blockchain technology evolves, further research might consider using a different approach, including combining quantitative and qualitative data collection and analysis methods, to accommodate both depth and accuracy. Alternatively, one might want to record the actual state of BDIDM adoption in a specific context, for instance, using a case study or grounded theory research strategy rather than a survey.
From a theoretical perspective, future investigation of the adoption of disruptive technologies like BDIDM-SSI might consider combining TOE with another theoretical framework, such as TAM, to include the individual aspects of adoption in organisations. Alternatively, one might use any other theory, or develop one, that provides for all four contexts, namely: Technology, Organisation, External Environment, and ‘User’ (TOEU).
From a topical perspective, the reflection led to an understanding that BDIDM adoption might be beyond silos of adoption. It was learnt that, given its relatively high disruptiveness, BDIDM might perhaps be impractical for sole organisations to adopt without a national strategy supporting or enforcing the adoption. For a more sustainable adoption, a government might need to be actively involved in, if not initiate, the adoption. This is especially important in the case of national BDIDM. Therefore, future research might rather study the national adoption of BDIDM, or the broader institutionalisation of blockchain.