
CHAPTER THREE:

LITERATURE REVIEW

Overview

The literature review process started with a search around digital identity and the risks pertaining to online interactions. The search resulted in more than 300 articles; some were relevant to the topic, and some were not. After careful consideration of the articles from the search, a handful was selected as the base to build the foundation of the literature review by looking at the relevant articles describing digital identity and its risks.

The process of the search started with using different keywords in the ProQuest ABI/INFORM Global search platform; the keywords and keyword combinations were: “digital identity,” “digital identity AND risks,” “online personal data,” “online personal data AND risks.” The preliminary search was conducted through ABI/INFORM using the stated keywords, performing an abstract, peer-reviewed, full-text search. Then, articles were sorted through and filtered appropriately. The rest of the literature sources came from second-hand references within the first set of articles found in the search as well as cybersecurity industry known sources and articles found in different academic and practitioner conferences attended.

After selecting the appropriate academic articles as well as finding sources commonly used by practitioners in the cybersecurity industry, the next step was to perform an analysis of the themes of the articles found in the literature search to find overarching, common themes to categorize and illustrate in my literature review.

The analysis of the themes found helped synthesize the findings that constitute this literature review. The goal of synthesizing findings was to prioritize and filter through the appropriate themes and topics that appeared in the literature as relevant to this research. To conclude, gaps pertinent to the findings in the literature were highlighted to justify the reason for conducting this study and its important contribution to academia and practice.

The figure below depicts the process followed for the literature review.

Figure 3. Literature Review Process.

Themes from the Literature

Seven themes, illustrated in figure 4, were discovered during the literature review process that tell a very intriguing story. The story debuts with how the wide use of the internet caused an increase in the use of digital identity, which led to the creation of different ways to mitigate the risks this spike has caused.

The full story that the themes found in the literature review convey starts with the increased usage of the internet that created a gap that needed to be filled by personal online identifiers and digital identity to facilitate the expansion and ease of use of the online medium. There have been many definitions of digital identity. The broadest term definition is synonymous with the physical identity but in the digital world, along with a series of attributes that make it more valid and unique. With the rise of digital identity and online personal data, there were different thoughts and perspectives that sprouted to try to justify and promote the use of digital identity. With more usage over time, personal identifiers online created a plethora of privacy risks that affected people and their digital identity as well as physical properties and value-based personal property. To mitigate those privacy risks, governments and private organizations tried to establish a set of rules and regulations to support and help protect people’s privacy and personal data. That set of rules and regulations created the need for a group of best practices and appropriate training. The training in the workplace and best practices published for end-users made people unconsciously acquire habits and form behaviors in their risk-based decisions when using the internet and its peripherals or internet of things (IoT) devices. Those newly formed habits and best practice behavior needed to be complemented and enabled with a series of tools and training to help support and make the end-user more aware of the risks and mitigations available on the market to safe-keep personal digital information.

The seven themes from the literature review findings are illustrated in the figure below:

Figure 4. The Seven Themes from the Literature Review.

Theme 1: Increased Use of the Internet

The increase in internet usage enabled the facilitation of daily life tasks. According to Mueller and Sullivan, participating in societal activities requires people to use the internet in some way, shape, or form to facilitate everyday life (Mueller et al., 2006; Sullivan, 2014). This increased usage of the internet created a need for an enabler in the form of a unique identifier of people, and thus, digital identity came to be (Mueller et al., 2006). The internet has created the need for a medium to help in managing people’s digital identity and online interactions. Hence, it caused the creation of digital identity as a solution to enable the boost of the full use of the capabilities of the internet (Sullivan, 2014).

As technology became an integral part of life, whether people are waiting at the doctor’s office, in a public area for a friend, or for a football game to start, people tend to want to be connected through mobile phones or other IoT devices (Colbert, Yee, & George, 2016). With this increased usage of the internet and IoT devices came the increase of digital interactions and the need for digital identity. To enable this unavoidable medium called the internet, people have to use some sort of a unique identifier, like a username and password, to be able to be authenticated online and use email, bank accounts, bill payment platforms, and different services available online (Mueller et al., 2006). This increased internet usage caused the rise of risks and challenges to maintain information privacy (Sullivan, 2014). The rapid expansion and wide use of the internet, and every peripheral attached to it called IoT, caused new challenges to privacy and security protection (Choi et al., 2020). People knowingly or unwittingly disclose their personal information, but whether they are aware of the risks is further discussed in this study.

To help in solving the problems that sprouted from the use of digital identity, a proper definition is needed to help understand digital identity.

Theme 2: Definition of Digital Identity

To properly define digital identity, there is a common consensus among academics and practitioners that properly bridging between the physical and digital worlds is very important (Camp, 2004; Papangelis et al., 2020). To authenticate that connection, the digital has to be associated with the appropriate physical identity to validate that connection. Similar to digital identity, physical identity has a series of identifiers and attributes that associate with an individual (Mueller et al., 2006). To use the internet safely, there needs to be authentication and continuous authorization in place, between the physical and the digital, to mitigate some of the risks in wrongfully associating the proper physical person to their digital identity (Camp, 2004).

The way we identify a digital object as being what it purports to be and the criteria for continuously identifying it over a period of time are essential to maintain its credibility in the digital world; it is an ongoing authentication process (Allison, Currall, Moss, & Stuart, 2005). To understand the composition of digital identity, as illustrated in figure 2, there needs to be a better definition of identifiers, attributes, and digital relationships.

An identifier is something specific and uniquely associated with an individual. In some cases, identifiers can be a Social Security number, a birth certificate, a passport number, or any other type of identifier that is unique to the individual and can distinctly identify a person if that identifier is disclosed (Camp, 2004). Identifiers are only valid and meaningful when they are associated with the person they identify. A set of identifiers can be associated with an individual. In most cases, identifiers are difficult or impossible to alter (Mueller et al., 2006).

An attribute is a characteristic associated with an individual. Some of those characteristics involve hair color, eye color, vehicle identification number (VIN), make and model of vehicle driven, and home address. Any other group or series of behaviors attributed to an individual are also part of attributes. The series of behaviors can be the act of merely visiting the same websites daily in a particular sequence, credit card purchasing patterns, or a group of places frequently visited (Camp, 2004).

There is a common perspective that a person and his or her identity have a one-dimensional relationship (Gunasinghe et al., 2019). A person’s privacy directly relates to the privacy of his or her identity; this uniform relationship between the privacy of the person and the privacy of the person’s identity creates multiple levels of complication in privacy protection efforts. Three different levels emerge in the literature when defining identity (Alashoor et al., 2016): the first level is the individual; the second level is the relationships associated with the individual; and finally, the relationship of the individual to a group. The individual can be placed within the identifiers’ category, and the other two under the attributes category. To manage the different types of identities, there is a relationship between the physical, the personal, the social, and digital identities that should be considered and is essential to understand the relationship of privacy between the different layers (Alashoor et al., 2016).

The different definitions found of digital identity from the perspective of academics and practitioners manifest in the association of the physical to the digital world, taking into consideration the different identifiers, attributes, and behaviors of the individual. After identifying the basis of what is digital identity, there is a need to understand how people and organizations perceive digital identity and its impact on privacy.

Theme 3: Perspectives on Digital Identity and Privacy

With the increased and wide use of digital identity, there was a consensus among academics and practitioners that digital identity had impacted people’s lives as well as organizations and governments. Digital identity impacted the privacy of people, organizations as well as societies and governments, notably from a reputation and financial aspect with potential legal repercussions.

Sullivan, a prominent researcher on the matters of digital identity and law from Georgetown University Law Center, states that the misuse of digital identity attributes affects the integrity of digital identity. That impact can cause long term damage to a person’s reputational, legal, and commercial standing, online as well as offline (Sullivan, 2016). To help in understanding the potential implications of a digital identity compromise, it is helpful to understand the categories of personal information.

As part of digital identity, online personal information got segmented into three categories that are notably identified and discussed in the industry. Personal identifiable information, or PII, is a category associated with unique information about an individual (U.S. Department of Labor [DOL], 2020). Some digital identity attributes, as well as identifiers, fall within this category. Another major category is personal protected health information, or PHI, which deals with the health records of individuals (U.S. Department of Health & Human Services [HHS], 2015). Finally, financial information is covered under the category of personal financial information, or PFI, which is mainly a category that includes unique personal information on individuals’ banking information, data of credit, debit, or other transactional payment related personal data available online (Federal Trade Commission [FTC], 2012). The compromise of PII, PHI, and PFI can have a very undesirable effect on people’s lives.

Hence, people are wary about using the internet. There is a common perspective among people that their online personal data, activities, and behavior are being tracked by unwanted parties. Whether it is from hackers, organizations, or governments, people are wary that their online data and digital identity are being misused, and they feel that they cannot do much about it (Auxier et al., 2019). Organizations realized that the cybersecurity threats they constantly deal with are, in one aspect, tied to their employees.

Individuals, for the most part, are associated with organizations that they belong to. Whether it is their workplace or some other organization they are affiliated with, the digital identity and online interactions attributed to individuals indirectly affect the organization (Horn et al., 2015). Therefore, organizations started to take action and put together a set of rules and guidelines for their members, affiliates, or employees to try to give them guidance, awareness, and best practices on how to behave online to reduce the risk that can impact those organizations from a reputational or financial perspective (Paulsen, McDuffie, Newhouse, & Toth, 2012). As a result, governance plays a role in managing the risks pertaining to digital identity.

As digital identity is further adopted, governments from around the world are using it to leverage the increased usage of e-government applications to streamline their services (Sullivan, 2016). Countries from around the world, like the United States, Estonia, and several others, started initiatives to switch most of their services to e-government platforms to facilitate the access and ease of the usage of government services (Dutil, Howard, Langford, & Roy, 2007). This effort will reduce the levels of corruption in countries facing that problem. With the increased usage of online services, there is an increased need for privacy and tighter security to protect people’s data and keep it secure (Woodhouse, 2007).

Privacy becomes essential as digital identity use widens (Sullivan, 2014). Digital identity is impacting the way the government and the private sector operate. Introduced by Sullivan, the term “transaction identity” surfaced as using digital identity as a medium of digital transactions between individuals and governments as well as companies in the private sector (Sullivan, 2016). Transactional identity is important in leveraging digital identity as a medium to authenticate and validate the different parties involved in a transaction (Sullivan, 2016).

Just like any information system, using digital identity for conducting transactions online and trusting those transactions requires understanding its ontology to reduce the risks (Alsaedi, Stefanidis, Phalp, & Ali, 2019). The ontology of trusting personal data and digital identity in cyberspace is a subject that scholars, like Katzan (2011), have explored. For information to be secured and trusted for its authenticity in cyberspace, the CIA triad security model is identified in the IT security industry as a framework to keep personal data secure. The balance between the three focuses, confidentiality, integrity, and availability of data (known as the CIA triad), is important to maintain information security (European Union Agency for Cybersecurity, 2020). Confidentiality relates to the limitations on information access and disclosure. Integrity refers to the controls that limit information modification. Availability is timely and reliable access to information whenever it is needed on a system (Katzan, 2011). With identities migrating to digital platforms, organizations and citizens need to be able to transact with reduced friction as more counter-bound services move to online delivery (Wolfond, 2017).

Digital identity created some legal concerns for maintaining online privacy. To help frame the problem to solve it better, practitioners segmented personal data into PII, PHI, and PFI in order to address the concerns in a more structured, efficient approach. This structure created an understanding and helped appease people who are always afraid that their personal data is continuously tracked online by unwanted parties. The increase in electronic government services created a demand for a more secure digital identity and raised privacy concerns as well. To ensure that online data is secure, confidentiality, integrity, and availability are essential characteristics of ensuring information accessibility, privacy, and security. Once the ontology of trusting digital identity in cyberspace is understood, privacy risks need to be explored further.

Theme 4: Privacy Risks

The different perspectives discussed in the literature with regards to digital identity privacy and the more widespread use of digital identity and online personal data sprouted a wave of risks and concerns around securely using the web and interacting with online platforms while limiting privacy risks.

To put online privacy risks in context, academics like Daeen Choi (2020) stated that the concern of online privacy risks created a substantial need for defining and measuring privacy risks. Practitioners, including Chen, Beaudoin, and Hong (2017), define online privacy risk by who you are, what you do on the internet, and the risks associated with who you are and what you do that impacts your digital behavior negatively. When measuring risk, practitioners like Rossi (2007) try to quantify it in a way that can be measured tangibly. Risk is calculated using the formula of the probability of the risk occurring multiplied by how much it would cost in damages to mitigate against the risk. Properly measuring risk is a step towards building awareness to adequately form mitigation measures. Even without proper measurement of risks, people do not seem to be deterred by the threats to digital identity.

Researchers like Hsu and Lin (2016) agree that privacy and security risks do not appear to influence consumers’ behavior in purchasing internet-connected devices. People will still perform risky actions online, even if they know the harm (Choi et al., 2020). The challenges in privacy-related decision making related to being misinformed about privacy risks make privacy and security protection difficult. The lack of cognitive ability and various cognitive biases regarding privacy risks also pose a threat to proper risk mitigation (Choi et al., 2020). Digital identity risks can be caused by multiple avenues online, with online social networks being a major cause of concern.

Some researchers (Kim, Baskerville, & Ding, 2018) assert that the owners of online social networks do not hold much data that cause risk with regards to the privacy of the individuals or the social groups they are affiliated with. Others (Granville, 2018) disagree with this assertion because of recent events from multiple social media platforms, including Facebook, that sold their users’ data to unwanted, undesired parties that misused people’s information and caused worldwide scandals. Also, some risks are caused by bad actors online.

In addition to people’s information being shared online by different online platforms, risks arise from hackers stealing people’s information from the various online platforms; this information includes credit card information, Social Security numbers, and personal health records. Practitioners express that this information can be sold on the dark web, which equates to the illegal online trading or commerce medium and can sometimes total several thousands of dollars, depending on the value of the information and who it belongs to (Stack, 2017).

Individuals can get their identity stolen online; as a repercussion, they can incur financial or reputational losses or cause harm to others via the groups they are associated with, like organizations they work for or belong to. The goal of some hackers is to steal personal information of important people via compromising other individuals who belong to the same group as those public figures. Sometimes, these risks can cause significant damage to organizations as well as nations (Kahn & Liñares-Zegarra, 2016).

As a consequence of the manifested risks, governments like the United States and the European Union had to ask the people in charge of online social media platforms, Facebook being the most notable, to testify and justify what they are doing, to the extent of imposing hefty fines to offset their wrongdoings (“US fines,” 2019). In 2018, Amazon, one of the world’s largest companies, launched an internal investigation into some of its employees, offering subscribers’ data to some merchants to help them increase their sales on the website without subscribers’ consent (Emont, Stevens, & McMillan, 2018).

According to researchers, consumers did not change their behavior after learning that some of their online interactions can cause them harm. Hence, people’s perspectives regarding their digital identity created a need for the industry to define and measure personal privacy risks. A contradiction of opinions between academics sprouted regarding the risks related to online social networks while considering the scandals that Facebook and Amazon encountered by misuse of people’s personal data. A gamut of other risks, including financial and reputational risks, come into play when considering personal digital identity. Many of the most prominent companies in the world were reprimanded by governments like the United States and European Union for mistreating people’s personal online data. Governments in various countries passed a range of laws to help protect people and organizations against online risks.

Theme 5: Laws and Regulations Relating to Privacy and Digital Identity

Due to the various privacy risks that emerged from the misuse of digital identity, as well as online identifiers, governments had to react to provide some guidelines in the form of laws, rules, and regulations to help protect people’s privacy. Multiple governments around the world, including the United States and the European Union, started to establish rules and regulations that would limit the abuse of people’s personal data and give individuals more leverage by consenting to those organizations to disclose their personal data (Schwartz, 2013). With the increase of electronic government services and transactions, governments had to intervene and solidify their positions with laws that help create some standards for rules of engagement to reduce the compromise of the integrity of an individual’s digital identity (Sullivan, 2015).

A notable initiative from a government organization is the European Union General Data Protection Regulation (GDPR). For years, the European Union (EU) data protection laws have been ahead of the rest of the world. In 2016, the European Union adopted GDPR as an upgrade to their previous Data Protection Directive, which was adopted in the early stages of the internet. At its launch, GDPR gave the different EU members until May 2018 to comply.

GDPR increases the level of an individual’s privacy protection with regards to how the data is collected, stored, processed, and used by different online platforms and organizations (European Union, 2016). GDPR gives individuals more control over their online data by emphasizing the need for transparency when companies retain personal data; it also gives individuals the right to obtain confirmation that their data is being used. Additionally, the GDPR provides individuals more control over the personal data that organizations store on their behalf. These organizations would not be able to use the data without the individual’s consent, or details are provided to individuals regarding how their data was used, and their approval is obtained on how it was used. GDPR is definitely a step forward towards a more user-centric internet (Sobolewski, Mazur, & Paliski, 2017).

The U.S. government also passed laws to protect privacy. The first law with regards to data privacy was passed and published in 1974; it was the U.S. Privacy Act of 1974 (Privacy Act, 2014). This law was geared towards data held by U.S. government agencies and the right of U.S. citizens to access that data as well as limitations on sharing data with other federal and nonfederal agencies. Then, the government passed HIPAA, which is the Health Insurance Portability and Accountability Act, in 1996; it was targeted towards the regulation of health insurance as well as ensuring the privacy and protection of individuals’ health records. HIPAA had some important sections on data privacy and security as well as defining PHI in its Privacy Rule section.

In the late 1990s, the Gramm-Leach-Bliley Act (GLBA) passed through legislation; it was mainly geared towards banking and financial institutions’ regulations. The GLBA protects nonpublic personal information or personal identifiable information (PII). The GLBA forced banks and other financial institutions to regularly mail out privacy notifications to their customers along with special opt-out instructions if they do not like their personal information being shared with non-affiliated third parties (Gramm-Leach-Bliley Act, 2002).

As a supplement to many federal laws, some states, like California, took the initiative to create their own regulations. One example is the California Consumer Privacy Act (CCPA), which was signed into law in 2018. The CCPA gives consumers additional rights for privacy protection and holds businesses accountable to not sell personal information of their clients without providing a disclosure notice and giving them the opportunity to opt-out (California Consumer Privacy Act, 2018). Similar to the GDPR, the CCPA includes a “right to delete” clause, which allows people to request their data to be deleted or removed from certain online platforms. Other states, like Massachusetts, New York, Hawaii, and Maryland, have followed suit and passed their own laws to help protect individuals’ online data and privacy as well as their digital identity (Green, 2019).

From a best practices guidance perspective, online personal data privacy became such an issue that NIST established a privacy framework that serves as a guide for organizations in helping them ensure their cybersecurity posture is robust enough to help protect individuals’ online personal data (Legal Monitor Worldwide, 2020). This approach is double-edged: if organizational data gets compromised, that impacts the individuals associated with that organization, whether they are employees or customers, and vice versa. If employees or customers get their data stolen, it might affect organizations they belong to or interact with (Legal Monitor Worldwide, 2020). The National Institute of Standards and Technology also published the cybersecurity framework, which gives guidelines to organizations on how to protect their data and the data of their employees and customers. Some of the main domains of this framework are the use of cybersecurity training and awareness to keep employees from compromising their company systems, which indirectly compromises their personal data and the personal data of customers. Some training is referred to as phishing protection training, password best practices, and proper cybersecurity behavior online (NIST, 2018a).

To protect people’s digital identity and privacy, governments and the private sector have created a series of laws, regulations, and rules to help people know the right behavior and what is inappropriate to act on and disclose online. The hope is to set a benchmark for governments, organizations, and individuals to operate on with regards to personal online data and digital interactions.

Theme 6: Individuals’ Behavior and Habits

People have developed habits and expected behaviors that are formed from their regular use of the internet. That behavior is not always geared towards the best of their interest and the highest level of risk mitigation techniques, even after governments and private organizations issued guidelines and best practices for people to abide by. People normally struggle with changing their previous habits to adapt to new behavior to conform to best practices, rules, and regulations.

Over time, people who do not have a system to maintain and keep track of their multiple online accounts tend to forget how many accounts they have opened (Brown, Bracken, Zoccoli, & Douglas, 2004). People tend to forget online accounts that they do not continuously use and maintain. Every account opened online tends to have a username and a password associated with it (Gaw & Felten, 2006). Those unique identifiers are aimed to identify the individual users of the different platforms uniquely. As people forget the accounts they have online, there is a tendency to forget the passwords set up for the various online accounts (Florencio & Herley, 2006).

If they are not aware of the risks of clicking unsafe links online, people’s online behaviors default to being overly trusting and clicking on phishing scams through their emails or different social media (Dhamija, Tygar, & Hearst, 2006). Phishing attacks happen when hackers target users with emails and other messages as a mechanism for stealing people’s personal information as well as login credentials. Phishing scams can be very harmful and damaging to people’s digital identity (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010).

People have formed habits with regards to their online interactions. Like many other habits people form, some are in their best interest, and some are not, which ends up causing them financial or reputational loss. Privacy attitudes impact the kind of decisions individuals make regarding disclosing their personal information online and their willingness to use and interact with technologies that invade their privacy and share personal information with unwanted third parties. Why people continue to do so remains an uncharted topic (Bélanger & Crossler, 2011).

Theme 7: Tools and Training Enabling Digital Identity Management

To enable the proper use of the online medium and ensure the most amount of privacy and the least amount of risk to online personal information, a set of tools and essential training are needed to help users manage their online interactions with the proper behavior and an adequate toolset available to help properly manage their digital interactions.

For the internet to reach its full potential and enhance people’s lives, practitioners like Charney agree that an enhanced end-to-end trust in digital interactions is needed, as illustrated in the figure below.

Figure 5. The End-to-End Trust Model in the Interactions Between the Digital and Physical Worlds.

The trust in online interactions and experiences is key to a thriving private, secure digital world (Charney, 2009). A consensus exists among scholars and practitioners around the need for transparency and more control. Personal information management efforts in the digital world must be established through better awareness and tools to support the initiatives (Brunk, Mattern, & Riehle, 2019; Olivero & Lunt, 2004). Personal information available online should be treated as personal belongings. People need to deal with them with caution and care, which is where the need for tools to help with managing digital identity becomes essential (Zastrow, 2014).

Existing tools that help increase people’s awareness are lacking; therefore, better methods for measuring privacy risks on an individual level, in order to mitigate those risks, are needed (Choi et al., 2020). The surge in technological innovations, as well as the use of technologies similar to blockchain for identity authentication and verification, creates the need for regulated channels and laws governing these new technologies, which can help eliminate geographical boundaries and shift to a more global citizenship (Sullivan, 2018).

Digital identity is a major enabler for electronic government applications. Smart identity cards, similar to credit cards with an embedded programmable microchip, may serve as secure tokens that connect digital and physical identity, create trustworthy environments, and strengthen confidence in online transactions critical to the growth of the digital economy. Proper digital identity management and user-centric solutions are needed to manage the online medium (Al-Khouri, 2014).

Many of the tools and training available on the market, as well as much of the research on information privacy tools and technologies, were developed in isolation from the actual future users of the tools (Bélanger & Crossler, 2011). Hence, some of the tools and training solutions on the market do not take a user-centric approach, which would facilitate and accelerate the adoption of these tools and enhance the experience of digital interaction (Bélanger & Crossler, 2011).

In industry, tools and training emerged among practitioners as a way to mitigate or reduce the risk of using online platforms and applications (Cooper, 2017). These tools range from the use of strong passwords, to multi-factor authentication techniques that add an extra layer of security to passwords, to password managers that facilitate and better track the use of usernames and passwords across different online platforms. These are some of the many ways the cybersecurity industry has reacted to add an extra layer of protection to online personal data and protect digital identity (Dourish, Grinter, Delgado de la Flor & Joseph, 2004).

To manage user credentials, the recommended industry best practices with regard to strong passwords involve a combination of uppercase and lowercase letters with a minimum of eight characters, including numbers (Brown et al., 2004). For an added layer of security, strong passwords need to be accompanied by some sort of multi-factor authentication system. A multi-factor authentication system secures access to a platform by requiring two or more forms of validation. The first is usually a password, and the second is a token that the user alone possesses, for example a number sent to a cell phone, a randomly generated number from a code generator similar to the Google Authenticator tool, or any other device measuring a biological aspect of the user (Anakath, Rajakumar, & Ambika, 2019). Password management systems integrated within internet browsers or mobile phones are becoming a technology solution for keeping track of the different usernames and passwords that people use and keeping them centrally and readily available whenever needed, while the user only has to memorize one password to access all of the other passwords used for the different online platforms (Alkaldi, Renaud, & Mackenzie, 2019).
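To make the two-factor check described above concrete, the following is an added illustration in Python and is not drawn from any of the cited sources. It applies the password rule as stated in this review and verifies an authenticator-style code computed per RFC 6238, which derives the number from a shared secret and the current time; the function names, the account record, and the PBKDF2 work factor are assumptions of the sketch.

```python
import hashlib
import hmac
import re
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def meets_password_rule(password: str) -> bool:
    """Rule quoted in the review: 8+ characters with upper, lower and a digit."""
    return len(password) >= 8 and all(
        re.search(pattern, password) for pattern in (r"[A-Z]", r"[a-z]", r"[0-9]")
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted, slow hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then truncation."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(password, code, record, now, drift_steps=1):
    """Both factors must pass; the code may be one time step early or late."""
    first = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"]
    )
    second = any(
        hmac.compare_digest(totp(record["totp_secret"], now + d * 30), code)
        for d in range(-drift_steps, drift_steps + 1)
    )
    return first and second


# Constructed account record; the secret is the published RFC 6238 test key.
SALT = b"constructed-salt"
RECORD = {
    "salt": SALT,
    "pw_hash": hash_password("Correct7Horse", SALT),
    "totp_secret": b"12345678901234567890",
}
```

A correct password alone does not pass `verify_login`, and a code that is more than one time step old is rejected, which is what limits the value of a stolen password or an intercepted code.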

From a training perspective, practitioners have created a series of training programs and best practices for individuals’ consumption that teach users how to identify when hackers are trying to scam them to gain access to their data, a method also known as phishing (Dhamija et al., 2006). Phishing training and awareness programs were created to make people more aware of hackers trying to get to their online data for harmful purposes (Higashino et al., 2019).

To reinforce the best practices and guidelines created by the different government and organizational initiatives around online data privacy, several sets of tools and training emerged to help in the proper use of the internet. Even so, training remains unavailable to the majority of online users, and there is a lack of adequate, user-friendly tools to help minimize the risks of online interactions (Nurse, Creese, Goldsmith, & Lamberts, 2011).

Summary of Findings

Table 1 summarizes the findings in the literature and categorizes them into themes that connect the literature together and set the stage for a compelling argument that supports the need for this study.

Digital identity is the association of the physical to the digital world, taking into consideration the different identifiers, attributes, and behaviors of the individual. The increase in the use of digital identity created a plethora of concerns for maintaining online personal privacy. While dealing with online data, confidentiality, integrity, and availability are essential characteristics to ensure privacy and security. People’s perspectives regarding their digital identity created a need for the industry to define and measure personal privacy risks. To protect people’s digital identity and privacy, governments and the private sector have established a series of laws, regulations, and rules to help people know what behavior is right and what is inappropriate to act on and disclose online. People have formed habits with regard to their online interactions. As with any other habit, some are in their best interest and some are not, and the latter end up causing them financial or reputational loss. To reinforce the best practices and guidelines created by the different government and organizational initiatives around online data privacy, tools and training emerged to help in the proper use of the internet. Questions emerged after going through the literature from academics and practitioners. These questions pointed to a gap in the literature and formed the justification and motivation of this study.

This study aims to understand what people know about the risks pertaining to their digital identity and online interaction as well as explore how they are behaving and understand why they behave the way they do. The methodology followed to conduct this study is described in the next chapter.

Table 1. Literature Review Summary of Findings.

Theme 1: Increased Internet Usage
Findings
- Increase in internet usage created a need for digital identity
- Digital identity was a boost to the proper usage and interaction in the online medium
Supporting references
(Colbert et al., 2016; Choi et al., 2020; Mueller et al., 2006; Sullivan, 2014)
Theme 2: Digital Identity Definition
Findings
- Bridging between physical and digital identity was essential to validate and authenticate online interactions
- Digital identity constitutes online identifiers and attributes
- Digital identity can have three levels of association:
   1. The individual
   2. Relationships associated with the individual
   3. The individual's association to a group
Supporting references
(Alashoor et al., 2016; Allison et al., 2005; Gunasinghe et al., 2019; Camp, 2004; Papangelis et al., 2020)
Theme 3: Perspectives on Digital Identity Privacy
Findings
- Digital identity impacted people, organizations, societies, and governments
- Online personal data is categorized under PII, PHI, and PFI
- People feel that they are always being tracked online
- Governments are ramping up the deployment of digital identity initiatives
- There is a need for increased security to keep people's data secure and ensure privacy
- Confidentiality, integrity, and availability are important to keep personal data secure
Supporting references
(Alsaedi et al., 2019; Auxier et al., 2019; DOL, 2020; Dutil et al., 2007; FTC, 2012; HHS, 2015; Horn et al., 2015; Katzan, 2011; Paulsen et al., 2012; Sullivan, 2016; Wolfond, 2017)
Theme 4: Privacy Risks
Findings
- People will still engage in risky behavior even when they know it may harm them
- Online social platforms hold limited personal information
- Conflicting opinion to the previous bullet; online social platforms are a major cause for online personal data compromises
- People's personal data can end up being sold on the dark web
- Governments like the United States and the European Union are taking action against online social platforms to limit the privacy risk to the individuals
Supporting references
(Choi et al., 2020; “US fines,” 2019; Emont, Stevens, & McMillan, 2018; Hsu & Lin, 2016; Granville, 2018; Kim et al., 2018)
Theme 5: Laws and Regulations Emerged to Support Online Privacy and Digital Identity
Findings
- Multiple governments around the world started passing laws and regulations to protect online personal data and digital identity
- GDPR in the European Union
- Privacy Act of 1974, HIPAA, Gramm-Leach-Bliley Act, California Consumer Privacy Act in the United States of America
- National Institute of Science and Technology put together several frameworks to help support the privacy of online data and to help with guidance on best practices of online behavior
Supporting references
(Green, 2019; NIST, 2018a; Legal Monitor Worldwide, 2020; Sobolewski et al., 2017; Sullivan, 2015; Sullivan, 2018)
Theme 6: Individuals Behaviors and Habits
Findings
- People tend to forget their online accounts that are open and their passwords
- Phishing attacks are on the rise
- People can sometimes be overly trusting of messages sent to scam them online
- People are willing to disclose their information even when they know that some platforms will invade their privacy
Supporting references
(Bélanger & Crossler, 2011; Dhamija et al., 2006; Florencio & Herley, 2006; Sheng et al., 2010)
Theme 7: Tools and Training for Digital Identity Management
Findings
- There needs to be a system that ensures end-to-end trust in the digital world
- Existing tools and training are lacking
- Multiple hardware and software solutions are surfacing to try to meet the need to secure digital identity
- People need a system to keep track of their online data
- People need proper cybersecurity training to know how to safeguard their data and mitigate some of the risks of their online interactions
Supporting references
(Alkaldi et al., 2019; Al-Khouri, 2014; Anakath et al., 2019; Bélanger & Crossler, 2011; Brown et al., 2004; Cooper, 2017; Choi et al., 2020; Dourish et al., 2004; Higashino et al., 2019; Nurse et al., 2011; Charney, 2009; Zastrow, 2014)
