1 Introduction

National Identification Systems (NIDS) are a key component of identity management used to store and manage sensitive information about citizens, ranging from basic information such as names and birth dates to more complex biometric data [1]. Their primary role is to establish a unique, reliable and secure way of verifying an individual’s identity [1, 2]. NIDS play a transformative role across various sectors, facilitating access to financial services, healthcare services and humanitarian response [3, 4]. These systems strengthen governmental administrative capabilities and promote timely and efficient services to citizens [5].

These multifaceted roles of NIDS necessitate the involvement of a diverse spectrum of stakeholders in the development, management, and continual improvement of NIDS. According to the definition provided by the World Bank [6], NIDS stakeholders are a diverse group of actors typically involved in establishing, maintaining, and using an NIDS throughout the identity lifecycle. NIDS stakeholders include government agencies acting as regulatory and administrative bodies to provide oversight for NIDS, private companies innovating and supplying the requisite technology and infrastructure, and non-government entities such as NGOs that represent civil interests around national IDs.

Despite the central role of NIDS in societal frameworks, their implementation has not achieved universal acceptance. Advocates of NIDS argue that these systems enhance national security by exposing potential criminals and terrorists as well as aid in combating identity fraud, to name a few [7]. However, those who are not in favor of deploying NIDS express significant concerns that the sensitivity of the data involved and the vast scale of these systems can lead to primary privacy concerns [5, 8]. Their concerns arise from the fear that such extensive data collection and management could result in unauthorized access or misuse, thus jeopardizing individual privacy [9,10,11]. Maintaining user privacy in systems that process (i.e., collect, store, use, and disseminate) personal data is a fundamental concern for NIDS.

Privacy by design (PbD) [12] is a well-established concept that aims to address the need to embed privacy principles into every stage of systems development. PbD aims to ensure a high level of privacy protection throughout a system’s entire development lifecycle. It offers a proactive and comprehensive approach to embedding privacy considerations and principles into the design and operation of systems rather than treating them as an afterthought [12, 13]. However, although PbD has been widely recognized and studied by researchers and professionals, the practical integration of PbD continues to be complex and its adoption remains limited. This is due to various factors including lack of knowledge, insufficient implementation guidelines, and inadequate awareness of the benefits of PbD [13,14,15,16,17,18]. Systems stakeholders have a major influence on how personal data is presented and how the personal data processing is undertaken. Therefore, for privacy to be fully integrated into the design and development process of the system and ultimately into the organization’s operations, it is essential for all system stakeholders to embrace and have a thorough understanding of PbD [19,20,21].

The development of NIDS represents a critical scenario in which principles of PbD are both highly relevant and often challenging to implement [22]. Research studies [13, 14, 16, 18,19,20, 23,24,25,26,27,28,29] reveal that most systems stakeholders in general lack formal knowledge and understanding of the concept of informational privacy. In addition, most systems stakeholders have insufficient knowledge of how to develop privacy practices such as PbD [13]. Systems stakeholders additionally find it difficult to understand privacy requirements by themselves [24] and require significant effort to estimate privacy risks from a user perspective in order to relate privacy requirements to privacy techniques [21].

Moreover, systems stakeholders have trouble evaluating whether they have successfully embedded PbD strategies into the system design. Another challenge is the tension between privacy considerations and other business priorities, such as functionality, cost, and time-to-market. Managers and developers have difficulty balancing privacy with other competing priorities such as quality, usability, performance, or scalability, as well as evaluating whether they have successfully embedded PbD strategies into the system design [30, 31]. In addition, there is often a lack of guidance or standardization on how to integrate PbD practices effectively [28, 32, 33]. This can lead to inconsistency in privacy practices across organizations and sectors and a lack of clarity about how to evaluate the effectiveness of PbD measures. Furthermore, PbD is naturally affected by different disciplines [34]. Systems stakeholders from technical, legal, software-practitioner and other business domains should work together and have a role to play in delivering products and services that take privacy into account from the start of the system development lifecycle.

With that in mind, it is crucial to study the factors that influence NIDS stakeholders’ adoption of PbD. Investigating the problems they face when embedding PbD into system development, and providing solutions to those problems, is important to enable the development of privacy-preserving NIDS. Therefore, this study investigates the Knowledge, Attitudes, and Practices (KAP) of PbD among these defined NIDS stakeholders, particularly focusing on government agencies and ID system suppliers. In the context of integrating PbD principles in NIDS, this study can serve as the cornerstone for designing and implementing educational or interventional programs aimed at enhancing understanding and application of PbD in NIDS.

1.1 The need for the study

Initiated in June 2021, the ongoing collaboration between the Multidisciplinary Research group on Privacy and data protEcTion (MR PET) at the Norwegian University of Science and Technology, the Secure Identity Alliance (SIA), and the Open Standard Identity APIs (OSIA) aims to foster multidisciplinary research on privacy and data protection. Specifically, the collaboration seeks to bridge the gap between privacy frameworks and their practical setting in NIDS.

Fig. 1 NTNU and SIA collaboration work road-map

As outlined in Fig. 1, the collaboration involves a comprehensive framework comprising two work packages (WP): a privacy impact assessment (WP1) and an empirical study (WP2). The goal of WP1 is to conduct a privacy impact assessment to identify potential privacy risks in NIDS implementations and to set the stage for identifying the gaps for future research on privacy-enhancing interventions [35]. Contrary to our initial hypothesis (integrating PbD in NIDS will improve the protection of personal data), the findings from WP1 led us to retain the null hypothesis. These results indicate that the primary concern does not reside in the process of integrating PbD into NIDS. Instead, they highlight the need for understanding and more refined practices related to PbD principles among NIDS stakeholders.

The key conclusion from WP1 was the importance of bridging the gap between the knowledge and practices of integrating PbD in NIDS, which prompted the creation of WP2. In response, WP2 aims to fill the identified gap by conducting a thorough gap analysis to identify the lack of Knowledge, Attitudes, and Practices (KAP) for integrating PbD into NIDS. The guiding hypothesis for WP2 is that there exists a significant difference in the mean KAP scores when it comes to incorporating PbD into NIDS. Therefore, in this study, we aimed to examine the KAP of NIDS stakeholders involved in the NIDS lifecycle to assess their level of KAP related to PbD principles. Through a mixed-methods approach, incorporating both a quantitative survey and qualitative focus group discussions, the study seeks to uncover the underlying relationships between KAP and identify potential barriers and enablers to PbD implementation. The findings revealed significant gaps in NIDS stakeholders’ KAP related to PbD. In light of these findings, we propose a roadmap for improving the integration of PbD principles in NIDS development to bridge the KAP gap and enhance privacy protection. Our roadmap includes recommendations for enhancing NIDS stakeholder education and awareness, establishing clear policies and guidelines, and promoting a culture of privacy within NIDS development teams.

1.2 Paper structure

The remaining part of this paper is organized as follows. Section 2 provides a brief background on privacy and NIDS, the integration of PbD in system design and the KAP study, and presents a summary of related works. Section 3 discusses the methodology of this study, including hypotheses development and study methods and design. Section 4 presents the findings from our survey and provides qualitative insights obtained from focus group discussions. Section 5 includes an in-depth discussion and recommendations, covering insights from hypothesis testing, the significance of improving KAP concerning PbD as well as actionable recommendations for both practice and future research. Finally, Sect. 6 concludes the paper and discusses its limitations.

2 Theoretical background

2.1 Integration of PbD in system design

Privacy is a fundamental human right that enables individuals to maintain control over their personal information and protect themselves from potential misuse, surveillance, or unauthorized access [36]. In an increasingly digitalized world, privacy has become a paramount concern for individuals and organizations alike [11, 37,38,39]. One of the essential aspects of privacy protection is identity management that encompasses the systems and processes which are used to manage and safeguard individuals’ identities and their associated data [8, 10]. The extensive collection and handling of personal and sensitive information in NIDS raise serious privacy concerns. Potential risks include unauthorized access that may lead to identity theft or fraud, data misuse by government agencies or third parties that may lead to discrimination, surveillance, or other infringements on civil liberties as well as unauthorized or unnecessary data sharing with other countries or international organizations that may lead to complexities in ensuring adequate privacy protections. These concerns underscore the need for strong privacy controls within NIDS to balance the objectives of efficiency and security with the individual’s right to privacy [40].

Privacy by Design (PbD) [12] offers a proactive approach to embedding privacy into the design and operation of systems. It guides systems stakeholders to apply inherent solutions to ensure privacy protection for individuals [13]. PbD has rapidly evolved into a widely recognized framework for privacy across various sectors of the information industry [14]. Its principles and practices have found significant applications in diverse fields such as healthcare systems [41], the Internet of Things (IoT) [42,43,44], and big data analytics [45,46,47]. However, the adaptation and implementation of PbD into an organization’s operational practices have proven to be challenging [14,15,16, 19, 30, 33, 48]. Despite its recognized importance, translating PbD principles into tangible actions within the daily workflow of an organization requires overcoming various technical, organizational, and cultural barriers. Some experts and researchers have claimed that the term PbD is too vague to be recognized by several systems stakeholders who design, create and maintain applications of systems [13, 14, 49].

Integrating PbD principles into systems is a multifaceted challenge that demands coordination across various systems stakeholders and disciplines [34]. This integration necessitates alignment between technological design, adherence to regulatory guidelines, compliance with both national and international practices as well as meeting the diverse expectations of various systems stakeholders [34]. Achieving alignment with PbD principles requires integrating, at the design phase itself, privacy measures and specific technological designs and solutions that safeguard privacy without compromising functionality. This includes adopting data minimization, encryption and access control measures, to name a few, that are embedded within the system architecture. The design must also be flexible enough to adapt to new privacy laws and best practices. Moreover, different jurisdictions have varying privacy laws and regulations that dictate how personal information can be collected, stored, and shared. This includes regulations such as the General Data Protection Regulation (GDPR) in Europe [50] or the California Consumer Privacy Act (CCPA) in the United States [51]. Adhering to these legal mandates is paramount. Compliance with the rules and regulations also requires constant monitoring and updates to accommodate changes in legislation. Furthermore, NIDS must align with both national and international privacy standards and/or guidelines. The need for harmonization between local laws and international standards may necessitate complex legal and technical adaptations. These complexities can challenge uniform implementation across different jurisdictions, particularly if there are conflicting requirements.

The situation can be further complicated by the technical complexities involved as well as misalignment in levels of KAP among NIDS stakeholders. According to the World Bank Group [6], NIDS stakeholders range from government agencies, private companies and civil rights organizations to individual citizens. Each NIDS stakeholder group might have unique expectations and concerns related to privacy, accessibility and efficiency. On the one hand, balancing these expectations while upholding privacy principles is a complicated task that requires continuous dialogue, transparency and collaboration. On the other hand, such misalignment can lead to resistance or failure in balancing NIDS stakeholders’ expectations and the integration of PbD. For instance, there may be a lack of awareness or misunderstanding of privacy laws that may lead to non-compliance with privacy principles. The attitudes of NIDS stakeholders towards privacy can also impact how rigorously PbD principles are implemented and adhered to.

Integrating PbD into NIDS requires a holistic approach that recognizes and addresses the multifaceted interdependencies between technology, laws and guidelines, practices, NIDS stakeholder expectations, as well as human factors. In this study, we focus on the NIDS stakeholders’ Knowledge, Attitudes, and Practices (KAP) to assess their level of understanding and alignment with PbD principles. By examining the connections and potential misalignments related to KAP among various NIDS stakeholders, we aim to shed light on key areas that require attention. Effective implementation calls for a concerted effort that encompasses legal expertise, technological innovation, continuous education, collaboration, and a strong commitment to privacy principles at all phases of the system development life cycle.

2.2 Study of knowledge, attitude and practices

The study of KAP towards PbD is an important area of research. KAP studies reveal misconceptions or misunderstandings that may represent obstacles to the activities that we would like to implement and potential barriers to behavior change. They also provide organizations with valuable insights into the factors that influence systems stakeholders’ behavior and their ability to integrate PbD into their practices. In this study, KAP aims to reveal the existing levels of KAP towards PbD among stakeholders involved in NIDS.

  • Knowledge refers to the NIDS stakeholders’ understanding and awareness of the concepts, principles and best practices related to the integration of PbD into the NIDS design and development. The knowledge can include an understanding of the benefits of PbD, the challenges and barriers to its implementation and the resources and expertise needed to effectively incorporate PbD into the NIDS design and development processes.

  • Attitudes refer to the NIDS stakeholders’ perception (e.g., beliefs, values, opinions) about the importance of PbD in NIDS development life cycle. Positive attitudes towards PbD may suggest a belief in the importance of protecting privacy, commitment to ensuring privacy protection and a willingness to allocate resources and expertise towards its implementation. Negative attitudes towards PbD may suggest a belief that it is too difficult or costly to implement or NIDS stakeholders may prioritize other business considerations over privacy.

  • Practices refer to the actual actions, processes, and techniques that NIDS stakeholders use to integrate PbD into the NIDS design and development. Good practices in PbD implementation involve following established best practices, laws and guidelines, while poor practices may involve ignoring privacy considerations or implementing them in a non-compliant manner.

2.3 Related works

This section provides a summary of the current research landscape and academic contributions within the wider community of software and systems development with a focus on privacy integration. It does not focus specifically on the domain of the NIDS industry.

In research and academic circles, numerous studies [15, 26, 55,56,57,58,59] have extensively investigated systems stakeholders’ knowledge and awareness of data collection, along with their attitudes and perceptions towards privacy within a variety of digital contexts. Many of these studies have primarily focused on areas such as privacy in web or online contexts, mobile technologies, and emerging technologies. Others have taken a narrower focus on specific domains such as digital applications and social media platforms. However, to the best of our knowledge, there has been a significant gap in the literature concerning the systems stakeholders’ knowledge, attitudes, and practices relating to the integration of PbD principles in systems development.

Several studies (summarized in Table 1) have been undertaken to understand how systems stakeholders (e.g., software developers, managers, system engineers and users) manage privacy in operational systems. Approaches such as survey-based studies, interview-based research, and systematic reviews have been utilized in capturing systems stakeholders’ attitudes, perceptions, behavior, responsibilities, and overall experiences regarding privacy.

Table 1 Summary of related works on privacy in software/system development

For instance, studies by Senarath & Arachchilage [18], Hadar et al. [13], and Sheth et al. [24] point towards significant gaps in systems stakeholders’ (i.e., developers’) understanding of privacy requirements and formal privacy concepts like PbD. Such a lack of awareness tends to lead systems stakeholders to prioritize personal opinions and other system functionalities over privacy, leading to weak or non-existent privacy safeguards in developed applications. Moreover, systems stakeholders (i.e., developers) seem to conflate privacy and security, as supported by Hadar et al. [13], Ayalon et al. [52], and Peixoto et al. [53]. This recurring misconception underscores the need for targeted educational and training programs, a view also supported by Iwaya et al. [15]. Likewise, studies by Dalela et al. [30] and Arizon-Peretz et al. [53] suggest that the problem is not merely an individual one. There exists an organizational gap and misalignment between developers and management in incorporating privacy considerations. Arizon-Peretz et al. [53] pointed out that mixed signals from management can confuse developers’ understanding of privacy priorities, thereby increasing the challenges that developers face. This is a critical issue that needs to be addressed to enable more effective privacy implementations.

Trujillo et al. [28] and Andrade et al. [32] extend the discussion to academic circles. The focus here is the underdevelopment of PbD in software engineering and the lack of methodological frameworks, guidelines and standards supporting models, processes, and tools available for developers to incorporate privacy throughout the software development lifecycle. This concern is shared by Canedo et al. [33], who identify a need for automated tools to aid in privacy-centric system design. This reflects a significant research-practice gap in the field of privacy engineering, as further highlighted by Iwaya et al. [15]. Aljeraisy [54] and Alhazmi and Arachchilage [29] direct the conversation towards the issues of legal compliance and regulatory considerations. Alhazmi and Arachchilage, in particular, explore why developers often find it hard to integrate privacy principles into their systems. They identify a lack of familiarity with the regulations and an overall prioritization of functional requirements over privacy considerations as key obstacles.

Bu et al. [14] propose that an effective incentive mechanism is crucial for encouraging engineers to adopt and successfully implement PbD principles. This perspective adds a new dimension to our understanding and suggests that the road to better privacy practices may also lie in adjusting the reward and punishment structures in organizations. Dias et al. [26] and Senarath and Arachchilage [21] offer valuable insights into the gaps in skill and knowledge among ICT practitioners and developers. The findings reinforce the need for organizations to take proactive steps in educating their teams, not just about the ‘how’ but also the ‘why’ of privacy. Lastly, Senarath and Arachchilage [21] also highlight the misalignment between developers’ assumptions about user expectations and the actual user needs. This points towards the necessity of adopting a more user-centric approach in the design and development process to ensure that privacy features align well with user expectations.

In the literature concerning privacy in software development, it becomes apparent that while numerous studies have been undertaken to understand the complexities surrounding privacy in software development, the field is far from reaching a standardized or universally accepted approach. There is a compelling need for multidisciplinary efforts that bridge these diverse but interconnected challenges. This study aims to contribute to this ongoing conversation by focusing on the KAP of NIDS stakeholders involved in the design and implementation of NIDS. By doing so and based on our collaboration with SIA (Sect. 1.1), this study hopes to provide actionable insights that can improve both the understanding and practical application of privacy considerations.

3 Methodology

3.1 Hypotheses development

Drawing from a literature review (Table 1) and theoretical frameworks highlighting the role of KAP in PbD implementation, we propose the following hypotheses:

Hypothesis 1

(Knowledge and Practices) There is a significant positive correlation between the depth of NIDS stakeholders’ knowledge of PbD principles and their PbD integration practices in NIDS development. This hypothesis is informed by the premise that a thorough understanding of PbD principles enhances the implementation of these principles.

Hypothesis 2

(Knowledge and Attitudes) NIDS stakeholders with a comprehensive understanding of the ethical, legal, and practical implications of PbD (quantified through a knowledge assessment scale) will exhibit a more favorable attitude towards PbD integration. This relationship is anticipated because an enhanced awareness of PbD’s benefits is expected to foster a positive perception of its importance in the NIDS development lifecycle.

Hypothesis 3

(Attitudes and Practices) The positive correlation between stakeholders’ favorable attitudes towards PbD and their actual implementation practices is moderated by organizational support (e.g., training, availability of resources, and management support). Stakeholders with positive attitudes towards PbD, when supported by conducive organizational environments, are more likely to implement PbD principles effectively in NIDS development.

These hypotheses are grounded in the potential relationships between NIDS stakeholders’ KAP concerning PbD. The first hypothesis is centered around the relationship between knowledge and practices. We assumed that NIDS stakeholders with a higher level of understanding of PbD are more likely to integrate these principles into their work. This hypothesis is grounded in the assumption that knowledge acts as a foundation for informed decision-making and application of PbD measures in practice. The second hypothesis probes the influence of knowledge on stakeholders’ attitudes. We assumed that participants with a solid understanding of PbD principles will demonstrate more positive attitudes towards its integration in NIDS development. This hypothesis is grounded in the assumption that a strong understanding of the underlying concepts and benefits of PbD will foster positive attitudes towards its implementation. Finally, the third hypothesis investigates how positive attitudes towards PbD, when facilitated by an enabling organizational context, translate into practical implementation actions. This hypothesis is based on the notion that positive attitudes serve as a motivating factor for individuals to apply and implement PbD measures effectively.

3.2 Study methods and design

This study used a quantitative survey and qualitative focus group discussions to comprehensively understand stakeholders’ KAP regarding PbD integration in NIDS.

3.2.1 Survey design and participants

The survey aimed to examine the KAP of participants towards integrating PbD in the development of NIDS. The survey was conducted using an online platform and was distributed to a diverse sample of NIDS stakeholders, including government agencies (24.6% of the respondents) that manage/issue digital credentials and companies (75.4% of respondents), which supply most ID system components and infrastructures. The participants were asked a series of questions to assess their knowledge of PbD, their attitudes towards PbD integration in the NIDS design and development and their practices in implementing PbD. The questions were designed to be easy to understand and answer. They were presented in a multiple-choice format with options ranging from "Strongly Agree" through "Agree," "Neutral" and "Disagree" to "Strongly Disagree." The online survey methodology was chosen as a convenient and cost-effective means of gathering data from a large and diverse sample of participants. The survey was distributed through the email contacts of the Secure Identity Alliance (SIA). The survey link was also shared via the LinkedIn platform. The survey was open from 17th November 2022 to 20th January 2023. The data collected from Nettskjema Forms was exported to Microsoft Excel. The data were statistically analysed using SPSS software and Microsoft Excel. The data collected were summarised using correlation coefficients between the variables of KAP and organizational profile, roles and years of experience. A significance level of \(p < 0.05\) was used to determine the statistical significance of the results.

3.2.2 Focus group discussions

To further enrich the data collected from the survey, we conducted a workshop for focus group discussions. The workshop provided an opportunity for a more in-depth exploration of participants’ views, experiences, and perceptions. The inclusion of 11 participants in the discussion ensured a robust and comprehensive perspective. A discussion guide was prepared with open-ended questions and topics designed to prompt thoughtful dialogue. An experienced facilitator guided the discussions, encouraging and ensuring that the conversation remained focused on the research objectives.

3.3 Ethical considerations for the survey and the workshop

The survey and the focus group workshop were designed and implemented with the highest ethical standards and principles, taking into account the well-being and rights of participants and ensuring the anonymity and confidentiality of the participants as well as the integrity of the data collected. The following ethical considerations were taken into account for this study:

  1. Consent: Participants were asked to tick an option at the beginning of the online survey if they agreed to participate.

  2. Confidentiality and anonymity: No identifiable data such as name, email etc. were collected and survey data was kept confidential and anonymous.

  3. Data integrity: The data collected was handled with integrity and analyzed using appropriate statistical methods (e.g., SPSS) to ensure its validity and reliability.

  4. Deception: No deception was used in the study and participants were well informed of the true nature of the study and its objectives.

4 Results

4.1 Survey results

This section presents the main findings from the survey.

Table 2 Demographic characteristics of survey participants
Table 3 Relationship between the variables of KAP and the demographic characteristics

4.1.1 Characteristics of survey participants

The characteristics of the participants are summarized in Table 2. A total of 203 participants in managerial and technical roles from government agencies and companies responded to the questionnaire, of whom 153 (75.4%) were from companies and 50 (24.6%) were from government agencies. The participants were also grouped according to their roles in the organisation: 68 (42.4%) of them hold technical roles and 117 (57.6%) hold managerial roles. Also, 143 (70.4%) of the participants have more than 10 years of experience, 17 (8.4%) have between 5 and 10 years of experience, 31 (15.3%) have between 1 and 5 years of experience, and 12 (5.9%) have less than a year of experience in their roles.

The distribution of the participants based on their experience shows that the majority (70.4%) of them have more than 10 years of experience. This suggests that the sample is relatively experienced in their respective roles in the organizations. It is important to keep in mind that the findings of the study may not be representative of the KAP of all individuals involved in NIDS development, especially those who are less experienced. Nonetheless, the relatively experienced sample provides valuable insights into the current state of PbD integration in NIDS design and development and helps inform efforts to bridge the KAP gap in this area.

4.1.2 Hypotheses testing results

The correlation matrix shown in Table 3 represents the relationship between the variables of KAP and the demographic characteristics shown in Table 1. The Pearson correlation results show that there is a weak positive correlation between "Knowledge" and "Practices" with correlation coefficient \(r = .043\). The p-value for this correlation (\(p = .542\)) indicates that the relationship is not statistically significant. The weak correlation and high p-value indicate that increased knowledge and understanding of PbD does not necessarily facilitate PbD integration into the NIDS. The data suggests that participants who have more experience in the field are more likely to be knowledgeable about PbD, yet this knowledge is weakly associated with their practices towards integrating PbD in the NIDS development lifecycle. Although knowledge was found to have a minimal influence on practices, the vast majority of the participants (98%) demonstrated good practices towards PbD integration in NIDS (Fig. 2), even without necessarily having a comprehensive understanding of PbD. While the direction of correlation aligns with the predicted positive relationship between knowledge and practices from Hypothesis 1, the lack of statistical significance suggests we cannot confidently support Hypothesis 1 with these results. The data does not provide strong enough evidence to conclude that increased knowledge of PbD impacts its integration into the NIDS. This outcome shows that while knowledge might inform practices, other factors may be influencing the successful implementation of PbD.

Fig. 2 Participants’ knowledge versus practices towards PbD

Fig. 3 Participants’ knowledge versus their attitudes

Fig. 4 Role and years of experience versus participants’ attitude towards PbD

Moreover, the correlation results indicate a significant negative correlation (\(r = -.207, p =.003\)) between knowledge and attitudes toward PbD integration in NIDS development. Interestingly, participants who are more knowledgeable about PbD are more likely to hold negative attitudes towards its integration, as depicted in Fig. 3. This contradicts Hypothesis 2, suggesting a possible complexity in integrating PbD principles into NIDS that leads knowledgeable participants to have a neutral or negative attitude. Out of the 203 participants, 93 (45.81%) exhibited positive attitudes towards PbD integration while 110 (54.19%) held negative attitudes (Footnote 3). Figure 4 shows that participants in managerial roles with more than 10 years of experience had the average percentage of positive attitudes towards PbD, with 27 out of 63 (42.9%) participants in companies and 11 out of 18 (61.1%) in government agencies.

Fig. 5 Role and years of experience versus participants’ knowledge about PbD

The discrepancy between Hypothesis 2 and our actual findings could potentially be attributed to the intricate complexities associated with the integration of PbD into NIDS. One possible explanation for the negative correlation between knowledge and attitude is that as participants become more knowledgeable about the challenges and complexities of integrating PbD in the NIDS development process, they may become more aware of the potential costs and trade-offs involved. Such awareness may lead them to have a more critical or cautious attitude towards PbD integration as they may perceive it as being difficult to implement or potentially disruptive to the development or business process. Conversely, participants who are less knowledgeable about PbD may hold more optimistic or idealistic attitudes towards PbD integration without fully taking into consideration the challenges involved. This unexpected outcome emphasizes the need to deepen our understanding of the interconnection between knowledge and attitudes towards PbD. It also highlights the importance of effectively communicating the practical aspects and advantages of incorporating PbD to all relevant stakeholders.

On the other hand, a weak positive correlation was found between "Attitude" and "Practices" (\(r =.130, p =.064\)), indicating that a positive attitude towards PbD is associated with better integration practices in NIDS development among participants. Thus, Hypothesis 3 is somewhat supported by this result. The positive correlation suggests that participants who view PbD positively are more likely to engage in practices that reflect their positive attitude towards PbD, such as actively seeking to integrate it in the NIDS development process.

Additionally, according to the Pearson Correlation results (Table 2), there is a weak positive correlation between years of experience and knowledge (\(r =.145, p =.040\)). Figure 5 describes the current status of PbD knowledgeability among participants based on their role and years of experience. The results indicate that participants with more than 10 years of experience (64.53%) are more knowledgeable about PbD principles compared to those with less than 1 year of experience. Poor knowledge (35.46%) was observed particularly in response to questions related to the legal bases of processing personal data and trade-offs between security and privacy during NIDS development.

Regarding the role in the organization, participants in managerial roles tend to have higher levels of knowledge about PbD principles compared to those in technical roles. For example, among participants with more than 10 years of experience those in managerial roles had knowledge about PbD principles compared to those in technical roles.

The majority of participants with positive attitudes towards PbD principles were found in managerial roles with more than 10 years of experience both in government agencies and companies. In contrast, participants with negative attitudes and poor practices were mostly found in technical roles with less experience (less than 5 years).

4.2 Qualitative insights from focus group discussion

In order to deepen our understanding of the KAP related to PbD integration in NIDS, we conducted a workshop for focus group discussions with experts. The workshop was held on 14th April 2023 and comprised 11 participants representing stakeholders, including technical and managerial roles involved in ID system design, data protection, etc. The main objective of the workshop was to discuss the survey results regarding the stakeholders’ KAP of PbD principles and PbD integration in NIDS. Moreover, discussions during the workshop were structured around a set of use cases which were designed to facilitate targeted dialogue and to capture insights. These cases, detailed in Sect. 4.2.1, served as the launching points for our exploration of the practical implications and challenges of PbD integration in NIDS. Further, we intended to use the discussions to generate recommendations for enhancing the implementation of PbD in NIDS.

4.2.1 Conducting the experts workshop

Table 4 Cases based on the combination of survey participants’ knowledge, attitude and practices

It is important to note that the correlation presented in Sect. 4.1.2 does not necessarily establish a causal relationship between the KAP variables, and it is possible for KAP variables to be associated with each other without one of them causing the observed behavior in the other [60]. Therefore, to better understand the survey results, we have adopted a case-based approach (Table 4) to allow us to examine the unique circumstances surrounding each participant and gain a deeper understanding of the factors that contribute to his or her level of knowledge, attitudes, and practices towards integrating PbD in NIDS development. By analyzing each case individually (Table 4), we can draw insights and make recommendations that are tailored to the specific needs and challenges faced by different groups of participants.

Case 1 (the novices): Represents two participants who have no knowledge, no positive attitude and no good practices towards PbD integration in the NIDS development lifecycle. This is a low number among the survey participants. However, it is likely that these participants are either not aware of PbD or do not consider it relevant to their work. Additionally, they may not have received sufficient training on PbD or its importance in ensuring privacy in the development of NIDS. This lack of KAP towards PbD may result in a lower level of protection for personal data and may pose a significant risk to the privacy of the NIDS. During our workshop discussion, we attributed this deficiency in KAP primarily to the participants’ unfamiliarity or inexperience with the subject matter. For instance, the respondents in Case 1 could be new to the organization, young professionals or individuals who have just embarked on their career journeys within the organization. The absence of comprehensive onboarding training covering critical areas such as GDPR, privacy, and related themes might account for the lack of knowledge. While not all introductory programs explicitly address PbD, they typically underscore the importance of the sensitivity of personal information and cybersecurity.

The focus group discussion concurred that the primary remedy for this issue is the implementation of training for all employees when they join an organization, supplemented by recurrent reminders of their privacy-related responsibilities. This approach seeks to ensure employees’ awareness of the practices, foster their understanding of how to initiate the PbD implementation journey and eventually progress towards Case 8, which represents a comprehensive understanding and implementation of PbD principles.

Case 2 (the practitioners): Represents 13.3% of the participants who demonstrate good practices towards integrating PbD in the NIDS development lifecycle. However, they lack both knowledge and a positive attitude towards PbD. In our focus group discussion, the possible explanation for this scenario was that the participants have been adhering to certain standards, procedures or guidelines that require them to implement PbD practices without necessarily understanding the rationale or importance behind them. Also, it was postulated that these individuals likely learned good practices through hands-on experience without prior exposure or training. It is possible that the participants have not received sufficient training or education on PbD principles, resulting in a lack of knowledge and a neutral attitude towards PbD. It is also possible that the participants do not perceive any benefits of integrating PbD in NIDS and therefore do not prioritize knowledge or attitude towards it. Case 2 highlights the importance of not only implementing good practices but also ensuring that the participants have sufficient knowledge and a positive attitude towards PbD to maximize the effectiveness of PbD implementation. Without proper knowledge, participants may not fully appreciate the importance of PbD practices and may not be motivated to continue implementing them in the future. Also, if there are changes in the standards, procedures or guidelines, participants without adequate knowledge or attitude may struggle to adapt to the change and may not continue implementing PbD practices effectively.

Nevertheless, during the focus group discussion, it was recommended that these individuals should also be equipped with the reasoning and purpose underlying their practices. This additional layer of understanding should enable them to perceive the bigger picture. By understanding the full architecture of PbD and the impact of their actions, these individuals can develop a positive attitude and feel integrated into a comprehensive approach to PbD implementation. This ensures they are not merely "Practitioners" but rather evolve into more engaged and informed stakeholders in the process of PbD integration.

Case 3 (the enthusiasts): Represents a scenario where participants have a positive attitude towards PbD but lack both knowledge and good practices. Since the survey data showed no participants falling into this case, one might wonder about the circumstances that might lead to such a situation. A positive attitude towards PbD could potentially be born out of a general belief in the importance of privacy without necessarily understanding the principles of PbD or how to implement them in practice. Individuals in such a case might not have been exposed to formal education or training on PbD, leading to a gap in knowledge and skills necessary for effective implementation. Another contributing factor could be the organizational culture or environment where the individual operates. If the organization does not provide necessary resources, support, or incentives for PbD implementation, even an employee with a positive attitude towards PbD may not be able to translate this attitude into good practices.

Even though there were no participants in Case 3 in our study, understanding such potential scenarios can help in developing strategies for PbD education and implementation. A positive attitude, when coupled with the right knowledge and resources, can be a powerful driver for effective implementation of PbD practices. As such, efforts should be made to leverage positive attitudes towards PbD by providing appropriate training and resources to ensure knowledge and practices match the positive attitudes.

Case 4 (the autodidact): Represents 21% of the participants with a positive attitude towards PbD and good implementation practices despite their lack of knowledge. This situation could arise when an individual personally values the importance of privacy and data protection, leading to a positive attitude towards PbD. The participant may have also learned and adopted good practices through their work experience and exposure to existing guidelines and standards. However, a lack of knowledge about PbD could result in an incomplete understanding of the rationale or theoretical foundations behind these practices. It is important to note that while this case shows good practices, it is still crucial for participants to receive proper education and training to fully appreciate the importance and benefits of PbD practices.

During focus group discussion about Case 4, the concept of a positive attitude proved to be a potentially more important factor for implementing good practices than knowledge. This highlights the necessity of transforming negative attitudes into positive attitudes to encourage the adoption of good practices. However, it was also recognized that understanding the root causes of variations in attitudes and practices is essential. Potential segmentation factors were identified to help determine these root causes. Considered factors included:

  • Generational gap: The age of participants might influence their attitudes and practices. The survey (discussed in Sect. 4) did not consider age; only years of experience were taken into account.

  • Ideological context: The context in which participants work or live could shape their attitudes. Differences in privacy policies and enforcement across countries or organizations could affect participants’ perspectives.

  • Hierarchical position: The position of participants within their organizations could have an impact on attitudes and practices. Top managers can impose a vision influencing practices throughout the organization.

By understanding these underlying causes for variations in attitudes and practices, we can better design effective strategies for PbD implementation. Identifying the factors behind good practices allows organizations to create targeted interventions for improving PbD adoption. Ultimately, the "autodidact" group represented by Case 4, with a positive attitude and good practices, might transform into fully informed and empowered "PbD champions (Case 8)," given the right knowledge and training interventions.

Case 5 (the theoreticians): Represents a scenario where two participants have the knowledge of PbD, but lack a positive attitude and good practices for PbD integration in the NIDS development processes. One possible explanation for this could be a lack of understanding or appreciation for the benefits of PbD practices. Despite possessing knowledge, these individuals might not value or understand the significance of PbD, resulting in a lack of positive attitude.

During the focus group discussion, several potential reasons emerged for why participants might exhibit neutral or negative attitudes and a lack of good practices towards implementing PbD practices in NIDS. One possibility is that these participants have not experienced any negative consequences from not implementing PbD practices or have not seen any positive outcomes from implementing them. Another reason could be a lack of resources or support for implementing PbD practices, such as time constraints, budget limitations, or lack of necessary tools or technologies. Alternatively, it could be that the participants prioritize other aspects of NIDS development over PbD practices and do not see them as a priority. Moreover, there could also be structural or organizational obstacles to the translation of knowledge into practice. For instance, a lack of organizational support or leadership buy-in, resource constraints, or ineffective processes could deter the implementation of good practices, despite the individual’s knowledge. Furthermore, this scenario could be due to a resistance to change or a lack of motivation. Even when individuals have knowledge, they may be resistant to changing established routines and processes. This could be due to complacency, fear of making mistakes, or an underestimation of the potential benefits of PbD. Whatever the reasons, efforts to enhance PbD integration should, therefore, involve not just education but also interventions aimed at improving attitudes and removing barriers to implementation. The insights gathered from the focus group discussion thus provided a clearer understanding of the factors influencing attitudes towards PbD and informed our decision to consider neutral responses (Sect. 4.1.2) as reflective of potential passive resistance or barriers to implementation.

Case 6 (the implementers): Represents the largest proportion (39.91%) of survey participants, who have gained good knowledge of PbD principles and are actively implementing good practices. However, they maintain a neutral or negative attitude towards PbD. This observation aligns with the noted weak correlation between attitude and practice. During the focus group discussion, this scenario raised a fascinating question: why would individuals uphold good practices in spite of their negative attitudes? One possible reason for this could be a lack of awareness about the value and benefits of PbD practices, such as enhanced privacy and trustworthiness of NIDS. Participants may also perceive PbD practices as time-consuming, costly, or conflicting with their priorities or business goals. Another factor could be a lack of leadership support or organizational culture that values and promotes PbD practices. Without a positive attitude towards PbD, participants may not be motivated to engage in continuous learning and improvement of their practices or to advocate for PbD within their organization. This can lead to a risk of resistance or non-compliance with PbD requirements or standards, especially if there are competing priorities or pressures. Therefore, it is important to address the attitude dimension of PbD along with knowledge and practices, as well as to communicate the value and benefits of PbD practices to all stakeholders involved in NIDS development. During the focus group discussion of Case 6, several potential areas for further investigation were identified:

  • Profile of respondents: Differentiating respondents by their employers, either issuing authorities (such as government entities) or private-sector companies, revealed distinct attitudes towards PbD implementation. It was initially hypothesized that respondents from the private sector might exhibit more negative attitudes due to the costs associated with implementing PbD. However, it is important to note that suppliers of NIDS solutions possess expertise in privacy and security matters. Despite this proficiency, they frequently encounter challenges during implementation, influenced by client requirements, budget constraints, and pressures to meet market deadlines. These factors can significantly hinder the application of PbD principles in NIDS projects. Additionally, there is a tendency for customers to underestimate the ongoing costs related to privacy and security measures, essential for combating fraud, thereby affecting the comprehensive implementation of PbD.

  • Incentivizing PbD implementation: The focus group discussion highlighted a significant gap in motivation for implementing PbD principles, pointing out the absence of positive incentives. Participants suggested that rather than relying solely on penalties for non-compliance, offering rewards or other forms of positive incentives could encourage companies to adopt PbD more willingly. This approach aligns with the observation that the drive to implement PbD in NIDS projects is often limited to achieving the minimum regulatory compliance. However, it is imperative for customer management teams to recognize the benefits of PbD and to actively incentivize projects that incorporate PbD principles from their inception, thus fostering a more proactive and beneficial integration of privacy measures.

  • Geographic segmentation: The focus group discussion revealed that attitudes towards PbD could vary based on geographic location. Detailed geographic segmentation could illuminate regional differences in attitudes towards PbD, offering insights that could lead to more region-specific recommendations. It’s crucial to reiterate that priorities differ across regions. While the incorporation of PbD from the project’s inception is ideal, it might not always be the most pressing concern. In the context of developing countries, the primary objective of a National Digital ID (NDID) system often centers on providing an identity to every individual without discrimination, thereby facilitating their access to rights and services. Here, the challenge of inclusion takes precedence over PbD. The focus on inclusion necessitates consensus building and, in some instances, strict adherence to PbD principles could impede the enrollment of certain population segments, for example, due to illiteracy. Although the goal is to address both inclusion and PbD concurrently, practical considerations and the immediate need for access and inclusion often take priority.

  • Economic context: The discussion indicated that attitudes and practices might differ between developed and developing economies due to the different challenges they face when implementing new regulations and practices. In developed economies, existing systems and resources might make it easier to introduce and comply with new regulations like GDPR. However, in developing countries, introducing new regulations may encounter more resistance due to resource constraints or entrenched ways of doing things.

Despite the limitations on segmentation due to research ethics and dissemination policies, the discussion provided valuable insights into the factors that may contribute to negative attitudes toward PbD implementation, even when knowledge and good practices are present. Hence, Case 6 underscores the importance of cultivating a positive attitude towards PbD which should be considered as crucial as the dissemination of knowledge and encouragement of good practices.

Case 7 (the ascenders): Represents participants who have knowledge and a positive attitude towards PbD but lack good practices. Despite no actual participants falling under this case, it is worth examining potential reasons that could lead to such a situation. A Case 7 scenario might exist where individuals or organizations have been exposed to and understand the importance of PbD principles, holding a positive attitude towards them. However, they might encounter obstacles that prevent them from translating this knowledge and attitude into effective practices. During the focus group discussion, several reasons for the Case 7 scenario were explored, including:

  • Lack of awareness: Individuals might be unaware of the ways in which PbD principles can be effectively implemented in their specific context, even though they understand and appreciate these principles in general.

  • Inadequate support from stakeholders: Effective implementation of PbD requires support from various stakeholders, including leadership, peers, clients, regulators, etc. If these stakeholders do not prioritize or support PbD, it can be challenging for individuals to implement PbD practices.

  • Limited resources: PbD implementation often requires time, budget, skills, and tools. In the absence of these resources, individuals might struggle to implement good practices despite having the necessary knowledge and a positive attitude.

  • Conflicting priorities: If individuals or organizations face competing demands or pressures, PbD might be neglected or deprioritized, thus hindering the implementation of good practices.

  • Inconsistency in the enforcement of regulations: If regulations related to PbD are inconsistently enforced, individuals might not be motivated or obliged to consistently implement good practices.

From the focus group discussion, it is clear that in such situations, efforts should be aimed at overcoming these barriers to facilitate the translation of knowledge and positive attitudes into effective practices. This could involve raising awareness about the implementation of PbD, garnering support from stakeholders, allocating resources for PbD implementation, aligning PbD with organizational priorities, and advocating for consistent enforcement of regulations.

Case 8 (the PbD champions): Represents the ideal state where participants (24.63%) have the knowledge and a positive attitude towards PbD and demonstrate good PbD practices. The results suggest that the participants received adequate training and education on PbD principles and understand the rationale and importance behind them, which has helped to shape their positive attitude towards it. Additionally, the participants may have had previous hands-on experience implementing PbD practices, which has helped them to develop the necessary skills and knowledge to apply these practices effectively. This group is likely motivated by their understanding and positive attitude to continue improving their PbD practices. During the focus group discussion, the dialogue revealed several factors potentially contributing to achieving this ideal Case 8 scenario, including:

  • Adequate training and education: Participants have received thorough training and education on PbD principles, enabling them to grasp the rationale and importance behind these practices. This foundational knowledge is crucial for developing a positive attitude towards PbD and understanding its benefits and requirements.

  • Hands-on experience: Previous hands-on experience with PbD practices has allowed these participants to acquire and refine the skills needed to implement these principles effectively. Practical experience is invaluable for reinforcing theoretical knowledge and understanding the real-world implications of PbD.

  • Years of experience in relevant roles: The longevity in a relevant role could naturally lead to the acquisition of significant knowledge and the formation of a positive attitude towards PbD. This experience contributes to both the accumulation of knowledge and the formation of positive attitudes towards PbD principles.

  • Knowledge of regulations: Understanding the regulatory landscape including the potential penalties for non-compliance could motivate the acquisition of knowledge and the cultivation of a positive attitude towards PbD. Awareness of legal requirements and implications can serve as a strong incentive for prioritizing privacy from the design phase.

  • Government adoption of practices from developed economies: In some contexts, the government’s willingness to adopt systems and practices from developed economies facilitates smoother workflows and better PbD implementation. This willingness can provide a supportive environment that fosters the application of PbD principles.

  • Recognition of the importance of PbD beyond compliance: Understanding that PbD offers benefits beyond mere regulatory compliance, such as enhancing trust with users and customers and potentially providing a competitive advantage, can motivate a genuine commitment to these practices.

These contributing factors highlight the multifaceted approach required to achieve the ideal state of PbD integration. It is important to note that while these factors can significantly enhance PbD practices, challenges such as lack of regulatory enforcement or insufficient resources can still hinder their application in different contexts. Therefore, understanding and addressing these challenges while leveraging the positive influences can help in replicating the success of Case 8 across various settings.

As a conclusion of the focus group discussion, it is evident that the knowledge, attitudes, and practices regarding PbD implementation are interconnected and deeply influence each other. Throughout the discussions on the various cases, the recurring theme has been the importance of effective communication, comprehensive training, and conveying the purpose of privacy-oriented actions to cultivate a positive mindset towards PbD. In particular, the focus group discussion has underscored that hands-on experience with good practices can foster a deeper understanding of PbD principles. This experiential learning appears to play a significant role in shaping attitudes towards PbD positively. Furthermore, we have identified the potential of success stories and tangible impacts of PbD implementation as powerful tools to sustain and amplify these positive attitudes. The identification of Case 8 as the ideal scenario leads us to consider the possibility of utilizing individuals fitting in this case as campaigners within their respective organizations. Their experiences and insights could serve to guide and inspire others towards improving their PbD practices.

5 Discussion and recommendations

5.1 Insights from testing the hypotheses

The survey results and the focus group discussions have provided insightful perspectives on the relationships among knowledge, attitudes, and practices in relation to PbD implementation. They have led us through the development and testing of three main hypotheses, bringing out interesting differences and challenges in these relationships.

Hypothesis 1 proposed a positive correlation between stakeholders’ knowledge of PbD principles and their actual practices. However, the survey results showed only a weak positive correlation between stakeholders’ knowledge and practice. This aligns with the findings of Senarath & Arachchilage [18] and Hadar et al. [13], who noted significant gaps in developers’ understanding of privacy requirements. Our results add another layer to this discussion by suggesting that while there is some connection between knowledge and practice, the link is not as strong as we might have expected and might not be as obvious or as robust as initially presumed. This discovery runs counter to the assumption that increased knowledge will naturally translate into improved practices. The focus group discussion reiterated this finding: the group shared that having knowledge did not necessarily lead to improved practices. For instance, even if individuals are equipped with extensive knowledge about PbD principles (e.g., the theoreticians, Case 5), they might encounter barriers in their practical settings such as resistance from management, client requirements, budget limitations, time-to-market pressures, insufficient resources, or systemic constraints. This issue is particularly concerning, given the gap identified by Arizon Peretz et al. [53] between management and software developers in terms of aligning on privacy considerations. Additionally, the focus group discussion showed there may be a gap between theoretical understanding and practical skills. Participants might comprehend PbD principles conceptually but struggle with the specific technical skills or strategic acumen needed to implement these principles in real-world scenarios. Our findings are consistent with the studies by Trujillo et al. [28] and Andrade et al. [32], who identified the lack of methodological frameworks and automated tools to guide privacy considerations across all phases of software development.
Similarly, the complex nature of PbD principles may make it difficult for some individuals to translate abstract concepts into concrete actions. It should be acknowledged that the dynamic between knowledge and its practical implementation might be influenced by other intervening variables or contextual factors. Also, the attitudes and perceptions towards PbD could impact the extent to which knowledge is converted into practice. As revealed in the exploration of Hypothesis 2, increased knowledge might lead to more critical attitudes towards PbD, potentially hindering its practical implementation.

For Hypothesis 2, the survey demonstrated a significant negative correlation between knowledge and attitudes toward PbD. This reveals a finding where enhanced knowledge does not inspire more positive attitudes, but rather might cultivate a more critical or even negative perspective. This is an observation that complements the study by Alhazmi and Arachchilage [29] on the challenges of integrating privacy principles. One could argue that as stakeholders become more knowledgeable about PbD principles, they become increasingly aware of the potential challenges such as resource requirements and time constraints. This awareness of the complexities, costs, and potential trade-offs might develop a more cautious or even negative attitude towards its integration. This interesting finding was also manifested in the focus group discussion on how increased awareness of the potential costs and trade-offs involved in PbD implementation could contribute to negative attitudes. While knowledge is generally perceived as a catalyst for positive change, the findings from the survey show it can also lead to a critical re-evaluation of established beliefs and attitudes. These insights challenge us to re-evaluate the way we present and communicate PbD principles to stakeholders. Instead of simply providing more information, we must strategically emphasize the benefits of PbD and provide practical solutions to overcome its challenges. Given that a better understanding of PbD can lead to negative attitudes, it becomes crucial to provide the necessary resources and guidance to help stakeholders navigate the complexities of PbD integration, which supports the need for targeted educational programs as proposed by Iwaya et al. [15].

The survey results provided support for Hypothesis 3 by revealing a significant positive correlation between attitudes and practices. This suggests that when stakeholders have a positive attitude towards PbD, they are more likely to actively engage in practices that reflect this positive outlook. This supports the findings of Dias et al. [26] and Senarath and Arachchilage [21] about the role of attitudes and organizational culture in PbD adoption. An individual’s attitude towards a concept or practice often influences their willingness to adopt or reject it. In this case, a positive attitude towards PbD appears to enhance the likelihood of implementing PbD practices. Similarly, the focus group discussion complemented the survey result. Participants in the focus group agreed that having a positive mindset or attitude towards PbD is important for improved practices. During the discussions, several examples were mentioned where a positive attitude led to proactive measures to adopt PbD principles. Participants in the focus group cited cases where a supportive stance and incentive towards PbD led to increased willingness to explore its implementation, actively seeking resources, and overcoming barriers that typically impede its adoption. This result aligns well with the proposition from Bu et al. [14] that an effective incentive mechanism is key for PbD implementation.

The findings reveal that the relationships between knowledge, attitudes, and practices towards PbD are complex and influenced by a variety of factors, including experience and roles. This indicates that efforts to enhance the adoption of PbD practices should not exclusively focus on increasing knowledge but also on cultivating positive attitudes towards PbD. Consequently, there is a clear need for targeted interventions and support to enhance PbD implementation. By translating knowledge and understanding into concrete actions, NIDS stakeholders can be motivated to more actively embrace PbD practices.

5.2 The importance of enhancing KAP about PbD

The survey results and focus group discussion reveal a compelling case for enhancing the KAP related to PbD among the stakeholders involved in the development of NIDS. The focus group discussion has emphasized the importance of enhancing the KAP regarding PbD in the context of NIDS. Understanding and implementing PbD is crucial not only for compliance with data protection laws and regulations such as the GDPR but also for maintaining public trust and safeguarding individuals’ fundamental rights. The significance of this enhancement is based on three main pillars: increasing knowledge, reshaping attitudes, and improving practices, as discussed in the subsections below.

5.2.1 Increasing knowledge

The survey results showed that knowledge about PbD principles among stakeholders is not sufficiently correlated with their actual practices. This indicates that while knowledge is essential, it alone may not translate into effective implementation of PbD. Nevertheless, knowledge about PbD principles provides the necessary understanding and foundation for stakeholders involved in NIDS. It is the initial step to understanding the importance, benefits, and practical implementation of PbD, and it ensures that individuals, organizations and developers understand the concept and its importance. Hence, enhancing PbD knowledge can significantly increase awareness of stakeholders about privacy issues, providing a vital first step towards improving privacy practices. As described in the focus group discussion, this could be realized through dedicated educational initiatives and comprehensive training programs focusing on PbD principles and their application.

5.2.2 Reshaping attitudes

The survey data demonstrated a significant negative correlation between knowledge and attitudes towards PbD. This correlation suggests that as stakeholders become more knowledgeable, they may develop more cautious or even negative attitudes towards PbD implementation due to its perceived complexities. Based on the focus group discussion, it is apparent that if individuals and organizations view PbD as an unnecessary burden or a hindrance to their operations, they are less likely to commit to its effective implementation. On the contrary, when individuals and organizations perceive PbD positively and view it as an enabler of privacy-preserving as well as trustworthy services, they are more likely to support and champion PbD principles in their work. Hence, fostering positive attitudes towards PbD is a critical step towards achieving robust privacy protections in NIDS. Education and awareness, leadership commitment, reward and incentive (as discussed by Bu et al. [14]), provision of necessary resources and promotion of collaboration can all play a significant role in shaping attitudes towards PbD.

  • Education and awareness to ensure all stakeholders understand what PbD is and its relevance is crucial. This involves comprehensive education initiatives such as training sessions that highlight the value and relevance of PbD.

  • Leadership commitment to demonstrating commitment to PbD at the highest level of an organization is vital. When leadership shows that they value and prioritize PbD, it sends a strong message to the rest of the organization.

  • Reward and recognition for employees who effectively implement PbD principles can foster a more positive attitude towards it. Recognition can come in the form of awards, public recognition, or even just a simple thank you note.

  • Providing the necessary resources (human, technological and financial) to implement PbD shows that the organization takes it seriously. This may include hiring dedicated privacy personnel, investing in privacy-enhancing technologies or providing sufficient time for employees to consider and incorporate PbD principles in their work.

  • Encouraging collaboration promotes open dialogue across all departments and teams regarding best practices for PbD implementation. A collaborative environment tends to foster a more positive attitude towards shared goals.

5.2.3 Improving practices

The correlation between attitudes towards PbD and practices found in the survey data indicates the significance of a positive mindset towards PbD in facilitating better implementation. Also, in line with insights from the focus group discussion, it is critical to emphasize that PbD is not merely a theoretical concept, but a practical initiative that necessitates active participation and concrete practices aligning with its principles. While an in-depth understanding and positive attitude towards PbD contribute significantly to its adoption, the core essence of PbD lies in its successful execution and integration into an organization’s operational processes. This ensures that privacy is seamlessly embedded into the development lifecycle of NIDS, resulting in a higher level of privacy assurance to users. Thus, improving practices around PbD is tied closely with the enhancement of knowledge and the transformation of attitudes, and requires the provision of practical guidelines, efficient tools, robust support mechanisms and consistent training as identified by Canedo et al. [33]. In parallel, fostering an organizational culture that encourages PbD and incorporating policy frameworks that incentivize its adoption can catalyze this transition as well as bridge the research-practice gap as highlighted by Iwaya et al. [15]. Moreover, documenting and publicizing the success stories associated with PbD can serve as a powerful motivation for stakeholders. This, in turn, amplifies the drive to transform knowledge and attitudes into tangible practices, further strengthening the holistic integration of PbD principles.

5.3 Recommendations for practice and research

Based on the findings from the survey results and the focus group discussion, this section presents several recommendations for practice and research. Table 5 represents a roadmap for implementing PbD in NIDS.

5.3.1 Recommendations for practice

First, the findings of this research underscore the crucial role of experiential learning in shaping attitudes towards PbD in NIDS. Based on this, we recommend implementing comprehensive, dynamic training programs for all NIDS stakeholders. These programs should aim to provide a foundational understanding of PbD, facilitate hands-on experiences through practical workshops, and promote a culture of privacy awareness. Key elements should include theoretical modules covering legal and ethical aspects of PbD, practical workshops for role-specific tasks, case study analyses for best practices, and soft skills training for effective communication. To assess effectiveness, both quantitative and qualitative metrics should be used, capturing changes in knowledge, attitudes, and practices related to PbD. Programs should be updated at least annually to reflect evolving privacy laws, technologies, and methodologies. This multi-faceted training approach is designed to enhance PbD compliance while also safeguarding fundamental privacy rights.

Second, effective communication was identified as a key factor for successfully implementing PbD in NIDS according to our focus group discussions. Therefore, we recommend establishing clear communication channels to align stakeholders on PbD objectives and practices. The goals are to facilitate accurate information dissemination, ensure two-way dialogue, and build a culture of transparency and trust. To meet these objectives, a multi-faceted communication strategy should be adopted. This would include internal channels like newsletters and intranet portals; regular cross departmental meetings; online forums for real-time and asynchronous dialogue; and public-facing platforms to build public trust. Organizations should train stakeholders in effective communication and establish guidelines to ensure consistent messaging. Metrics like engagement rates and the quality of cross departmental dialogue should be used to assess the effectiveness of the communication channels. These strategies should be periodically reviewed to adapt to organizational and regulatory changes. This recommendation offers a structured, actionable guide to enhance communication and thus the effective implementation of PbD in NIDS, grounded in empirical focus group insights.

Table 5 Roadmap for implementing privacy by design (PbD) in national identification systems (NIDS)

Third, the focus group discussions revealed the persuasive power of success stories in shaping positive attitudes toward PbD in NIDS. As such, we recommend systematically documenting and sharing these stories to enhance PbD implementation. The aim is to offer concrete evidence of PbD’s benefits, motivate stakeholders, and cultivate a culture of continuous improvement. Types of stories to feature include internal successes, external best practices, and lessons learned from challenges turned into successes. These narratives should be disseminated through internal publications, integrated into training modules, and shared externally to build public trust. Effectiveness can be gauged through metrics like changes in employee practices, stakeholder surveys, and public sentiment analysis. All stories should comply with privacy laws and provide balanced perspectives on successes and lessons learned. By incorporating these narratives into organizational communication, stakeholders are reminded of PbD’s real-world impact, reinforcing its importance in NIDS. This recommendation offers an evidence-based guide for leveraging the potential of success stories to enhance the PbD culture within organizations.

Fourth, the focus group discussions highlighted the importance of having committed and knowledgeable individuals to lead PbD efforts in NIDS. As a result, we recommend appointing Designated PbD Champions within organizations. These champions would act as in-house experts, facilitate knowledge sharing, and coordinate PbD initiatives across stakeholder groups. Candidates for this role should possess expertise in PbD, strong interpersonal skills, and ideally hold positions with decision-making authority. Their responsibilities include strategic advisory, leading internal training, monitoring PbD implementation, and stakeholder engagement. To support their effectiveness, organizations should allocate resources like training budgets and performance monitoring tools. Effectiveness should be assessed through key performance indicators and stakeholder feedback. Designated PbD Champions are central to cultivating a privacy-centric culture and implementing PbD principles efficiently. This recommendation aims to provide an actionable framework for institutionalizing PbD leadership, grounded in empirical data.

Fifth, survey data suggests that various factors, including role, experience, and organizational culture, influence stakeholders’ KAP toward PbD in NIDS. We, therefore, recommend targeted interventions for specific stakeholder groups to boost PbD adoption and efficacy. The goals are to customize training, align interventions with real-world tasks, and deepen PbD understanding across the organization. The possible types of interventions include role-based, designed for different job functions; experience-based, tailored to career stages; and cultural, aimed at fostering a privacy-centric culture. Methodologically, these interventions should be developed through a needs assessment, content design involving PbD experts, phased implementation, and continuous monitoring via assessments and real-world tasks. Effectiveness should be measured using pre- and post-intervention surveys, stakeholder feedback, and tracking organizational changes related to PbD implementation. This targeted approach, backed by empirical data, aims to offer a nuanced, high-impact strategy for enhancing PbD in NIDS, moving beyond one-size-fits-all solutions.

Sixth, public trust is vital for the long-term success of PbD in NIDS, alongside internal organizational practices. Thus, we recommend targeted public outreach aimed at educating the populace about PbD, gathering public opinion for policy refinement, and building trust through open dialogue. This outreach can take various forms, such as educational campaigns, public forums, and feedback mechanisms, employing a multi-channel media approach and partnering with advocacy groups for wider reach. Effectiveness should be gauged through engagement metrics, pre- and post-outreach surveys, and policy impact. All initiatives should comply with privacy laws and aim to include marginalized communities. This strategy serves as a transparency tool and engages the public as a check and balance, thereby boosting both the legal compliance and social legitimacy of PbD in NIDS.

Seventh, pre-tender market research and consultations are crucial steps in the procurement process, especially for complex and sensitive projects like NIDS implementation. For governments, they ensure that the tenders are well-crafted to meet the privacy and functional requirements of NIDS. For private companies, they offer insights into government expectations and market demands, helping them to prepare competitive and relevant bids. Before issuing public tenders for NIDS projects, it is crucial for governments to conduct comprehensive market research through Request For Information (RFI) [61, 62] processes. This will enable them to gain insights into available PbD technologies, associated costs, and market standards. Conducting RFIs helps ensure that the specifications of the tender align with the latest advancements in PbD and reflect industry best practices. This proactive step allows governments to make informed decisions and set realistic and effective PbD requirements in their NIDS tenders. Also, companies will be well-informed about the latest trends and government expectations, so they can align their solutions with government objectives, increasing their chances of winning tenders. This collaboration and consultation approach ultimately leads to more successful and efficient NIDS implementations that safeguard citizen data and comply with regulatory standards.

Eighth, industry consultation in tender drafting is a process where governments engage with private sector companies and industry experts during the preparation phase of tender documents, particularly for complex projects like NIDS. This collaborative approach involves seeking inputs from industry players on technical specifications, operational challenges, privacy concerns, and potential solutions, ensuring that the tender aligns with practical realities and the latest technological advancements. For governments, this consultation is crucial as it helps in creating realistic, informed, and comprehensive tender documents. It ensures that the specifications for NIDS projects are technologically feasible and aligned with the latest industry standards. This approach not only enhances the quality of bids received but also minimizes the risk of project failures or legal complications related to privacy and data protection, as industry players often have deeper insights into these aspects. Private companies benefit from this process as it provides them with a clear understanding of government expectations and project requirements. Being involved in the drafting stage can help them tailor their solutions more effectively to meet specific project needs, thereby increasing their chances of winning tenders. It also allows them to highlight potential privacy and security solutions early in the process, positioning themselves as knowledgeable and proactive partners in NIDS implementation. In essence, industry consultation in tender drafting fosters a mutually beneficial partnership where governments can leverage industry expertise for better project outcomes, and private companies can align their offerings more closely with government needs, enhancing the overall effectiveness and privacy compliance of NIDS projects.

Ninth, engaging with alliances and international organizations refers to the collaborative interactions between governments, private companies, and global entities that specialize in areas relevant to NIDS implementation and privacy. This engagement often involves participating in dialogues, workshops, and advisory sessions organized by alliances such as the Secure Identity Alliance (SIA) or international organizations like the United Nations or the World Bank. For governments, this engagement is crucial as it offers access to a wealth of global expertise and best practices in implementing NIDS. These organizations often provide guidance on technical standards, legal frameworks, and ethical considerations, helping governments navigate the complexities of large-scale identity projects while ensuring compliance with international privacy and human rights standards. For private companies, interacting with these alliances and organizations can be invaluable in understanding the landscape of NIDS. It helps them align their products and services with global standards and expectations, making their offerings more attractive and relevant to government projects. Moreover, these engagements can open up opportunities for partnerships and collaborations that might not be accessible through traditional market channels. This collaboration is essential for ensuring that NIDS are not only technologically advanced and efficient but also respect privacy and adhere to international human rights norms.

Tenth, policy and framework development in the context of NIDS involves creating and refining the set of rules and guidelines that govern the integration of PbD principles into the procurement and implementation processes of these systems. This development is crucial for ensuring that privacy and data protection are intrinsic components of NIDS from the start, rather than being retroactively addressed. For governments, the importance of this development lies in its ability to set clear, enforceable standards that align with international best practices. By having robust policies and frameworks in place, governments can ensure that NIDS are developed and operated in a manner that respects the privacy of individuals, complies with legal requirements, and addresses public concerns about data security. This proactive approach not only enhances public trust in government identification initiatives but also mitigates the risk of legal challenges and privacy breaches. For private companies, particularly those involved in developing or supplying technology for NIDS, such policies and frameworks are equally important. They provide a clear set of guidelines to adhere to, ensuring their products and services are compliant with privacy standards from the design phase. This compliance is not just a legal necessity but also serves as a competitive advantage in the market, showcasing their commitment to privacy and data protection. Furthermore, well-defined policies and frameworks help streamline the development process, as they offer a clear understanding of government expectations and requirements.

5.3.2 Recommendations for research

This study also has implications for future research that focuses on the development of practical steps and resources to overcome the identified barriers to PbD integration. This includes conducting detailed case studies in various organizational settings, implementing pilot programs to test and refine practical steps and resources in real-world settings, organizing collaborative workshops with a broader range of stakeholders to collaboratively develop and validate practical solutions, and engaging in longitudinal studies to assess the long-term impact of these strategies. To capture the evolving impact of PbD in NIDS, we recommend longitudinal studies extending beyond the snapshot provided by our initial mixed-methods approach. These studies should aim to track changes in stakeholders’ KAP over time, evaluate the long-term efficacy of PbD interventions, and assess sustained impacts on compliance and public trust. Employing a multi-year design with periodic assessments, the studies should feature repeated surveys, focus groups, and interviews, all while adhering to ethical norms. Methodologically, they should include baseline assessments, periodic evaluations, and advanced statistical analyses such as growth curve modeling. Key evaluation metrics will cover shifts in KAP, intervention effectiveness, and indicators like data breaches and public opinion surveys. Potential challenges include participant attrition and data management complexities. This recommendation serves to provide a framework for future researchers and policymakers to assess the evolving implications of PbD in the context of NIDS. It aims to fill the critical gap between short-term outcomes and long-term impacts, thereby offering a more comprehensive view of the success and sustainability of PbD practices.

Another recommendation for research is to broaden the insights gained from this study through a comparative analysis across different settings, industries, and nations. The goals are to benchmark PbD-related KAP in diverse contexts, identify universally effective best practices, and explore the influence of legal and cultural factors. The study should sample organizations or countries differing in regulations, size, and demographics, using consistent data collection methods like surveys and focus groups. Key evaluation metrics should cover KAP disparities, regulatory impact, and effective practices. Potential challenges include capturing cultural nuances and harmonizing varied data sets. Ethical considerations must include informed consent and jurisdiction-specific data protection. By placing PbD in a broader context through comparative analysis, the study can offer globally relevant insights and advance both the academic and practical discourse on PbD in NIDS.

To deepen the understanding of PbD in NIDS, we recommend further investigation into the role-specific variations in the understanding and implementation of PbD. The research should aim to dissect how different organizational roles—such as executives, managers, and frontline staff—impact PbD practices, identify unique challenges each role faces, and formulate targeted interventions. The study should sample from a diverse range of roles and use tailored surveys, interviews, and focus groups. Specialized statistical models like multilevel modeling can analyze the role-based data. Evaluation metrics should gauge role-specific KAP regarding PbD, the influence of roles on its effective implementation, and the effectiveness of targeted interventions. Limitations could include inadequate sample size for each role and the potential for conflicting perspectives between roles. Ethical considerations must encompass confidentiality and informed consent. This research recommendation aims to enrich the existing literature by introducing role as a significant variable that influences PbD outcomes. Such a study could offer actionable insights for both policymakers and organizational leaders committed to enhancing the KAP of PbD in the context of NIDS.

The current study also leaves room for exploring the role of regulatory frameworks. We, therefore, recommend regulatory impact studies to assess how existing and potential regulations influence PbD implementation, examine the impact of varying regulatory strictness across jurisdictions, and identify legislative gaps that could be addressed to improve PbD practices. Research should include diverse organizations, document analysis, expert interviews, and a focus on key variables like compliance costs and data breaches. Methodology should involve comprehensive legal analysis and comparative evaluations of differing regulatory environments. Metrics for evaluation should consider compliance levels, the influence of regulations on KAP metrics, and the efficacy of existing laws in promoting PbD and preventing data breaches. Potential limitations include the complexity and evolving nature of laws. Ethical considerations should include informed consent and sensitivity to confidential information. Such studies can provide actionable insights for policymakers and organizations, enhancing the effective implementation of PbD in NIDS in a legally sound manner.

Moreover, the current study offers limited insights into the role of technology. Thus, we recommend that future research should focus on how emerging technologies like blockchain and machine learning influence PbD implementation, identify challenges posed by current tech, and explore ways to align technology with PbD principles. Research should include organizations of varying technological sophistication, employing methods like surveys, interviews, and usability studies. Key variables to examine include technological infrastructure and the efficacy of PbD-focused tools. Methodologically, technology audits, expert interviews, and controlled experiments can provide valuable data. Evaluation metrics should assess technology-PbD compatibility, effectiveness of tech tools, and user acceptance rates. Limitations include the rapidly evolving tech landscape and the heterogeneity of technologies across organizations. Ethical considerations should prioritize data security and informed consent. Such a focus on the intersection of technology and PbD can offer critical guidelines for NIDS development, contributing significantly to existing literature and practical applications.

Furthermore, the current study lacks a focus on underlying psychological factors. To address this gap, we recommend an expanded research framework that explores the cognitive biases, social pressures, and individual motivations impacting PbD implementation in NIDS. The study should employ a diverse stakeholder sample and utilize psychometric tests, in-depth interviews, and statistical methods designed for psychological research. Evaluation metrics should include psychological clustering to identify stakeholder trends, predictive validity for PbD-related attitudes, and the impact of psychological insights on interventions. Given the subjectivity and ethical complexities of psychological factors, rigorous informed consent and data privacy protocols must be in place. By examining the psychological factors influencing PbD in NIDS, this research can offer a more holistic understanding, thereby facilitating the development of targeted, effective adoption strategies for PbD principles. This approach promises both theoretical and practical contributions to the PbD and NIDS domains.

Lastly, future research should focus on the development of practical steps and resources to overcome the identified barriers to PbD integration. This includes conducting detailed case studies in various organizational settings, implementing pilot programs to test and refine practical solutions, organizing collaborative workshops with a broader range of stakeholders, and engaging in longitudinal studies to assess the long-term impact of these strategies. By building on the insights from our initial study, future work can provide actionable and effective solutions to enhance the integration of PbD principles in NIDS.

6 Conclusion and limitations

In this study, we investigated the stakeholders’ KAP related to PbD in the context of NIDS. Our analysis revealed several key insights that underscore the complex interplay between knowledge, attitudes, and practices. While each of these dimensions is critical, none alone is sufficient for ensuring the effective implementation of PbD in NIDS. This supports findings from previous studies that pointed out gaps in understanding among both developers and organizations, the challenges in academia, legal compliance issues, and the need for methodological frameworks and automated tools.

Enhancing the adoption of PbD in NIDS is a multifaceted challenge that requires a concerted effort on multiple fronts, from educational and training programs to organizational policies and from automated tools to incentive structures. A harmonized approach that targets knowledge, reshapes attitudes, and fosters better practices, supported by robust methodological frameworks and informed by legal considerations, stands the best chance of enhancing privacy protections in NIDS. As the importance of privacy continues to grow in our interconnected world, getting this right is not merely an academic question but a societal imperative.

6.1 Limitations

Despite its important findings, this study is not without limitations. Firstly, the sample size of 203 participants may limit the generalizability of the findings. The sample’s composition of managerial roles with significant experience might have biased the results, particularly regarding attitudes towards PbD. Secondly, the study could be subject to self-reporting bias (common in survey-based research) with participants potentially overestimating their knowledge or practices related to PbD or providing responses influenced by social desirability bias. Additionally, the study didn’t capture potentially influential contextual factors such as organizational culture, industry-specific regulations, or resource availability and the geographic distribution of participants. This might impact the understanding and implementation of PbD principles. Lastly, although the focus group discussion offered valuable qualitative insights, it was subject to the participants’ perspectives and experiences. This may not represent the diversity of challenges and strategies in PbD implementation fully. Potential influential factors like the dynamics of the discussion or group thinking could also shape the conclusions drawn from the discussion. Therefore, future studies as discussed above should seek to address these limitations to provide more comprehensive insights into the application of PbD principles.