Risk management: Social media usage in enterprises
Daniel Walther
University of Applied Science Northwestern Switzerland, Switzerland
daniel.walther@students.fhnw.ch
Abstract
The usage of social media platforms is increasing rapidly, and more and more enterprises are establishing their own presence on different social media platforms. Even if an enterprise is present on a social media platform, it is not given that its own employees are allowed to access these platforms, mostly because of the existing risks. One of the biggest risks is the loss of an enterprise's reputation, which can be reduced only with continuous monitoring of the social media platforms. With a clear social media governance, including a clear strategy and a risk analysis, an enterprise can train its employees in an awareness program.
Keywords: Risk management, social media, user awareness, social media governance, social media strategy, social media threats, security standards, reputation.
#
1. Introduction
During the last few years the usage of social media has grown every year. According to a study by Enisa (2010), 283 million European users visited a social networking site. The same study found that Facebook plays a leading role in the social networking area. Enisa (2010) also pointed out that there are four main activities on a social networking platform, as shown in the figure below.
Figure 1: Social networking activities (Enisa, 2010)
Cavazza (2008) defined social media as follows: „social media are places, tools, services allowing individuals to express themselves (and so to exist) in order to meet, share…“. He points out that the term social media contains two main aspects. The first and most important aspect is the term social, which defines that the main purpose is to interact with others all over the world. The second one is the term media, which defines how the social interaction takes place. The term media includes all possible technologies like movies, blogs, short messages, pictures and many more. During the last years the real-time factor has become a very important feature of the current social media platforms. The real-time factor means that in today's social media behavior all users update their profiles a few times a day and also get information from the other users at the same speed.
Cavazza (2010) released his newest social media landscape, which is shown in the picture below.
Figure 2: Social media landscape 2011 (Cavazza, 2010)
Compared with his earlier social media landscapes, the latest one from Cavazza (2010) differs in one main point. During his research he found out that today the main players in social media are Facebook and Google, and every other social media platform can be connected to these two platforms. This fact leads him to the conclusion that today social media is controlled by Facebook and Google.
According to Loubet (2011), more than 500 million users are active on Facebook, more than 200 million users use Twitter and more than 100 million have a LinkedIn profile. These figures are huge and show the importance of social media platforms today, and that there seems to be a big need for social interaction.
„Of the Fortune 100 companies, 65 percent have active Twitter accounts, 54 percent have Facebook fan pages, 50 percent have YouTube video channels and 33 percent have corporate blogs“ is stated in a white paper from ISACA (2010a), which shows that in the meantime enterprises also try to use the social media channels for their marketing purposes.
Most enterprises today prevent access to the social media platforms because there are no clear best practices and none of the existing security standards can be used as a reference. This paper focuses exactly on these gaps. The aim of this paper is to investigate the most popular security standards with regard to social media platforms and to derive compliant best practices on how to handle the topic of social media within an enterprise.
The following security standards will be taken into account:
• ISO/IEC 27002:2005 (2008)
• ISO/IEC 27005:2008 (2008)
• The Standard of Good Practice (ISF, 2007)
• IT-Grundschutz (BSI, 2009)
According to the latest OpenDNS (2011) report, 23% of the enterprises block Facebook and 13% block MySpace.
Figure 3: OpenDNS (2011) Report - Filtering by business users
One of the most interesting facts is that today mostly only the private social media platforms (like Facebook and Twitter) are filtered by the enterprises. The business-related social media platforms (like Xing and LinkedIn) are allowed, even though they meanwhile provide the same functionalities as the private platforms (e.g. comments).
The paper is organized as follows: in the next chapter the motivation and background are highlighted. In chapter 3 the existing standards are examined with regard to the topic of social media. Based on the information derived from the current standards, chapter 4 looks at the reputation problems of an enterprise using social media. Chapter 5 then points out the mitigation of the social media risks according to the information from the preceding chapters. Chapters 6 and 7 discuss the outcome of this paper and the outlook for the future.
2. Motivation and background
As discussed in chapter 1, a lot of enterprises block access to private social media platforms (OpenDNS, 2011). One reason for this behavior is that there are a lot of risks and threats in using social media platforms.
2.1. Social Media Risks
Therefore a lot of organizations and companies have released studies analyzing the risks from their point of view.
According to a study from Ernst & Young (2010), their customers face the following three top risks within social media:
• Achieving compliance with regulations
• Protecting reputation and brand
• Managing privacy and protecting personal information
Enisa (2010) defines six main risks with regard to social media platforms:
• Identity theft
• Malware
• Corporate data leakage and reputation risk
• Stolen or lost mobile phone
• User‘s position tracking
• Data misuse
In the study from ISACA (2010a), nine main issues are defined, divided into personal and corporate risks:
• Introduction of viruses and malware to the organizational network (corporate)
• Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence (corporate)
• Unclear or undefined content rights to information posted to social media sites (corporate)
• A move to a digital business model may increase customer service expectations (corporate)
• Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery (corporate)
• Use of personal accounts to communicate work-related information (personal)
• Employee posting of pictures or information that link them to the enterprise (personal)
• Excessive employee use of social media in the workplace (personal)
• Employee access to social media via enterprise-supplied mobile devices (personal)
In a second study from ISACA (2010b) the following five top risks in social media for business are named, which are more technically oriented:
• Viruses/malware
• Brand hijacking
• Lack of control over content
• Unrealistic customer expectations of “Internet-speed” service
• Non-compliance with record management regulations
An analysis of these issues from the different studies above shows that the following six main issues exist:
• Problems with malware which spreads over a social networking site
• Problems with corporate data loss
• Problems with the corporate reputation due to fraudulent profiles or damaging statements
• Problems with compliance with record management regulations
• Problems with the privacy of the employee or the customer
• Problems with the lack of possibilities to control social media activities
The listed social media risks can be subdivided into two themes. On the one hand there are the technical aspects like viruses, reduced internet speed and the lack of technical control. On the other hand there are the organizational aspects like compliance with regulations, protection of the reputation and data protection.
These risks are well known, but the safeguards are mostly not available or unclear. The next chapters concentrate on how enterprises can build a complete social media governance, reduce the risks and build up safety measures.
2.2. Social Media Threats
The risks listed above may look theoretical, but they are not. The following threat examples from the popular social media platform Facebook show that the risks from chapter 2.1 are real. This list is not complete, as more threats exist.
SCAM and Phishing
Currently, phishing and SCAM attacks are among the most frequently seen attacks on Facebook. The Facebook phishing attacks do not really differ from all others: they try to get the username and password from users who are not careful enough. One of the latest phishing attacks was discovered by Cluley (2011a), where attackers created a fake Facebook Security fan page and a Facebook application in which the users were told to enter their details or their account would be blocked.
Figure 4: Facebook phishing application (Cluley 2011a)
On the other hand, SCAM attacks on Facebook have increased over the past month. SCAM is defined as a fraudulent scheme or swindle (Definitions.net, 2011), and within Facebook it is often combined with a shocking or sexual video, used as bait, which is posted as a status. Cluley (2011b) investigated such a SCAM attack on Facebook, where a video of an Italian TV star was announced in which she shows her breast live in a TV show. But the Facebook users who wanted to see this short sequence only got a survey or an online prize draw, for which the scammers earn a commission for each entry. In most cases the announced video does not exist at all.
Figure 5: Facebook SCAM video (Cluley, 2011b)
Malicious applications and Malware
Today everyone can create their own Facebook application with different features; currently one of the most famous applications is the game Farmville on Facebook. Attackers have also figured out how to use this for their purposes, especially because an application may get complete access to each profile if the users accept it. Cluley (2011c) looked at an actual case where an attacker created a Google+ application for Facebook which requests access to all information of a user, wants to write on the user's wall and wants to get the user's email address. In fact, if a user accepts this, he has completely lost control of his own profile.
Figure 6: Facebook application request for permission (Cluley, 2011c)
If a malicious application owns one or more profiles, it can also be used to infect the real user with malware or, even worse, to distribute it to all of the user's friends. Scheid (2010) investigated the most famous Facebook malware, named Koobface, which was initially distributed by SCAM, but the distribution can also be done by an application. The Koobface malware is a worm which was also analyzed by Symantec (2010). Symantec (2010) discovered a lot of functionalities which are built into Koobface: „
• Spread through social networks
• Steal confidential information
• Inject advertising into web browsers
• Redirect web browsing to malicious sites
• Intercept Internet traffic
• Block access to certain Internet sites
• Start a web server to serve as a command and control server for other Koobface infections
• Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
• Steal software license keys
• Break CAPTCHAs
• Determine if a link is blocked by Facebook
• Create new Blogspot accounts and pages
• Modify the Hosts file“
These functionalities show that the Koobface malware turns an infected computer into a member of a botnet, which Symantec (n.d.) defines as „A network of computers containing Trojan horses or other malicious code that work together to perform tasks that are assigned by the network's creator or controller.“
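The last two items of Symantec's list, blocking access to certain Internet sites and modifying the hosts file, are something a defender can check for directly, because both leave visible entries in the hosts file. The following script is an added example written for this paper; it is not code from Symantec, Scheid or the author. It parses hosts-file text and reports every entry for a watched set of domains, separating entries that make a site unreachable (loopback or blackhole address) from entries that redirect it to another address. The watched-domain list and the sample hosts file are constructed for the example.

```python
"""Hosts-file tampering check (added example; not code from Symantec or the paper).

Malware such as Koobface blocks or redirects well-known sites by editing the
hosts file. A loopback or blackhole address for a domain blocks it; any other
address redirects it, typically to a host the attacker controls.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains an enterprise would watch; the list is an assumption for this example.
WATCHED_DOMAINS = (
    "facebook.com", "twitter.com", "linkedin.com",
    "symantec.com", "update.microsoft.com",
)

# Addresses that make a hostname unreachable rather than redirecting it.
BLACKHOLE_ADDRESSES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs from hosts-file text.

    Comments ("# ...") and blank lines are ignored; a line whose first field is
    not a valid IP address is skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for hostname in fields[1:]:
            entries.append((address, hostname.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_tampering(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Classify hosts entries for watched domains as 'blocked' or 'redirected'."""
    findings = {"blocked": [], "redirected": []}
    for address, hostname in parse_hosts(text):
        if not is_watched(hostname):
            continue
        kind = "blocked" if address in BLACKHOLE_ADDRESSES else "redirected"
        findings[kind].append((hostname, str(address)))
    return findings


# Constructed sample, not a real hosts file; 198.51.100.0/24 is a documentation range.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com                # blocks the AV vendor's site
0.0.0.0         update.microsoft.com            # blocks updates
198.51.100.23   www.facebook.com facebook.com   # redirects the social network
10.1.2.3        intranet.example.test           # legitimate internal entry
"""

if __name__ == "__main__":
    for kind, entries in find_tampering(SAMPLE_HOSTS).items():
        for hostname, address in entries:
            print(f"{kind:10s} {hostname} -> {address}")
```

To run it against a real machine, read the contents of /etc/hosts (or the Windows hosts file under the system32 drivers\etc directory) and pass the text to find_tampering; any entry for a watched domain is worth an incident ticket, since a clean host normally has none.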
Social Engineering
One of the biggest phenomena on Facebook is that apparently a lot of users publicize their life completely and let everyone know everything about themselves. This can be very dangerous, because an attacker can create an exact profile of a person this way and use this information for an attack like a burglary while the user is away from home.
In a recent study from ID Analytics (2010), as cited in Gupta (2011), it was found that „
• A shocking 63% reveal information about their schools on social networks;
• More than 40% divulge information on their favorite music or band;
• 35% reveal their favorite book;
• 25% disclose information on their favorite vacation spot“.
One more issue is that the policy of Facebook is to develop new features and activate them for all users by default. This can also lead to an unwanted publication of private data. The last such newly integrated feature was the automated face recognition on all pictures, where all users have to opt out if they are not interested (Guynn, 2011).
Clickjacking
Clickjacking is a kind of SCAM whose target is to propagate a message, video or picture very fast over Facebook. For this the attacker adds a piece of code (e.g. JavaScript) to its page which is executed each time a user views the content and posts it on the wall of the user.
3. Security standards and social media
A top risk for enterprises is compliance with current regulations and standards. This chapter investigates the following standards and good practices which are used today:
• ISO/IEC 27002:2005 (2008)
• The Standard of Good Practice (ISF, 2007) (will be listed as a standard even though it is a good practice)
• IT-Grundschutz (BSI, 2009)
The above mentioned security standards are examined based on the risks listed in chapter 2.1. The table below shows whether the identified top social media risks are treated within the selected security standards.
Risk                  | ISO/IEC 27002 | ISF The Standard of Good Practice | BSI IT-Grundschutz
Compliance            | X             | X                                 | X
Reputation protection |               | X                                 |
Viruses/malware       | X             | X                                 | X
Brand hijacking       | (X)           |                                   |
Lack of control       | X             | (X)                               | X
Privacy               | X             | X                                 | X
Data loss             | X             | X                                 | X
Table 1: Comparison of security standards and top social media risks (an X in brackets means partial coverage)
The results show that all three standards are aware of the technical issues but have gaps in the organizational issues.
The Standard of Good Practice (ISF, 2007) is the only standard which gives recommendations on the protection of the own reputation. But it lacks recommendations on controlling the traffic, because it focuses only on network monitoring and its recommended deep controls stop at OSI layer 4 (Cisco, 1999).
ISO/IEC 27002:2005 (2008) is the only one which cares about the brand hijacking issue, but unfortunately only from an external view. That means it covers only such problems when an enterprise works together with another enterprise, to prevent that the other enterprise is e.g. a fake enterprise. There is no coverage for brand hijacking with regard to the own enterprise.
This analysis clarifies why enterprises today are not sure how to treat the social media technologies. Even if they are compliant with the current security standards, a lot of open questions remain. As shown above, the open points are mainly on an organizational basis. The technical aspects (not in the focus of this paper) can mostly be solved today without problems, as there are enough solutions available.
4. Reputation and social media
One of the biggest risks that came up with the social media platforms is that the activities are very hard to observe due to the massive amount of different platforms.
With regard to the problems that can arise with social media reputation, two main issues have to be investigated (Enisa, 2010 and ISACA, 2010b):
• Brand hijacking: This term defines the case when someone creates a fake enterprise identity and acts in the name of this enterprise.
• Bad reputation: This term defines the case when someone publishes hurtful statements about an enterprise.
To avoid both above mentioned problems, different strategies can be applied. Even if all these strategies look simple and practicable, they are not, because a lot of effort is needed.
With the following methods and measures enterprises can observe and probably control the activities within the social media platforms:
• Monitoring:
It is absolutely necessary that an enterprise monitors the activities on all (or at least the most popular) social media platforms on a daily basis. These monitoring tasks must contain at least the following objective:
- Using search engines and the built-in search functions within the platforms to find out whether a stranger is using a profile name which can have a negative impact on the enterprise. This is needed both to avoid brand hijacking and to prevent false statements.
An example: an enterprise owns a social media site and suddenly a user with the same name as the CEO starts to create comments about the enterprise, even though the real CEO never created such a profile.
With effective monitoring of the social media platforms such issues can be detected and actions can be started.
• Contact with the operators of the social media platforms:
In order to be able to react if there is any misuse of a brand or a profile (as described above) it is necessary that each enterprise is able to contact the operator of the social media platforms. With a good connection to these operators it is much easier to react in case of misuse, because the operators have the possibility to delete or modify incorrect profiles or comments.
• Be part of the social media community:
Today it is absolutely necessary that an enterprise starts to be part of the social media community. The reason for this step is that it is much easier to monitor the social media platforms if an enterprise is also part of them, because a lot of the content of these platforms is not visible outside the platforms and can only be seen by the members.
Being part of the social media communities has some advantages and disadvantages. In the table below some of the main points are listed.
Advantages | Disadvantages
Monitoring is easier because all the content is viewable. | Extremely high amount of available social media platforms, which makes it hard to be part of all of them.
Contact to the social media platform operators is easier. | The operators may not be interested in helping the enterprises.
Names of the brands and products can be reserved on the platforms to avoid misuse. | As there are so many platforms and probably some names are already reserved, an easy registration won't be possible.
Direct contact to the customers. | The customers can also create damaging comments if they are unhappy with an enterprise or a product.
Marketing possibilities. | The social media platforms need a daily and up-to-date presence of the marketing department. No social media presence is better than an outdated presence.
Table 2: Advantages and disadvantages of being part of the social media community
If the above described methods are applied and an enterprise is an active part of the social media community, a lot of problems with brand hijacking and bad reputation can be solved easily. If a more complicated misuse of an enterprise occurs within a social media platform, direct contact to the operator and the public authorities is indispensable.
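The monitoring objective described in this chapter, spotting a stranger who uses a profile name that imitates the enterprise or its CEO, can be partly automated once the profile names found by search have been collected. The following script is an added example written for this paper, not code from any of the cited sources. It normalises names (lowercase, common digit and symbol look-alikes mapped back to letters, punctuation removed) and then flags profiles whose handle or display name is identical or one edit away from a protected name, skipping the enterprise's own official accounts. The protected names, official handles and sample profiles are constructed placeholders.

```python
"""Lookalike-profile check for social media monitoring (added example, not the paper's code).

Flags profiles whose handle or display name is identical or nearly identical to
a protected brand or executive name after normalisation, so that 'Acme_C0rp'
and 'Acme Corp' compare equal and 'acmecorps' is reported as a near match.
"""
import re
from typing import Dict, Optional, Tuple

# Digit and symbol substitutions commonly used to imitate a name; an assumption.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "|": "l",
})


def normalize(name: str) -> str:
    """Lowercase, map look-alike characters, then strip everything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", name.lower().translate(LOOKALIKES))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative two-row version."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def match_protected(value: str, protected: Dict[str, str],
                    max_distance: int) -> Optional[Tuple[str, int]]:
    """Return (protected name, distance) for the first protected name within max_distance."""
    norm = normalize(value)
    for pnorm, pname in protected.items():
        d = edit_distance(norm, pnorm)
        if d <= max_distance:
            return pname, d
    return None


def flag_impersonation(profiles, protected_names, official_handles, max_distance=1):
    """Return (handle, protected name, 'exact'|'near', matching field) per suspicious profile.

    Profiles whose handle is in official_handles are the enterprise's own and are skipped.
    """
    protected = {normalize(n): n for n in protected_names}
    official = {h.lower() for h in official_handles}
    findings = []
    for profile in profiles:
        if profile["handle"].lower() in official:
            continue
        for field in ("handle", "display_name"):
            hit = match_protected(profile[field], protected, max_distance)
            if hit is not None:
                pname, d = hit
                findings.append((profile["handle"], pname,
                                 "exact" if d == 0 else "near", field))
                break
    return findings


# Constructed sample data; Acme Corp and John Doe are placeholders.
PROTECTED_NAMES = ["Acme Corp", "John Doe"]       # brand and CEO name
OFFICIAL_HANDLES = ["acmecorp"]                   # the enterprise's own account
SAMPLE_PROFILES = [
    {"handle": "acmecorp", "display_name": "Acme Corp"},            # official, skipped
    {"handle": "acme_c0rp", "display_name": "Acme Corp Support"},   # look-alike handle
    {"handle": "john.doe.ceo", "display_name": "John Doe"},         # CEO's name, no real profile
    {"handle": "acmecorps", "display_name": "Fan page"},            # one character off
    {"handle": "gardening_tips", "display_name": "Jane Roe"},       # unrelated
]

if __name__ == "__main__":
    for handle, name, kind, field in flag_impersonation(SAMPLE_PROFILES, PROTECTED_NAMES, OFFICIAL_HANDLES):
        print(f"{handle}: {kind} match on {field} for protected name '{name}'")
```

Every finding is a candidate for the contact-with-the-operator step, not a verdict: a fan page or a namesake is legitimate, so the list is reviewed by a person before a takedown request is sent. Raising max_distance catches more variants at the price of more such false positives.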
5. Mitigation of social media risks
Because of the risks of social media platforms for an enterprise shown in chapter 2.1, it is absolutely necessary that each enterprise faces these risks and starts an internal program to mitigate them.
There are different possibilities to create a risk mitigation plan for social media. As the social media networks grow rapidly and Rennie and Zorpette (2011) predict that the social era of the web starts now, an enterprise has to build a social media governance to be ready for the future.
Two recommendations on how to build a social media governance, from ISACA (2010a) and Ernst & Young (2011), contain nearly the same strategies. Ernst & Young (2011) created a social media maturity model based on the known five levels as they are also used in CMMI-DEV (2010). This paper combines these two strategies to derive a good practice for enterprises to build up a social media governance.
Figure 7: Social Media Governance Maturity Model, according to Ernst & Young (2011)
The idea of presenting this social media governance maturity model in the known five levels is a good approach, but in order to build an individual governance four levels should be enough. The reason for this appraisal is that a risk assessment can only cover all aspects of an enterprise if the strategy is known. After the reduction to four levels they can be easily integrated into the well-known PDCA („Plan-Do-Check-Act“) cycle, which is also used in the ISO/IEC 27001:2005 (2008) standard.
Figure 8: Social Media Governance PDCA cycle
The following subchapters describe each phase in detail. For simplicity, the risk assessment and the strategy explanation are separated.
5.1. Social Media Risk Assessment
According to Ernst & Young (2011) the following risk categories have to be taken into account:
• Confidentiality risks (e.g. data loss)
• Legal and compliance risks (e.g. data privacy, regulatory violations)
• Reputational risks (e.g. brand hijacking)
• Operational risks (e.g. internet traffic, employee efficiency)
• Strategic risks (e.g. wrong strategy, losing customers)
These categories also cover the risks found earlier in this paper. Depending on the social media strategy, the risk assessment has to be designed differently. Of the risk categories, the following three always have to be treated in the same way:
• Confidentiality risks
• Legal and compliance risks
• Reputational risks
The other two risk categories depend more on the social media strategy:
• Operational risks: depend highly on whether social media access within the enterprise is allowed or not.
• Strategic risks: depend highly on whether the enterprise has or will have a social media presence or not.
To evaluate the risks, the standard ISO/IEC 27005:2008 (2008) should be taken into account. There are also a lot of other IT risk frameworks like RiskIT (2009).
Within ISO/IEC 27005:2008 (2008) the risk management process is divided into six parts:
• Context establishment (e.g. scope and boundaries)
• Information security risk assessment (risk analysis and risk evaluation)
• Information security risk treatment (risk reduction, risk retention, risk avoidance and risk transfer)
• Information security risk acceptance
• Information security risk communication
• Information security risk monitoring and review (last and important step to guarantee the PDCA lifecycle
within the risk management)
Only the parts of the ISO/IEC 27005:2008 (2008) risk management process listed below are taken into account, as the others depend very much on each enterprise and hence no clear statement can be given.
• Context establishment (e.g. scope and boundaries)
- This part won‘t be described more in detail as this paper itself describes the context exactly
• Information security risk assessment (risk analysis and risk evaluation)
- Mainly the part risk analysis will be described
• Information security risk treatment (risk reduction, risk retention, risk avoidance and risk transfer)
- The risk reduction part will be highlighted
• Information security risk monitoring and review (last and important step to guarantee the PDCA lifecycle
within the risk management)
- Main focus is the risk monitoring within this paper
Within the risk analysis the threats, vulnerabilities and the risk estimation are created, which means that afterwards a complete list with all risks and their scoring (qualitative or quantitative) should be known. In the preceding chapters the social media threats are already listed, but what are the vulnerabilities for an enterprise? ISO/IEC 27005:2008 (2008) lists some possible vulnerabilities. The following excerpt lists the vulnerabilities which have to be taken into account with regard to social media. The complete list of vulnerabilities can be found in Appendix A.
Hardware
- Uncontrolled copying
Software
- No 'logout' when leaving the workstation
- Poor password management
- Failure to produce management reports
Network
- Unprotected communication lines
- Unprotected sensitive traffic
- Transfer of passwords in clear
- Inadequate network management (resilience of routing)
Personnel
- Absence of personnel
- Insufficient security training
- Incorrect use of software and hardware
- Lack of security awareness
- Lack of monitoring mechanisms
- Unsupervised work by outside or cleaning staff
- Lack of policies for the correct use of telecommunications media and messaging
Organization
- Lack of procedure of monitoring of information processing facilities
- Lack of regular audits (supervision)
- Lack of procedures of risk identification and assessment
- Lack of formal process for authorization of public available information
- Lack of procedures for classified information handling
- Lack or insufficient provisions (concerning information security) in contracts with employees
- Lack of defined disciplinary process in case of information security incident
- Lack of formal policy on mobile computer usage
- Lack or insufficient 'clear desk and clear screen' policy
- Lack of established monitoring mechanisms for security breaches
- Lack of procedures of provisions compliance with intellectual rights
Table 3: List of vulnerabilities for social media by type, according to ISO/IEC 27005:2008 (2008)
For the risk estimation the qualitative method should be used. The reason is that for most of the soft-factor vulnerabilities (and also threats) there is no possibility to quantify them correctly.
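The qualitative estimation recommended here pairs a threat from chapter 2.2 with a vulnerability from Table 3, rates likelihood and impact on an ordinal scale, and combines the two into a risk level that decides which risks go to risk treatment first. The following script is an added example written for this paper; it is not the paper's or ISO/IEC 27005's own procedure. The three-level scales, the combination matrix and the ratings in the sample register are assumptions constructed for the example; ISO/IEC 27005 leaves the concrete scale to the enterprise.

```python
"""Qualitative risk estimation for a social media risk register (added example).

Likelihood and impact are rated on an ordinal scale and combined through a
matrix into a risk level; the register is then ordered by that level so the
highest risks enter risk treatment (chapter 5.1, risk reduction) first.
"""
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = ("low", "medium", "high")

# Rows: likelihood, columns: impact. The mapping is an assumption for this
# example; ISO/IEC 27005 only requires an ordinal combination of the two.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class RiskEntry:
    risk_id: str
    category: str        # Ernst & Young category from chapter 5.1
    threat: str          # from chapter 2.2
    vulnerability: str   # from Table 3
    likelihood: str      # one of LEVELS
    impact: str          # one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Combine two ordinal ratings into a risk level via RISK_MATRIX."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def estimate(register: List[RiskEntry]) -> List[Tuple[str, str]]:
    """Return (risk id, level) pairs, highest level first, ties ordered by id."""
    scored = [(e.risk_id, risk_level(e.likelihood, e.impact)) for e in register]
    return sorted(scored, key=lambda t: (-LEVELS.index(t[1]), t[0]))


def treatment_candidates(register: List[RiskEntry], minimum: str = "high") -> List[str]:
    """Ids of entries at or above `minimum`, i.e. those that go to risk treatment first."""
    threshold = LEVELS.index(minimum)
    return [e.risk_id for e in register
            if LEVELS.index(risk_level(e.likelihood, e.impact)) >= threshold]


# Constructed sample register; the ratings are illustrative, not measured values.
REGISTER = [
    RiskEntry("R1", "Confidentiality", "Koobface-style malware spread over a social network",
              "Lack of security awareness", "medium", "high"),
    RiskEntry("R2", "Reputational", "Brand hijacking through a fake enterprise profile",
              "Lack of established monitoring mechanisms for security breaches", "high", "medium"),
    RiskEntry("R3", "Legal and compliance", "Employee posts internal data on a social network",
              "Lack of formal process for authorization of public available information",
              "medium", "medium"),
    RiskEntry("R4", "Operational", "Excessive employee use of social media in the workplace",
              "Lack of monitoring mechanisms", "high", "low"),
]

if __name__ == "__main__":
    for risk_id, level in estimate(REGISTER):
        print(f"{risk_id}: {level}")
    print("treat first:", treatment_candidates(REGISTER))
```

Keeping the matrix in one place makes the "Check" step of the PDCA cycle simple: when monitoring shows that a likelihood rating was wrong, only the register entry changes and the ordering is recomputed.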
5.2. Social Media Strategy
A social media strategy of an enterprise is an essential factor for the future, especially with regard to information security risk management, social media governance and social media awareness. Without a clearly defined strategy it is nearly impossible to create them and to have a vision for the future within social media. A strategy contains at least the following aspects (Jones and George, 2008):
• SWOT (Strength-Weaknesses-Opportunities-Threats) analysis
• Definition of goals
• KPI (Key Performance Indicator) definition
The following social media SWOT analysis example can be used as a reference. The listed facts may not be complete, because they depend on the business sector and also on the goals of a social media strategy.
Figure 9: Social Media strategy SWOT analysis
A social media strategy may support several goals or only one. The following goals may exist (non-exhaustive enumeration):
• Being present on social media platforms as a company
• Providing services on social media platforms
• Employees are allowed to access and work with social media platforms
• Employees are prohibited from accessing and working with social media platforms
• Social media isn‘t crucial for the enterprise and therefore no social media presence is needed
The definition of KPIs may be one of the hardest parts, depending on the goals. If an enterprise has a strategy without social media it is very easy, because not many KPIs are possible, in contrast to an enterprise with a social media presence. The following table shows some possible KPI values (according to Kallas (2011)):
Strategy: Without social media
- Amount of brand hijacking incidents
- Amount of fake employee identities on social media platforms
- Amount of good/bad comments from employees on social media platforms
- Amount of good/bad comments from external people on social media platforms
- Amount of incidents regarding the prohibition of social media
Strategy: With social media
- Amount of brand hijacking incidents
- Amount of fake employee identities on social media platforms
- Amount of good/bad comments from employees on social media platforms
- Amount of good/bad comments from external people on social media platforms
- Amount of incidents regarding the usage of social media
- Amount of customer requests/orders on social media
- Amount of complaints on social media
- Amount of congratulations on social media
- Amount of Fans
- Amount of social media access hits by employees
Table 4: List of possible KPI measures per strategy
With the described minimum content of a social media strategy it is possible to derive all documents needed to have a secure social media environment in an enterprise. A detailed list of the KPI values from Kallas (2011) is available in Appendix B.
Owyang and Lovett (2010) created 11 different KPI values which can be calculated from different values available on the internet or within an enterprise. The KPI values from Owyang and Lovett (2010) are more sophisticated than others because they use the existing KPI values (like those from Kallas (2011)) and calculate new values. The list of these 11 KPI values from Owyang and Lovett (2010):
KPI name               KPI formula
Share of Voice         Brand Mentions / Total Mentions (Brand + Competitor A, B, C…n)
Audience Engagement    (Comments + Shares + Trackbacks) / Total Views
Conversation Reach     Total People Participating / Total Audience Exposure
Active Advocates       # of Active Advocates (past 30 days) / Total Advocates
Advocate Influence     Unique Advocate's Influence / Total Advocate Influence
Advocacy Impact        # of Advocacy Driven Conversions / Total Volume of Advocacy Traffic
Issue Resolution Rate  Total # Issues Resolved Satisfactorily / Total # Service Issues
Resolution Time        Total Inquiry Response Time / Total # Service Inquiries
Satisfaction Score     Customer Feedback (input A, B, C…n) / All Customer Feedback
Topic Trends           # of Specific Topic Mentions / All Topic Mentions
Sentiment Ratio        (Positive : Neutral : Negative Brand Mentions) / All Brand Mentions
Idea Impact            # of Positive Conversions, Shares, Mentions / Total Idea Conversions, Shares, Mentions
Table 5: List of possible KPI measures, according to Owyang and Lovett (2010)
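The formulas in Table 5 are ratios of counts that a monitoring tool has to collect first. As an added example, not taken from Owyang and Lovett (2010) or from this paper, the following Python script computes Share of Voice, Sentiment Ratio, Topic Trends, Issue Resolution Rate and Resolution Time from a constructed list of mention and service-issue records. The brand name AcmeBank, the competitors and all records are invented for the example, and returning 0.0 when there is nothing to count (instead of dividing by zero) is a design choice for the empty-input case rather than part of the original formulas.

```python
from collections import Counter
from dataclasses import dataclass

OWN_BRAND = "AcmeBank"  # hypothetical brand; the competitors below are invented too


@dataclass(frozen=True)
class Mention:
    brand: str      # brand the post is about (own brand or a competitor)
    sentiment: str  # "positive", "neutral" or "negative", as tagged by the monitoring
    topic: str      # dominant topic of the post


@dataclass(frozen=True)
class ServiceIssue:
    issue_id: str
    response_minutes: int          # time until the enterprise answered
    resolved_satisfactorily: bool  # outcome as judged by the customer


# Constructed sample records, not real monitoring output.
MENTIONS = [
    Mention("AcmeBank", "positive", "mobile app"),
    Mention("AcmeBank", "negative", "outage"),
    Mention("AcmeBank", "neutral", "outage"),
    Mention("AcmeBank", "negative", "outage"),
    Mention("CompetitorA", "positive", "mobile app"),
    Mention("CompetitorB", "neutral", "fees"),
]
ISSUES = [
    ServiceIssue("I-1", 30, True),
    ServiceIssue("I-2", 90, False),
    ServiceIssue("I-3", 60, True),
]


def _ratio(numerator, denominator):
    """Division that yields 0.0 instead of failing when nothing was counted."""
    return numerator / denominator if denominator else 0.0


def own_mentions(mentions, brand=OWN_BRAND):
    return [m for m in mentions if m.brand == brand]


def share_of_voice(mentions, brand=OWN_BRAND):
    """Brand Mentions / Total Mentions (brand + all competitors)."""
    return _ratio(len(own_mentions(mentions, brand)), len(mentions))


def sentiment_ratio(mentions, brand=OWN_BRAND):
    """(Positive : Neutral : Negative brand mentions) / All brand mentions."""
    own = own_mentions(mentions, brand)
    counts = Counter(m.sentiment for m in own)  # missing keys count as 0
    return tuple(_ratio(counts[s], len(own)) for s in ("positive", "neutral", "negative"))


def topic_trend(mentions, topic, brand=OWN_BRAND):
    """# of specific topic mentions / All topic mentions (for the own brand)."""
    own = own_mentions(mentions, brand)
    return _ratio(sum(1 for m in own if m.topic == topic), len(own))


def issue_resolution_rate(issues):
    """Total # issues resolved satisfactorily / Total # service issues."""
    return _ratio(sum(1 for i in issues if i.resolved_satisfactorily), len(issues))


def resolution_time(issues):
    """Total inquiry response time / Total # service inquiries (minutes per issue)."""
    return _ratio(sum(i.response_minutes for i in issues), len(issues))


def kpi_report(mentions, issues):
    """All KPIs of this example in one dict, e.g. for a periodic governance report."""
    return {
        "share_of_voice": share_of_voice(mentions),
        "sentiment_ratio": sentiment_ratio(mentions),
        "topic_trend_outage": topic_trend(mentions, "outage"),
        "issue_resolution_rate": issue_resolution_rate(issues),
        "resolution_time_minutes": resolution_time(issues),
    }


if __name__ == "__main__":
    for name, value in kpi_report(MENTIONS, ISSUES).items():
        print(f"{name}: {value}")
```

With the sample records the own brand has 4 of 6 mentions (Share of Voice 0.67), a sentiment ratio of 0.25 : 0.25 : 0.5, and three quarters of its mentions concern the "outage" topic, which is exactly the kind of trend the monitoring in chapter 5.5 should surface.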
5.3. Social Media Governance
The social media governance defines and clarifies the following points, based on the goals of the social media strategy:
• Social media guidelines
These social media guidelines should be available to every employee and help them act in a secure way on the existing social media platforms. IBM (2010) has published its updated social computing guidelines, in which it defines the behaviour it expects from employees on a social media platform. Guidelines and policies are mostly put in the same context, but policies are stricter than guidelines, and guidelines do not define any consequences in case of a violation.
• Social media policies
The social media policies are one of the most important tools to regulate and control the social media activities of the enterprise and of its employees. All these policies are mandatory, and therefore disciplinary actions also have to be defined in case of non-compliance. Such a policy may have the following structure:
- Introduction (definition of the topic and the relevance of this policy).
- Explanation of the goals of the social media strategy and the position of the enterprise.
- Definition of the enterprise rules for employees on how and what is allowed with regard to the social media platforms.
- Definition of how social media is monitored (including its usage) and how incidents are processed in case of a violation. Mostly only a reference to the disciplinary actions is made, because these actions have to be carried out and regulated by the human resources department.
• Needed processes for social media within the enterprise
Depending on the social media strategy and the defined goals, processes have to be defined to set boundaries for the social media usage of an enterprise. The following activities will probably need a new process:
- Creating an enterprise profile on a new social media platform
- Creating a social media marketing campaign
- Adding an employee to the social media profile administrators
- Social media monitoring
- Legal processes in case of an incident
- and many more
All these parts of the social media governance are input for the social media awareness program and serve as a reference for all employees whenever they are unsure whether a specific action is allowed.
In a trend survey by nCircle (2011), 68% of the participating enterprises already had a social media policy, but in the same survey the responding enterprises also stated that only 44% of their employees comply with this policy. This is a clear sign that the existing policy is either not known or too complex, or that there is no awareness program.
5.4. Social Media Awareness
A social media awareness campaign is needed to train the employees in the social media strategy and the social media governance. Such an awareness training can be a classroom or a web-based training. It is recommended that this campaign is integrated into the enterprise security awareness program.
The content of a social media awareness campaign should contain at least the following points:
• Introduction to social media
- What is social media
- Which platforms exist
- What is the main usage of the different platforms
• Threats on social media (for both private and enterprise usage)
- Don't "Like" everything
- Be aware of social media scams, phishing, clickjacking, malicious applications and malware
• Rules:
- How to work with a social media platform as an employee
- How to work with a social media platform at home
- How to teach children
• A short test on the learned material
5.5. Social Media Monitoring
The last part needed to mitigate the existing social media risks is the monitoring of the existing platforms and of their usage. In contrast to the other parts, monitoring is mainly a technical task. This means that most of it can be automated with different technologies (e.g. web proxy servers, automated internet crawlers, ...). The monitoring can also be used to create the input for the different KPI values described in chapter 5.2.
The following actions may be monitored:
• Social media usage of the employees
• Comments on social media platforms with a link to the enterprise
• Profiles (enterprise or private) which may be fake and are used to harm the enterprise
• Trends and new social media platforms
Neely (2010) states that „Monitoring finds symptoms; listening finds causes“, which means that social media monitoring will find some violations, but only an enterprise that is active on the social media platforms and learns to listen to what is going on will find the real sources of the violations and can shut them down.
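As an added example, not part of the paper, the following Python script shows the proxy-based part of such a monitoring: it parses access-log lines in the Squid native format, recognises requests to a small list of social media platforms, counts requests per employee (the input for the KPI "Amount of social media access hits by employees" from Table 4) and reports requests which violate a hypothetical policy. The platform list, the platform allowed for everyone, the administrator account and the log lines are constructed assumptions for the example; a real deployment would take them from the governance documents and from the proxy's own log.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed platform list (registrable domain -> platform name); not from the paper.
SOCIAL_MEDIA_DOMAINS = {
    "facebook.com": "Facebook",
    "twitter.com": "Twitter",
    "linkedin.com": "LinkedIn",
    "youtube.com": "YouTube",
}
# Hypothetical policy: every employee may use LinkedIn; the other platforms are
# reserved for the accounts which administer the enterprise presence.
ALLOWED_FOR_ALL = {"LinkedIn"}
SOCIAL_MEDIA_ADMINS = {"carol"}

# Squid native access.log fields:
# time elapsed client result/status bytes method URL user hierarchy/peer content-type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log (not real traffic); user names come from proxy authentication.
SAMPLE_LOG = """\
1311078600.123    245 10.1.2.3 TCP_MISS/200 5120 GET http://www.facebook.com/home.php alice DIRECT/69.63.189.11 text/html
1311078601.456     12 10.1.2.3 TCP_MISS/200 812 GET http://static.ak.facebook.com/rsrc.php alice DIRECT/69.63.189.11 text/css
1311078700.000    330 10.1.2.7 TCP_MISS/200 9911 GET http://www.linkedin.com/in/bob bob DIRECT/216.52.242.80 text/html
1311078800.500    200 10.1.2.9 TCP_MISS/200 4000 POST http://twitter.com/statuses/update carol DIRECT/199.59.148.10 text/html
1311078900.250    150 10.1.2.3 TCP_DENIED/403 0 GET http://www.youtube.com/watch?v=abc alice NONE/- text/html
1311079000.000     80 10.1.2.7 TCP_MISS/200 1500 GET http://www.example.com/ bob DIRECT/93.184.216.34 text/html
this line is not in squid format and must be skipped
"""


def platform_for(url):
    """Return the platform name for a URL, or None if it is not a listed platform."""
    host = (urlparse(url).hostname or "").lower()
    for domain, name in SOCIAL_MEDIA_DOMAINS.items():
        # exact match or a subdomain; the leading dot keeps "notfacebook.com" from matching
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_log(text):
    """Extract the social media requests from Squid log text as a list of dicts."""
    events = []
    for line in text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue  # malformed line: skip it instead of stopping the monitor
        platform = platform_for(m["url"])
        if platform is None:
            continue
        events.append({
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            "user": m["user"],
            "platform": platform,
            "url": m["url"],
            "denied": m["result"].startswith("TCP_DENIED"),
        })
    return events


def hits_per_employee(events):
    """KPI input: number of social media requests per employee (blocked attempts included)."""
    return Counter(e["user"] for e in events)


def policy_findings(events):
    """Requests the hypothetical policy does not allow, as (user, platform, reason)."""
    findings = []
    for e in events:
        if e["denied"]:
            findings.append((e["user"], e["platform"], "blocked by proxy"))
        elif e["platform"] not in ALLOWED_FOR_ALL and e["user"] not in SOCIAL_MEDIA_ADMINS:
            findings.append((e["user"], e["platform"], "prohibited platform"))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, n in sorted(hits_per_employee(evs).items()):
        print(f"{user}: {n} social media request(s)")
    for user, platform, reason in policy_findings(evs):
        print(f"finding: {user} -> {platform} ({reason})")
```

On the sample log the script attributes three requests to alice, one each to bob and carol, and reports three findings: alice's two Facebook requests that the proxy let through although the policy prohibits them, and her YouTube request that the proxy already blocked. The first kind is what the KPI "incidents regarding the prohibition of social media" counts; the second shows that a proxy block alone does not tell the governance team that the attempt happened, so the log has to be read as well.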
6. Conclusion
As shown in this paper, there are many possible threats on the current social media platforms; nevertheless there are also opportunities, which are not highlighted in this paper. But even the best opportunities may disappear when an enterprise has no strategy and does not assess the risks as described in chapters 4 and 5.
According to Ernst & Young (2011), most large enterprises (more than 1000 employees) currently already have an established social media governance, but the smaller ones (below 1000 employees) do not. One example is IBM (2010) with its existing social media governance. But even in large enterprises social media is handled in different ways.
With a clear and defined social media governance an enterprise can handle the usage of social media platforms and its own presence on a social media platform in a secure way. But the definition of an accepted and strictly followed social media governance is not easy, for the following reasons:
• The legal situation may differ in each country
• Monitoring all users and their actions is expensive and complex for large companies
• Monitoring e.g. brand hijacking on existing social media platforms is complex because there are many platforms and new ones will appear in future
This paper also showed that there are currently no widely accepted and known secure social media concepts. Even the established security standards contain no specific section on the new possibilities which arise with social media.
The following three points were not part of this paper and have to be discussed separately:
• Is a quantitative risk analysis possible within a social media risk analysis?
• Is it necessary that the existing and established security standards (e.g. ISO/IEC 27001:2005 (2008), ISO/IEC 27002:2005 (2008)) include a specific section on social media?
• How does Generation Y (Wolf, 2010), which has grown up with social media platforms, react if the employer disallows their usage?
References
BSI, 2009. IT-Grundschutz. Bonn: Bundesamt für Sicherheit in der Informationstechnik.
CAVAZZA, F., 2008. Social Media Landscape [online]. Available from: http://www.fredcavazza.net/2008/06/09/social-media-landscape/ [Accessed 23 May 2011].
CAVAZZA, F., 2010. Social Media Landscape 2011 [online]. Available from: http://www.fredcavazza.net/2010/12/14/social-media-landscape-2011/ [Accessed 23 May 2011].
CISCO, 1999. Open System Interconnection Reference Model [online]. Available from: http://docwiki.cisco.com/wiki/Internetworking_Basics#Open_System_Interconnection_Reference_Model [Accessed 2 June 2011].
CLULEY, G., 2011a. Fake Facebook Security Team phishes passwords from users [online]. Available from: http://nakedsecurity.sophos.com/2011/07/03/fake-facebook-security-team-phishes-passwords-from-users [Accessed 19 July 2011].
CLULEY, G., 2011b. This Girl must be out of her mind on live television - Facebook scam [online]. Available from: http://nakedsecurity.sophos.com/2011/07/18/this-girl-must-be-out-of-her-mind-on-live-television-facebook-scam [Accessed 19 July 2011].
CLULEY, G., 2011c. Google+ invite scam spreads on Facebook via rogue application [online]. Available from: http://nakedsecurity.sophos.com/2011/07/13/google-plus-invite-scam-facebook [Accessed 19 July 2011].
CMMI-DEV, 2010. CMMI® for Development, Version 1.3. Hanscom AFB, Carnegie Mellon University.
DEFINITIONS.NET, 2011. Definition of scam [online]. Available from: http://www.definitions.net/definition/scam [Accessed 19 July 2011].
ENISA, 2010. Online as soon as it happens. Heraklion: ENISA (DOI: 10.2824/15183).
ERNST & YOUNG, 2010. Borderless security, Ernst & Young's 2010 Global Information Security Survey [online]. Available from: http://www2.eycom.ch/publications/items/giss/2010_giss/2010_EY_GISS_Borderless_Security.pdf [Accessed 27 May 2011].
ERNST & YOUNG, 2011. Social Media Policy Survey in the Swiss Financial Sector: Controlling the Uncontrollable. Presentation at (ISC)2 Security Ambassadors Meeting. Aberhardt Peter, Stuermer Matthias. Zuerich: 12 May 2011.
GUPTA, U., 2011. How to Mitigate Social Media Risks [online]. Available from: http://blogs.bankinfosecurity.com/posts.php?postID=872 [Accessed 19 July 2011].
GUYNN, J., 2011. Here's how to opt out of Facebook's facial-recognition feature [online]. Available from: http://articles.latimes.com/2011/jun/11/business/la-fi-techsavvy-facebook-20110612 [Accessed 19 July 2011].
HARDY, C. A., WILLIAMS, S. P., 2010. Managing Information Risks and Protecting Information Assets in a Web 2.0 era. In: 23rd Bled eConference eTrust: Implications for the Individual, Enterprises and Society, June 20-23, 2010. Kranj: University of Maribor, 234-247.
IBM, 2010. IBM Social Computing Guidelines [online]. Available from: http://www.ibm.com/blogs/zz/en/guidelines.html [Accessed 10 July 2011].
ISACA, 2010a. Social Media: Business Benefits and Security, Governance and Assurance Perspectives. Rolling Meadows: ISACA.
ISACA, 2010b. Top Five Social Media Risks for Business [online]. Available from: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/Top-Five-Social-Media-Risks-for-Business-New-ISACA-White-Paper.aspx [Accessed 26 May 2011].
ISF, 2007. The Standard of Good Practice for Information Security. Surrey: Information Security Forum Limited.
ISO/IEC 27001:2005, 2008. Information technology – Security techniques – Information security management systems – Requirements. Berlin: DIN Deutsches Institut für Normung e.V.
ISO/IEC 27002:2005, 2008. Information technology – Security techniques – Code of practice for information security management. Berlin: DIN Deutsches Institut für Normung e.V.
ISO/IEC 27005:2008(E), 2008. Information technology – Security techniques – Information security risk management. Geneva: International Organization for Standardization ISO.
JONES, G. R., GEORGE, J. M., 2008. Contemporary Management. 5th ed. New York: McGraw-Hill.
KALLAS, P., 2011. 48 Social Media KPIs (Key Performance Indicators) [online]. Available from: http://www.dreamgrow.com/48-social-media-kpis-key-performance-indicators/ [Accessed 17 July 2011].
LOUBET, K., 2011. 25 Unbelievable Social Media Statistics [online]. Available from: http://www.social2b.com/index.php/2011/04/21/25-social-media-statistics/ [Accessed 23 May 2011].
NCIRCLE, 2011. nCircle 2011 Social Media Security Trends Survey [online]. Available from: http://www.ncircle.com/index.php?s=resources_surveys_Survey-SocialMedia-2011 [Accessed 10 July 2011].
NEELY, D., 2010. Social-Media Listening vs. Social-Media Monitoring: Truly Connecting, or Merely Collecting? [online]. Available from: http://www.marketingprofs.com/articles/2010/3634/social-media-listening-vs-social-media-monitoring-truly-connecting-or-merely-collecting [Accessed 10 July 2011].
OPENDNS, 2011. OpenDNS® 2010 Report Web Content Filtering and Phishing. San Francisco: OpenDNS, Inc.
OWYANG, J., LOVETT, J., 2010. Social Marketing Analytics [online]. Available from: http://www.slideshare.net/jeremiah_owyang/altimeter-report-social-marketing-analytics?from=embed [Accessed 17 July 2011].
RENNIE, J., ZORPETTE, G., 2011. The Social Era of the Web Starts Now. IEEE Spectrum, 6 (11), 23-25.
RISKIT, 2009. The RiskIT Framework. Rolling Meadows: ISACA.
SCHEID, J., 2010. Get Rid of Facebook Viruses [online]. Available from: http://www.brighthub.com/internet/security-privacy/articles/73700.aspx [Accessed 19 July 2011].
SYMANTEC, 2010. W32.Koobface [online]. Available from: http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99 [Accessed 19 July 2011].
SYMANTEC, n.d. Glossary - bot network [online]. Available from: http://www.symantec.com/business/security_response/glossary/define.jsp?letter=b&word=bot-network [Accessed 19 July 2011].
WOLF, D., 2010. Junge Kollegen sind anspruchsvoll, flexibel, kollegial [Young colleagues are demanding, flexible, collegial] [online]. Available from: http://www.business-wissen.de/personalmanagement/generation-y-junge-kollegen-sind-anspruchsvoll-flexibel-kollegial [Accessed 20 July 2011].
Appendix A
Complete list of vulnerabilities according to ISO/IEC 27005:2008 (2008).
Type: Hardware
- Insufficient maintenance/faulty installation of storage media
- Lack of periodic replacement schemes
- Susceptibility to humidity, dust, soiling
- Sensitivity to electromagnetic radiation
- Lack of efficient configuration change control
- Susceptibility to voltage variations
- Susceptibility to temperature variations
- Unprotected storage
- Lack of care at disposal
- Uncontrolled copying
Type: Software
- No or insufficient software testing
- Well-known flaws in the software
- No 'logout' when leaving the workstation
- Disposal or reuse of storage media without proper erasure
- Lack of audit trail
- Wrong allocation of access rights
- Widely-distributed software
- Applying application programs to the wrong data in terms of time
- Complicated user interface
- Lack of documentation
- Incorrect parameter set up
- Incorrect dates
- Lack of identification and authentication mechanisms like user authentication
- Unprotected password tables
- Poor password management
- Unnecessary services enabled
- Immature or new software
- Unclear or incomplete specifications for developers
- Lack of effective change control
- Uncontrolled downloading and use of software
- Lack of back-up copies
- Lack of physical protection of the building, doors and windows
- Failure to produce management reports
Type: Network
- Lack of proof of sending or receiving a message
- Unprotected communication lines
- Unprotected sensitive traffic
- Poor joint cabling
- Single point of failure
- Lack of identification and authentication of sender and receiver
- Insecure network architecture
- Transfer of passwords in clear
- Inadequate network management (resilience of routing)
- Unprotected public network connections
Type: Personnel
- Absence of personnel
- Inadequate recruitment procedures
- Insufficient security training
- Incorrect use of software and hardware
- Lack of security awareness
- Lack of monitoring mechanisms
- Unsupervised work by outside or cleaning staff
- Lack of policies for the correct use of telecommunications media and messaging
Type: Site
- Inadequate or careless use of physical access control to buildings and rooms
- Location in an area susceptible to flood
- Unstable power grid, loss of power supply
- Lack of physical protection of the building, doors and windows
Type: Organization
- Lack of formal procedure for user registration and de-registration
- Lack of formal process for access right review (supervision)
- Lack or insufficient provisions (concerning security) in contracts with customers and/or third parties
- Lack of procedure of monitoring of information processing facilities
- Lack of regular audits (supervision)
- Lack of procedures of risk identification and assessment
- Lack of fault reports recorded in administrator and operator logs
- Inadequate service maintenance response
- Lack or insufficient Service Level Agreement
- Lack of change control procedure
- Lack of formal procedure for ISMS documentation control
- Lack of formal procedure for ISMS record supervision
- Lack of formal process for authorization of publicly available information
- Lack of proper allocation of information security responsibilities
- Lack of continuity plans
- Lack of e-mail usage policy
- Lack of procedures for introducing software into operational systems
- Lack of records in administrator and operator logs
- Lack of procedures for classified information handling
- Lack of information security responsibilities in job descriptions
- Lack or insufficient provisions (concerning information security) in contracts with employees
- Lack of defined disciplinary process in case of information security incident
- Lack of formal policy on mobile computer usage
- Lack of control of off-premise assets
- Lack or insufficient 'clear desk and clear screen' policy
- Lack of information processing facilities authorization
- Lack of established monitoring mechanisms for security breaches
- Lack of regular management reviews
- Lack of procedures for reporting security weaknesses
- Lack of procedures of provisions compliance with intellectual rights
Table 6: List of all ISO/IEC 27005:2008 (2008) vulnerabilities
Appendix B
Kallas (2011) proposed 48 different KPI values in 4 different categories which can be used for social media:
Category: Distribution
- Followers
- Fans
- Number of mentions
- Reach
- Social bookmarks (StumbleUpon, Delicious)
- Inbound links
- Blog subscribers
Category: Interaction
- Retweets
- Forward to a friend
- Social media sharing
- Comments
- Like or rate something
- Reviews
- Contributors and active contributors
- Pageviews
- Unique visitors
- Traffic from social networking sites
- Time spent on site
- Response time
Category: Influence
- Share of conversation vs competitors
- Net Promoter
- Satisfaction
- Sentiment positive, neutral or negative
- Number of brand evangelists
Category: Action and ROI
- Sales revenue
- Registered users
- Issues resolved and resolution rate
- Number of leads (per day, week, month)
- Cost of lead
- Lead conversion rate
- Cost of sale
- Revenue (per follower, lead, customer)
- Lifetime value of customers
- Support cost (per customer in social channels)
- Share of repeat customers (from social media vs other channels)
- Transaction value per customer
- Money in the bank, net profit, etc.
Category: Internal
- Blog posts
- E-books
- Presentations
- Videos
- Facebook updates
- Tweets
- Forum posts
- Social media marketing budget
- Social media staff payroll
- Social media development costs
Table 7: List of all KPI values, according to Kallas (2011)