References
BSI, 2009. IT-Grundschutz. Bonn: Bundesamt für Sicherheit in der Informationstechnik.
CAVAZZA, F., 2008. Soc...
ISF, 2007. The Standard of Good Practice for Information Security. Surrey: Information Security Forum Limited.
ISO/IEC 2700...

Appendix A
List of the complete vulnerabilities according to ISO/IEC 27005:2008 (2008).
Types / Vulnerability: ...
Types / Vulnerability: Lack of identification and authentication of...
Types / Vulnerability: Lack of control of off-premise assets; Lack or in...

Appendix B
Kallas (2011) proposed 48 different KPI values within 4 different categories which can be used for social media: ...
KPI category / KPI: Share of repeat customers (from social media vs other channels) ...
Risk management: Social media usage in enterprises

Daniel Walther
University of Applied Science Northwestern Switzerland, Switzerland
daniel.walther@students.!nw.ch

Abstract
The usage of social media platforms is increasing rapidly, and more and more enterprises now have their own presence on different social media platforms. Even if an enterprise is present on a social media platform, it is not a given that its own employees are allowed to access these platforms, mostly because of the existing risks. One of the biggest risks is the loss of an enterprise's reputation, which can only be reduced with continuous monitoring of the social media platforms. With a clear social media governance, including a clear strategy and a risk analysis, an enterprise can train its employees in an awareness program.

Keywords: Risk management, social media, user awareness, social media governance, social media strategy, social media threats, security standards, reputation.

1. Introduction
During the last few years the usage of social media has risen every year. According to a study by Enisa (2010), 283 million European users visited a social networking site. This study also found that Facebook plays a leading role in the social networking area. Enisa (2010) pointed out that there are four main activities on a social networking platform, as shown in the figure below.

Figure 1: Social networking activities (Enisa, 2010)
Cavazza (2008) defined social media as follows: "social media are places, tools, services allowing individuals to express themselves (and so to exist) in order to meet, share…". He points out that the term social media contains two main aspects. The first and most important aspect, the term social, defines that the main purpose is to interact with others all over the world. The second one, the term media, defines how the social interaction takes place. The term media includes all possible technologies such as movies, blogs, short messages, pictures and many more. During the last years the real-time factor has become a very important feature of the current social media platforms. The real-time factor means that in today's social media behaviour all users update their profiles a few times a day and also receive information from the other users at the same speed.
Cavazza (2010) released his newest social media landscape, which is shown in the picture below.

Figure 2: Social media landscape 2011 (Cavazza, 2010)

In contrast to Cavazza's earlier social media landscapes, the latest one differs in one main point. During his research he found that today the main players in social media are Facebook and Google, and every other social media platform can be connected to these two platforms. This leads him to the conclusion that social media today is controlled by Facebook and Google.
According to Loubet (2011), more than 500 million users are active on Facebook, more than 200 million users use Twitter and more than 100 million have a LinkedIn profile. These figures are huge and show the importance of the social media platforms today, and that there seems to be a big need for social interaction.
"Of the Fortune 100 companies, 65 percent have active Twitter accounts, 54 percent have Facebook fan pages, 50 percent have YouTube video channels and 33 percent have corporate blogs" is stated in a white paper from ISACA (2010a), which shows that in the meantime enterprises also try to use the social media channels for their marketing purposes.
Most enterprises today prevent access to the social media platforms because there are no clear best practices and none of the existing security standards can be used as a reference. This paper focuses exactly on these gaps. The aim of this paper is to investigate the most popular security standards with regard to the social media platforms and to derive compliant best practices on how to handle the topic of social media within an enterprise. The following security standards will be taken into account:
• ISO/IEC 27002:2005 (2008)
• ISO/IEC 27005:2008 (2008)
• The Standard of Good Practice (ISF, 2007)
• IT-Grundschutz (BSI, 2009)
According to the latest OpenDNS (2011) report, 23% of the enterprises block Facebook and 13% block MySpace.

Figure 3: OpenDNS (2011) Report - Filtering by business users

One of the most interesting facts is that today mostly only the private social media platforms (like Facebook and Twitter) are filtered by the enterprises. The business-related social media platforms (like Xing and LinkedIn) are allowed, even though they meanwhile provide the same functionality as the private platforms (e.g. comments).
The paper is organized as follows: in the next chapter the motivation and background are highlighted. In chapter 3 the existing standards are examined in relation to the topic of social media. Using the information derived from the current standards, chapter 4 looks at the reputation problems of an enterprise using social media. Chapter 5 then points out the mitigation of the social media risks according to the information from the preceding chapters. Chapters 6 and 7 discuss the outcome of this paper and the outlook for the future.
2. Motivation and background
As discussed in chapter 1, a lot of enterprises block access to private social media platforms (OpenDNS, 2011). One reason for this behaviour is that there are a lot of risks and threats in using social media platforms.

2.1. Social Media Risks
Therefore a lot of organizations and companies have released studies with an analysis of the risks from their point of view.
In a study from Ernst & Young (2010), their customers are facing the following three top risks within social media:
• Achieving compliance with regulations
• Protecting reputation and brand
• Managing privacy and protecting personal information
Enisa (2010) defines six main risks with regard to the social media platforms:
• Identity theft
• Malware
• Corporate data leakage and reputation risk
• Stolen or lost mobile phone
• User's position tracking
• Data misuse
And in the study from ISACA (2010a) nine main issues are defined, divided into personal and corporate risks:
• Introduction of viruses and malware to the organizational network (corporate)
• Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence (corporate)
• Unclear or undefined content rights to information posted to social media sites (corporate)
• A move to a digital business model may increase customer service expectations (corporate)
• Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery (corporate)
• Use of personal accounts to communicate work-related information (personal)
• Employee posting of pictures or information that link them to the enterprise (personal)
• Excessive employee use of social media in the workplace (personal)
• Employee access to social media via enterprise-supplied mobile devices (personal)
In a second study from ISACA (2010b) the following five top risks in social media for business are named, which are more technically oriented:
• Viruses/malware
• Brand hijacking
• Lack of control over content
• Unrealistic customer expectations of "Internet-speed" service
• Non-compliance with record management regulations
An analysis of the issues from the different studies above yields the following six main issues:
• Problems with malware which spreads over a social networking site
• Problems with corporate data loss
• Problems with the corporate reputation due to fraudulent profiles or damaging statements
• Problems with compliance with record management regulations
• Problems with the privacy of the employee or the customer
• Problems with the lack of possibilities to control social media activities
The current listings of the social media risks can be subdivided into two themes. On the one hand there are the technical aspects like viruses, lower internet speed and the lack of technical control. On the other hand there are the organizational aspects like compliance with regulations, protection of the reputation and data protection.
These risks are well known, but the safeguards are mostly not available or not clear. The next chapters concentrate on how enterprises can build a complete social media governance, reduce the risks and build up safety measures.
2.2. Social Media Threats
The risks listed above may look theoretical, but they are not. The next few threat examples from the popular social media platform Facebook show that the risks from chapter 2.1 are real. This list is not complete, as there are more threats.

Scam and phishing
Currently among the most seen attacks on Facebook are phishing and scam attacks. The Facebook phishing attacks do not really differ from all others: they try to get the username and password from users who are not careful enough. One of the last phishing attacks was discovered by Cluley (2011a), where attackers created a fake Facebook Security fan page and a Facebook application in which users should enter their details, otherwise their account would be blocked.

Figure 4: Facebook phishing application (Cluley, 2011a)

On the other hand, scam attacks on Facebook have risen in the past months. A scam is defined as a fraudulent scheme or swindle (Definitions.net, 2011), and within Facebook it is often combined with a shocking or sexual video which is posted as a status update. Cluley (2011b) investigated such a scam attack on Facebook, where a video of an Italian TV star was announced in which she supposedly shows her breast live in a TV show. But the Facebook users who wanted to see this short sequence only got a survey or online prize draw, where the scammers earn a commission for each entry. And mostly the announced video does not exist at all.

Figure 5: Facebook scam video (Cluley, 2011b)

Malicious applications and malware
Today everyone can create their own Facebook application with different features; currently one of the most famous applications is the game Farmville on Facebook. Attackers have also figured out how to use this for their purposes, especially because an application may get complete access to a profile if the user accepts it. Cluley (2011c) looked at an actual case where an attacker created a "Google+" application for Facebook which asks for access to all information of a user, plus permission to write on the wall and to read the user's email address. In fact, if a user accepts this, he has completely lost control of his own profile.

Figure 6: Facebook application request for permission (Cluley, 2011c)

If a malicious application owns one or more profiles, it can also be used to infect the real user with malware or, even worse, to distribute it to all of the user's friends. Scheid (2010) investigated the most famous Facebook malware, named Koobface, which was initially distributed by scam but can also be distributed by an application. The Koobface malware is a worm which was also analysed by Symantec (2010). Symantec (2010) discovered a lot of functionalities built into Koobface:
"• Spread through social networks
• Steal confidential information
• Inject advertising into web browsers
• Redirect web browsing to malicious sites
• Intercept Internet traffic
• Block access to certain Internet sites
• Start a web server to serve as a command and control server for other Koobface infections
• Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
• Steal software license keys
• Break CAPTCHAs
• Determine if a link is blocked by Facebook
• Create new Blogspot accounts and pages
• Modify the Hosts file"
These functionalities show that the Koobface malware turns an infected computer into a member of a botnet, which Symantec (n.d.) defines as "A network of computers containing Trojan horses or other malicious code that work together to perform tasks that are assigned by the network's creator or controller."

Social engineering
One of the biggest phenomena on Facebook is that apparently a lot of users publicize their life completely and let everyone know everything about themselves. This can be very dangerous, because any attacker can create an exact profile of a person this way and use the information for an attack like a burglary while the user is away from home.
In a recent study from ID Analytics (2010), as cited in Gupta (2011), they found out that
"• A shocking 63% reveal information about their schools on social networks;
• More than 40% divulge information on their favorite music or band;
• 35% reveal their favorite book;
• 25% disclose information on their favorite vacation spot".
One more issue is that the policy of Facebook is to develop new features and activate them for all users by default. This can also lead to an unwanted publication of private data. The last such newly integrated feature was the automated face recognition on all pictures, where all users have to opt out if they are not interested (Guynn, 2011).

Clickjacking
Clickjacking is a kind of scam whose target is to propagate a message, video or picture very fast over Facebook. The attacker adds a piece of code (e.g. JavaScript) to their page which is executed each time a user views the content and posts it on the user's wall. Technically, the attacker's page loads the social media page in an invisible frame positioned over a visible element, so that a click the user intends for the attacker's content lands on a hidden "Like" or "Share" button (also called likejacking).
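The precondition for the clickjacking attack described above is that the target page can be loaded inside a frame on a third-party site. As an added example (not code from the paper or from any of the cited sources), the following Python check evaluates a page's HTTP response headers and decides whether an arbitrary origin could frame it. The headers X-Frame-Options and Content-Security-Policy (frame-ancestors) are the real browser mechanisms; the sample header sets, the page URL and the origins enterprise.example, attacker.example and partner.example.com are constructed for illustration.

```python
"""
Added example: does an HTTP response let another site frame the page?

Clickjacking / likejacking needs the target page (e.g. a page carrying a
"Like" or "Share" button, or an enterprise's own site) to be loadable in an
attacker-controlled frame. Two response headers prevent that:
  - X-Frame-Options: DENY | SAMEORIGIN   (ALLOW-FROM is obsolete and ignored)
  - Content-Security-Policy: frame-ancestors <source-list>
Browsers that understand frame-ancestors ignore X-Frame-Options when both
are present, so the check has to look at the CSP directive first.
The header sets and origins below are constructed sample data.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _source_matches(source: str, framer: str, page: str) -> bool:
    """Does one frame-ancestors source expression allow `framer` to embed `page`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    if source.endswith(":"):                       # scheme source, e.g. https:
        return framer.startswith(source + "//")
    if "://" in source:                            # full origin
        return framer == source.rstrip("/")
    framer_host = urlsplit(framer).hostname or ""
    if source.startswith("*."):                    # wildcard host, *.example.com
        return framer_host.endswith(source[1:])
    return framer_host == source.split(":")[0]     # bare host (port ignored here)


def can_be_framed_by(headers: Dict[str, str], page_url: str, framer_url: str) -> bool:
    """True if a document at `framer_url` may embed `page_url` in a frame."""
    page, framer = _origin(page_url), _origin(framer_url)

    csp = _header(headers, "Content-Security-Policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # frame-ancestors present: the browser ignores X-Frame-Options
            return any(_source_matches(src, framer, page) for src in ancestors)

    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return framer == page
        # ALLOW-FROM and unrecognised values: current browsers ignore the header

    return True                                    # no effective protection


def clickjacking_exposed(headers: Dict[str, str], page_url: str) -> bool:
    """True if an arbitrary third-party origin could frame the page."""
    return can_be_framed_by(headers, page_url, "https://attacker.example")


# Constructed sample responses for an enterprise page (not real captures).
PAGE = "https://www.enterprise.example/campaign"
SAMPLES = {
    "no header":           {},
    "deny":                {"X-Frame-Options": "DENY"},
    "sameorigin":          {"x-frame-options": "SAMEORIGIN"},
    "csp allowlist":       {"Content-Security-Policy":
                            "default-src 'self'; frame-ancestors 'self' https://partner.example.com"},
    "csp beats xfo":       {"X-Frame-Options": "DENY",
                            "Content-Security-Policy": "frame-ancestors *"},
    "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:20s} exposed={clickjacking_exposed(hdrs, PAGE)}")
```

Two of the constructed cases are the ones that catch people in practice: "csp beats xfo" shows that a permissive frame-ancestors directive silently cancels a DENY, and "obsolete allow-from" shows that ALLOW-FROM gives no protection at all in current browsers, so a page relying on it is as exposed as one with no header.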
3. Security standards and social media
A top risk for enterprises is compliance with current regulations and standards. This chapter investigates the following standards and good practices which are used today:
• ISO/IEC 27002:2005 (2008)
• The Standard of Good Practice (ISF, 2007) (listed as a standard even though it is a good practice)
• IT-Grundschutz (BSI, 2009)
The above mentioned security standards are investigated based on the risks listed in chapter 2.1. The table below shows whether the identified top social media risks are treated within the selected security standards.

                        ISO/IEC 27002   ISF The Standard of   BSI IT-Grundschutz
                                        Good Practice
Compliance              X               X                     X
Reputation protection                   X
Viruses/malware         X               X                     X
Brand hijacking         (X)
Lack of control         X               (X)                   X
Privacy                 X               X                     X
Data loss               X               X                     X
Table 1: Comparison of security standards and top social media risks

The results show that all three standards are aware of the technical issues but have a gap in the organizational issues.
The Standard of Good Practice (ISF, 2007) is the only standard which gives recommendations on the protection of one's own reputation. But it lacks recommendations on controlling the traffic, because it focuses only on network monitoring and stops at OSI Layer 4 (Cisco, 1999) with the recommended deep controls.
ISO/IEC 27002:2005 (2008) is the only one which addresses the brand hijacking issue, but unfortunately only from an external view. That means it covers only problems where an enterprise works together with another enterprise, to prevent that the other enterprise is e.g. a fake enterprise. There is no coverage for brand hijacking of the own enterprise.
This analysis clarifies why enterprises today are not sure how to treat the social media technologies. Even if they are compliant with the current security standards, a lot of open questions remain. As shown above, the open points are mainly of an organizational nature. The technical aspects (not in the focus of this paper) can today mostly be solved without problems, as there are enough solutions available.
4. Reputation and social media
One of the biggest risks which came up with the social media platforms is that the activities are very hard to observe due to the massive number of different platforms.
With regard to the problems that can arise with social media reputation, two main issues have to be investigated (Enisa, 2010 and ISACA, 2010b):
• Brand hijacking: someone creates a fake enterprise identity and acts in the name of this enterprise.
• Bad reputation: someone publishes hurtful statements about an enterprise.
To avoid both problems, different strategies can be applied. Even if all these strategies look simple and practicable, they are not, because a lot of effort is needed.
With the following methods and measures enterprises can observe and probably control the activities within the social media platforms:
• Monitoring: It is absolutely necessary that an enterprise monitors the activities on all (or at least the most popular) social media platforms on a daily basis. These monitoring tasks must contain at least the following objective:
  - Using search engines and the built-in search functions of the platforms to find out whether a stranger is using a profile name which can have a negative impact on the enterprise. This is needed both to avoid brand hijacking and to prevent false statements. An example: an enterprise owns a social media site and suddenly a user with the same name as the CEO starts to post comments about the enterprise, even though the real CEO never created such a profile. With effective monitoring of the social media platforms such issues can be detected and actions can be started.
• Contact with the operators of the social media platforms: In order to be able to react to any misuse of a brand or a profile (as described above), each enterprise must be able to contact the operator of the social media platforms. With a good connection to these operators it is much easier to react in case of misuse, because the operators have the possibility to delete or modify incorrect profiles or comments.
• Be part of the social media community: Today it is absolutely necessary that an enterprise becomes part of the social media community. The reason is that it is much easier to monitor the social media platforms if an enterprise is also part of them, because a lot of the content of these platforms is not visible outside the platforms and can only be seen by members. Being part of the social media communities has advantages and disadvantages; the table below lists some of the main points.

Advantages                                         Disadvantages
Monitoring is easier because all the available     Extremely high number of social media platforms,
content is viewable.                               which makes it hard to be part of all of them.
Contact to the social media platform operators     The operators may not be interested in helping
is easier.                                         the enterprises.
Names of brands and products can be reserved       As there are so many platforms and probably some
on the platforms to avoid misuse.                  names are already reserved, an easy registration
                                                   won't be possible.
Direct contact to the customers.                   The customers can also create damaging comments
                                                   if they are unhappy with an enterprise or a product.
Marketing possibilities.                           The social media platforms need a daily and up-to-date
                                                   presence of the marketing department. No social media
                                                   presence is better than an outdated presence.
Table 2: Advantages and disadvantages of being part of the social media community

If the above described methods are applied and an enterprise is an active part of the social media community, a lot of problems with brand hijacking and bad reputation can be solved easily. If a more complicated misuse of an enterprise occurs within a social media platform, direct contact with the operator and the public authorities is indispensable.
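The monitoring task in this chapter (searching the platforms for profile names that imitate the enterprise or its CEO) is tedious to do by eye, because impersonators rarely reuse a name exactly. As an added example (not code from the paper), the following Python script normalises profile names returned by a platform search and flags those that match a protected brand or executive name exactly after normalisation, append a typical "official"/"support" token, or sit within a small edit distance. The protected names Acme Corp and Jane Doe, the candidate profiles and the confusable-character table are constructed sample data; the substitution list and the thresholds are assumptions to be tuned per enterprise.

```python
"""
Added example: flag social media profile names that impersonate or squat on
an enterprise's brand or executive names (chapter 4, "Monitoring").

Names are normalised (accents removed, separators dropped, digit/symbol
look-alikes mapped back to letters) and then compared with the protected
names by exact match, brand-squat tokens and edit distance.
The protected names and candidate profiles below are constructed sample data.
"""
import unicodedata
from typing import List, Optional, Sequence, Tuple

# Characters attackers substitute for letters so that a name still "reads" right.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
               "@": "a", "$": "s", "|": "l"}
SEPARATORS = set(" ._-")
# Words commonly appended to a hijacked brand name to look authoritative.
SQUAT_TOKENS = {"official", "support", "help", "hq", "team", "real", "careers", "news"}


def normalise(name: str) -> str:
    """Canonical form of a profile name for comparison."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    chars = [CONFUSABLES.get(c, c) for c in ascii_only if c not in SEPARATORS]
    # "rn" and "vv" render almost like "m" and "w"; folding both sides keeps
    # the comparison consistent.
    return "".join(chars).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,               # deletion
                               current[j - 1] + 1,            # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def classify(profile: str, protected: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Return (protected name, reason) if `profile` looks like it, else None."""
    cand = normalise(profile)
    for name in protected:
        ref = normalise(name)
        if cand == ref:
            return name, "exact match after normalisation"
        if ref in cand:
            leftover = cand.replace(ref, "", 1)
            if leftover in SQUAT_TOKENS:
                return name, f"brand squat ('{leftover}' added)"
        # allow one edit for short names, two for longer ones (assumed thresholds)
        threshold = 1 if len(ref) < 8 else 2
        if levenshtein(cand, ref) <= threshold:
            return name, f"lookalike (edit distance <= {threshold})"
    return None


def scan(profiles: Sequence[str], protected: Sequence[str]) -> List[Tuple[str, str, str]]:
    """(profile, protected name, reason) for every suspicious profile."""
    hits = []
    for profile in profiles:
        result = classify(profile, protected)
        if result:
            hits.append((profile, result[0], result[1]))
    return hits


# Constructed sample data: names the enterprise wants to protect, and profile
# names that a daily platform search might return (all fictitious).
PROTECTED = ["Acme Corp", "Jane Doe"]            # brand and CEO
PROFILES = ["AcmeCorp", "acme_c0rp", "Acme Corp Support", "Acme-Corpp",
            "Jane Doe", "Jan Doe", "Unrelated User", "Acme"]

if __name__ == "__main__":
    for profile, name, reason in scan(PROFILES, PROTECTED):
        print(f"{profile!r:22} -> {name!r}: {reason}")
```

Note that the exact "Jane Doe" profile is reported as well: the script cannot know whether that account belongs to the real CEO, and in the chapter's own example the decisive question is precisely whether the enterprise recognises the account as its own, so every exact hit still needs a manual check against the list of accounts the enterprise actually registered.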
5. Mitigation of social media risks
Because of the risks of social media platforms for an enterprise shown in chapter 2.1, it is absolutely necessary that each enterprise faces these risks and starts an internal program to mitigate them.
There are different possibilities to create a risk mitigation plan for social media. As the social media networks grow rapidly, and Rennie and Zorpette (2011) predict that the social era of the web starts now, an enterprise has to build a social media governance to be ready for the future.
Two recommendations on how to build a social media governance, from ISACA (2010a) and Ernst & Young (2011), contain nearly the same strategies. Ernst & Young (2011) created a social media maturity model based on the known five levels as they are also used in CMMI-DEV (2010). This paper combines these two strategies to derive a good practice for enterprises to build up a social media governance.

Figure 7: Social Media Governance Maturity Model, according to Ernst & Young (2011)

The idea of presenting this social media governance maturity model in the known five levels is a good approach, but in order to build an individual governance four levels should be enough. The reason for this appraisal is that a risk assessment can only cover all aspects of an enterprise if the strategy is known. After the reduction to four levels they can easily be integrated into the well-known PDCA ("Plan-Do-Check-Act") cycle, which is also used in the ISO/IEC 27001:2005 (2008) standard.
Figure 8: Social Media Governance PDCA cycle

The following subchapters describe each phase in detail. For simplicity the risk assessment and the strategy are explained separately.

5.1. Social Media Risk Assessment
According to Ernst & Young (2011) the following risk categories have to be taken into account:
• Confidentiality risks (e.g. data loss)
• Legal and compliance risks (e.g. data privacy, regulatory violations)
• Reputational risks (e.g. brand hijacking)
• Operational risks (e.g. internet traffic, employee efficiency)
• Strategic risks (e.g. wrong strategy, losing customers)
These categories also cover the risks found earlier in this paper. Depending on the social media strategy, the risk assessment has to be designed differently. Of these risk categories, the following three always have to be treated in the same way:
• Confidentiality risks
• Legal and compliance risks
• Reputational risks
The other two risk categories depend more on the social media strategy:
• Operational risks: These depend highly on whether social media access within the enterprise is allowed or not.
• Strategic risks: These depend highly on whether the enterprise has or will have a social media presence or not.
To evaluate the risks, the standard ISO/IEC 27005:2008 (2008) should be taken into account. There are also a lot of other IT risk frameworks, like RiskIT (2009).
Within ISO/IEC 27005:2008 (2008) the risk management process is divided into six parts:
• Context establishment (e.g. scope and boundaries)
• Information security risk assessment (risk analysis and risk evaluation)
• Information security risk treatment (risk reduction, risk retention, risk avoidance and risk transfer)
• Information security risk acceptance
• Information security risk communication
• Information security risk monitoring and review (the last and an important step to guarantee the PDCA lifecycle within the risk management)
Only the following parts of the ISO/IEC 27005:2008 (2008) risk management process will be taken into account, as the others depend heavily on each enterprise and hence no clear statement can be given:
• Context establishment (e.g. scope and boundaries): this part won't be described in more detail, as this paper itself describes the context exactly
• Information security risk assessment (risk analysis and risk evaluation): mainly the risk analysis part will be described
• Information security risk treatment (risk reduction, risk retention, risk avoidance and risk transfer): the risk reduction part will be highlighted
• Information security risk monitoring and review: the main focus of this paper is the risk monitoring
Within the risk analysis the threats, the vulnerabilities and the risk estimation are created, which means that afterwards a complete list of all risks and their scoring (qualitative or quantitative) should be known. In the preceding chapters the social media threats are already listed, but what are the vulnerabilities of an enterprise? ISO/IEC 27005:2008 (2008) lists some possible vulnerabilities. The following excerpt lists the vulnerabilities which have to be taken into account with regard to social media. The complete list of vulnerabilities can be found in Appendix A.

Types          Vulnerability
Hardware       Uncontrolled copying
Software       No logout when leaving the workstation
               Poor password management
               Failure to produce management reports
Network        Unprotected communication lines
               Unprotected sensitive traffic
               Transfer of passwords in clear
               Inadequate network management (resilience of routing)
Personnel      Absence of personnel
               Insufficient security training
               Incorrect use of software and hardware
               Lack of security awareness
               Lack of monitoring mechanisms
               Unsupervised work by outside or cleaning staff
               Lack of policies for the correct use of telecommunications media and messaging
Organization   Lack of procedure of monitoring of information processing facilities
               Lack of regular audits (supervision)
               Lack of procedures of risk identification and assessment
               Lack of formal process for authorization of publicly available information
               Lack of procedures for classified information handling
               Lack or insufficient provisions (concerning information security) in contracts with employees
               Lack of defined disciplinary process in case of information security incident
               Lack of formal policy on mobile computer usage
               Lack or insufficient clear desk and clear screen policy
               Lack of established monitoring mechanisms for security breaches
               Lack of procedures of provisions compliance with intellectual rights
Table 3: List of vulnerabilities for social media, according to ISO/IEC 27005:2008 (2008)

For the risk estimation the qualitative method should be used. The reason is that for most of the soft-factor vulnerabilities (and also threats) there is no possibility to quantify them correctly.
5.2. Social Media Strategy

A social media strategy is an essential factor for the future of an enterprise, especially with regard to information security risk management, social media governance and social media awareness. Without a clearly defined strategy it is nearly impossible to create them and to have a vision for the future within social media. A strategy contains at least the following aspects (Jones and George, 2008):
• SWOT (Strengths-Weaknesses-Opportunities-Threats) analysis
• Definition of goals
• KPI (Key Performance Indicator) definition
The following social media SWOT analysis example can be used as a reference. The listed facts may not be complete because they depend on the business sector and also on the goals of the social media strategy.

Figure 9: Social Media strategy SWOT analysis
A social media strategy may support one or several goals. The following goals may exist (non-exhaustive enumeration):
• Being present on social media platforms as a company
• Providing services on social media platforms
• Employees are allowed to access and work with social media platforms
• Employees are prohibited from accessing and working with social media platforms
• Social media isn't crucial for the enterprise and therefore no social media presence is needed
The definition of a KPI may be one of the hardest parts, depending on the goals. If an enterprise has a strategy without social media it is very easy, because not many KPIs are possible, in contrast to an enterprise with a social media presence. The following table shows some possible KPI values (according to Kallas (2011)):

Strategy: Without social media
  - Amount of brand hijacking incidents
  - Amount of fake employee identities on social media platforms
  - Amount of good/bad comments from employees on social media platforms
  - Amount of good/bad comments from external people on social media platforms
  - Amount of incidents regarding the prohibition of social media
Strategy: With social media
  - Amount of brand hijacking incidents
  - Amount of fake employee identities on social media platforms
  - Amount of good/bad comments from employees on social media platforms
  - Amount of good/bad comments from external people on social media platforms
  - Amount of incidents regarding the usage of social media
  - Amount of customer requests/orders on social media
  - Amount of complaints on social media
  - Amount of congratulations on social media
  - Amount of Fans
  - Amount of social media access hits by employees
Table 4: List of possible KPI measures

With the described minimum content of a social media strategy it is possible to derive all documents which are needed to have a secure social media environment in an enterprise.
A detailed list of the KPI values from Kallas (2011) is available in Appendix B.

Owyang and Lovett (2010) created 11 different KPI values which can be calculated from different values available on the internet or within an enterprise. The KPI values from Owyang and Lovett (2010) are more sophisticated than others because they use the existing KPI values (like those from Kallas (2011)) and calculate new values from them. Hereby the list of these 11 KPI values from Owyang and Lovett (2010):

KPI name: KPI formula
  - Share of Voice: Brand Mentions / Total Mentions (Brand + Competitor A, B, C…n)
  - Audience Engagement: (Comments + Shares + Trackbacks) / Total Views
  - Conversation Reach: Total People Participating / Total Audience Exposure
  - Active Advocates: n of Active Advocates (past 30 days) / Total Advocates
  - Advocate Influence: Unique Advocate's Influence / Total Advocate Influence
  - Advocacy Impact: Number of Advocacy Driven Conversions / Total Volume of Advocacy Traffic
  - Issue Resolution Rate: Total # Issues Resolved Satisfactorily / Total # Service Issues
  - Resolution Time: Total Inquiry Response Time / Total # Service Inquiries
  - Satisfaction Score: Customer Feedback (input A, B, C…n) / All Customer Feedback
  - Topic Trends: # of Specific Topic Mentions / All Topic Mentions
  - Sentiment Ratio: (Positive : Neutral : Negative Brand Mentions) / All Brand Mentions
  - Idea Impact: # of Positive Conversions, Shares, Mentions / Total Idea Conversions, Shares, Mentions
Table 5: List of possible KPI measures, according to Owyang and Lovett (2010)

5.3. Social Media Governance

The social media governance defines and clarifies the following facts based on the goals of the social media strategy:
• Social media guidelines
  These social media guidelines should be available for every employee and help them to move in a secure way within the existing social media platforms. IBM (2010) has published their newly updated social computing guidelines, in which they define the behavior they expect from employees on a social media platform.
  Mostly guidelines and policies are put in the same context, but policies are stricter than guidelines, and guidelines do not contain any definition in case of a violation.
• Social media policies
  The social media policies are one of the most important tools to regulate and control the social media activities of the enterprise and of the employees. All these policies are mandatory and therefore disciplinary actions also have to be defined in case of a violation. Such a policy may have the following structure:
  - Introduction (definition of the topic and the relevance of this policy).
  - Explanation of the goals of the social media strategy and the position of the enterprise.
  - Definition of the enterprise rules for the employees on how and what is allowed with regard to the social media platforms.
  - Definition of how social media is monitored (including its usage) and how incidents will be processed in case of a violation. Mostly only a reference to the disciplinary actions is made, because these actions have to be fulfilled and regulated by the human resources department.
• Needed processes for social media within the enterprise
  Depending on the social media strategy and the defined goals, it is necessary to define processes in order to set boundaries regarding the social media usage of an enterprise. The following facts will probably need a new process:
  - Creating an enterprise profile on a new social media platform
  - Creating a social media marketing campaign
  - Adding an employee to the social media profile administrators
  - Social media monitoring
  - Legal processes in case of an incident
  - and many more
All these parts of the social media governance have to be used for the social media awareness and are a reference for all employees in case they are not sure whether a specific action is allowed or not.
In a trend survey by nCircle (2011), 68% of the participating enterprises already have a social media policy, but within the same survey the responding enterprises also said that only 44% of the employees are compliant with this policy. This is a clear sign that either the existing policy is not known or too complex, or there is no awareness program.

5.4. Social Media Awareness

A social media awareness campaign is needed to train the employees in terms of the social media strategy and the social media governance. Such an awareness training can be a classroom or a web-based training.
It is recommended that this campaign is integrated into the enterprise security awareness program.
The content of a social media awareness campaign should contain at least the following points:
• Introduction to social media
  - What is social media
  - Which platforms exist
  - What is the main usage of the different platforms
• Threats on social media (related to private and enterprise usage)
  - Don't "Like" everything
  - Pay attention to social media SCAM, phishing, clickjacking, malicious applications and malware
• Rules:
  - How to work with a social media platform as an employee
  - How to work with a social media platform at home
  - How to teach the children
• A short test on the learned material

5.5. Social Media Monitoring

The last part needed to be able to mitigate the existing social media risks is the monitoring of the existing platforms and their usage. In contrast to the other parts, the monitoring is mainly a technical part. This means that the monitoring can mostly be automated easily by different technologies (e.g. WWW-proxy servers, automated internet crawlers, ...). The monitoring can also be used for creating the input of the different KPI values described in chapter 5.2.
The following actions may be monitored:
• Social media usage of the employees
• Comments on social media platforms with a link to the enterprise
• Profiles (enterprise or private) which may be fake and are used to hurt the enterprise
• Trends and new social media platforms
Neely (2010) states that "Monitoring finds symptoms; listening finds causes", which means that social media monitoring will find some violations, but only if an enterprise is active within the social media platforms and learns to listen to what is going on will it find the real sources of the violations and be able to bring them down.
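As an added illustration of the proxy-based monitoring described above (example code, not from the paper), the following Python script parses constructed WWW-proxy log lines, derives the KPI "Amount of social media access hits by employees" from Table 4, and flags employees whose hits exceed a hypothetical policy threshold. The log format, the platform list and the threshold are assumptions.

```python
"""Constructed example: derive a social media usage KPI from WWW-proxy logs.

Log format, platform list and policy threshold are assumptions; the log
lines are constructed sample data, not real traffic.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumed Squid-like access log:
# <epoch> <elapsed> <client_ip> <code/status> <bytes> <method> <url> <user> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<ip>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

# Hypothetical list of platforms the enterprise classifies as social media.
SOCIAL_MEDIA_DOMAINS = {
    "facebook.com": "Facebook",
    "twitter.com": "Twitter",
    "linkedin.com": "LinkedIn",
    "plus.google.com": "Google+",
}

# Constructed sample log (fictitious users, addresses and timestamps).
SAMPLE_LOG = """\
1311069600.101 213 10.1.2.3 TCP_MISS/200 5120 GET http://www.facebook.com/home.php alice -
1311069601.220 180 10.1.2.3 TCP_MISS/200 2048 GET http://static.ak.fbcdn.net/rsrc.php alice -
1311069602.333 90 10.1.2.7 TCP_MISS/200 1024 GET http://twitter.com/ bob -
1311069603.444 75 10.1.2.3 TCP_MISS/200 4096 GET http://www.facebook.com/profile.php?id=1 alice -
1311069604.555 60 10.1.2.9 TCP_MISS/200 512 GET http://intranet.example.com/ carol -
1311069605.666 150 10.1.2.3 TCP_MISS/200 4096 GET https://www.linkedin.com/in/alice alice -
1311069606.777 150 10.1.2.7 TCP_DENIED/403 0 GET http://plus.google.com/ bob -
malformed line that the parser must skip
"""


def platform_for(url):
    """Map a URL to a known platform name, or None (subdomains included)."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, name in SOCIAL_MEDIA_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def count_social_media_hits(log_text):
    """Return {user: Counter(platform -> hits)} for social media requests.

    Denied requests (status containing DENIED) are counted as well: an attempt
    against a blocking policy is itself a monitoring signal.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        name = platform_for(m.group("url"))
        if name:
            hits[m.group("user")][name] += 1
    return hits


def policy_violations(hits, max_hits):
    """Users whose total social media hits exceed the assumed policy limit."""
    return sorted(u for u, c in hits.items() if sum(c.values()) > max_hits)


def total_hits(hits):
    """KPI 'Amount of social media access hits by employees' (Table 4)."""
    return sum(sum(c.values()) for c in hits.values())


if __name__ == "__main__":
    h = count_social_media_hits(SAMPLE_LOG)
    print("total social media hits:", total_hits(h))
    for user, c in sorted(h.items()):
        print(user, dict(c))
    print("over policy limit:", policy_violations(h, max_hits=2))
```

The per-user counters feed the KPI directly, while the violation list is the input for the incident handling defined in the social media policy.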
6. Conclusion

As shown within this paper, there exist many possible threats within the current social media platforms; nevertheless there are also chances which aren't highlighted in this paper. But all the best chances may disappear when an enterprise doesn't have a strategy and doesn't assess the risks as described in chapters 4 and 5.
Currently most of the large enterprises (more than 1000 employees) already have an established social media governance according to Ernst & Young (2011), but all smaller ones (below 1000 employees) don't. One example is IBM (2010) with an existing social media governance. But even in large enterprises social media is handled in different ways.
With a clear and defined social media governance an enterprise can handle the usage of social media platforms and the presence on a social media platform in a secure way. But the definition of an accepted and strictly adhered to social media governance is not so easy, because of the following reasons:
• The legal situation may be different in each country
• Monitoring of all users and their actions is expensive and complex for large companies
• Monitoring of e.g. brand hijacking on existing social media platforms is complex because there are a lot of them and new platforms will come up in future
This paper also showed that there currently exist no widely accepted and known secure social media concepts. Even the established security standards contain no special part about the new possibilities which arise with social media.
The following three points were not part of this paper and have to be discussed besides it:
• Is there a possibility to make a quantitative risk analysis within a social media risk analysis?
• Is it necessary that the existing and established security standards (e.g. ISO/IEC 27001:2005 (2008), ISO/IEC 27002:2005 (2008)) include a special part for social media?
• How will Generation Y (Wolf, 2010), which has grown up with social media platforms, react if the employer disallows the usage of them?
References

BSI, 2009. IT-Grundschutz. Bonn: Bundesamt für Sicherheit in der Informationstechnik.
CAVAZZA, F., 2008. Social Media Landscape [online]. Available from: http://www.fredcavazza.net/2008/06/09/social-media-landscape/ [Accessed 23 May 2011].
CAVAZZA, F., 2010. Social Media Landscape 2011 [online]. Available from: http://www.fredcavazza.net/2010/12/14/social-media-landscape-2011/ [Accessed 23 May 2011].
CISCO, 1999. Open System Interconnection Reference Model [online]. Available from: http://docwiki.cisco.com/wiki/Internetworking_Basics#Open_System_Interconnection_Reference_Model [Accessed 2 June 2011].
CLULEY, G., 2011a. Fake Facebook Security Team phishes passwords from users [online]. Available from: http://nakedsecurity.sophos.com/2011/07/03/fake-facebook-security-team-phishes-passwords-from-users [Accessed 19 July 2011].
CLULEY, G., 2011b. This Girl must be out of her mind on live television - Facebook scam [online]. Available from: http://nakedsecurity.sophos.com/2011/07/18/this-girl-must-be-out-of-her-mind-on-live-television-facebook-scam [Accessed 19 July 2011].
CLULEY, G., 2011c. Google+ invite scam spreads on Facebook via rogue application [online]. Available from: http://nakedsecurity.sophos.com/2011/07/13/google-plus-invite-scam-facebook [Accessed 19 July 2011].
CMMI-DEV, 2010. CMMI® for Development, Version 1.3. Hanscom AFB: Carnegie Mellon University.
DEFINITIONS.NET, 2011. Definition of scam [online]. Available from: http://www.definitions.net/definition/scam [Accessed 19 July 2011].
ENISA, 2010. Online as soon as it happens. Heraklion: ENISA (DOI: 10.2824/15183).
ERNST & YOUNG, 2010. Borderless security, Ernst & Young's 2010 Global Information Security Survey [online]. Available from: http://www2.eycom.ch/publications/items/giss/2010_giss/2010_EY_GISS_Borderless_Security.pdf [Accessed 27 May 2011].
ERNST & YOUNG, 2011. Social Media Policy Survey in the Swiss Financial Sector: Controlling the Uncontrollable. Presentation at (ISC)2 Security Ambassadors Meeting. Aberhardt Peter, Stuermer Matthias. Zuerich: 12 May 2011.
GUPTA, U., 2011. How to Mitigate Social Media Risks [online]. Available from: http://blogs.bankinfosecurity.com/posts.php?postID=872 [Accessed 19 July 2011].
GUYNN, J., 2011. Here's how to opt out of Facebook's facial-recognition feature [online]. Available from: http://articles.latimes.com/2011/jun/11/business/la-fi-techsavvy-facebook-20110612 [Accessed 19 July 2011].
HARDY, C. A., WILLIAMS, S. P., 2010. Managing Information Risks and Protecting Information Assets in a Web 2.0 era. In: 23rd Bled eConference eTrust: Implications for the Individual, Enterprises and Society, June 20 - 23, 2010. Kranj: University of Maribor, 234-247.
IBM, 2010. IBM Social Computing Guidelines [online]. Available from: http://www.ibm.com/blogs/zz/en/guidelines.html [Accessed 10 July 2011].
ISACA, 2010a. Social Media: Business Benefits and Security, Governance and Assurance Perspectives. Rolling Meadows: ISACA.
ISACA, 2010b. Top Five Social Media Risks for Business [online]. Available from: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/Top-Five-Social-Media-Risks-for-Business-New-ISACA-White-Paper.aspx [Accessed 26 May 2011].
ISF, 2007. The Standard of Good Practice for Information Security. Surrey: Information Security Forum Limited.
ISO/IEC 27001:2005, 2008. Information technology – Security techniques – Information security management systems – Requirements. Berlin: DIN Deutsches Institut für Normung e.V.
ISO/IEC 27002:2005, 2008. Information technology – Security techniques – Code of practice for information security management. Berlin: DIN Deutsches Institut für Normung e.V.
ISO/IEC 27005:2008(E), 2008. Information technology – Security techniques – Information security risk management. Geneva: International Organization for Standardization ISO.
JONES, G. R., GEORGE, J. M., 2008. Contemporary Management. 5th ed. New York: McGraw-Hill.
KALLAS, P., 2011. 48 Social Media KPIs (Key Performance Indicators) [online]. Available from: http://www.dreamgrow.com/48-social-media-kpis-key-performance-indicators/ [Accessed 17 July 2011].
LOUBET, K., 2011. 25 Unbelievable Social Media Statistics [online]. Available from: http://www.social2b.com/index.php/2011/04/21/25-social-media-statistics/ [Accessed 23 May 2011].
NCIRCLE, 2011. nCircle 2011 Social Media Security Trends Survey [online]. Available from: http://www.ncircle.com/index.php?s=resources_surveys_Survey-SocialMedia-2011 [Accessed 10 July 2011].
NEELY, D., 2010. Social-Media Listening vs. Social-Media Monitoring: Truly Connecting, or Merely Collecting? [online]. Available from: http://www.marketingprofs.com/articles/2010/3634/social-media-listening-vs-social-media-monitoring-truly-connecting-or-merely-collecting [Accessed 10 July 2011].
OPENDNS, 2011. OpenDNS® 2010 Report Web Content Filtering and Phishing. San Francisco: OpenDNS, Inc.
OWYANG, J., LOVETT, J., 2010. Social Marketing Analytics [online]. Available from: http://www.slideshare.net/jeremiah_owyang/altimeter-report-social-marketing-analytics?from=embed [Accessed 17 July 2011].
RENNIE, J., ZORPETTE, G., 2011. The Social Era of the Web Starts Now. IEEE Spectrum, 6 (11), 23-25.
RISKIT, 2009. The RiskIT Framework. Rolling Meadows: ISACA.
SCHEID, J., 2010. Get Rid of Facebook Viruses [online]. Available from: http://www.brighthub.com/internet/security-privacy/articles/73700.aspx [Accessed 19 July 2011].
SYMANTEC, 2010. W32.Koobface [online]. Available from: http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99 [Accessed 19 July 2011].
SYMANTEC, n.d. Glossary - bot network [online]. Available from: http://www.symantec.com/business/security_response/glossary/define.jsp?letter=b&word=bot-network [Accessed 19 July 2011].
WOLF, D., 2010. Junge Kollegen sind anspruchsvoll, flexibel, kollegial [online]. Available from: http://www.business-wissen.de/personalmanagement/generation-y-junge-kollegen-sind-anspruchsvoll-flexibel-kollegial [Accessed 20 July 2011].
Appendix A

List of the complete vulnerabilities according to ISO/IEC 27005:2008 (2008).

Types and vulnerabilities:
Hardware
  - Insufficient maintenance/faulty installation of storage media
  - Lack of periodic replacement schemes
  - Susceptibility to humidity, dust, soiling
  - Sensitivity to electromagnetic radiation
  - Lack of efficient configuration change control
  - Susceptibility to voltage variations
  - Susceptibility to temperature variations
  - Unprotected storage
  - Lack of care at disposal
  - Uncontrolled copying
Software
  - No or insufficient software testing
  - Well-known flaws in the software
  - No logout when leaving the workstation
  - Disposal or reuse of storage media without proper erasure
  - Lack of audit trail
  - Wrong allocation of access rights
  - Widely-distributed software
  - Applying application programs to the wrong data in terms of time
  - Complicated user interface
  - Lack of documentation
  - Incorrect parameter set up
  - Incorrect dates
  - Lack of identification and authentication mechanisms like user authentication
  - Unprotected password tables
  - Poor password management
  - Unnecessary services enabled
  - Immature or new software
  - Unclear or incomplete specifications for developers
  - Lack of effective change control
  - Uncontrolled downloading and use of software
  - Lack of back-up copies
  - Lack of physical protection of the building, doors and windows
  - Failure to produce management reports
Network
  - Lack of proof of sending or receiving a message
  - Unprotected communication lines
  - Unprotected sensitive traffic
  - Poor joint cabling
  - Single point of failure
  - Lack of identification and authentication of sender and receiver
  - Insecure network architecture
  - Transfer of passwords in clear
  - Inadequate network management (resilience of routing)
  - Unprotected public network connections
Personnel
  - Absence of personnel
  - Inadequate recruitment procedures
  - Insufficient security training
  - Incorrect use of software and hardware
  - Lack of security awareness
  - Lack of monitoring mechanisms
  - Unsupervised work by outside or cleaning staff
  - Lack of policies for the correct use of telecommunications media and messaging
Site
  - Inadequate or careless use of physical access control to buildings and rooms
  - Location in an area susceptible to flood
  - Unstable power grid
  - Loss of power supply
  - Lack of physical protection of the building, doors and windows
Organization
  - Lack of formal procedure for user registration and de-registration
  - Lack of formal process for access right review (supervision)
  - Lack or insufficient provisions (concerning security) in contracts with customers and/or third parties
  - Lack of procedure of monitoring of information processing facilities
  - Lack of regular audits (supervision)
  - Lack of procedures of risk identification and assessment
  - Lack of fault reports recorded in administrator and operator logs
  - Inadequate service maintenance response
  - Lack or insufficient Service Level Agreement
  - Lack of change control procedure
  - Lack of formal procedure for ISMS documentation control
  - Lack of formal procedure for ISMS record supervision
  - Lack of formal process for authorization of public available information
  - Lack of proper allocation of information security responsibilities
  - Lack of continuity plans
  - Lack of e-mail usage policy
  - Lack of procedures for introducing software into operational systems
  - Lack of records in administrator and operator logs
  - Lack of procedures for classified information handling
  - Lack of information security responsibilities in job descriptions
  - Lack or insufficient provisions (concerning information security) in contracts with employees
  - Lack of defined disciplinary process in case of information security incident
  - Lack of formal policy on mobile computer usage
  - Lack of control of off-premise assets
  - Lack or insufficient clear desk and clear screen policy
  - Lack of information processing facilities authorization
  - Lack of established monitoring mechanisms for security breaches
  - Lack of regular management reviews
  - Lack of procedures for reporting security weaknesses
  - Lack of procedures of provisions compliance with intellectual rights
Table 6: List of all ISO/IEC 27005:2008 (2008) vulnerabilities
Appendix B

Kallas (2011) proposed 48 different KPI values within 4 different categories which can be used for social media:

KPI category and KPIs:
Distribution
  - Followers
  - Fans
  - Number of mentions
  - Reach
  - Social bookmarks (StumbleUpon, Delicious)
  - Inbound links
  - Blog subscribers
Interaction
  - Retweets
  - Forward to a friend
  - Social media sharing
  - Comments
  - Like or rate something
  - Reviews
  - Contributors and active contributors
  - Pageviews
  - Unique visitors
  - Traffic from social networking sites
  - Time spent on site
  - Response time
Influence
  - Share of conversation vs competitors
  - Net Promoter
  - Satisfaction
  - Sentiment positive, neutral or negative
  - Number of brand evangelists
Action and ROI
  - Sales revenue
  - Registered users
  - Issues resolved and resolution rate
  - Number of leads (per day, week, month)
  - Cost of lead
  - Lead conversion rate
  - Cost of sale
  - Revenue (per follower, lead, customer)
  - Lifetime value of customers
  - Support cost (per customer in social channels)
  - Share of repeat customers (from social media vs other channels)
  - Transaction value per customer
  - Money in the bank, net profit, etc.
Internal
  - Blog posts
  - E-books
  - Presentations
  - Videos
  - Facebook updates
  - Tweets
  - Forum posts
  - Social media marketing budget
  - Social media staff payroll
  - Social media development costs
Table 7: List of all KPI values, according to Kallas (2011)
