
Social media and business: balancing risks and opportunities. A literature review.

Alicia Zorraquino

Information Security, master's level (120 credits) 2020

Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering

Acknowledgments

I would like to acknowledge and appreciate the support rendered by my supervisors, Martin Lundgren (Luleå University of Technology) and Arthur Meulstee (Inter IKEA Group).

Abstract

Purpose

This thesis analyses the current information security risks and opportunities of social media in a business context, based on publications from 2015 to 2020.

Design/methodology/approach

This thesis follows a qualitative method, particularly a Systematic Literature Review guided by Okoli and Schabram (2010), the concept-centric approach described by Webster and Watson (2002) and the thematic analysis described by Braun and Clarke (2006).

Findings

Data leaks, non-compliance and reputational risks seem to be the most significant corporate social media risks. Adopting social media policies and providing employees with social media security education, training and awareness are the controls most frequently mentioned in the reviewed literature.

Social media are increasingly used as an intelligence source and for cyber security prediction and detection. Furthermore, social media may be used for InfoSec discussion, as a tool for information security training and awareness, for internal cyber threat sharing and for incident response handling.

Originality/value

This thesis provides an overall view of the risks, controls and opportunities that social media use implies for private organizations. Further research is needed that focuses primarily on the opportunities that social media offer to strengthen business Information Security.

Keywords

Social Media, Risk, Control, Opportunity, Information Security, Corporate Security.


Table of contents

1. Introduction ...... 4
1.1. Background ...... 4
1.2. Problem description ...... 6
1.3. Scope and limitations ...... 7
1.4. Disposition ...... 7
2. Theoretical background and related work ...... 8
2.1. Information security social media risks, countermeasures and opportunities ...... 8
2.2. Related work ...... 9
3. Method ...... 11
3.1. Literature search ...... 13
3.2. Practical screen ...... 14
3.3. Quality appraisal ...... 16
3.4. Data extraction and synthesis of studies ...... 16
3.5. Writing the review ...... 17
4. Overview of the literature ...... 18
5. Findings ...... 19
5.1. What are the private organisations social media risks related to information security? ...... 20
5.1.1. Technical risks ...... 20
5.1.1.1. Virus and introduction ...... 20
5.1.1.2. Corporate social media account abuse ...... 20
5.1.1.3. Inefficient use of employer network resources ...... 20
5.1.2. Non-technical risks ...... 21
5.1.2.1. Corporate data leaks risk ...... 21
5.1.2.2. Corporate espionage risk ...... 21
5.1.2.3. Source of information for hackers and social engineering ...... 21
5.1.2.4. Non-compliance risk ...... 21
5.1.2.5. Reputational risk ...... 22
5.2. What are the common measures to control private organisations social media InfoSec risks? ...... 22
5.2.1. Formal controls ...... 22
5.2.1.1. Social media policies ...... 22
5.2.1.2. Social media risk management ...... 25
5.2.2. Informal controls ...... 26
5.2.2.1. SM employees' security education, training and awareness ...... 26
5.2.3. Technical controls ...... 27
5.2.3.1. Social media account configuration and management ...... 27
5.2.3.2. Social media monitoring ...... 27
5.2.3.3. Social media employees use audit ...... 27
5.2.3.4. Traditional measures ...... 27
5.3. How social media may be used to improve private organisations information security? ...... 28
5.3.1. As a source of cyber threat information ...... 28
5.3.1.1. As a threat intelligence source ...... 28
5.3.1.2. As a source for cyber security prediction and detection ...... 30
5.3.1.3. As an input for InfoSec and Risk Management Processes ...... 33
5.3.2. As a tool for InfoSec discussion ...... 33
5.3.2.1. As a tool for InfoSec dissemination ...... 33
5.3.3. As an internal InfoSec communication tool ...... 33
5.3.3.1. For employees' security education, training and awareness ...... 33
5.3.3.2. For internal cyber threat sharing ...... 34
5.3.4. As a tool for incident response ...... 34
5.3.4.1. Social media as a tool for incident response and handling ...... 34
6. Discussion ...... 36
7. Conclusions ...... 40
7.1. Practical contributions ...... 40
7.2. Future research ...... 41
References ...... 42

1. Introduction

1.1. Background

Kaplan and Haenlein (2010) define Social Media (SM) as “a group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of User Generated Content”.

According to Aichner and Jacob (2015), some of the common forms of SM are blogs (e.g. WordPress) and microblogs (e.g. Twitter), forums, social networks (e.g. Facebook), business networks (e.g. LinkedIn), collaborative projects (e.g. wikis, Google Docs), enterprise social networks, photo (e.g. Pinterest, Flickr) or video sharing (e.g. YouTube) and virtual worlds (e.g. IMVU).

Social media offer organisations cost-effective, convenient and efficient means of conducting business by providing interaction channels for their users. Their power comes from their immediacy, omnipresence and availability (Maal and Wilson-North, 2019). SM have changed corporate HR practices: they are used in recruitment to expand the candidate pool, to check candidates' backgrounds and to interact with them (Nagendra, 2014).

Regarding operations, social media may provide constant online collaboration (connecting groups of interest) and communication (e.g. videoconferences), engagement (motivating the employees) and knowledge sharing. SM may also improve work productivity by facilitating, for example, internal access to the company's resources (Hysa and Spalek, 2019).

Nowadays, social media are popular and ubiquitous applications. In January 2019 there were 3,486 million active SM users (Statista, 2019). As of January 2020, the most popular social networks worldwide were Facebook, YouTube, WhatsApp, Facebook Messenger and WeChat (Statista, 2020). According to Eurostat (2020), 53% of European Union companies used at least one type of SM in 2019, and 86% of these businesses used SM to build their image and to market products.

However, the speed with which information can be disseminated on social media creates an opportunity to quickly spread “fake news” (Moravec, Minas and Dennis, 2019) as we have seen regarding the Coronavirus (Europol, 2020).

Furthermore, social media are also used as a platform by cybercriminals. Users have high levels of trust in SM, which results in a large amount of self-disclosed personal information on social networks. This information may be exploited by cybercriminals to carry out more targeted attacks against the business where those users work. In fact, SM phishing increased by 200% from 2016 to 2017 (ENISA, 2019). Restricting the information shared and showing caution with regard to social media is a general recommendation from Europol's European Cybercrime Centre (2019) for both companies and employees.

According to Europol (2011), the use of SM at work has the potential to infect corporate networks with spyware and other means to harvest personal, corporate and financial data for profit. For example, malicious software may be injected into posted items, and links may be shared to websites designed to extract personal information.

When adopting external social media platforms, security controls mostly depend on the platform providers (Di Gangi, Johnson, Worrell and Thompson, 2016). However, companies should also take measures to address corporate social media information security (InfoSec) risks, whether technical (e.g. keeping software updated, monitoring SM sites) or related to policies and people, such as implementing and keeping up to date a SM policy and social media guidelines (Oehri and Teufel, 2012), developing a social media incident notification and response plan and providing employees with SM training and awareness (He, 2012).

Instead of just looking at social media as a risk factor, some authors consider that they may contribute to better InfoSec if used for raising security awareness (Pham and Nkhoma, 2018; European Cybercrime Centre, 2019), as a source of cyber threat intelligence (Sapienza, Ernala, Bessi, Lerman and Ferrara, 2018) or as a means for establishing and maintaining trust (NIST SP 800-150, Guide to Cyber Threat Information Sharing). Social media may also be used in security incident management (Wang and Park, 2017).

The increasing interest of cybercriminals in SM tools may impact business. SM use in corporations may cause huge financial and reputational damage, for instance if corporate networks are infected (Vijayan, 2020), trade secrets are disclosed (Pooley, 2020), future projects are revealed (Cross, 2014) or laws and intellectual property rights are violated (Green, 2016).

Driven by the need to address such serious concerns, companies consider various countermeasures including but not limited to SM sites monitoring (Cooper, Stavros and Dobele, 2019) and the adoption of SM policies (Di Gangi et al., 2016).


At the same time, some researchers propose using SM to strengthen risk identification (Deliu, Leichter and Franke, 2017) and notification (Rosati, Deeney and Cummins, 2018), contributing to better InfoSec.

However, there is an incomplete understanding both of how social media could harm information security and of how social media can be applied to strengthen information security, i.e. as an opportunity.

1.2. Problem description

This thesis considers that there is a need to provide an overview of the available literature that connects the knowledge about the current state of the art on this topic. A current overview of the risks and upsides of social media in information security would give companies additional insights into better security practices.

This thesis sets out to answer the following Research Question (RQ), formulated after discussion with an expert (Leedy and Ormrod, 2019):

RQ1: What are the information security risks and opportunities of social media in private organisations?

This research question is divided into three sub questions, which help the researcher to get a better idea of how to approach the entire research (Leedy et al., 2019). The sub questions are the following:

RQ 1.1. What are the private organisations SM risks related to information security?

RQ 1.2. What are the common measures to control private organisations SM information security risks?

RQ 1.3. How may SM be used to improve private organisations information security?

The contribution of the research question and sub questions is the following. Literature reviews have previously been used within information security to study similar research issues and to give insights about SM risks (e.g. Deleure et al., 2012; Williams et al., 2017). However, there is an incomplete picture of how SM, beyond being a risk, have been used to improve information security. Thus, this thesis aims to provide a more complete picture of SM use by private organisations.


1.3. Scope and limitations

This thesis aims to analyse the InfoSec risks and opportunities of SM in private organisations. It is focused on information security, i.e. the protection of the confidentiality, integrity and availability of information assets (Whitman and Mattord, 2019); any other aspect of SM use is excluded.

The terms companies and organisations are used interchangeably throughout the thesis. Furthermore, from the research question it is clear that the environmental scope is limited to private organisations. This thesis addresses the use of SM by private organisations and excludes the personal use of SM by employees. This rules out a wider perspective that would have addressed SM risks and opportunities for users in general, with a strong focus on users' security and privacy. It also excludes the consideration of SM use by nations and public entities.

In order to provide an overview of the current state of the art of SM in private organisations, a systematic literature review following the guidelines of Okoli and Schabram (2010) seemed fitting. However, due to time constraints and in order to deliver the most relevant input, only articles written in English, published in journals or conference proceedings between 2015 and January 2020 and fully available online were covered. The papers were gathered using the LTU Library and Google Scholar search engines.

1.4. Disposition

The rest of this thesis is structured as follows. Section 2 discusses the theoretical aspects of the subject, including related work on existing surveys. Section 3 describes the method of data gathering, including the databases and search criteria used. Section 4 gives a brief overview of the papers gathered. Section 5 presents the findings regarding the research question in three sub sections: the first addresses research sub question 1, private organisations SM InfoSec risks; the second addresses research sub question 2, private organisations SM InfoSec controls; the third addresses research sub question 3, how SM may be used to strengthen private organisations InfoSec. Section 6 contains the discussion. Finally, section 7 presents the conclusions, discusses the practical contributions and identifies areas for future research.


2. Theoretical background and related work

This section describes the key concepts used in the thesis and the related work.

2.1. Information security social media risks, countermeasures and opportunities

As described in section 1.2 (Problem description), the research question (What are the information security risks and opportunities of social media in private organisations?) was decomposed into three sub questions, related to private organisations InfoSec SM risks, controls and opportunities.

The definition of InfoSec social media risks may start with the definition of InfoSec risk in general. According to Gantz, Philpott and Windham (2013), InfoSec risk includes the impacts to an organization and its stakeholders that may happen due to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which they work. Therefore, InfoSec social media risk can be defined as the impact that a company may suffer as a consequence of a threat exploiting a SM vulnerability.

According to Gantz et al. (2013), InfoSec risks are mitigated through preventive, detective and corrective security controls which aim to protect the company's information assets or to limit the damage should a compromise occur. People, processes and technology all contribute to controlling SM threats.

SM security therefore analyses users' behaviour to strengthen the human factor (Tayouri, 2015). It also deals with SM policies and culture (Patel and Jasani, 2010; Oehri et al., 2012) and relies on technical measures such as encryption or malware detection (Gupta, Thakral and Cloudhury, 2018). Therefore, InfoSec SM countermeasures can be defined as the measures that companies (may) adopt in order to control InfoSec SM risks.

Regarding InfoSec SM opportunities, some authors and agencies consider that SM may contribute to better InfoSec, for instance when used for raising security awareness (Pham et al., 2018; European Cybercrime Centre, 2019), as a source of cyber threat intelligence (Sapienza et al., 2018) or as a means for establishing and maintaining trust (NIST SP 800-150, Guide to Cyber Threat Information Sharing). SM may also be used in security incident management (Wang et al., 2017).

Therefore, InfoSec SM opportunities can be defined as the ways in which SM may contribute to strengthening business InfoSec, e.g. when used for raising security awareness, to share knowledge and best practice, as a source of cybersecurity intelligence or as a communication means during a security incident.

2.2. Related work

Williams and Hausman (2017) carried out a literature review related to corporate SM security. They reviewed 61 articles and categorised the SM business risks into five classes: technical (e.g. malware, spam), human (e.g. blurring boundaries between professional and personal usage), content (e.g. information loss or disclosure of confidential information), compliance (e.g. violation of laws, identity theft) and reputational (e.g. loss of reputation or loss of trust). However, as stated in their conclusion, they only provide a list of potential risks, with little explanation and no guidance about how to deal with them.

Regarding SM threats, some authors enumerate SM threats in specific fields such as in corporate project management (Hysa et al., 2019), while others have a more general approach (Thakur, Hayajneh and Tseng, 2019; Ahmad, 2013; Putchala, Bhat and R, 2013; He, 2012).

Thus, Thakur et al. (2019) study SM cyber threats, such as the security risks of mobile SM, and challenges such as the vulnerability of social network security systems and the conflict between privacy and SM users' desire to share.

Ahmad (2013) enumerates some SM security attacks (such as adware, spyware and phishing attacks) and countermeasures (e.g. enforcing an acceptable usage policy, providing security awareness to all staff, and using web monitoring tools and data loss prevention tools).

Putchala et al. (2013) explain the InfoSec challenges in SM interactions by identifying some risks (e.g. unregulated flow of information, disclosure of personal information and information security breach), mentioning some key issues regarding the adoption of SM (e.g. longevity of interactions, productivity vs. participation in SM and deficit of awareness and training), and offering some strategies such as the development of policy and guidelines.

He (2012) mentions some SM security risks (e.g. insufficient authentication controls, phishing or information leakage) and mitigation techniques (e.g. developing a SM acceptable use and security policy, routine SM site monitoring and a user education and training programme), with a focus on organisations.


Some authors categorise SM business risks according to different criteria: whether they are technical, human, content, compliance or reputational (Williams et al., 2017); media content threats (such as multimedia content exposure or static links), traditional threats (e.g. phishing, malware or spam) and social threats (e.g. cyber bullying or corporate espionage) (Gupta et al., 2018); or social (e.g. source of information for hackers), technical (e.g. unauthorised access to a SM account) and legal (e.g. purposeful loss of competitive data or trade secrets) risks (Di Gangi et al., 2016).

Regarding the advisability of creating a corporate SM framework or policy and its content, Prayitno, Tavares, Damaini and Setyohadi (2017) propose the creation of a regulatory framework to reduce SM risks in companies; Di Gangi et al. (2016) provide a comprehensive view of the current state of SM policy development; and Patel et al. (2010) examine the impact of SM on corporations and propose the adoption of some corporate SM guidelines.

Regarding the view of SM as an opportunity to strengthen InfoSec, in most cases researchers focus on the use of social media as a source to predict or detect threats (e.g. Okutan, Werner, Yang and McConky, 2018; Dionisio, Alves, Ferreira and Bessani, 2019; Nagai, Takita, Furumoto, Shiraishi, Xia, Takano, Mohri and Morii, 2019).


3. Method

This section explains the research method chosen in this thesis and how it has been followed.

It is well known that there are two main research methodologies: qualitative and quantitative. The former deals with words and meanings, while the latter deals with numbers and statistics. Inductive research tends to be qualitative, while deductive research tends to be quantitative (Greener, 2011).

This thesis adopts a qualitative research approach, particularly a Systematic Literature Review (SLR). A SLR is "a means of identifying, evaluating and interpreting all available research relevant to a particular research question" (Kitchenham, 2004, p.1).

The review follows a systematic search strategy guided by Okoli et al. (2010) guidelines. For those, a SLR is a “systematic, explicit, and reproducible method for identifying, evaluating, and synthesizing the existing body of completed and recorded work produced by researchers, scholars, and practitioners” (Okoli et al., 2010, p.4).

The selection of Okoli et al. (2010) guidelines was mainly driven by their comprehensiveness and structure. Furthermore, they are focused on SLR of Information Systems Research as opposed to more specific methods such as the SLR in Software Engineering described by Kitchenham and Charters (2007).

Okoli et al. (2010) define a set of four phases for a SLR, all of which are essential for a rigorous review. The first, Planning, includes two steps: purpose of the literature review and protocol development. The second, Selection, covers the literature search and the practical screen. The third, Extraction, includes the quality appraisal and the data extraction. Finally, in the last phase, Execution, the synthesis of studies and the writing of the review are carried out.

In particular, each step includes the following (Okoli et al., 2010):

1. Determination of the purpose of the literature review: this step has to answer the question: why do a literature review?
2. Protocol development: this step has to do with planning the specific steps and procedures to be followed in the particular SLR.
3. Literature search: it involves searching for data (papers) to be analysed in the SLR. A suggested stopping rule is when repeated searches by whatever means result in the same references, without new results.
4. Practical screen: this step reduces the papers to be considered to the relevant studies only, on the basis of predetermined criteria (e.g. content, language, participants, dates, authors).
5. Quality appraisal: this step examines the articles more closely to assess their quality, eliminating papers that do not meet the standard established by the reviewer.
6. Data extraction: information is systematically taken from each paper to serve as the raw material for the following step.
7. Synthesis of studies: information gathered in the previous steps is aggregated, discussed, organised and compared.
8. Writing the review: this step aims to report the findings and write the review.

A figure describing the research design is included below (figure 1).

Planning: 1. Purpose of the literature review; 2. Protocol development
Selection: 3. Literature search; 4. Practical screen
Extraction: 5. Quality appraisal; 6. Data extraction
Execution: 7. Synthesis of studies; 8. Writing the review

Figure 1. SLR phases and steps as defined by Okoli et al. (2010)

The first phase was excluded because the purpose of the literature review is already discussed in sections 1.2 (problem description) and 1.3 (scope and limitations), and because the "Protocol and training" step aims to bring multiple researchers together to ensure consistency. It is also worth mentioning that the Data extraction and Synthesis of studies steps were merged (see section 3.4).


3.1. Literature search

Taking into account the research question posed in section 1.2, literature was collected from 2015 onwards without any limitation regarding their field of study and methodology. Only articles available online and in English were reviewed.

Two databases, LTU Library and Google Scholar, were systematically searched in January and February 2020 to gather relevant papers.

LTU Library indexes the following scientific databases: Academic Search Premier, ACM Digital Library, arXiv.org, ASTM Compass, IEEE Xplore, ScienceDirect Journals, Scopus, SPIE Digital, SpringerLink, Web of Science.

Google Scholar also indexes major computer science literature databases such as IEEE Xplore, ACM Digital Library, ScienceDirect and SpringerLink.

The keywords were selected by analysing and decomposing the research question and sub questions, as well as by asking for expert advice. Terms for social media, security, attack, threat, risk, vulnerability, control, countermeasure, monitoring, incident response, incident response plan, best practices, threat intelligence, source of intelligence, crisis communication and information security were combined as shown in the following table (table 1).

| Search number | Keywords | LTU Library | Google Scholar |
|---|---|---|---|
| 1-2 | "Social Media Security" | 492 | 874 |
| 3-4 | "Social Media threat" OR "social media risk" OR "social media vulnerability" OR "social media control" OR "social media countermeasure" OR "social media attack" OR "social media incident response" OR "social media best practices" | 1472 | 1780 |
| 5-6 | "social media" AND "source of intelligence" AND "information security" | 122 | 78 |
| 7-8 | "social media" AND "crisis communication" AND "information security" | 235 | 359 |
| 9-10 | "social media" AND "Incident response plan" AND "information security" | 215 | 347 |
| 11-12 | "social media monitoring" AND "information security" | 41 | 290 |
| 13-14 | "social media" AND "threat intelligence" AND "information security" | 442 | 986 |

Table 1. Database searches (number of search results per database)

Some searches yielded a high number of hits; in total, 7733 references were retrieved.

3.2. Practical screen

This step decides the inclusion and exclusion of the papers retrieved from the above mentioned searches, i.e. which papers should be considered for the review.

According to Okoli et al. (2010), this step is a very subjective part of the literature review. There are no absolute rights and wrongs here, but considerations of what is reasonable and justifiable. The screen must be broad enough to include enough studies to satisfactorily answer the research question, being at the same time practically manageable, considering time constraints.

This step is not focused on quality (which is addressed in the following step, section 3.3.). Instead, it is based on two categories of criteria, the inclusion and the exclusion criteria mentioned by Okoli et al. (2010): “according to whether the study’s content is applicable to the research question; and according to explicitly defined, albeit perhaps arbitrary, criteria chosen in order to restrict the total number of articles considered so that the literature review may be practically manageable.”

As mentioned above, the selected keywords yielded 7733 references in total. They were all assessed by their title. Many papers dealt with catastrophes in general and their prediction and management by emergency agencies, or with users' security and privacy perceptions and practices (particularly students, e.g. Frost and Hamlin, 2017). Some papers focused on how SM may affect national security (e.g. Imamverdiyev, 2016). There were also papers mentioning SM only incidentally, such as their use in the reconnaissance phase of APTs (e.g. Bahrami, Dehghantanha, Dargahi, Parizi, Choo and Javadi, 2019) or in social engineering attacks (e.g. Heartfield and Loukas, 2016; Salahdine and Kaabouch, 2019). Some papers focused on SM providers (Zhao and Zhao, 2015; Calbalhin, 2018). Others referred to SM risks but without a corporate point of view (e.g. Shoro, Hyder and Kazmi, 2018). Finally, other papers dealt with corporate SM risks not related to InfoSec (e.g. Taylor, Haggerty, Gresty, Pacheco, Berry and Almond, 2015, on employees' harassment via SM).

If a title indicated a relevant topic, its abstract was carefully reviewed; 313 abstracts were reviewed in this way. Then, only those papers which matched the following criteria were selected:

Inclusion criteria:

(1) Language: English

(2) Source: Academic Journal or Conference Proceedings

(3) Year of publication: from 2015 onwards

(4) Content: dealing with private organisations SM InfoSec risks and opportunities, including:

-Risks: considering both the threats and the controls or measures adopted by private organisations to deal with them.

-Opportunities: considering the ways in which SM may contribute to strengthen private organisations InfoSec.

Exclusion criteria:

(1) Availability: papers not available online were excluded

(2) Quality: papers which did not meet the quality appraisal (see section 3.3) were excluded

From the initial 7733 references, 313 were assessed at abstract level. For each detailed examination, notes were taken indicating the reason for the outcome (inclusion or exclusion). For the 38 selected papers, notes were taken in a concept matrix, as suggested by Webster et al. (2002), regarding whether they contributed to answering research sub question 1, 2 or 3. Their references (title, author(s), year of publication, source) were also kept.


3.3. Quality appraisal

The quality appraisal step addresses the quality of the articles selected in the previous step. According to Okoli et al. (2010), the quality criteria must be explicit and well understood so that the resulting literature review is reproducible.

Inspired by Fink (2010), the quality of the screened papers was assessed according to the following pre-determined quality criteria:

(1) Is the paper's research design internally and externally valid?

(2) Are the data sources used in the paper reliable and valid?

(3) Are the analytic methods appropriate given the characteristics and quality of the study's data?

(4) Are the results meaningful in practical terms?

The criteria were adopted in order to ensure that each paper's strategy allows its author(s) to discuss and present its elements in a logical and coherent way, that the data sources mentioned are properly identified or at least described to a satisfactory level, that an adequate method was used, and that the results are meaningful in practice, i.e. meaningful in the real world.

The papers selected in the previous steps (38 in total) were assessed against the quality criteria. Each quality criterion was phrased as a yes or no question. If a paper failed any one criterion, the assessment was stopped and the paper excluded. Once the assessment was finished, 7 papers had been excluded. The remaining 31 papers were subjected to the next stage.

3.4. Data extraction and synthesis of studies

After the selection of 31 papers as a result of the previous steps, the data were extracted and synthesised for answering the research sub questions following the Webster et al. (2002) concept-centric approach.

Thus, while an author-centric approach presents a summary of the relevant articles, in a concept-centric approach, concepts determine the organizing framework of the review (Webster et al., 2002).

So, in this thesis each research sub question from section 1.2 served as a predefined concept for data extraction. Then, within each concept (i. InfoSec private organisations SM risks; ii. InfoSec private organisations SM controls; iii. InfoSec private organisations SM opportunities), themes were extracted and analysed.


In order to extract and analyse the themes, the six-step process proposed by Braun and Clarke (2006) was followed, including:

1. Familiarising with the data: papers were read carefully.
2. Generating initial codes: initial codes were assigned by writing notes on the extracted data.
3. Searching for themes: themes which capture something important about the data in relation to the research question were identified.
4. Reviewing themes: the themes were reviewed and the required modifications were made.
5. Defining and naming themes: the names of the themes were reviewed to ensure they fulfil their purpose.
6. Producing the report.

3.5. Writing the review

To ensure a structured report of findings regarding the three research sub questions, the results (Section 5. Findings) are displayed in three sub sections. Thus, the first sub section addresses research data extraction concept 1: private organisations SM InfoSec risks; the second addresses research data extraction concept 2: private organisations SM InfoSec controls; the third addresses research data extraction concept 3: how SM may be used to strengthen private organisations InfoSec.

Section 6 includes the discussion and Section 7 includes the conclusions as well as the practical contributions and areas for future research.


4. Overview of the literature

This section includes a brief overview of the papers retrieved and discussed in this thesis. The results of the data gathering, practical screening and quality appraisal are shown in the flow diagram below (figure 2).

Figure 2. A flow diagram illustrating the research process: references retrieved (7733) -> papers screened regarding their abstract (313) -> papers assessed regarding their quality (38) -> selected papers (31).

As shown in figure 2, a total of 31 papers were finally selected. Of these, 13 were conference proceedings and 18 were published in academic journals, some of them in the field of information systems (e.g. Journal of Information Systems), others in security journals (e.g. Cybersecurity), and others from various other fields (e.g. Journal of Big Data, International Journal of Applied Management Sciences & Engineering).

Figure 3 illustrates the number of articles which contributed to answer each of the three sub questions. It is worth mentioning that some papers contributed to more than one sub question.

Figure 3. Number of papers which contributed to answer each research sub question (bar chart over RQ 1.1, RQ 1.2 and RQ 1.3).


5. Findings

This section includes the results regarding the research question in three sub sections. Each sub section addresses one of the three research data extraction concepts and includes as subheadings the extracted themes (see section 3.4. Data extraction and synthesis).

The concepts and themes are shown in the following table (table 2).

Concept | Theme
Private organisations SM InfoSec risks | Technical risks; Non-technical risks
Private organisations SM InfoSec controls | Formal controls; Informal controls; Technical controls
How SM may be used to strengthen private organisations InfoSec | As a source of cyber threat information; As a tool for InfoSec discussion; As an internal InfoSec communication tool; As a tool for incident response

Table 2. Concepts and themes


5.1. What are the private organisations social media risks related to information security?

The existing social media risks identified in this thesis reflect two dominant themes within a private organisations environment: technical and non-technical risks.

5.1.1. Technical risks

Technical social media risks include the risks a private organisation may suffer in its technological infrastructure due to the use of social media.

5.1.1.1. Virus and malware introduction

“Social media platforms are increasingly used as vectors for introducing malicious code (malware) into the organizational computing environment, thereby circumventing traditional security controls to gain unauthorized access to accounts” (Di Gangi et al., 2016, p. 1101).

Virus and malware introduction is also mentioned by Almeida et al. (2019), Molok, Ahmad and Chang (2018) and Green (2016), for whom it is one of the highest-ranking SM risks. Additionally, Pallegedara and Warren (2016) link this risk to the inappropriate use of SM by employees: “The inappropriate use of social media by employees may result in (…) possible malware risks” (Pallegedara et al., 2016, p.86).

5.1.1.2. Corporate social media account abuse

The corporate SM accounts (e.g. in LinkedIn, Facebook, Twitter) may be abused if they are duplicated (profile cloning, mentioned by Almeida et al. (2019)) or if they are hacked or accessed without authorisation (Di Gangi et al., 2016).

According to Di Gangi et al. (2016), the risk of hacks or unauthorized access to social media accounts is the “Unauthorized use of an organization’s social media accounts by a third party with the intent to cause harm” (p. 1113).

5.1.1.3. Inefficient use of employer network resources

Di Gangi et al. (2016) define inefficient use of employer network resources as “Negative effects on corporate servers, network bandwidth and other corporate IT resources of employees accessing social media sites” (p. 1114).


5.1.2. Non-technical risks

Non-technical risks include those social media risks, other than technical ones, that a private organisation may suffer due to the use of social media.

5.1.2.1. Corporate data leaks risk

Corporate data leak is one of the highest-ranking SM risks (Green, 2016), which may be due to its general nature (Di Gangi et al., 2016).

Corporate data leak is an increasing security risk for organisations (Molok et al., 2018; Pallegedara et al., 2016). It can take the form of manual or electronic transmission and is not necessarily deliberate (Green, 2016).

Molok et al. (2018) define data leak widely as the leakage of sensitive information, which may include “trade secrets, intellectual property, business strategies, product or service related details and even confidential client and customer information” (p. 351). By contrast, Di Gangi et al. (2016) distinguish data leak from intellectual property leakage, purposeful loss of competitive data or trade secrets, and unintended exposure of information.

5.1.2.2. Corporate espionage risk

Corporate espionage risk refers to the possibility that information about a company is gathered by assembling data published on social media by the company or its workers. This social risk is mentioned by Almeida, Pinheiro and Oliveira (2019).

5.1.2.3. Source of information for hackers and social engineering

The vast amount of information publicly available to social engineers facilitates attacks, according to Wilcox and Bhattacharya (2015), Di Gangi et al. (2016) and Prayitno et al. (2017). Furthermore, Tounsi (2017) says that phishing mostly abuses information found in social media.

Molok et al. (2018) further argue that carelessness in accepting friend requests in Online Social Networking (OSN) increases the risk of adding untrusted users, which potentially may lead to monitoring of organisational targets and social engineering attacks that progress an impending attack.

5.1.2.4. Non-compliance risk

Non-compliance is also one of the highest-ranking SM risks for organisations (Green, 2016). It is the risk “created by the violation of the legislative and regulatory framework within which a company operates. This includes laws, regulations, standards and prescribed practices. The result of non-compliance can result in increased reputational risk.” (Green, 2016, p.76)

Non-compliance may lead to litigation, which some authors treat as a standalone risk. For example, Green (2016) says that the unauthorised use of photos of third parties on an organisation’s SM page might cost dearly; and, in a more general sense, Pallegedara et al. (2016) argue that the inappropriate use of SM by employees may cause the organisation potential lawsuits and legal penalties.

5.1.2.5. Reputational risk

Brand and reputational risk is the most significant corporate SM risk, according to Di Gangi et al. (2016).

New disclosure expectations increase exposure to reputational risk, which “involves an organisation suffering loss or foregoing possible business opportunities as a result of the relevant shareholders or the public losing faith in the company's character, integrity or quality of operations” (Green, 2016, p. 75).

5.2. What are the common measures to control private organisations social media InfoSec risks?

The existing measures to control social media risks identified in this thesis reflect three dominant themes within a private organisations environment: formal controls, informal controls and technical controls.

5.2.1. Formal controls

5.2.1.1. Social media policies

The lack of implementation of policies is one of the key challenges of corporate SM. Indeed, only 46.67% of those surveyed by Green (2016) said that their companies have a SM policy. Similarly, Almeida et al. (2019) note that only 32.8% of those surveyed said that their companies implement social networking security policies.

According to Green (2016), an organisation should have strict internal policies and frameworks for corporate SM communication to ensure that employees are aware of and legally bound to these policies. Di Gangi et al. (2016) agree with this and find that the best approach to mitigating corporate SM risks is a clear, frequently communicated SM policy.


The need to establish a security policy is also stated by Cooper et al. (2019) and by Almeida et al. (2019), who find that 40% of respondents (in a sample of 372) do not know some of the risks of using Social Networking Sites.

The importance of good SM policies is highlighted by Jafar et al. (2019), who find that organizational SM rules have negative moderation effects on work-related SM use for information sharing and obtaining information. However, they consider that the negative effect is due to poor policies: when employees face SM use restrictions, they feel deprived of the knowledge exchange process. For this reason, they suggest the provision of a flexible environment and employee training instead of SM use restriction.

SM policies' content is reviewed by some authors such as Di Gangi et al. (2016), Wilcox et al. (2015) and Pallegedara et al. (2016).

Thus, Di Gangi et al. (2016) find that the 40 SM policies analysed mention an average of seven risks. From the most to the least mentioned, they include:

- (un)intentional violation of legal or regulatory requirements (77.5% of policies),
- reputation damage (65%),
- purposeful loss of competitive data or trade secrets (62.5%),
- employees’ views perceived as sanctioned/approved by employer (62.5%),
- unreliable UGC (57.5%),
- online content may be stored or indexed (52.5%),
- damage to consumer confidence (42.5%),
- unintended exposure of information (35%),
- online content shared with unintended third party for commercial purposes (35%),
- inconsistent branding (35%),
- productivity loss (30%),
- online content shared with unintended third party for non-commercial purposes (30%),
- uncontrollable actions (22.5%),
- inefficient use of employer network resources (17.5%),
- source of information for hackers/social engineering (15%),
- malware (15%),
- social mobilization/online activism (12.5%),
- perception of SM acceptance/adoption (10%),
- hacks/unauthorized access to SM account (7.5%),
- online content may facilitate discriminatory hiring (2.5%),
- minority influence or amplification of events (2.5%) and
- damage to morale (2.5%).

On the other hand, Di Gangi et al. (2016) conclude that current corporate SM policies fail to cover all corporate SM risks, as they focus mainly on those with external impact (e.g. on customers or the public), particularly legal and social risks, more than on technical risks.

For their part, Wilcox et al. (2015) provide a review of SM policies as a resource for a best practice framework. They find that most of the analysed policies deal with:

- acceptable use (96%), including how employees will use SM for personal or professional use at work;
- legal aspects (92%), with a general statement that employees are expected to comply with the applicable law or further elaborations, particularly related to privacy, confidentiality, copyright and intellectual property;
- employee conduct (87%), referring to existing codes of conduct or further elaborating the “do and don’ts” of SM use;
- SM content management (62%), regulating what content is to be published online;
- SM account management (46%), which applies to the creation, maintenance and destruction of the corporate accounts; and
- security (42%), covering technical (e.g. password protection, authentication) and behavioural issues (e.g. awareness).

Pallegedara et al. (2016) study how organisations address the unauthorised information disclosure in 25 SM policies. The three prevalent themes mentioned are confidentiality, rules of engagement and information classification.

Thus, most SM policies deal with confidentiality (62.21%), which employees must maintain at all times. Employees cannot disclose confidential information through SM unless in the exercise of their duties or when allowed by relevant policies. However, in most cases the term confidentiality is contextually undefined. Therefore, companies need an information classification scheme (in their SM policies or separately) which defines confidential and sensitive information in their specific context.

In the theme “rules of engagement”, mentioned in 61.91% of the SM policies, companies provide specific guidelines on how to be SM responsible. However, in most cases they do not provide employees with full guidance.


Information classification, clarifying what is confidential information for the company including examples, is mentioned in 45.48% of the SM policies.

Other topics mentioned in SM policies are personal opinions (9.85%), organisational reputation (9.47%), unauthorised organisational accounts (8.09%), permission to engage via SM (6.35%), misinformation (5.90%), and engagement with third parties, rules after leaving the company, actions after an unauthorised disclosure, references to other policies and intelligence gathered from disclosed information (4.11%).

Finally, Prayitno et al. (2017) note the need to keep SM policies updated so that developments in SM and technology are taken into account.

5.2.1.2. Social media risk management

According to Green (2016), only 46.67% of the surveyed auditors said that corporate SM risks are considered in their corporate risk management.

Demek et al. (2017) consider that companies are implementing SM policies on an ad-hoc basis, without using a formalized risk management (RM) process. Thus, they, as well as Green (2016), state that companies are taking a reactive approach to social media risk management instead of a proactive one.

In order to model social media risk management, some authors such as Lenk, Krahel, Janvrin and Considine (2019) or Molok et al. (2018) propose RM frameworks, the first being more general while the second focuses on social networks.

Thus, Lenk et al. (2019) propose an integrated social technology strategy and RM framework to model RM during social technology strategy selection and implementation. It is developed for accounting organisations and inspired by the Balanced ScoreCard (BSC) Framework and the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management Framework.

The framework has two stages. The first one is strategy selection, in which one BSC perspective (learning and growth, internal process, customer or financial) is selected. A social technology strategy risk assessment and use benefit analysis is carried out, following the COSO areas of social technology. If the expected costs from the risks are lower than the expected benefits, the strategy is adopted. Then the second stage, strategy implementation planning, starts. Here, a more traditional BSC perspective is used, so all four BSC perspectives are visited sequentially and strategic objectives, performance metrics, targets and initiatives are considered.


Focused on how corporations may mitigate the risk of sensitive information leakage via Online Social Networking, Molok et al. (2018) develop the OSN Leakage Mitigation Capability Framework.

In this Framework, seven factors of the organisation's capability to mitigate OSN leakage are identified:

- management perception of OSN security impacts,
- management commitment to support OSN security initiatives,
- how OSN security responsibility is assigned,
- employee awareness of OSN security implications,
- OSN security policy (adoption and enforcement),
- security education, training and awareness (SETA) and
- technical controls of OSN.

Based on these factors, their Framework allows the organisation's ability to mitigate the risk of OSN leakage to be assessed and provides guidance for its improvement. Thus, the framework outlines the following four maturity levels:

- Level 1, “Reactive”, corresponds to a low capability due to ad hoc strategies.
- Level 2, “Planned”, represents a medium-low capability given planned but unimplemented strategies.
- Level 3, “Managed”, reflects a medium-high capability because there are strategies and security is structured.
- Level 4, “Integrated”, in which there is a high capability thanks to a sophisticated security strategy, governance and control around SM.

5.2.2. Informal controls

5.2.2.1. SM employees’ security education, training and awareness

According to Demek, Raschke, Janvrin and Dilla (2017), appropriate training regarding SM policies is important to make employees aware of their existence and helps them to understand the risks associated with SM use.

The advisability or need of creating employee awareness and training related to corporate SM is stated by Wilcox et al. (2015) when analysing the countermeasures against corporate social engineering, by Almeida et al. (2019) when analysing the main security risks related to the use of social networks in corporations, and by Di Gangi et al. (2016) when reflecting on the best approaches to mitigate corporate SM risks.


Furthermore, Jafar, Geng, Ahmad, Niu and Chan (2019) argue that there is a dire need for employee training on SM use instead of restricting that use. Prayitno et al. (2017) further argue that every employee should be trained at least at a basic level regarding SM risks and how to prevent them and that, if necessary, additional training should be given to employees who play a role in the corporate use of SM.

5.2.3. Technical controls

5.2.3.1. Social media account configuration and management

Prayitno et al. (2017) argue that the IT department should have authority over the technical aspects of social media and that it should be engaged in account management and maintenance. Accounts should be correctly configured (e.g. enabling, when available, two-factor authentication), as default security settings provide minimal security.

Cooper et al. (2019) also report that, in order to avoid social media incidents, respondents had security protocols which include password management and restriction of administrator rights.

5.2.3.2. Social media monitoring

Social media risks and damages may be reduced by using monitoring tools (Almeida et al., 2019; Di Gangi et al., 2016; Molok et al., 2018). Companies implement social media monitoring in order to guard against SM hostility (Cooper et al., 2019).

5.2.3.3. Social media employees use audit

According to Almeida et al. (2019), 38.17% of those surveyed said that their companies audit the employees' use of SNS. Thus, taking into account that only 32.8% of those surveyed said their companies implement social networking security policies, it is deduced that some companies do not have any social network security policy but do audit their employees' use.

5.2.3.4. Traditional network security measures

According to Wilcox et al. (2015), traditional network security measures (antivirus, firewalls and access controls) are combined with monitoring activities (e.g. data loss prevention, active monitoring and internal auditing) in order to control social engineering risk.

Demek et al. (2017) also say that SM technical controls combine web content filtering and operating system security, and that technical monitoring controls assist in policy enforcement.


5.3. How social media may be used to improve private organisations information security?

The ways in which social media may be used to improve information security identified in this thesis reflect four dominant themes within a private organisations environment: their use as a source of cyber threat information, as a tool for InfoSec discussion, as an internal InfoSec communication tool and as a tool for incident response.

5.3.1. As a source of cyber threat information

5.3.1.1. As a threat intelligence source

Sharing within the community remains the primary source of threat intelligence (Deliu et al., 2017). Recent years have seen an increased use of SM for discussing and sharing information about natural and technical hazards (Syed, Rahafrooz and Keisler, 2018).

Thus, according to Kapellmann and Washburn (2019), 52% of those surveyed (48 Industrial Control Systems (ICS) and Critical Infrastructure stakeholders from 15 different industries) said they use news and media as a source of information, and they expressed interest in regulated forums (45%), community-driven forums (32%) and other social media (9%) as tools for sharing information about ICS vulnerabilities.

Forums, chats or, in general, a lively community that shares indicators of compromise for emerging threats, enriched with its collective knowledge and experience, are also SM functionalities that nearly half of the experts surveyed by Sillaber, Sauerwein, Mussmann and Breu (2018) expect from Cyber Threat Intelligence (CTI) sharing platforms for inter-organizational cyber threat intelligence sharing.

According to Sauerwein, Pekaric, Felderer and Breu (2019), expert blogs, social networks and forums are mostly informal sources which provide information mainly about vulnerabilities and corresponding attacks, but also about threats, countermeasures, risks and assets. Most information is unstructured (without a standardized data format) and has missing or insufficient interfaces, making its automatic integration difficult. Publications are both regular (daily, weekly or monthly) and triggered whenever news or incidents occur.

In most cases, the authors (security experts, vendors and normal users, and sometimes governments) publish original information, i.e. their own information. Blogs are more traceable than social networks and forums, and traceability has a positive impact on trust, which in turn plays a key role in InfoSec sharing (Sauerwein et al., 2019).


Among social networks, Twitter is mentioned by several papers such as Syed et al. (2018) who study how software vulnerability information is shared there. The authors identify five content categories of software vulnerability tweets (alerts, patch, advisory, exploit and root-cause) and find that most tweets are related to the root-cause of the vulnerabilities (42%), vulnerability alerts (32%), exploit information (29%), advisory (19%) and patch information (4%).

Some tweets discuss more than one theme. Root-cause tweets trigger a high number of retweets, which the authors explain by the fact that it is mostly expert users, such as InfoSec professionals or vendors, who discuss or share technical analysis about vulnerabilities on SM.

Vulnerabilities with a higher severity score and those related to application software are more retweeted than those with lower scores or related to system software. Interestingly, vulnerabilities with deferred disclosure (which may have patches available) are more retweeted than immediately disclosed vulnerabilities, for which patches may not be available yet.

Twitter users seem to follow individual experts, who tend to analyse technical details of vulnerabilities and share patch information, more than security organisations (like CERT/CC), which mostly alert about newly disclosed vulnerabilities. Technical features of tweet content contribute positively to its retweetability, while (non-uniform) hashtags and URLs (which make the message more complex and require more processing) have a negative impact.

The benefits of collective sharing and learning from shared threat information are undeniable, as greater communication between organizations would improve preparedness against adversaries. However, there are some barriers that impede it, such as natural reticence and quality issues including relevance, timeliness, accuracy, comparability, coherence and clarity (Kapellmann et al., 2019; Tounsi, 2017).

In this sense, Kapellmann et al. (2019) highlight that vulnerability management requires a large amount of time and resources and that better quality information may reduce the effort required for vulnerability management, increasing the level of preparedness of organisations against known threats.

Sillaber et al. (2018) also find that stakeholders expect that sharing platforms have automated sharing functionalities that facilitate the timely sharing of CTI. Additionally, Syed et al. (2018) suggest the use of codified hashtags to improve the quality of information extracted from Twitter.


5.3.1.2. As a source for cyber security prediction and detection

Once companies are able to collect huge amounts of information from several SM sources, they need tools or methods to manage it and convert it into knowledge and actions.

Indeed, there are several papers that explore the possibility of using SM data from Twitter or other open source intelligence (OSINT) sources for cyber security prediction and detection using machine learning techniques (MLT).

Thus, Lippman, Weller-Fahy, Mensch, Campbell, Campbell, Streilein and Carter (2017) propose the use of MLT to detect cyber discussions in SM forums (Twitter, Stack Exchange and Reddit). To do so, they use term frequency-inverse document frequency features and logistic regression and linear support vector machine (SVM) classifiers.

The classifiers miss less than 10% of cyber documents (false negative) and classify less than 1% non-cyber as cyber documents (false positive). They find that logistic regression classifiers perform well when there were more than roughly 200 words in a discussion. They also find that performance seems to degrade when a classifier is trained on one corpus and tested on another.
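The TF-IDF plus logistic regression approach described above, written out as an added example (standard library only; this is not code from Lippman et al. or any of the reviewed papers). The training posts, the gradient-descent training and the false-negative/false-positive evaluation are constructed here for illustration; terms never seen in training are simply ignored, which is one reason a classifier trained on one corpus can degrade on another.

```python
import math
import re
from collections import Counter

# Constructed training posts (not real forum data): 1 = cyber discussion, 0 = not.
TRAIN = [
    ("new ransomware strain encrypts files and demands bitcoin payment", 1),
    ("patch released for buffer overflow vulnerability in the server", 1),
    ("phishing campaign uses fake login page to steal credentials", 1),
    ("malware sample drops a backdoor and contacts its command server", 1),
    ("sql injection exploit found in the web application login form", 1),
    ("attackers used stolen credentials to access the database", 1),
    ("the recipe needs two eggs and a cup of flour", 0),
    ("our football team won the match in the final minute", 0),
    ("the train to the city was delayed by heavy snow", 0),
    ("this guitar has a warm tone and comfortable neck", 0),
    ("we planted tomatoes and basil in the garden this spring", 0),
    ("the museum opens a new painting exhibition next week", 0),
]

def tokenize(text):
    """Lower-case alphanumeric word tokens; case and punctuation are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())

class TfidfLogReg:
    """Logistic regression on L2-normalised TF-IDF vectors (sparse dicts index -> value)."""

    def __init__(self, lr=1.0, epochs=500, l2=1e-3):
        self.lr, self.epochs, self.l2 = lr, epochs, l2
        self.vocab, self.idf, self.w, self.b = {}, {}, [], 0.0

    def fit(self, docs, labels):
        token_lists = [tokenize(d) for d in docs]
        df = Counter()                                   # document frequency per term
        for toks in token_lists:
            df.update(set(toks))
        self.vocab = {t: i for i, t in enumerate(sorted(df))}
        n = len(docs)
        # Smoothed idf: log((1+N)/(1+df)) + 1, so terms in every document still count.
        self.idf = {t: math.log((1 + n) / (1 + df[t])) + 1.0 for t in self.vocab}
        X = [self._vector(toks) for toks in token_lists]
        self.w, self.b = [0.0] * len(self.vocab), 0.0
        for _ in range(self.epochs):                     # full-batch gradient descent
            grad_w, grad_b = [0.0] * len(self.w), 0.0
            for x, y in zip(X, labels):
                err = self._sigmoid(self._logit(x)) - y  # d(log-loss)/d(logit)
                for i, v in x.items():
                    grad_w[i] += err * v
                grad_b += err
            for i in range(len(self.w)):                 # mean gradient plus L2 penalty
                self.w[i] -= self.lr * (grad_w[i] / n + self.l2 * self.w[i])
            self.b -= self.lr * grad_b / n
        return self

    def _vector(self, toks):
        counts = Counter(t for t in toks if t in self.vocab)  # unseen terms are ignored
        vec = {self.vocab[t]: c * self.idf[t] for t, c in counts.items()}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {i: v / norm for i, v in vec.items()}

    def _logit(self, x):
        return sum(self.w[i] * v for i, v in x.items()) + self.b

    @staticmethod
    def _sigmoid(z):
        if z >= 0:
            return 1.0 / (1.0 + math.exp(-z))
        ez = math.exp(z)                                 # avoids overflow for very negative z
        return ez / (1.0 + ez)

    def predict_proba(self, text):
        return self._sigmoid(self._logit(self._vector(tokenize(text))))

    def predict(self, text):
        return int(self.predict_proba(text) >= 0.5)

def train_default():
    """Train a classifier on the constructed corpus above."""
    texts, labels = zip(*TRAIN)
    return TfidfLogReg().fit(list(texts), list(labels))

def evaluate(model, labelled):
    """(false-negative rate, false-positive rate): cyber posts missed, non-cyber posts flagged."""
    fn = fp = pos = neg = 0
    for text, y in labelled:
        pred = model.predict(text)
        if y == 1:
            pos += 1
            fn += pred == 0
        else:
            neg += 1
            fp += pred == 1
    return fn / pos, fp / neg

if __name__ == "__main__":
    clf = train_default()
    print("FN/FP rates on training posts:", evaluate(clf, TRAIN))
    print(clf.predict_proba("attackers exploit the vulnerability to install malware on the server"))
```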

Similarly, Deliu et al. (2017) compare the performance of different MLT methods to locate hacker forums posts that may include relevant cyber threat intelligence. They find that the support vector machine classifier performs at least as well as the Convolutional Neural Networks (CNN).

Regarding cyber threat prediction, Nagai et al. (2019) propose a method based on security blog posts using a guided topic model to visualise the relationship between words. Additionally, the user can give additional information to the topic model in order to learn topics of specific interest according to the organisation's state and environment.

Subroto and Apriyana (2019) also propose a model to predict cyber risks, but it is based on Twitter, using SM big data analytics (histogram analysis, word cloud and commonality analysis, cluster dendrogram analysis and pyramid analysis) and statistical machine learning (Naïve Bayes, K-nearest neighbors, Support Vector Machines, Decision Trees and Artificial Neural Networks). They report that Artificial Neural Networks have the highest accuracy among the machine learning methods tested.

Deb, Lerman and Ferrara (2018), Okutan et al. (2018) and Sarkar, Almukaynizi, Shakarian and Shakarian (2019) aim to predict specific malicious cyber-events (endpoint malware, malicious destination and malicious emails) against a specific organization.

On one hand, Deb et al. (2018) apply sentiment analysis to hacker forum posts both on the surface web (the World Wide Web accessible through standard browsers) and the dark web (sites accessible via the TOR private network platform) in a model with three phases. In the first phase, hacker posts are collected from preselected forums identified on the basis of cyber security words; in the second, sentiment analysis is carried out on the processed text (Valence Aware Dictionary for sEntiment Reasoning, LIWC and SentiStrength methods); finally, in the third phase, prediction is made using a time-series signal.

On the other hand, Okutan et al. (2018) develop an integrated system fed by unconventional signals derived from Twitter, GDELT (Global Database of Events, Language, and Tone) and OTX (Open Threat Exchange) open platforms. Their integrated approach achieves up to 87% (endpoint malware), 90% (malicious destination) and 96% (malicious email) Area Under Curve (AUC) for forecasting those attacks.

This system has three main components. The first imputes missing (incomplete) signals. To do so, different predictive signal imputation techniques (based on SVM, MLP and KNN algorithms) are evaluated and compared, with KNN giving the best AUC values. The second component aggregates signals over the past significant lags. After considering different approaches, the Weighted Significant Average Based Aggregation with a t-table shows the best AUC values. The third component is a novel filtering method (SMOTE+, a modified version of the Synthetic Minority Over Sampling Technique) to handle the imbalanced ground truth.

Close to Okutan et al. (2018), but with weaker results (a maximum AUC of 69%), Sarkar et al. (2019) mine data only from dark web forums (not from the surface web) using both supervised and unsupervised learning models. Their paper suggests that “focusing on the reply path structure between groups of users based on random walk transitions and community structures” has better performance than relying only on forum or user posting statistics previous to attacks (Sarkar et al., 2019, p.56).

Thus, Sarkar et al. (2019) continue their previous work (Sarkar, Almukaynizi, Shakarian and Shakarian, 2018), where they already highlighted the reply network structure of user interactions, i.e. the role that network and interaction patterns may play, as useful indicators for predicting enterprise cyber threats. For this purpose, they create a novel network mining approach which extracts a set of specialised users (“experts”) using the directed reply network of users, identifying those whose posts with vulnerability information gain attention from other users in a given time frame. Then, some time series of features “capture the dynamics of interactions centred around the experts” across individual dark web forums (Sarkar et al., 2019, p. 57).

Dionisio et al. (2019) emphasize the timeliness of Twitter as a valuable source for relevant cyber threat awareness, proposing a tool which uses neural networks to process information received from Twitter that may be relevant for specific assets of an infrastructure. First, the tool collects, filters and pre-processes tweets from a selected subset of Twitter accounts. Second, a binary classifier based on a CNN labels them as relevant or irrelevant to the monitored infrastructure assets. Third, relevant entities (such as a vulnerability or identifier) are extracted by a Named Entity Recognition model, implemented as a Bidirectional Long Short-Term Memory neural network. The relevant entities extracted can be used to issue a security alert or to improve an indicator of compromise.

Twitter is also a source for Sapienza et al. (2018), who propose a more general method called DISCOVER. This method is an early cyber threat warning system that mines online chatter from cyber actors on Twitter, security blogs and dark web forums to generate warnings with a precision above 80%. Data extracted from Twitter (69 sources) and 290 blogs of cyber security experts are used for warning generation. Dictionaries are used to filter out common words that are unlikely to be related to cyber threats and context-specific words; then, terms with a unique occurrence are excluded and a check that the found term exists in a threat dictionary is carried out. Finally, the method uses dark web forums to monitor mentions of the generated warnings. Thus, the (263) dark web forums provide the warnings' timelines and a verification step on whether the warning is a one-time occurrence (new) or has already been mentioned.
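The DISCOVER warning-generation steps just described, reconstructed as an added Python example (not the authors' code). The word lists, expert posts and dated forum posts are all constructed, and the rule that a warning counts as “already mentioned” only when more than one forum post carries the term is this example's own interpretation of the verification step.

```python
import re
from collections import Counter

# Constructed dictionaries (hypothetical; DISCOVER's real word lists are not on the page).
COMMON_WORDS = {"a", "an", "the", "and", "of", "for", "on", "in", "is", "are", "new",
                "now", "your", "with", "again", "against", "their", "this", "day", "from"}
CONTEXT_WORDS = {"security", "cyber", "attack", "attacks", "hack", "hacker", "vulnerability"}
THREAT_DICTIONARY = {"ransomware", "botnet", "ddos", "phishing", "trojan", "keylogger", "rootkit"}

# Constructed expert chatter (stand-ins for Twitter and blog text).
EXPERT_POSTS = [
    "new ransomware campaign hitting hospitals, samples spreading fast",
    "ransomware operators now leasing their botnet for ddos jobs",
    "warning: phishing kit mimics bank login pages",
    "botnet recruiting unpatched routers again",
    "patch day again, update your routers",
    "keylogger found bundled with a pirated game",
    "ddos attacks against gaming services reported",
]

# Constructed dark web forum posts as (day, text), used only for verification.
FORUM_POSTS = [
    (1, "anyone selling a ransomware builder"),
    (3, "ransomware affiliate program now open"),
    (4, "need a botnet for a quick job"),
    (6, "looking for fresh bank logins"),
]

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def generate_warnings(posts, threat_dictionary, common=COMMON_WORDS, context=CONTEXT_WORDS):
    """Dictionary filter -> drop single-occurrence terms -> keep only threat-dictionary terms.
    Returns {term: number of occurrences across the expert posts}."""
    counts = Counter()
    for post in posts:
        for term in tokenize(post):
            if term in common or term in context:      # unlikely to name a specific threat
                continue
            counts[term] += 1
    return {term: c for term, c in counts.items()
            if c > 1 and term in threat_dictionary}   # unique occurrences excluded

def verify_against_forums(warnings, forum_posts):
    """For each warning, collect the days on which forum posts mention the term and
    label it 'new' (at most one mention) or 'already mentioned' (recurring chatter)."""
    result = {}
    for term in warnings:
        timeline = sorted({day for day, text in forum_posts if term in tokenize(text)})
        status = "already mentioned" if len(timeline) > 1 else "new"
        result[term] = {"timeline": timeline, "status": status}
    return result

if __name__ == "__main__":
    warnings = generate_warnings(EXPERT_POSTS, THREAT_DICTIONARY)
    for term, info in verify_against_forums(warnings, FORUM_POSTS).items():
        print(f"{term:<12} seen {warnings[term]}x in expert posts, forum days {info['timeline']}: {info['status']}")
```

With the constructed data, "routers" is dropped despite appearing twice (not a threat term) and "phishing" and "keylogger" are dropped as single occurrences, leaving three warnings to verify.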

Also general (not focused on one organisation) is the web-based service proposed by Lee, Hsieh, Wei, Mao, Dai and Kuang (2016), called Sec-Buzzer. It aims to detect emerging cyber threat topics and possible solutions from information retrieved from a set of cyber security Twitter users and specific RSS blogs. The tool integrates the emerging topics detected on Twitter with calibrated timeline events extracted from RSS articles.

To do so, Sec-Buzzer includes a SM connector which gathers content from Twitter based on a list of experts, a learning framework which extends the expert list, an expert authority weighting and an emerging topic recognition step. Once the emerging cyber security topics are detected, information is extracted from selected RSS blogs (a list which is also extended using a learning framework) to form timeline events.
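As an added example serving both the DISCOVER and the Sec-Buzzer descriptions above, not code from Sapienza et al. (2018) or Lee et al. (2016), the Python below generates warnings from constructed expert posts: common and context-specific words are dropped, terms occurring only once are excluded, the survivors are checked against a threat dictionary, each remaining term is scored by the summed authority of the experts mentioning it (Sec-Buzzer’s expert authority weighting, with hypothetical weights), and the warnings are then verified against constructed dark web forum posts to obtain their mention timeline and a new/previously seen status. All dictionaries, weights and posts are assumptions of this example.

```python
"""Warning generation from expert chatter with dark web verification.

Added example, not code from Sapienza et al. (DISCOVER) or Lee et al.
(Sec-Buzzer). It follows the filtering steps the text describes for DISCOVER
(drop common and context-specific words, drop terms seen only once, keep terms
present in a threat dictionary, then check dark web mentions) and borrows
Sec-Buzzer's idea of weighting experts by authority to rank the emerging
topics. All dictionaries, weights and posts are constructed."""
import re
from collections import Counter, defaultdict

STOPWORDS = {"the", "a", "an", "is", "of", "in", "and", "to", "for", "on",
             "this", "with", "new", "now", "again", "seen"}
CONTEXT_WORDS = {"security", "cyber", "attack", "threat", "malware"}  # too generic to warn on
THREAT_DICTIONARY = {"ransomware", "botnet", "phishing", "ddos", "exploit",
                     "trojan", "backdoor", "emotet"}
WORD_RE = re.compile(r"[a-z0-9][a-z0-9\-]+")

# Hypothetical authority weights for expert sources (Sec-Buzzer-style).
AUTHORITY = {"@analyst_a": 3.0, "@analyst_b": 2.0, "blog_c": 1.5}

# Constructed expert posts (Twitter and blogs) and dark web forum posts.
EXPERT_POSTS = [
    {"author": "@analyst_a", "day": 1, "text": "New ransomware strain hitting hospitals, watch for the loader"},
    {"author": "@analyst_b", "day": 2, "text": "Ransomware operators now abusing exposed RDP for initial access"},
    {"author": "blog_c", "day": 2, "text": "Emotet botnet resurfaces with a new phishing wave"},
    {"author": "@analyst_a", "day": 3, "text": "Phishing lures reference tax season this week"},
    {"author": "@analyst_b", "day": 3, "text": "DDoS extortion letters seen again"},
]
DARK_WEB_POSTS = [
    {"day": 0, "text": "anyone selling a ransomware builder? need affiliates"},
    {"day": 4, "text": "ransomware affiliate program open, 70/30 split"},
    {"day": 5, "text": "phishing kit for banks, cheap"},
]


def tokenize(text):
    return WORD_RE.findall(text.lower())


def candidate_terms(posts):
    """DISCOVER-style filter. Returns the kept terms and the authors using each."""
    counts, authors = Counter(), defaultdict(set)
    for p in posts:
        for term in set(tokenize(p["text"])):
            if term in STOPWORDS or term in CONTEXT_WORDS:
                continue
            counts[term] += 1
            authors[term].add(p["author"])
    kept = {t for t, c in counts.items() if c > 1 and t in THREAT_DICTIONARY}
    return kept, authors


def rank_warnings(posts, authority):
    """Score each kept term by the summed authority of the experts mentioning it."""
    kept, authors = candidate_terms(posts)
    warnings = []
    for term in kept:
        warnings.append({
            "term": term,
            "score": sum(authority.get(a, 1.0) for a in authors[term]),
            "warning_day": min(p["day"] for p in posts if term in tokenize(p["text"])),
        })
    return sorted(warnings, key=lambda w: (-w["score"], w["term"]))


def verify_against_forums(warnings, forum_posts):
    """Attach the dark web mention timeline and mark each warning as new or as
    already mentioned on the forums before the experts raised it."""
    for w in warnings:
        days = sorted(p["day"] for p in forum_posts if w["term"] in tokenize(p["text"]))
        w["forum_timeline"] = days
        w["status"] = "previously seen" if days and days[0] < w["warning_day"] else "new"
    return warnings


if __name__ == "__main__":
    for w in verify_against_forums(rank_warnings(EXPERT_POSTS, AUTHORITY), DARK_WEB_POSTS):
        print(w)
```

On the sample data “emotet”, “botnet” and “ddos” are each mentioned once and are dropped, “ransomware” and “phishing” survive, ransomware ranks first on authority, and the forum check shows that ransomware was already being discussed on the dark web the day before the experts raised it, while phishing only appears there afterwards. In a real deployment the dictionaries and weights would be curated or learned; the order of the filters and the verification step is the point of the example.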


5.3.1.3. As an input for InfoSec and Risk Management Processes

According to Sauerwein, Sillaber and Breu (2018), SM streams and blogs are shadow cyber threat intelligence sources, i.e. sources that are used without explicit organisational approval or support.

These shadow cyber threat intelligence sources affect the InfoSec RM processes, particularly vulnerability analysis (30%) and threat analysis (30%), where they are used ad hoc without following any formal process. 27% of the sources are used for the implementation of a security architecture (e.g. implementing countermeasures) and 13% for supporting intuitive security management activities.

One of the main reasons to rely on these sources is their timely acquisition and processing: 60% of the sources are accessed on a daily basis and more than 50% provided intelligence which led to actionable events.

The authors argue that a formal process for using InfoSec data sources as input for RM is missing, and conclude that a comprehensive framework is needed to specify all relevant InfoSec data sources for InfoSec RM and the subsequent collection and processing of their data.

5.3.2. As a tool for InfoSec discussion

5.3.2.1. As a tool for InfoSec dissemination

Social media may be used to discuss InfoSec topics such as Data Protection compliance. In this regard, Gruzd, Abul-Fottouh and Mashatan (2020) study the General Data Protection Regulation (GDPR) discussion on Twitter and find that the most influential accounts studied belong to companies and experts that offer cybersecurity services or IT business consultancy. Mostly, they are accounts of CEOs, corporate directors or founders of cybersecurity firms, who share information about the broader impact of GDPR on business, particularly on big technology firms, and advice on how to be GDPR compliant. Additionally, the authors note that users do not interact with each other; instead, Twitter is used for one-way communication (a rhetorical function) or information dissemination.

5.3.3. As an internal InfoSec communication tool

5.3.3.1. For employees’ security education, training and awareness

Pham et al. (2018) study three methods for raising InfoSec awareness (formal training, virtual communities and SM platforms, and the designation of departmental InfoSec experts) and their impact on employees’ InfoSec practice.

They find that virtual communities and SM platforms are a new way of group knowledge sharing which allows information, experience, opinions and feedback to be shared without the need for face-to-face meetings. Indeed, they find that SM applications are used at work for unofficial group information sharing. It is noted, however, that some groups included both employees and third parties, even though the details of the communications were confidential.

5.3.3.2. For internal cyber threat sharing

In a survey carried out by Pham et al. (2018), most participants preferred SM over company email for sharing urgent and significant security warnings. Respondents preferred SM for knowledge sharing because of their convenience and immediacy, but it should be noted that many respondents were aware neither of SM security risks nor of the consequences of disclosing information on potentially open and insecure channels. The authors argue that information should be posted in the appropriate group to avoid flooding members with irrelevant messages, and they suggest that companies may explore mobile SM tools to ease and foster timely sharing of employees’ security knowledge and concerns.

This contrasts with the practice among cyber security professionals reported by Sauerwein et al. (2018). In their survey of 11 experts, mostly security analysts, 45% of cyber threat intelligence is distributed internally (mainly to cyber security professionals or within the security operations team) by email and only 11% via forums or chats.

5.3.4. As a tool for incident response

5.3.4.1. Social media as a tool for incident response and handling

Communication is essential for effective incident response and handling in order to minimise the performance and reputation impacts on companies. In the event of an incident such as a data breach, stakeholders should be assured that an adequate response to the situation is being taken.

In this regard, Rosati et al. (2018) argue that although there is an overall positive view of SM adoption in companies’ communications, the risk of losing control of the information flow due to SM virality should be considered and appropriate communication strategies should be designed.

In particular, they discuss whether disclosing data breaches on SM increases the negative stock price reaction to data breach announcements. To do so, they study Twitter activity related to 32 data breaches at 29 companies.

They find that the social media activity of breached companies increases by an average of 10%. However, only 9% of companies with an active Twitter account use it to disclose the data breach. Furthermore, given Twitter’s character limit and the complexity of the information to be communicated, these tweets tend not to give details of the incident and instead link to a fuller text on the company’s website.

Gruzd et al. (2020) also observe a lack of presence from companies involved in an ongoing data breach crisis, which may be because SM engagement during a crisis can exacerbate it.

Rosati et al. (2018) find that for high visibility firms (larger firms with greater access to media outlets and their audiences, for which SM simply adds to an already established level of market attention), a data breach announcement causes a significant negative stock price impact in the short term (the day of the announcement and the two following days), which is larger when they disclose the event on Twitter. The market seems to recover quickly, with the stock price reaching a new equilibrium three days after the announcement. Consequently, disclosing a data breach on SM worsens the negative stock price reaction to the announcement, which suggests that spreading bad news to a large audience is not an advisable communication strategy for these firms.

For low visibility firms (those which struggle to reach a large audience, and for which SM allow them to overcome the limited coverage of traditional media such as newspapers), the data breach announcement on Twitter mitigates the negative response in the short term, making the movement towards a new price equilibrium faster.

Other factors with an important impact on the short-term stock price reaction are abnormal Twitter communication by the company, the audience size (the larger the audience, the more negative the impact), the type of incident (e.g. payment card fraud breaches have a more negative impact than other breaches) and abnormal traditional media activity such as press releases (which slightly reduces the negative impact).


6. Discussion

This thesis sets out to answer the following Research Question: What are the information security risks and opportunities of social media in private organisations?

This research question is divided into the following three sub-questions:

What are the private organisations SM risks related to information security?

What are the common measures to control private organisations SM information security risks?

How may SM be used to improve private organisations’ information security?

The results indicate that private organisations’ SM risks related to information security include technical risks (virus and malware introduction, corporate social media account abuse and inefficient use of employer network resources) and non-technical risks (corporate data leaks, corporate espionage, SM as a source of information for hackers and social engineering, non-compliance and reputational risk).

The results also show that the most significant corporate SM risks are reputational risk (Di Gangi et al, 2016), corporate data leaks risk (Di Gangi et al., 2016 and Green, 2016) and non-compliance risk (Green, 2016).

It is also worth highlighting that social media as a source of information for hackers and social engineering (Wilcox et al., 2015; Di Gangi et al., 2016; Prayitno et al., 2017; Almeida et al., 2019; Tounsi, 2017) and as a vector for virus and malware introduction (Di Gangi et al., 2016; Molok et al., 2018; Pallegedara et al., 2016; Almeida et al., 2019; Green, 2016) are mentioned by many authors too.

The results also indicate that the risks are interconnected. For example, non-compliance may result in increased reputational risk (Green, 2016). Furthermore, corporate data leak risk is general in nature and subsumes many other risks related to SM use (Di Gangi et al., 2016).

The risks found in this thesis are consistent with the existing literature. Thus, for example, data leak risk is mentioned by He (2012), non-compliance risk by Williams et al. (2017) and reputational risk by Putchala et al. (2013), and social media as a source of information for hackers and social engineering, or as a vector for virus and malware introduction, is mentioned by Ahmad (2013).


However, literature on how social media create an opportunity to quickly spread “fake news” (Moravec et al., 2019), and on how “fake news” may impact private organisations, was expected but did not appear as a separate risk in the reviewed papers.

In the opinion of the author of this thesis, “fake news” risk may be included in reputational risk: an organisation’s reputation may be affected directly (if the fake news concerns the organisation) or indirectly (e.g. if the organisation contributes to its spreading, which may also cause legal liability).

Regarding the common measures to control private organisations’ social media InfoSec risks, the results indicate that they include formal controls (social media policies and social media risk management), informal controls (social media employees’ Security Education, Training and Awareness) and technical controls (social media account configuration and management, social media monitoring, audit of employees’ social media use and traditional network security measures).

Thus, the most mentioned measures in the reviewed literature are SM employees’ SETA (Demek et al., 2017; Wilcox et al., 2015; Almeida et al., 2019; Di Gangi et al., 2016; Jafar et al., 2019; Prayitno et al., 2017) and SM policies (Green, 2016; Di Gangi et al., 2016; Cooper et al., 2019; Almeida et al., 2019; Jafar et al., 2019; Wilcox et al., 2015; Pallegedara et al., 2016; Demek et al., 2017).

Both controls (SETA and SM policies) are consistent with the existing literature. Thus, SM policies and guidelines are already mentioned by Oehri et al. (2012), and SETA is mentioned by He (2012).

In the opinion of the author of this thesis, both measures (SETA and SM policies) are key to controlling SM risks. Employees should be aware of the corporate SM policies. It is also the author’s opinion that SM policies should be framed within a formalised risk management process (following Demek et al., 2017).

Regarding the other controls mentioned, it is worth noting that corporate SM accounts should be monitored (Cooper et al., 2019). Likewise, employees’ SM use should be audited (Cooper et al., 2019), and traditional network security measures should be implemented (Wilcox et al., 2015).

Concerning how SM may be used as an opportunity to improve private organisations’ information security, this thesis finds that social media may be used as a source of cyber threat information (as a threat intelligence source, as a source for cyber security prediction and detection and as an input for InfoSec and Risk Management processes), as a tool for InfoSec discussion, as an internal InfoSec communication tool (including for SETA and for internal cyber threat sharing) and, finally, as a tool for incident response.

In most cases, as expected, reviewed researchers focus on the use of social media as sources to predict or detect threats (Lippman et al., 2017; Deliu et al., 2017; Nagai et al., 2019; Subroto et al., 2019; Deb et al., 2018; Okutan et al., 2018; Sarkar et al., 2019; Sarkar et al., 2018; Dionisio et al., 2019; Sapienza et al., 2018; Lee et al., 2016).

However, in recent years there has been increased use of SM for discussing and sharing threat intelligence (Syed et al., 2018). These shadow cyber threat intelligence sources also affect risk management processes, as Sauerwein et al. (2018) note.

The increasing interest in social media for cyber threat sharing has been reflected in the literature (Deliu et al., 2017; Syed et al., 2018; Kapellman et al., 2019; Sillaber et al., 2018; Sauerwein et al., 2019; Tounsi, 2017).

Thus, some authors have recently started to discuss how SM (forums, blogs, social networks, chats, etc.) are used for threat intelligence sharing. Particularly interesting for the author of this thesis is the broad use of Twitter, especially by individual InfoSec experts rather than security organisations (Syed et al., 2018).

It is worth noting that social media offer private companies opportunities other than cyber threat sharing or prediction. Thus, private companies may use social media internally for SETA (Pham et al., 2018) and for internal cyber threat sharing (Pham et al., 2018; Sauerwein et al., 2018), as well as externally as a tool for InfoSec dissemination and discussion (Gruzd et al., 2020).

In particular, regarding the use of social media as a tool for InfoSec dissemination and discussion, it should be noted that social media offer spaces for discussion which may help companies to share security-related information beyond cyber threats, for example how to be GDPR compliant, as mentioned by Gruzd et al. (2020).

Nevertheless, the results of this thesis are shaped by its scope. This thesis analyses the InfoSec risks and opportunities of SM in private organisations, excluding any other aspect (other than InfoSec), any other type of organisation (such as public ones), and personal use of SM by employees.

The results are also affected by the method chosen. In particular, according to Okoli et al. (2010), the practical screen is a very subjective part of the literature review, although inclusion and exclusion criteria were adopted (only articles written in English, published in journals or conference proceedings between 2015 and January 2020, fully available online and dealing with corporate SM InfoSec risks and opportunities were covered).

Despite its limitations, this thesis provides a general overview of how social media impact private organisations. By studying the risks that the use of social media may imply for private organisations, analysing the measures that may contribute to controlling them, and examining the ways in which private organisations may use social media to strengthen InfoSec, this thesis offers a whole picture of social media use.

A current overview of the risks and upsides of social media in information security helps to weigh risks against benefits, taking into account the available controls, and gives companies additional insights into better security practices.


7. Conclusions

A systematic literature review on private organisations’ SM has been carried out to derive an enumeration of risks, countermeasures and opportunities. The themes discussed in the reviewed papers were analysed according to the research data extraction concepts. In total, 31 papers, including conference proceedings as well as academic journal articles, published over a period of five years (2015-2019), were reviewed.

The results suggest that private organisations’ SM risks related to information security include technical risks (virus and malware introduction, corporate social media account abuse and inefficient use of employer network resources) and non-technical risks (corporate data leaks, corporate espionage, SM as a source of information for hackers and social engineering, non-compliance and reputational risk).

Regarding the common measures to control private organisations’ SM InfoSec risks, the review shows that there are formal controls (social media policies and social media risk management), informal controls (social media employees’ Security Education, Training and Awareness) and technical controls (social media account configuration and management, social media monitoring, audit of employees’ social media use and traditional network security measures).

Concerning how SM may be used as an opportunity to improve private organisations’ information security, this thesis finds that social media may be used as a source of cyber threat information (as a threat intelligence source, as a source for cyber security prediction and detection and as an input for InfoSec and Risk Management processes), as a tool for InfoSec discussion, as an internal InfoSec communication tool (including for SETA and for internal cyber threat sharing) and, finally, as a tool for incident response.

7.1. Practical contributions

This paper provides a complete picture of InfoSec social media risks, controls and opportunities in private organisations.

By highlighting the social media risks, controls and opportunities, companies have the opportunity to gain an understanding of how social media may impact corporate security. Companies may also find measures to avoid or limit damage related to social media use. Furthermore, companies may find practical ways in which social media may be used as an opportunity to strengthen their InfoSec.


However, it should be noted that, since the social media opportunities mentioned are very resource-demanding and require a specific skill set, not all private organisations will benefit from them.

Data leaks, non-compliance and reputational risks seem to be the most significant corporate social media risks.

Adopting social media policies and providing employees with social media security education, training and awareness are the controls most mentioned in the reviewed literature.

Social media are increasingly used as a threat intelligence source, and their use for cyber security prediction and detection is analysed in this thesis. Furthermore, social media may contribute to internal cyber threat sharing, although employees should be aware of the risks and consequences of disclosing information on potentially insecure channels. Regarding incident response, using social media to disclose an incident may exacerbate it, and the risk of losing control of the information flow should be considered.

Finally, this thesis also highlights some open issues that may be addressed by the research community, listed in the following subsection.

7.2. Future research

This literature review has allowed the identification of some areas where research is required to cope with future challenges, mainly related to the use of social media to strengthen corporate InfoSec.

Thus, the use of social media as a threat intelligence source may be more effective if the information were provided in structured form. Better quality information may reduce the effort required for vulnerability management. Further research may find ways to identify and structure information security conversations on social media.

Further research may focus on how social media streams and blogs are currently used by InfoSec experts in Risk Management processes.

Finally, further research may study which particular social media tools may be used for safe InfoSec discussion within corporations, including for fostering employees’ security education, training and awareness.


References

Ahmad, A. (2013). Social Media Security Risk and It´s Protection against Security Attacks. International Journal Computer Technology and Applications, 4(1), 136-140.

Aichner, T. and Jacob, F. (2015). Measuring the degree of corporate social media use. International Journal of Market Research, 57(2), 257-275. doi:10.2501/IJMR-2015-018.

Almeida, F., Pinheiro, J., & Oliveira, V. (2019). Social Network Security Risks and Vulnerabilities in Corporate Environments. International Journal of Applied Management Sciences & Engineering, 6(1), 14. Retrieved from http://search.ebscohost.com.proxy.lib.ltu.se/login.aspx?direct=true&db=edb&AN=133179126&lang=sv&site=eds-live&scope=site

Bahrami, P. N., Dehghantanha, A., Dargahi, T., Parizi, R. M., Choo, K. K. R., & Javadi, H. H. (2019). Cyber Kill Chain-Based Taxonomy of Advanced Persistent Threat Actors: Analogy of Tactics, Techniques, and Procedures. Journal of Information Processing Systems, 15(4).

Braun, V., Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77–101.

Calbalhin, J. P. (2018). Facebook User’s Data Security and Awareness: A Literature Review. Journal of Academic Research, 3(2), 1-13.

Cooper, T., Stavros, C. and Dobele, A. R. (2019). Domains of influence: exploring negative sentiment in social media. Journal of Product & Brand Management, 28(5), 684.

Cross, M. (2014). Social Media Security : Leveraging Social Networking While Mitigating Risk. Syngress.

Deb, A., Lerman, K., & Ferrara, E. (2018). Predicting Cyber-Events by Leveraging Hacker Sentiment. Information (2078-2489), 9(11), 280.

Deliu, I., Leichter, C., & Franke, K. (2017). Extracting cyber threat intelligence from hacker forums: Support vector machines versus convolutional neural networks. 2017 IEEE International Conference on Big Data (Big Data), 3648–3656.


Demek, K. C., Raschke, R. L., Janvrin, D. J., & Dilla, W. N. (2017). Do organizations use a formalized risk management process to address social media risk? International Journal of Accounting Information Systems, 28, 31–44.

Di Gangi, P. M., Johnston, A. C., Worrell, J. L., & Thompson, S. C. (2016). What could possibly go wrong? A multi-panel Delphi study of organizational social media risk. Information Systems Frontiers, 20(5), 1097–1116.

Dionisio, N., Alves, F., Ferreira, P. M., & Bessani, A. (2019, July). Cyberthreat detection from twitter using deep neural networks. In 2019 International Joint Conference on Neural Networks (IJCNN) (pp. 1-8). IEEE.

ENISA (2019) ENISA Threat Landscape 2018. Available at https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018 (Accessed on December, 12th 2019).

European Cybercrime Centre (2019) Internet Organised Crime Threat Assessment (IOCTA) report 2019. Available at https://www.europol.europa.eu/sites/default/files/documents/iocta_2019.pdf (Accessed on May 2nd, 2020).

Europol (2011) The Hidden Risks Of Social Media. Available at https://www.europol.europa.eu/newsroom/news/hidden-risks-of-social-media (Accessed on May 2nd, 2020).

Europol (2020) Catching the virus: cybercrime, disinformation and the COVID-19 pandemic. Available at https://www.europol.europa.eu/sites/default/files/documents/catching_the_virus_cybercrime_disinformation_and_the_covid-19_pandemic_0.pdf (Accessed on May 2nd, 2020).

Eurostat (2020) Social media - statistics on the use by enterprises. Available at: https://ec.europa.eu/eurostat/statistics-explained/index.php/Social_media_-_statistics_on_the_use_by_enterprises (Accessed on March 28th, 2020).

Fink, A. (2010). Conducting research literature reviews: From the Internet to paper, 3rd ed. Sage Publications, Inc.

Gantz, S. D., Philpott, D. R. and Windham, D. (2013). FISMA and the risk management framework: the new practice of federal cyber security.

Green, S. C. (2016). Risks associated with corporate social media communication-time for internal auditing to step-up. Southern African Journal of Accountability and Auditing Research, 18(1), 73-91.


Greener, I. (2011). Designing Social Research : A Guide for the Bewildered Ed. 1.

Gruzd, A., Abul-Fottouh, D., & Mashatan, A. (2020). Who is Influencing the #GDPR Discussion on Twitter: Implications for Public Relations. HICSS-53 Proceedings.

Gupta, S., Thakral, A. and Choudhury, T. (2018) Social Media Security Analysis of Threat and Security Measures. 2018 International Conference on Advances in Computing and Communication Engineering. Paris, France, 22-23 June 2018.

He, W. (2012). A review of social media security risks and mitigation techniques. Journal of Systems and Information Technology, 14(2), 171-180.

Heartfield, R., & Loukas, G. (2016). Evaluating the reliability of users as human sensors of social media security threats. 2016 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA), 1–7.

Hysa, B. and Spalek, S. (2019). Opportunities and threats presented by social media in project management. Heliyon, 5(4), e01488. https://doi-org.proxy.lib.ltu.se/10.1016/j.heliyon.2019.e01488

Imamverdiyev, Y. (2016). Social Media And Security Concerns. Problems of information society, 7(2), 18-23.

Jafar, R. M. S., Geng, S., Ahmad, W., Niu, B., & Chan, F. T. S. (2019). Social media usage and employee’s job performance: The moderating role of social media rules. Industrial Management & Data Systems, 119(9), 1908.

Kapellmann, D., & Washburn, R. (2019). Call to action: Mobilizing community discussion to improve information-sharing about vulnerabilities in industrial control systems and critical infrastructure. In 2019 11th International Conference on Cyber Conflict (CyCon) (Vol. 900, pp. 1-23). IEEE.

Kaplan, A. M. and Haenlein, M. (2010). Users of the world, unite! The challenges and opportunities of Social Media. Business Horizons, 53(1), 59–68. https://doi-org.proxy.lib.ltu.se/10.1016/j.bushor.2009.09.003

Kitchenham, B. (2004). Procedures for Performing Systematic Reviews.

Kitchenham, B. and Charters, S. (2007) Guidelines for performing Systematic Literature Reviews in Software Engineering [Internet]. Keele University and Durham University Joint Report; 2007. Report No.: EBSE 2007-001. Available from: https://userpages.uni-koblenz.de/~laemmel/esecourse/slides/slr.pdf


Lee, K.-C., Hsieh, C.-H., Wei, L.-J., Mao, C.-H., Dai, J.-H., & Kuang, Y.-T. (2017). Sec-Buzzer: cyber security emerging topic mining with open threat intelligence retrieval and timeline event annotation. Soft Computing - A Fusion of Foundations, Methodologies & Applications, 21(11), 2883.

Leedy, P. D., & Ormrod, J. E. (2019). Practical Research: Planning and Design, 12th Edition. Pearson.

Lenk, M. M., Krahel, J. P., Janvrin, D. J., & Considine, B. (2019). Social Technology: An Integrated Strategy and Risk Management Framework. Journal of Information Systems, 33(2), 129–153.

Lippman, R. P., Weller-Fahy, D. J., Mensch, A. C., Campbell, W. M., Campbell, J. P., Streilein, W. W., & Carter, K. M. (2017, March). Toward finding malicious cyber discussions in social media. In Workshops at the Thirty-First AAAI Conference on Artificial Intelligence.

Maal, M. and Wilson-North, M. (2019). Social media in crisis communication – the “do’s” and “don’ts”. International Journal of Disaster Resilience in the Built Environment, (5), 379.

Molok, N. N. A., Ahmad, A., & Chang, S. (2018). A case analysis of securing organisations against information leakage through online social networking. International Journal of Information Management, 43, 351-356.

Moravec, P. L., Minas, R. K., & Dennis, A. R. (2019). Fake News on Social Media: People Believe What They Want to Believe When It Makes No Sense at All. MIS Quarterly, 43(4), 1343–1360.

Nagai, T., Takita, M., Furumoto, K., Shiraishi, Y., Xia, K., Takano, Y. & Morii, M. (2019). Understanding Attack Trends from Security Blog Posts Using Guided-topic Model. Journal of Information Processing, 27, 802-809.

Nagendra, A. (2014). Paradigm Shift in HR Practices on Employee Life Cycle Due to Influence of Social Media. Procedia Economics and Finance, 11, 197–207.

NIST SP 800-150 Guide to Cyber Threat Information Sharing. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

Oehri, C., & Teufel, S. (2012). Social media security culture. 2012 Information Security for South Africa (ISSA), 1–5.


Okoli, C. and Schabram, K. (2010). A Guide to Conducting a Systematic Literature Review of Information Systems Research. Sprouts: Working Papers on Information Systems, 10(26). http://sprouts.aisnet.org/10-26

Okutan, A., Werner, G., Yang, S. J., & McConky, K. (2018). Forecasting with incomplete, imbalanced, and insignificant data. Cybersecurity (2523-3246), 1(1).

Pallegedara, D., & Warren, M. (2016). Unauthorised Disclosure of Organisational Information through Social Media: A Policy Perspective. IDIMC 2016, 86.

Patel, N. and Jasani, H. (2010) Social Media Security Policies: Guidelines for Organizations. Issues in Information Systems, vol. XI, n. 1.

Pham, H. C., Ulhaq, I., Nkhoma, M., Nguyen, M. N., & Brennan, L. (2018). Exploring Knowledge Sharing Practices for Raising Security Awareness. In Australasian Conference on Information Systems (pp. 1-7). Australasian Conference on Information Systems.

Pooley, J. (2020) The Transmissibility of Information: How Your Trade Secrets Are Like a Virus. Available at https://www.ipwatchdog.com/2020/04/28/transmissibility-information-trade-secrets-like-virus/id=121126/ (Accessed on May 2nd, 2020).

Prayitno, O. T., Tavares, O., Damaini, A. A. and Setyohadi, D. B. (2017). Regulatory framework creation analysis to reduce security risks the use of social media in companies. Proceedings - 2017 4th International Conference on Information Technology, Computer, and Electrical Engineering, ICITACEE 2017, 2018–January, 235–238.

Putchala, S., Bhat, K. and R, A. (2013) Information Security Challenges in Social Media Interactions Strategies to normalize practices across physical and virtual worlds. IEEE.

Rosati, P., Deeney, P., Cummins, M., Van der Werff, L., & Lynn, T. (2018). Should You Disclose a Data Breach via Social Media? Evidence from US Listed Companies. In Proceedings of the 51st Hawaii International Conference on System Sciences.

Salahdine, F., & Kaabouch, N. (2019). Social Engineering Attacks: A Survey. Future Internet, 11(4), 89.

Sapienza, A., Ernala, S. K., Bessi, A., Lerman, K., & Ferrara, E. (2018). Discover: Mining online chatter for emerging cyber threats. In Companion Proceedings of the The Web Conference 2018 (pp. 983-990).


Sarkar, S., Almukaynizi, M., Shakarian, J. and Shakarian, P. (2018). Predicting enterprise cyber incidents using social network analysis on dark web hacker forums. The Cyber Defense Review, 87-102.

Sarkar, S., Almukaynizi, M., Shakarian, J. and Shakarian, P. (2019). Mining user interaction patterns in the darkweb to predict enterprise cyber incidents. Social Network Analysis & Mining, 9(1).

Sauerwein, C., Pekaric, I., Felderer, M., & Breu, R. (2019). An analysis and classification of public information security data sources used in research and practice. Computers & security, 82, 140-155.

Sauerwein, C., Sillaber, C., & Breu, R. (2018). Shadow cyber threat intelligence and its use in information security and risk management processes. Multikonferenz Wirtschaftsinformatik (MKWI 2018).

Shoro, S., Hyder, M. S., & Kazmi, S. N. H. (2018). Social Media Security Risks and Cyber Threats. International Journal of Computer Science & Emerging Technologies, 2(1), 33–37.

Sillaber, C., Sauerwein, C., Mussmann, A., & Breu, R. (2018). Towards a Maturity Model for Inter-Organizational Cyber Threat Intelligence Sharing: A Case Study of Stakeholders' Expectations and Willingness to Share. In Proceedings of Multikonferenz Wirtschaftsinformatik (pp. 1409-1420).

Statista (2019). Number of monthly active social media users in millions by region. Available at: https://www.statista.com/statistics/454772/number-social-media-user-worldwide-region/ (Accessed November 11th, 2019).

Statista (2020). Global social networks ranked by number of users. Available at: https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/ (Accessed March 28th, 2020).

Subroto, A., & Apriyana, A. (2019). Cyber risk prediction through social media big data analytics and statistical machine learning. Journal of Big Data, 6(1), 50.

Syed, R., Rahafrooz, M., & Keisler, J. M. (2018). What it takes to get retweeted: An analysis of software vulnerability messages. Computers in Human Behavior, 80, 207–215.

Taylor, M., Haggerty, J., Gresty, D., Pacheco, N. C., Berry, T., & Almond, P. (2015). Investigating employee harassment via social media. Journal of Systems and Information Technology.

Tayouri, D. (2015). The Human Factor in the Social Media Security – Combining Education and Technology to Reduce Social Engineering Risks and Damages. Available at: http://search.ebscohost.com.proxy.lib.ltu.se/login.aspx?direct=true&db=edsbas&AN=edsbas.7654149E&lang=sv&site=eds-live&scope=site (Accessed January 9, 2020).

Thakur, K., Hayajneh, T., & Tseng, J. (2019). Cyber Security in Social Media: Challenges and the Way Forward. IT Professional, 21(2), 41–49.

Vijayan, J. (2020). Social Media Platforms Double as Major Malware Distribution Centers. Available at: https://www.darkreading.com/vulnerabilities---threats/social-media-platforms-double-as-major-malware-distribution-centers/d/d-id/1333973 (Accessed May 2nd, 2020).

Wang, P., & Park, S. A. (2017). Communication in cybersecurity: a public communication model for business data breach incident handling. Issues in Information Systems, 18(2).

Webster, J., & Watson, R. T. (2002). Analyzing the Past to Prepare for the Future: Writing a Literature Review. MIS Quarterly, 26(2), xiii.

Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.

Wilcox, H., & Bhattacharya, M. (2016). A framework to mitigate social engineering through social media within the enterprise. Proceedings of the 2016 IEEE 11th Conference on Industrial Electronics and Applications, ICIEA 2016, 1039–1044. https://doi-org.proxy.lib.ltu.se/10.1109/ICIEA.2016.7603735.

Williams, S. P., & Hausman, V. (2017). Categorizing the business risks of social media. Procedia computer science, 121, 266-273.

Zhang, Z., & Gupta, B. B. (2018). Social media security and trustworthiness: Overview and new direction. Future Generation Computer Systems, 914.

Zhao, J., & Zhao, S. Y. (2015). Security and Vulnerability Assessment of Social Media Sites: An Exploratory Study. Journal of Education for Business, 90(8), 458–466.