Information Security Awareness through the use of Social Media

The 5th International Conference on Information and Communication Technology for the Muslim World (ICT4M) 2014

Nurul Nuha Abdul Molok, Shuhaili Talib, Asma Md. Ali and Murni Mahmud
Department of Information Systems
Kulliyyah (Faculty) of ICT, International Islamic University Malaysia
Kuala Lumpur, Malaysia
{nurulnuha, shuhaili, sis_asma and murni}@iium.edu.my

Abstract—The proliferation of online social media use amongst employees has been reported to be jeopardizing organizational information security. Despite the benefits of social media to organizations, there have been cases of information leakage, malware, identity theft, espionage and sabotage through such use. This paper explores employees’ awareness of information security around social media and presents the initial findings of a study on a tertiary education institution in Malaysia. As an extension to a previous study, this study also found that employees were disclosing not only personal information but also organizational information on social media. This indicates there is a potential for information security threats to organizations through employees’ use of social media. Nevertheless, the findings demonstrate that some participants were aware of the implications of employees’ use of social media for information security.

Keywords-information security management; information security awareness; information leakage; social media; social networking

I. INTRODUCTION

In the internetworked society, social media can be accessed through multiple computer and communication platforms, anywhere at any time. Such use blurs the boundaries between employees’ professional and personal use of social media, presenting challenges for organizations to protect the confidentiality, integrity and availability of their valuable information.

There has been a series of reported cases worldwide about the use of social media amongst employees and the damage that it brings to organizations and to the employees themselves. For example, in Malaysia, 5 police constables were suspended from work for posting disgraceful remarks about their chief on Facebook [1]. At a local university, a student suddenly became a wanted person for posting a joke about bombing the Prime Minister’s helicopter [2]. In the U.K., the Ministry of Defense’s secrets were leaked 16 times in 18 months via Facebook and Twitter [3]. In the U.S., a congressman tweeted about his secret trip to Iraq and kept posting his whereabouts via his BlackBerry from time to time [4]. An Israeli soldier leaked the location and time of an upcoming raid in his Facebook status update, causing the Israeli military to cancel the entire operation and expel him from his battalion [5]. These are just a few examples.

Social media can be compared to a double-edged sword, as it can facilitate communication on one hand and increase the risk of security incidents on the other [6, 7]. One of the threats posed by the leakage of organizational information through social media is that it can open the door for more serious threats: potential competitors may exploit it to gather business intelligence [8] and cyber criminals may perform cyber espionage or sabotage on targeted organizations [9].

A study suggests that organizations should provide security guidelines to manage employees’ use of social media [7]. However, neither that study in particular, nor the literature in general, specifically addresses how organizations mitigate the risk of inadvertent information leakage through these sites.

This preliminary study is an extension to a set of qualitative studies on information leakage through social media [10, 11]. One of the issues identified in those studies is the need to improve understanding of the security impacts of social media by establishing quantitative empirical evidence. The qualitative studies answered the how and why questions. The current study aims to answer how many, to expand the knowledge about this phenomenon. Thus, using survey questions, this study aims to measure how employees used social media and how many of them were aware of information security issues arising from such use. The study was carried out at a tertiary education institution in Malaysia, involving 47 participants. Opinions from the employees were also sought on how organizations could mitigate security issues arising from social media.

This paper discusses the initial findings of this study. It starts with a brief literature review on information security and social media, followed by the research methods and findings. Finally, it discusses the conclusion of the study.

II. RESEARCH BACKGROUND

A. Information Security Awareness

The paper refers to the definition of information security as given by the international management systems standard for Information Security. It defines it as “the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities” [12]. Following this definition, the paper discusses social media threats and how these threats can affect organizational information, the organization and also employees. In this