A review of social media security risks and mitigation techniques

Journal of Systems and Information Technology - Vol. 14 No. 2 - pp. 171-180 - 2012
Wu He (1)
(1) Department of Information Technology and Decision Sciences, Old Dominion University, Norfolk, Virginia, USA

Abstract

Purpose

The purpose of this paper is to examine social media security risks and existing mitigation techniques in order to gather insights and develop best practices to help organizations address social media security risks more effectively.

Design/methodology/approach

This paper begins by reviewing the disparate discussions in literature on social media security risks and mitigation techniques. Based on an extensive review, some key insights were identified and summarized to help organizations more effectively address social media security risks.

Findings

Many organizations do not have effective social media security policy in place and are unsure of how to develop effective social media security strategies to mitigate social media security risks. This paper provides guidance to organizations to mitigate social media security risks that may threaten the organizations.

Originality/value

The paper consolidates the fragmented discussion in literature and provides an in‐depth review of social media security risks and mitigation techniques. Practical insights are identified and summarized from an extensive literature review. Sharing these insights has the potential to encourage more discussion on best practices for reducing the risks of social media to organizations.

Keywords

