Mitigating the risk of organisational information leakage through online social networking
Abdul Molok, Nurul Nuha (2013)

The inadvertent leakage of sensitive organisational information through the proliferation of online social networking (OSN) is a significant challenge in a networked society. Although considerable research has studied information leakage, the advent of OSN amongst employees represents new fundamental problems to organisations. As employees are bringing their own mobile devices to the workplace, which allow them to engage in OSN activities at anytime and anywhere, reported cases involving leakage of organisational information through OSN are on the rise. Despite its opportunities, OSN has the tendency to blur the boundaries between employees’ professional and personal use of social media, presenting challenges for organisations to protect the confidentiality of their valuable information.

The thesis investigates two phenomena. First, it explores the disclosure of sensitive organisational information by employees through the use of social media. Second, it looks into organisational security strategies employed to mitigate the associated security risks. During the first multiple-case study, employees across four organisations were interviewed to understand their OSN behaviour and the types of work-related information they disclosed online. In the second multiple-case study, the researcher went back to the same organisations and interviewed security managers to understand potential security impacts of employees’ OSN behaviour, and the various security strategies implemented in the organisations. The findings emerging from these interpretive multiple-case studies, based on rich insights from both employees and security managers, led to the development of a maturity framework. This framework can assist organisations to assess, develop or improve their security strategies to mitigate social media related risks.
The framework was evaluated through focus groups with experts in security and social media management. The research, which consists of two sets of multiple case studies and focus groups, has resulted in three main contributions as stated below:

1. Understanding of contextual influences on the disclosure of sensitive organisational information, from multiple perspectives
2. Identification of the influence of managerial attitudes on the deployment of a particular information security strategy, especially in relation to social media use amongst employees
3. Development and evaluation of a Maturity Framework for Mitigating Leakage of Organisational Information through OSN

As suggested by the literature, security behaviour can be either intentional or unintentional in nature. However, this research found that information leakage through employees’ OSN was more unintended than intended, which indicated that generally, employees did not mean to cause security problems to organisations. The research also provided evidence that information leakage through OSN was due to influences that could be categorized into personal, organisational and technological factors. Interestingly, employees and security managers had different understandings of why information leakage through OSN happens. Employees demonstrated that leakage was inadvertent, while security managers did not understand that employees had no intention of causing security problems. These findings suggested that information leakage via OSN could be effectively mitigated by organisations, depending on the way the management perceived how employees’ OSN behaviour could jeopardise the confidentiality of information. In accordance with the security literature, this research found different kinds of security strategies that organisations employed to mitigate security issues posed by OSN.
Interestingly, this research also found that across the organisations, these security strategies varied in their levels of sophistication, revealing certain managerial attitudes which influenced the organisational capability to manage the risk of leakage via employees’ OSN. Since the higher level of strategy sophistication actually results in more risk-averse employee OSN behaviour, this research identified relationships between employee OSN behaviour, OSN security strategies and the managerial attitudes. For example, the organisation that received little management support on security initiatives tended to have poorly developed controls, which resulted in a low level of employees’ awareness of risky OSN behaviour.

Finally, this research culminated in the development of a Maturity Framework for Mitigating Leakage of Organisational Information through OSN which was evaluated by security experts through focus groups. This framework can be used by organisations to assess how well their current information security measures can be expected to protect them from this insider threat. It can also provide recommendations for organisations to improve their current OSN security strategies.