Disclosure of Organizational Information by Employees on Facebook: Looking at the Potential for Information Security Risks

Online social networking (OSN) is a global phenomenon and its use by employees has been reported to be detrimental to organizations. Nevertheless, OSN impacts on organizational information security are rarely discussed in academic literature. This study investigates the use of OSN sites by employees and work-related information disclosed on their personal pages that may jeopardize the security of organizational information. The paper presents the characteristics of work-related information that can be disclosed on Facebook, possibly has the potential to open the doorway for information security threats. It also discusses the qualitative findings from four Malaysian-based organizations under study. Across these four organizations, 22 employees who were active users of Facebook were interviewed to obtain their OSN experience, to explore information they disclosed online and the underlying reasons for doing so. The findings will facilitate our recommendation for organizations to minimize this issue by understanding the behavioural facets of information security

Information Leakage through Online Social Networking: Opening the Doorway for Advanced Persistence Threats

The explosion of online social networking (OSN) in recent years has caused damages to organisations due to leakage of information by their employees. Employees’ social networking behaviour, whether accidental or intentional, provides an opportunity for advanced persistent threats (APT) attackers to realise their social engineering techniques and undetectable zero-day exploits. APT attackers use a spear-phishing method that targeted on key employees of victim organisations through social media in order to conduct reconnaissance and theft of confidential proprietary information. This conceptual paper posits OSN as the most challenging channel of information leakage and provides an explanation about the underlying factors of employees leaking information via this channel through a theoretical lens from information systems. It also describes how OSN becomes an attack vector of APT owing to employees’ social networking behaviour, and finally, recommends security education, training and awareness (SETA) for organisations to combat these threats

Exploring The Use Of Online Social Networking By Employees: Looking At The Potential For Information Leakage

The proliferation of online social networking (OSN) in recent years has caused organizations information security threats due to disclosure of information by their employees on their sites. The accessibility of OSN to anyone, at any time, using any devices, causes confidential and sensitive organizational information to be disclosed to unauthorised individuals, whether accidentally or intentionally. This study aims to explore this current phenomenon by investigating OSN use behaviour among employees that leads to information leakage through the lens of Decomposed Theory of Planned Behavior. It also seeks to investigate the strategies utilized by organizations to control such use and propose a control framework that effectively safeguards organizational information security from this threat

Advanced persistent threats awareness and readiness: a case study in Malaysian financial institutions

Advanced Persistent Threats (APT) has targeted the financial institutions (FI) for intelligence gathering on sensitive customer information and monetize the attack. APT could cause disastrous impact to the targeted FI and the country's economy if there is a lack of preparation to confront these challenges and attacks. A case study on local FI was carried out to examine the influencing factors of APT awareness among FI's cybersecurity practitioners and to investigate the security strategies employed by FI to protect them from APT attacks. Feedback from CyberSecurity Malaysia (CSM) was sought to validate the findings. It was found that the factors that influence APT awareness in local FI include the emphasis on informal learning on APT, attackers' financial motivation, the FI's reputational risks and the availability of financial regulatory requirements to combat any cybersecurity risks. The awareness has led cybersecurity practitioners in local FI to implement advanced security technologies and integrated security controls as their readiness to defend FI against APT attacks

Persuasive technology from Islamic perspective

The effective use of persuasive technology in health, computing, sales, education, environment, etc is rapidly expanding. Persuasive technology is efficient in changing the attitudes and behaviours of end users. This paper demonstrates how persuasive technology and its design factors proposed in FBM are associated with the Islamic perspective from the Quran and Hadith. This paper starts by explaining the ethics of persuasive technology and discussing persuasive technology and its principal design factors in the Islamic perspective. The paper also discusses the extent to which Islamic principles enhance the concept of persuasive technology as an interactive computing system that could change attitudes and behaviours. In particular, this paper discusses how practices and principles of the design factors of persuasive technology were identified and applied in early Islamic era. The conceptual findings assert that Islamic principles are a universal and contemporary religion that cares for persuasive technology concepts

A case analysis of securing organisations against information leakage through online social networking

The inadvertent leakage of sensitive information through Online Social Networking (OSN) represents a significant source of security risk to organisations. Leakage of sensitive information such as trade secrets, intellectual property and personal details of employees can result in a loss of competitive advantage, loss of reputation, and erosion of client trust. We present 4 case studies which examine drivers for employee leakage behaviour and corresponding security management strategies. Drawing on these case studies, we present a maturity framework for organisational OSN Leakage Mitigation Capability (OSN-LMC) and lessons learned from the case analysis

Responsibility-value alignment in information security governance

This paper contributes by discussing the categorization of responsibilities of top management in information security to the four (4) leadership characteristics in Islam as defined and showed by the Prophet Muhammad (PBUH). Contemporary studies, mostly from the West explores the responsibilities of the top management in information security. However, without binding the responsibilities to a specific set of virtue ethics, it will only become a set of tasks rather than responsibilities. Therefore, based on the literature review, this paper introduces a conceptual model that describe the categorization of management’s responsibilities in information security governance to the four (4) Islamic leadership principles – Truthfulness, Trustworthiness, Advocacy and Wisdom. This model allows researchers and practitioners to understand and appreciate the accountability of top management in steering information security initiatives in their organizations from Islamic perspective

Persuasive technology in the Islamic perspective: the principles and strategies

The employment of persuasive technology in education, computing, sales, health, and environment is dramatically increasing. Persuasive technology is powerful in changing the attitudes and behaviours of end users. This paper begins by presenting the ethics of persuasive technology which are relevant to Islamic values and beliefs, and how the concept of persuasion had been applied in Islam practices to influence people. It explores how persuasive technology and its design factors presented in FBM are related to the Islamic practices proven in the Quran and Hadith. Additionally, this paper discusses persuasive technology strategy tools and their activities from Islamic prospective. The paper also examines in depth how Islamic concepts improve the perception of persuasive technology as an interactive computing system which is able to modify attitudes and behaviours. Essentially, this paper also demonstrates how practices and principles of the design factors and strategy tools of persuasive technology have been identified and utilized in early Islamic age. Those principles and strategies are further analyzed from Quran verses and Hadith that are of particular relevance. The conceptual results claim that Islamic principles are a contemporary and universal religion that takes care of the persuasive technology aspects and view of the critically of persuasive technology to Muslim society

Persuasive technology for improving information security awareness and behavior: literature review

The use of Persuasive Technology in various fields is rapidly increasing. It can be applied in many fields such as computing, marketing, sales, environment, education, and health. Persuasive Technology has been found effective in bringing a required change in users' behaviors and attitudes. However, the use of persuasive technology is scarce in the field of Information Security awareness. This paper reviews extensive literature review which focuses on a perspective on how to create awareness among users for good information security practices by applying Persuasive Technology techniques and approaches. The conceptual findings suggest there is a tremendous potential of Persuasive Technology to be applied to persuade users to change their behavior and perception toward Information Security practices

Information security awareness through the use of social media

The proliferation of online social media use amongst employees has been reported to be incriminating organizational information security. Despite the benefits of social media to organizations, there were cases of information leakage, malware, identity theft, espionage and sabotage through such use. This paper explores employees' awareness of information security around social media and presents the initial findings of a study on a tertiary education institution in Malaysia. As an extension to a previous study, this study also found that employees were not only disclosing personal information but they are also disclosing organizational information on social media. This indicates there is a potential for information security threats to organizations through employees' use of social media. Nevertheless, the findings demonstrate that some participants were aware about the implications of employees' use of social media to information security