Social-media-based risk communication for data co-security on the cloud

Pages442-463
Publication Date11 Dec 2019
DOIhttps://doi.org/10.1108/IMDS-03-2019-0131
AuthorJean Pierre Guy Gashami,Christian Fernando Libaque-Saenz,Younghoon Chang
SubjectInformation & knowledge management,Information systems,Data management systems,Knowledge management,Knowledge sharing,Management science & operations,Supply chain management,Supply chain information systems,Logistics,Quality management/systems
Social-media-based risk
communication for data
co-security on the cloud
Jean Pierre Guy Gashami
Global ICT Division, KINY & Partners, Seoul, Korea
Christian Fernando Libaque-Saenz
Department of Engineering, Universidad del Pacifico, Lima, Peru, and
Younghoon Chang
School of Management and Economics,
Beijing Institute of Technology, Beijing, China
Abstract
Purpose Cloud computing has disrupted the information technology (IT) industry. Associated benefits
such as flexibility, payment on an on-demand basis and the lack of no need for IT staff are among the reasons
for its adoption. However, these services represent not only benefits to users but also threats, with
cybersecurity issues being the biggest roadblock to cloud computing success. Although ensuring data
security on the cloud has been the responsibility of providers, these threats seem to be unavoidable. In such
circumstances, both providers and users have to coordinate efforts to minimize negative consequences that
might occur from these events. The purpose of this paper is to assess how providers and users can rely on
social media to communicate risky events.
Design/methodology/approach Based on the Situational Theory of Publics and trust, the authors
developed three research questions to analyze stakeholderscommunication patterns after a security breach.
By gathering Twitter data, the authors analyzed the data security breach faced by the Premera Blue Cross
Web application.
Findings The results indicate that Premera acted as the main source of information for Twitter users, while
trustworthy actors such as IT security firms, specialists and local news media acted as intermediaries,
creating small communities around them. Theoretical and practical implications are also discussed.
Originality/value Social media could be use d for diffusing information of pote ntial threats; no research
has assessed its usage in a cloud-based securitybreach context. The study aims to fill this gap and propose
a framework to engage cl oud users in co-securing their data along with cl oud providers when they f ace
similar situations.
Keywords Social network analysis, Information technology, Cloud computing, Risk mitigation,
Premera Blue Cross, Risk communication behaviour
Paper type Research paper
1. Introduction
Cloud computing is disrupting information technology (IT) consumption across industries.
Historically, enterprises needed to buy, rent or lease on-premise solutions. The disadvantage
of this system is that it is not flexible and needs significant investment of time, money and
effort to add new capacity (Vithayathil, 2018). In addition, it requires a permanent IT team to
solve any problem that may arise. Cloud computing services, on the other hand, allow
enterprises to access flexible models, paying for IT services on an on-demand basis.
Enterprises do not need to invest in IT staff because cloud computing providers are
responsible for maintaining the services. Not surprisingly, the cloud computing market for
data centers, software, applications and other services is expected to reach US$547bn by
2018, while by 2022 these services may represent more than half of enterprisesIT
expenditure (Deloitte, 2017).
Although cloud computing provides benefits such as cost reduction, fast time to market,
business mobility and convenience (Chang et al., 2019; Gashami et al., 2016), these services
Industrial Management & Data
Systems
Vol. 120 No. 3, 2020
pp. 442-463
© Emerald PublishingLimited
0263-5577
DOI 10.1108/IMDS-03-2019-0131
Received 11 March 2019
Revised 19 August 2019
9 November 2019
Accepted 13 November 2019
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/0263-5577.htm
442
IMDS
120,3
imply that our data asset is heldon the providers infrastructure. Thisfact may expose users
to risks that are not undertheir control. Accordingly, datarisk has been pointed out as a high
threat to cloudcomputing (Chen and Zhao, 2012; Kingand Raja, 2012; Svantesson andClarke,
2010). Indeed, the World Economic Forum (2019) posits that technological risks such as
cybersecurityand data breach-related risksare becoming a crisis to society. In addition, most
companies, institutes, organizations and governments are transforming theirlegacy in-house
computing systems to cloud-based systems. Even famous IT companies such as Microsoft,
Amazon, Google, Alibab a, Oracle and Salesforce. com are changing their t raditional IT
services to a cloud-based IT service model. These security breaches can cause data losses,
intellectual property theft, physical security threat and other kinds of damagesto users. The
cost of such security breaches is enormous. For instance, costs associated to data security
breaches in the healthcare industry alone could reach US$5.6bn annually (Experian, 2015).
Althoughcloud providers make effortsto ensure the safety of user data, securitybreaches still
occur (Armbrust et al., 2010; Takabi et al., 2010).A report by Alert Logic raised the flag on the
rise of attacks across all incident types for private and cloud hosting providers, with cloud
hosting providers being the most exposed to security threats (Gashami et al., 2016). Some
research even argues that data security breaches are inevitable on the cloud (Staten et al.,
2014). Cloud providers have developed risk management frameworks to deal with these
threats. These risk frameworks focus mainly on risk analysis, risk assessment and risk
mitigation (Me Choi et al., 2016; Zhang et al., 2010). While cloud providers understand the
technical and managerial aspects of implementing these frameworks on their side, it is still
unclear how cloud providers handle consumers throughout the analysis, assessment and
mitigation of security breaches. Existing research suggests that risk communication with all
stakeholders is an important element of risk management in various contexts (Aguirre, 2004;
Lagadec, 2002). It has been shown, for example, thatdeficient communication or lack thereof
limits emergency and recovery efforts during situations of risk mitigation (Reynolds and
Seeger, 2005), while coordinated communication has been found to be crucial for
environmental disaster management (Comfort, 2007). On the cloud front, dealing with data
risk involves both cloud providers and users because at the same time as cloud providers
prepare foror deal with any potential datasecurity breach, risk communication with userscan
play a crucial role in limiting the potential damages. Given that cloud computing is still a
relatively new concept, user awareness on data practices and protection through proper
communicationcan prevent serious data loss or theft. Forexample, the National Initiativefor
Cybersecurity Education created by the US Government recognizes the role of awareness in
online user self-protection (Paulsen et al., 2012). Indeed, communication of potential security
breaches to users can to some extent prompt the enhancement of data protection practices
such as changing or reinforcing weak passwords, using private keys, shifting to two-step
authentication or enabling local backup of data (Rainie and Duggan, 2014). Conversely,
deficient, ineffective or inaccurate communication of potential threats to user data can affect
mitigation efforts(Cavoukian, 2009). Prior research even suggests that retaining information
from security breaches can increase thepossibility of damages (SamuelsonLaw, Technology
& Public Policy Clinic, 2007). Despite the relevance of risk communication in the context of
cloud computing, to the best of our knowledge there is no research on its role in risk
management situations.
Prior studies on risk and crisis management agree on the importance of pre- and
post-crisis communication (Coombs and Holladay, 1996; Veil et al., 2011). Hence, it is
important to identify potential channels to achieve good communication. New social media
networks such as Twitter and Facebook have been suggested as new avenues for
channeling information during the risk management process due to their low cost and
worldwide usage (Schultz et al., 2011; Wright and Hinson, 2009). With more than 335m and
2.2bn active users, respectively (Twitter, 2019), these media have become an important
443
Social-media-
based risk
communication

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT