ScienceDirect

Available online at www.sciencedirect.com

ScienceDirect
Procedia Computer Science 00 (2019) 000–000
www.elsevier.com/locate/procedia
Available online at www.sciencedirect.com
Procedia Computer Science 00 (2019) 000–000
www.elsevier.com/locate/procedia
ScienceDirect
Procedia Computer Science 181 (2021) 302–309
CENTERIS - International Conference on ENTERprise Information Systems / ProjMAN -
International Conference on Project MANagement / HCist - International Conference on Health
CENTERIS - and Social Care
International Information
Conference Systems and Technologies
on ENTERprise 2020 / ProjMAN -
Information Systems
International Conference on Project MANagement / HCist - International Conference on Health
Analytical framework for
and Social Care social media
Information Systems risk analysis 2020
and Technologies in organizations
Analytical Susan
framework fora,*,social
P. Williams Clara S.media risk
Nitschke a
analysis
, Catherine A. in organizations
Hardyb

a
Center for Enterprise Information Research, University of Koblenz, Koblenz, 56070, Germany
a, a
SusanUniversity
P. Williams
b *, Clara
of Sydney Business School,S. Nitschke
University , Catherine
of Sydney, A. Hardyb
Sydney, 2006, Australia
a
Center for Enterprise Information Research, University of Koblenz, Koblenz, 56070, Germany
b
University of Sydney Business School, University of Sydney, Sydney, 2006, Australia
Abstract

In this paper we examine the complex and changing configurations of social media risks in organizations. To gain a deeper
Abstract
understanding of the nature, structure and interrelatedness of social media risks we develop a framework for risk analysis that
provides multifaceted
In this paper we examine profiles of risk types
the complex and risk incidents.
and changing Through
configurations the process
of social media of developing
risks the risk analysis
in organizations. To gain aframework
deeper key
insights into social media risks in organizations were made visible. Social media risks were found to be:
understanding of the nature, structure and interrelatedness of social media risks we develop a framework for risk analysis i) evolving, overlapping
that
and highly interrelated leading to derivative risks and risk chains; ii) spatiotemporal in nature, having broad
provides multifaceted profiles of risk types and risk incidents. Through the process of developing the risk analysis framework spatial reach, bothkey
geographical and relationally and long temporal frames that link current risks to future consequences, emphasizing
insights into social media risks in organizations were made visible. Social media risks were found to be: i) evolving, overlapping the need for a
longitudinal view iii) representing
and highly interrelated multiple stakeholder
leading to derivative interests
risks and risk chains;and risk appetites, and
ii) spatiotemporal iv) blurring
in nature, having thebroad
boundaries
spatial between
reach, both
business, professional
geographical and individual
and relationally and longrisks and perceptions
temporal frames thatoflink
risk. Theserisks
current insights open consequences,
to future up imperativesemphasizing
for further research
the needand
for a
invite the potential for alternative theoretical lenses to examine these variations in perceptions and spatiotemporal
longitudinal view iii) representing multiple stakeholder interests and risk appetites, and iv) blurring the boundaries between perspectives on
social media risk.
business, professional and individual risks and perceptions of risk. These insights open up imperatives for further research and
invite the potential for alternative theoretical lenses to examine these variations in perceptions and spatiotemporal perspectives on
© 2020media
social The Authors.
risk. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
© 2021 The Authors.
Peer-review Published byof
under responsibility Elsevier B.V.
the scientific
© 2020 The Authors. Published by Elsevier B.V. committee of the CENTERIS - International Conference on ENTERprise
This is an open
Information access/ ProjMAN
Systems article under
- the CC BY-NC-ND
International license
Conference (https://creativecommons.org/licenses/by-nc-nd/4.0)
on Project MANagement / HCist - International Conference on Health
This is an
Peer-review open access
under article under
responsibility the
of andCC BY-NC-ND
the Technologies license
scientific committee (https://creativecommons.org/licenses/by-nc-nd/4.0)
of the CENTERIS - International Conference on ENTERprise
and Social
Peer-review Care Information Systems
under responsibility of the scientific 2020
committee of the MANagement
CENTERIS -/ HCist
International Conference on ENTERprise
Information Systems / ProjMAN - International Conference on Project - International Conference on Health
Information Systems
and Social Care / ProjMAN
Information - International
Systems Conference
and Technologies 2020on Project MANagement / HCist - International Conference on Health
and Social Care Information Systems and Technologies 2020
Keywords: social media risk; risk analysis framework; risk profiling; risk chains; spatiotemporal;

Keywords: social media risk; risk analysis framework; risk profiling; risk chains; spatiotemporal;

* Corresponding author. Tel.: +49 261 287 2552; fax: +49 261 287 2521.
E-mail address: williams@uni-koblenz.de
* Corresponding author. Tel.: +49 261 287 2552; fax: +49 261 287 2521.
1877-0509 © 2020 The
E-mail address: Authors. Published by Elsevier B.V.
williams@uni-koblenz.de
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the CENTERIS - International Conference on ENTERprise Information Systems /
1877-0509 © 2020 The Authors. Published by Elsevier B.V.
ProjMAN - International Conference on Project MANagement / HCist - International Conference on Health and Social Care Information Systems
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
and Technologies 2020
Peer-review under responsibility of the scientific committee of the CENTERIS - International Conference on ENTERprise Information Systems /
ProjMAN - International Conference on Project MANagement / HCist - International Conference on Health and Social Care Information Systems
and Technologies 2020
1877-0509 © 2021 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the CENTERIS - International Conference on ENTERprise
Information Systems / ProjMAN - International Conference on Project MANagement / HCist - International Conference on
Health and Social Care Information Systems and Technologies 2020
10.1016/j.procs.2021.01.150
 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309 303
2 Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000

1. Introduction

The organizational use of social media platforms has increased rapidly and social media is now routinely used to
market products, communicate with stakeholders, obtain feedback and respond to queries, recruit new employees and
to collaborate with business partners [1] [2] [3]. A significant and growing body of research has examined the strategic
uses of social media [4] [5]. However, less attention has been directed towards examining the risks and vulnerabilities
arising from the organizational use of social media, prompting calls for further studies in social media risk analysis
and governance [6] [7].
Managing social media risks across diverse social media platforms and in changing regulatory environments, has
also remained a key concern for practitioners from the board level to the individual over a number of years [8] [9]
[10]. Practitioner surveys also consistently report social media as a key strategic risk area for organizations [11] [12]
and having a significant impact on how business is conducted, brand and regulatory processes, and relationships with
customers [12]. Despite its strategic importance, there remains an insufficient understanding of social media risks and
organizations lack satisfactory social media risk monitoring plans [13]. In response to calls for deeper engagement
with social media risk at a theoretical and practical level, this paper examines the structure and nature of social media
risks. Building on our previous work on the categorization of social media risks (anonymized for review) the objectives
of this work are to i) identify key aspects/dimensions of social media risk and risk incidents; and ii) draw from the
identified risk aspects to develop a multi-dimensional risk profile that can be used to structure and analyze individual
risk incidents. The outcome is an analytical framework for identifying and profiling social media risks; providing a
more complete, nuanced and in-depth analysis of the organizational risks of social media.

2. Organizational risks of social media

Existing studies of social media risks in organizations typically examine risks as they arise in specific domains or
industry sectors, providing overviews of social media risks in sectors such as finance, health and government [14] [15]
[16]. Other studies emphasize the risks of social media and their consequences for the work of specific professional
groups, for example medical, legal, law enforcement, human resources and marketing professionals [17] [18] [19]. A
further group of studies have focused on specific types of social media risk, for example, security risks, content risks
or reputational risks (e.g., [20] [22]). A small, but important body of prior research studies have addressed risk
identification (e.g., [23] [24]) and the categorization of social media risks (e.g., [6] [7] [25] [26]). Whilst these studies
provide a useful starting point, our analysis revealed a number of limitations in terms of their completeness and depth,
and there remains to date, no comprehensive overview of the organizational social media risk landscape.
Further, social media platforms are by nature highly complex sociotechnical systems, evolving through the addition
of new functions and changing uses, which may potentially generate new sources of risk and new risk types. This
presents a challenge as “the dynamic nature of risks has important implications for the design of a risk classification
system” [27]; new risks must, over time, be identified, assessed and incorporated into the risk analysis process.
Thus, although social media risks are acknowledged as being of importance in the academic literature, current work
is fragmented and largely cross-sectional in nature, with limited attention given to the in-depth analysis and
theorization of these risks and how they are evolving over time [6] [28]. In our previous work [28] we addressed these
limitations; in this study we extend this work through the development of a framework for social media risk analysis.

3. Research approach and research design

Following an iterative, interpretive research design [29], the study addresses the requirement for a deeper
understanding of social media risks by identifying key aspects of risk; resulting in the development of a method for
social media risk profiling and a database of social media risk incidents.

3.1. Social media risk profiling

In previous work we developed a social media risk categorization schema; through which we identified six main
risk categories: Technical, Human, Content, Conformance, Performance, and Reputational and 76 associated sub-
304 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309
Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000 3

categories (see: [28] for more detailed information). However, whilst the categorization schema provides an in-depth
categorization of social media risks, it provides limited insight into the complexity of those risks and the different
ways they manifest themselves in practice. This study develops a method and process for risk profiling in order to
extend the previous work and examine the complex, interrelated nature of social media risks. The objectives of the
research are to i) identify key aspects/dimensions of social media risk and risk incidents; and ii) draw from the
identified risk aspects to develop a multi-dimensional risk profile that can be used to structure and analyze individual
risk incidents. The process of developing the framework and key insights are presented in this paper.

3.2. Data collection and analysis

To achieve these objectives, social media incidents were collected from the academic and professional literatures
and from publicly accessible incident reports such as news reports and administrative documents (e.g. press releases,
court reports). An incident database was created and a record was generated for each incident. As new incidents are
identified they are added to the database, which currently contains 99 incident records (June 2020). Data analysis was
conducted using an iterative qualitative coding process following Saldaña [30] and Miles, Huberman & Saldaña [31],
through which each incident was then analyzed to identify the different risk aspects and the risk types involved. First,
a generic risk profile, the social media risk type profile was derived (Figure 1 left). This is a coordinative document
containing high-level information relating to key aspects of each social media risk type. Including, for example, the
source and target of the risk, links to specific risk incidents where this risk occurred and cross-references to other
social media risk types and referenced literature sources.

Figure 1: Social media risk type profile (left) and Social media risk incident profile (right)

Through further coding cycles a more detailed analysis instrument, the social media risk incident profile (Figure 1
right) was developed. The risk incident profile contains more detailed information about specific real-world risk
incidents. For example, information concerning the stakeholders involved, the affected entities, locus of risk, whether
the risk is episodic or ongoing, whether the risk is specific to social media, which social media platforms and
information types are involved, the impact of the risk and what consequences, responses or actions resulted from this
incident. Actions include, for example, the development of new usage guidelines, termination of an employment
contract, legal responses such as financial measures or custodial sentencing; providing further insights into the
perceived seriousness of the risk to the stakeholders involved. Also included in the risk incident profile are fields to
enable cross-referencing to identify related risks or subsequent risk incidents and links to referenced literature sources;
thus, enabling similar risks to be compared and the linkages between related incidents to be examined.
 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309 305
4 Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000

Risk type profiles were created for all the risk types identified in the previously defined risk categorization
schema [28] and risk incident profiles were created for all the identified risk incidents. A single risk type profile is
linked to one or more risk incident profiles, that is, to multiple real-world cases where this risk type occurred. A
single risk incident profile may contain one or more risk type instances. An example is provided in Figure 2, which
shows the risk profile for the social media risk type Hacking and the associated risk incident (ID IN65)
Hackers_Twitter_FalseInformation_AssociatedPress. This was a case where the Associated Press Twitter account
was hacked and false information published about an attack on the White House [32]. As can be seen in the risk type
profile (Figure 2 left), the risk type Hacking is associated with three risk incidents (IN22; IN54; IN65). In addition to
Hacking, the risk incident profile ID IN65 (Figure 2 right) includes instances of three further risk types (Brand
hijacking; False information; Financial losses and cost).

Figure 2: Example of social media risk incident profile for risk type Hacking

3.3. Social media risk chains

The risk profiling method has enabled us to conduct a much more thorough and nuanced analysis of social media
risks. An interesting outcome from the analysis of the data contained in the risk incident profiles is the finding that
risks are frequently linked and interrelated. The risk incident profile reveals that the occurrence of one risk may be a
trigger for a subsequent risk, or itself an outcome of a previously occurring risk. Thus, forming what we define as risk
chains. This was frequently the case with reputational risks, which usually occurred as an outcome of another type of
risk. For example, a risk chain is triggered by a hacking attack where an unauthorized party gains access to the social
media account of a company; this results in loss of content control and the posting of inappropriate content. This in
turn causes a loss of customer confidence, either because of the nature of the posted content or the perception that the
company is not trustworthy since it cannot control its social media, ultimately manifesting in reputational or economic
damage, through for example, decline in image or loss of customers, decline in market share etc.
In this study, we used the risk incident profiling method outlined above to also identify and visualize risk chains.
Whenever we encountered linkages between risks during the risk incident analysis they were captured in a separate
record and then analyzed further and visualized as risk chains. The risk chain example described above along with the
associated social media risk incident profile is visualized in Figure 3. In this incident (IN65), the Twitter account of
the news gathering organization Associated Press was hacked in April 2013, which allowed the hackers to hijack the
organization’s brand. Posting ‘on behalf’ of the Associated Press, the hackers published a tweet with a false story
about a terror attack at the White House. The consequence of this action was that within minutes havoc was created in
306 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309
Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000 5

the stock market with the Dow Jones Industrial Average falling 150 points [32]. The risk profiling process revealed
many such cases where an initial event/action triggered multiple, linked risk types creating a risk chain.

Figure 3: Risk chain example for IN65 Hackers_Twitter_FalseInformation_AssociatedPress.

We also identified extended risk chains where one risk incident triggers a new, separate risk incident involving
additional events, stakeholders, actions and consequences. The concept of risk chains is an important finding from
the risk profiling process and requires further analysis; these more complex configurations of risk chains and their
visualization are currently being addressed in the next phase of this research.

4. Analytical framework for social media risk analysis

Through the iterative process of analyzing the extant literature and real-world risk incidents and guided by the
research design presented above, we developed four risk analysis instruments: the social media risk categorization
schema [28], risk type profile, risk incident profile and risk chain visualization. Used together these four instruments
provide the basis for the analytical framework to guide the identification and in-depth analysis of social media risks
(Figure 4).
Social m edia risk cat egory and t ype analysis Social m edia risk incident analysis
Schem a m aint enance Risk profiling
Objective: to m aintain and Objective: to develop risk profiles and analyse risk incidents
update the SM risk
categorisation schem a.

If new SM risk type is Literature (scholarly

If new SM risk type is
articles. industry
identified from SM risk identified from SM risk reports, newspaper
incidents, then update incidents then create new articles)
categorisation schema SM risk type profile Scanning of SM risk incidents
Incident narrative
Incident narrative
Incident narrative
Type 1.1 Creation of SM Analysis of SM
Category 1
Type SM risk SM risk risk incident profiles risk incidents
Type 1.2
Category 2 1.2.1 type incident
profiles profiles
… …
…

SM risk categorisation schema Development of risk chains to

visualise dependencies
between risk instances
identified in SM risk incidents

SM risk chain
visualisations

Analysis of links between

separate risk incidents

Social m edia risk analysis dat abase

Figure 4: Analytical framework for social media risk analysis

The framework comprises the two interlinked activities: Social media risk category and type analysis and social
media risk incident analysis. Social media risk category and type analysis involves the maintenance and updating of
the risk classification schema and individual risk profiles. Whenever a new risk type is identified it must be categorized
and added to the categorization schema and a risk type profile (Figure 1) created to record the basic information
regarding the risk type. The main activity is social media risk incident analysis which involves firstly scanning the
literature (including industry reports, news articles as well as scholarly publications) to identify new risks incidents.
 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309 307
6 Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000

A risk incident profile is created for each new risk incident containing the key aspects of the incident, including, risk
types, stakeholders, locus of risk, nature of risk, platforms and information involved, consequences for and actions
taken by organizations etc. (see Figure 1). The risk incidents are then further analyzed to identify and examine linkages
between risks instances and risk incidents (risk chain analysis). These are then captured and visualized as risk chains.
These methods for risk profiling and risk chain analysis have enabled us to develop a large body of data about social
media risks and risks chains, enabling us to examine risk complexity and how social media risks and the risk landscape
are changing. For example, the in-depth analysis of a risk incident has revealed the emergence of new stakeholders
and new places where the risk occurs. It also serves to uncover changes in the ways that risks are being interpreted and
addressed by organizations, how risks and their consequences are viewed, and the specific actions and measures being
applied to mitigate risks. The resulting analytical framework extends previous studies of social media risk in
organizations, by providing a more comprehensive and faceted categorization of social media risks in organizations
as well as a systematic method for the in-depth analysis of risk incidents and risk chains. In the following section we
discuss some of the key insights gained through the development and use of the framework to identify and analyze
social media risks in organizations.

5. Discussion of findings and imperatives for future research

The primary motivation for developing the social media risk analysis framework and risk incident database was to
provide a means to systematically capture data about social media risks in order to investigate their complex and
changing nature. Through the process of developing the framework we gained the following key insights into social
media risks in organizations and identified areas requiring further research investigation.
Evolving and overlapping nature of risk types. The process of risk profiling makes visible the complex assemblages
of actors, events, actions and technologies that become entangled during the use of social media in organizations. The
analysis of real-world risk incidents also revealed that risks manifest themselves in multiple ways and thus, may appear
in more than one risk category; requiring a flexible form of categorization. Further, social media’s highly interactive,
complex and rather uncontrollable nature brings the potential for new risks to arise [33]. Consequently, risk analysis
is an ongoing process. This faceted and evolving nature of risk types raises challenges for both risk management and
governance and raises the imperative for a further stream of research to examine alternative risk governance
approaches.
Spatiotemporal nature of social media risks. Our analysis also reveals a strong spatiotemporal element to social
media risks. The locus of risk, where the risk originates (the source) and the various sites of impact range from places
within the organization to sites very distant from the organization; involving stakeholders from the company’s
employees to third parties totally unknown and beyond the control of the user organization. Further, the timing of risk
and when the risk becomes visible may vary. Some risk types have immediate consequences whereas others, often
part of a risk chain, may only become manifest long after the original risk incident occurred. A limitation of prior work
on social media risk is that most studies are snapshots of risks at a single point in time and fail to track the consequences
of, and linkages between risks over time. The framework for analyzing social media risks and the database of risk
incidents developed in this study are enabling us to identify and monitor these spatiotemporal variations in the structure
and nature of risks and to capture a longitudinal view of the changing profiles of social media risk and its treatment in
organizations. The social media risk framework and incident database form an archive of research artefacts (literature
and risk incidents) and risk analyses (risk profiles, risk chains). This provides a record of organizational experiences
with, and responses to social media risks as they were lived, that can be shared and used by future researchers to
understand how social media risks evolved and changed.
Stakeholder interests and risk appetite. A limitation of prior research on social media risk is that the unit of analysis
has focused primarily on the user organization and has paid less attention to the broader palette of stakeholders and
relevant social groups enmeshed in the wider platform ecosystem. Our previous study on risk categorization and the
current in-depth analysis of social media risks identified the involvement of a wide range of stakeholder groups,
including the social media using organization and its employees, as well as external stakeholders, such as business
partners, customers and regulators. Some of these groups have a close relationship, and some have no direct
relationship with the social media using organization. Further, there is considerable variability in perceptions of risk
[34] as organizations and individuals have differing appetite for, or aversion to specific social media risks. This was
308 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309
Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000 7

revealed in the risk incident profiles, in particular through the analysis of the different actions taken by organizations
following a risk incident. Our preliminary analysis revealed that some organizations have a higher appetite for social
media risk than others. Further, existing risks may take on greater or less importance shaped by public perceptions of
risk or by changing legal and regulatory responses, thus requiring research that incorporates theoretical lenses sensitive
to the social amplification or attenuation of risk. Through the risk categorization and risk profiling activities we now
have data captured in the regularly updated database of risk incident profiles that can be used to track the impact of
specific risk types and to understand how responses to them are changing over time. This database now provides the
foundation for further research to examine the changing risk landscape and to incorporate interdisciplinary theoretical
lenses such as the social amplification of risk framework [35] for monitoring and explaining these changes.
Stakeholder perspective, identity and the blurring of boundaries. The risk analysis process also made visible the
blurring of identities and the intersection of the boundaries between business, professional and personal perspectives
on social media risk. For example, the “friending of a customer or client” in Facebook may be seen as a positive thing
from a business perspective, bringing the business closer to its customers; however, in many professional fields [36]
the act of friending may represent a breach of ethical rules regarding inappropriate relationships with clients and is
thus, treated differently from a professional perspective. Further, the blurring of boundaries between the personal and
organizational use of social media may shape how individuals communicate and behave in their work lives or lead to
activities from their personal lives being under scrutiny by their employers (e.g. [37]). In addition, things employees
(or their families and friends) do outside work using their personal social media account may bring organizational
risks and consequences (e.g. [38]). Further research is required to examine this blurring of boundaries and roles with
relation to social media and to understand social media, risks and vulnerabilities from the differing identities of
individual stakeholders. To address these aspects of stakeholder perspective and risk appetite we have initiated a stream
of research to gain an understanding of the significance of social media risks from different stakeholder groups;
experiences of social media risks, both organizationally and individually (e.g. attitudes, meanings, importance); and
how social media risks are being governed in organizations. This work has commenced with an interview-based study
to examine social media and social media governance from the perspective of executive board members, who as a
group have mandates to make decisions about what is best for the organization, must comply with fiduciary duties and
professional codes of conduct and may also use social media in their personal lives.

6. Concluding remarks

In this paper we have identified social media as complex, changing and affording limited control from the
perspective of the end-user organizations. We argue that the existing literature lacks detail and precision in the ways
social media risks are presented and has, to date, paid limited attention to the complex and changing configurations of
risk. We address this limitation and present an account of the development of a framework and tools to enable the
longitudinal analysis and monitoring of social media risks in organizations. We build on our previous work on social
media risk categorization to gain a deeper understanding of the nature and structure and interrelatedness of social
media risks we developed tools and a method for risk profiling and risk chain analysis that provide multifaceted
profiles of risk types and risk incidents. This work extends previous work in both scope and depth and provides the
foundation for building a longitudinal view that captures the people, actions and events surrounding social media risks
in organizations. The risk analysis work is ongoing and the database is continuously extended to include new incidents
and risk types as they arise. Our current stream of research is directed towards an empirical examination of
organizations perceptions of, and strategies for, the governance of social media and is adding personal accounts of
strategies for social media risk governance to the archive.

References

[1] Dong, J. Q., & Wu, W. (2015). Business value of social media technologies: Evidence from online user innovation communities. Journal of
Strategic Information Systems, 24, 113–127.
[2] Goh, K.-Y., Cheng, S. H., & Zhije, L. (2013). Social Media Brand Community and Consumer Behavior: Quantifying the Relative Impact of
User- and Marketer-Generated Content. Information Systems Research, 24, 88–107.
[3] Majchrzak, A., Faraj, S., Kane, G. C., & Azad, B. (2013). The contradictory influence of social media affordances on online communal
knowledge sharing. Journal of Computer-Mediated Communication, 19, 38–55
 Susan P. Williams et al. / Procedia Computer Science 181 (2021) 302–309 309
8 Susan P. Williams et al. / Procedia Computer Science 00 (2019) 000–000

[4] Wakefield, R., & Wakefield, K. (2016). Social media network behavior: A study of user passion and affect. Journal of Strategic Information
Systems, 25, 140–156.
[5] Baptista, J., Wilson, A. D., Galliers, R. D., & Bynghall, S. (2017). Social Media and the Emergence of Reflexiveness as a New Capability
for Open Strategy. Long Range Planning, 50, 322–336.
[6] Demek, K. C., Raschke, R. L., Janvrin, D. J., & Dilla, W. N. (2018). Do organizations use a formalized risk management process to address
social media risk? International Journal of Accounting Information Systems, 28(May 2016), 31–44.
[7] Di Gangi, P. M., Johnston, A. C., Worrell, J. L., & Thompson, S. C. (2016). What could possibly go wrong? A multi-panel Delphi study of
organizational social media risk. Information Systems Frontiers, 20, 1097–1116.
[8] ISACA. (2010). Social Media: Business Benefits and Security, Governance and Assurance Perspectives (White Paper). In: ISACA
Emerging Technology White Paper.
[9] Mennie, P. (2015). Social Media Risk and Governance. Philadelphia, PA: Kogan Page.
[10] Zhang, J. (2016). Hype Cycle for Legal and Regulatory Information Governance, 2016. Gartner.
[11] McClure, J., & Parkinson, A. (2017). The State of Digital and Social Media Risk Management. SNCR 2020 Series. Exploring New
Communications Tools and Technologies, October.
[12] NC State University, & Protiviti. (2018). Executive Perspectives on Top Risks in 2019. Retrieved April 18, 2019, from
https://www.knowledgeleader.com/knowledgeleader/content.nsf/web+content/surveyreportexecutiveperspectivesontoprisks2019
[13] O’Brian, D. (2019). Social media and its importance to the board. Retrieved March 6, 2019, from NACD Directorship website:
https://www2.deloitte.com/us/en/pages/center-for-board-effectiveness/articles/social-media-and-its-importance-to-the-board.html
[14] Bertot, J. C., Jaeger, P. T., & Hansen, D. (2012). The impact of polices on government social media usage: Issues, challenges, and
recommendations. Government Information Quarterly, 29, 30–40.
[15] FFIEC. (2013). Social Media: Consumer Compliance Risk Management Guidance (pp. 1–31). pp. 1–31. Retrieved from
https://www.occ.treas.gov/news-issuances/bulletins/2013/bulletin-2013-39.html
[16] Lim, W. M. (2015). Social media in medical and health care: Opportunities and challenges. Marketing Intelligence & Planning, 34, 964–
976.
[17] Balog, E. K., Warwick, A. B., Randall, V. F., & Kieling, M. C. (2012). Medical professionalism and social media. Military Medicine, 177,
123–125.
[18] Lackey Jr, M. E., & Minta, J. P. (2012). Lawyers and Social Media: The Legal Ethics of Tweeting, Facebooking and Blogging. Touro Law
Review, 28(1), Article 7.
[19] Terry, N. (2012). Fear of Facebook: Private ordering of social media risks incurred by healthcare providers. Nebraska Law Review, 90(3).
[20] Aula, P. (2010). Social media, reputation risk and ambient publicity management. Strategy & Leadership, 38(6), 43–49.
[21] Brivot, M., Gendron, Y., & Guénin, H. (2017). Reinventing organizational control. Meaning contest surrounding reputational risk
controllability in the social media arena. Accounting, Auditing & Accountability Journal, 30, 795–820. https://doi.org/10.1108/AAAJ-06-
2015-2111
[22] DeCamp, M. (2013). Physicians, social media, and conflict of interest. Journal of General Internal Medicine, 28, 299–303. He, W. (2012).
A review of social media security risks and mitigation techniques. Journal of Systems and Information Technology, 14, 171–180.
https://doi.org/10.1108/13287261211232180
[23] Braun, R., & Esswein, W. (2012). Corporate risks in social networks - Towards a risk management framework. 18th AMCIS 2012.
[24] Thompson, T., Hertzberg, J., & Sullivan, M. (2013). Social media risks and rewards. Retrieved March 20, 2017, from
http://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2013/ADV-social-media-survey.ashx
[25] Munnukka, J., & Järvi, P. (2014). Perceived risks and risk management of social media in an organizational context. Electronic Markets, 24,
219–229.
[26] Oehri, C., & Teufel, S. (2012). Social media security culture. Information Security for South Africa (ISSA). Johannesburg, SA.
[27] American Academy of Actuaries. (2011). On Risk Classification. Washington, DC: American Academy of Actuaries.
[28] Williams, S. P., & Hausmann, V. (2017). Categorizing the Business Risks of Social Media. Procedia Computer Science, 121, 266–273.
[29] Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15, 320–330.
https://doi.org/10.1057/palgrave.ejis.3000589
[30] Saldaña, J. (2009). The coding manual for qualitative researchers. Los Angeles, CA: SAGE Publications.
[31] Miles, M. B., Huberman, A. M., & Saldaña, J. (2014). Qualitative Data Analysis: A Methods Sourcebook (3rd ed.). Thousand Oaks: SAGE
Publications Ltd.
[32] Protiviti. (2013). Board Perspectives: Risk Oversight. Social Business: What It Means to Your Risk Profile.
[33] Nexgate. (2013). Mapping roles and responsibilities for social media risk (White Paper). Nexgate.
[34] Slovic, P. (2000). The perception of risk. London, UK: Earthscan.
[35] Kasperson, J. X., & Kasperson, R. E. (2005). The Social Contours of Risk: Risk. Volume 1: Publics, Risk Communication & the Social
Amplification of Risk. Virginia: Earthscan.
[36] Mansfield, S. J., Morrison, S. G., Stephens, H. O., Bonning, M. A., Wang, S.-H., Withers, A. H. J., … Perry, A. W. (2011). Social media and
the medical profession. The Medical Journal of Australia, 194, 642–644.
[37] Richey, M., Ravishankar, M. N., & Coupland, C. (2016). Exploring situationally inappropriate social media posts: An impression
management perspective. Information Technology and People, 29, 597–617.
[38] Field, M. (2017). Apple fires employee after daughter’s video of iPhone X goes viral. Retrieved December 18, 2017, from The Telegraph
website: https://www.telegraph.co.uk/technology/2017/10/30/apple-fires-employee-daughters-video-new-iphone-x-goes-viral/