The growth of social media has crossed the boundary from individual to organizational use, bringing with it a set of benefits and risks. To mitigate these risks and ensure the benefits of social media use are realized, organizations have developed a host of new policies, procedures, and hiring practices. However, research to date has yet to provide a comprehensive view on the nature of risk associated with the use of social media by organizations. Using a multi-panel Delphi approach consisting of new entrants to the workforce, certified human resource professionals, and certified Information Technology auditors, this study seeks to understand organizational social media risk. The results of the Delphi panels are compared against a textual analysis of 40 social media policies to provide a comprehensive view of the current state of social media policy development. We conclude with directions for future research that may guide researchers interested in exploring social media risk in organizations.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Price excludes VAT (USA)
Tax calculation will be finalised during checkout.
http://mashable.com/2011/02/16/red-cross-tweet/ (Accessed 05/15/2016)
https://www.zerofox.com/blog/top-9-social-media-threats-2015/ (Accessed 05/15/2016)
https://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171513574 (Accessed 05/15/2016)
Alter, S., & Sherer, S. A. (2004). A general, but readily adaptable model of information system risk. Communications of the Association for Information Systems, 14(1–28), 1.
Argenti, P. A., & Druckenbiller, B. (2004). Reputation and the corporate brand. Corporate Reputation Review, 6(4), 368–374.
Aula, P. (2010). Social media, reputation risk, and ambient publicity management. Strategy & Leadership, 38(6), 43–49.
Barton, B. F., & Barton, M. S. (1984). User-friendly password methods for computer-mediated information systems. Computers & Security, 3(3), 186–195.
Baskerville, R., Park, E. H., & Kim, J. (2014). An emote opportunity model of computer abuse. [article]. Information Technology & People, 27(2), 155–181. doi:10.1108/itp-11-2011-0068.
Baur, A. W. (Forthcoming). Harnessing the social web to enhance insights into people’s opinions in business, government and public administration. Information Systems Frontiers, 1–21.
Bernoff, J., & Schadler, T. (2010). Empowered. Harvard Business Review, 88(July–August), 95–101.
Best, R. (1974). An experiment in delphi estimation in marketing decision making. Journal of Marketing Research, 11, 448–452.
Bharati, P., Zhang, C., & Chaudhury, A. (2014). Social media assimilation in firms: investigating the roles of absorptive capacity and institutional pressures. Information Systems Frontiers, 16(2), 257–272.
Boje, D., & Murninghan, J. (1982). Group confidence pressures in iterative decisions. Management Science, 28, 1187–1196.
Boyatzis, R. E. (1998). Transforming qualitative information: Thematic analysis and code development. Chicago: Sage.
Boyd, D. (2008). Facebook’s privacy trainwreck: exposure, invasion, and social convergence. Convergence: The International Journal of Research into New Media Technologies, 14(1), 13–20.
Brancheau, J. C., & Wetherbe, J. C. (1987). Key issues in information systems management. MIS Quarterly, 11(1), 22.
Brancheau, J. C., & Wetherbe, J. C. (1990). The adoption of spreadsheet software: testing innovation diffusion theory in the context of end-user computing. Information Systems Research, 1(2), 115–143.
Brockhoff, K. (2002). The performance of forecasting groups in computer dialogue and face-to-face discussion. In M. Turoff, & H. A. Linestone (Eds.), The Delphi Method: Techniques and Applications. Addison-Wesley Publishing Co.
Buckley, J. L. (1974). Family Educational Rights and Privacy Act (FERPA). In U. S. Congress (Ed.), (Vol. 20 U.S.C. § 1232 g; 34 CFR Part 99). Washington, D. C.: United States Congress.
Byrd, S. (2012). Hi fans! Tell us your story!: incorporating a stewardship-based social media strategy to maintain brand reputation during a crisis. Corporate Communications: An International Journal, 17(3), 241–254.
Chou, W.-Y. S., Hunt, Y. M., Beckjord, E. B., Moser, R. P., & Hesse, B. W. (2009). Social media use in the United States: implications for health communication. Journal of Medical Internet Research, 11(4), e48.
Choudhary, A., Hendrix, W., Lee, K., Palsetia, D., & Liao, W.-K. (2012). Social media evolution of the Egyptian revolution. Communications of the ACM, 55(5), 74–80.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). Enterprise risk management - integrated framework. New York, NY: Committee of Sponsoring Organizations of the Treadway Commission.
Culnan, M. J., McHugh, P. J., & Zubillaga, J. I. (2010). How large U.S. companies can use twitter and other social media to gain business value. MIS Quarterly Executive, 9(4), 243–259.
Dahlander, L., & Piezunka, H. (2014). Open to suggestions: how organizations elicit suggestions through proactive and reactive attention. Research Policy, 43, 812–827.
Deans, P. C. (2011). The impact of social media on C-level roles. MIS Quarterly Executive, 10(4), 187–200.
Delbecq, A., Van de Ven, A., & Gustafson, D. (1975). Group techniques for program planning: A guide to nominal group and delphi processes. Glenview, IL: Scott, Foresman, and Company.
Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. [article]. Information Systems Journal, 16(3), 293–314. doi:10.1111/j.1365-2575.2006.00219.x.
Di Gangi, P. M., & Wasko, M. (2009). Steal my idea! Organizational adoption of user innovations from a user innovation community: a case study of Dell IdeaStorm. Decision Support Systems, 48(1), 303–312.
Di Gangi, P. M., Wasko, M., & Hooker, R. E. (2010). Getting customers’ ideas to work for you: learning from Dell how to succeed with online user innovation communities. MIS Quarterly Executive, 9(4), 213–228.
Dickinson, G. W., Leitheiser, R. L., Wetherbe, J. C., & Nechis, M. (1984). Key information systems issues for the 1980’s. MIS Quarterly, 8(3), 24.
Dijkmans, C., Kerkhof, P., & Beukeboom, C. J. (2015). A stage to engage: social media use and corporate reputation. Tourism Management, 47(April), 58–67.
El-Gayar, O. F., & Fritz, B. D. (2010). A web-based multi-perspective decision support system for information security planning. [article]. Decision Support Systems, 50(1), 43–54. doi:10.1016/j.dss.2010.07.001.
Gaines-Ross, L. (2013). Get social: a mandate for new CEOs. MIT Sloan Management Review, 54(3), 1–5.
Gallaugher, J., & Ransbotham, S. (2010). Social media and customer dialog management at Starbucks. MIS Quarterly Executive, 9(4), 197–212.
Goel, S., & Chengalur-Smith, I. (2010). Metrics for characterizing the form of security policies. Journal of Strategic Information Systems, 19, 281–295.
Goh, S. H., & Di Gangi, P. M. (2016). A framework for understanding risk perceptions in cooperatives. The Cooperative Accountant, LXIV(Summer), Article 2.
Goodhue, D. L., & Straub, D. (1991). Security concerns of system users: a study of perceptions of the adequacy of security. Information Management, 20(1), 13–27.
Gramm, P., Leach, J., & Bliley, T. J. Jr. (1999). Gramm-Leach-Bliley Act. In t. U. S. Congress (Ed.), (Vol. Public Law 106–102). Washington, D. C.: United States Congress.
Gray, P., & Hovav, A. (2014). Using scenarios to understand the frontiers of IS. Information Systems Frontiers, 16, 337–345.
Gregor, S. (2006). The nature of theory in information systems. MIS Quarterly, 611–642.
Guitierrez, F. J., Ochoa, S. F., Zurita, G., & Baloian, N. (2016). Understanding student participation in undergraduate course communities: a case study. Information Systems Frontiers, 18(1), 7–21.
Hanna, R., Rohm, A., & Crittenden, V. L. (2011). We’re all connected: the power of the social media ecosystem. Business Horizons, 54(3), 265–273.
Helm, C., & Jones, R. (2010). Brand governance: the new agenda in brand management. Brand Management, 17, 545–547.
Hogben, G. (2007). Security issues and recommendations for online social networks. ENISA position paper (1).
Hsu, L., & Lawrence, B. (2015). The role of social media and brand equity during a product recall crisis: a shareholder value perspective. International Journal of Research in Marketing, 33(1), 59–77.
Hunton, J. E., Wright, A. M., & Wright, S. (2004). Are financial auditors overconfident in their ability to assess risks associated with enterprise resource planning systems? Journal of Information Systems, 18(2), 7–28.
Ifinedo, P. (2011). An exploratory study of the relationships between selected contextual factors and information security concerns in global financial services institutions. Journal of Privacy & Security, 7(1), 25–49.
IT Governance Institute (ITGI) (2005). COBIT 5. Rolling Meadows, IL: IT Governance Institute.
Jenkins, C. (2012). Towards ‘social’ security. Computer Fraud & Security, 2012(8), 18–20. doi:10.1016/s1361-3723(12)70084-2.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: an empirical study. MIS Quarterly, 34(3), 549–566.
Johnston, A. C., Worrell, J. L., Di Gangi, P. M., & Wasko, M. (2013). Online health communities: an assessment of the influence of participation on patient empowerment outcomes. Information Technology & People, 26(2), 213–235.
Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113–134.
Kallinikos, J., & Tempini, N. (2014). Patient data as medical facts: social media practices as a foundation for medical knowledge creation. Information Systems Research, 25(4), 817–833.
Kane, G. C. (2015a). Can you really let employees loose on social media? MIT Sloan Management Review, 56(2), 1–9.
Kane, G. C. (2015b). Enterprise social media: Current capabilities and future possibilities. MIS Quarterly Executive, 14(1), 1–16.
Kane, G. C., Fichman, R. G., Gallaugher, J., & Glaser, J. (2009). Community relations 2.0. Harvard Business Review, November.
Kane, G. C., Alavi, M., Labianca, G., & Borgatti, S. P. (2014). What’s different about social media networks? A framework and research agenda. MIS Quarterly, 38(1), 275–304.
Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., & Wei, K.-K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23, 139–154.
Kaplan, A. M., & Haenlein, M. (2010). Users of the world unite! The challenges and opportunities of social media. Business Horizons, 53(1), 59–68.
Kennedy, E., & Kassebaum, N. (1996). Health Insurance Portability and Accountability Act (HIPPA) of 1996. In t. U. S. Congress (Ed.), (Vol. Public Law 104–191). Washington, D. C.: United States Congress.
Kietzmann, J. H., Hermkens, K., McCarthy, I. P., & Silvestre, B. S. (2011). Social media? Get serious! Understanding the functional building blocks of social media. Business Horizons, 54(3), 241–251.
Kotulic, A. G., & Clark, J. G. (2004). Why there aren’t more information security research studies. Information Management, 41(5), 597–607.
Krasnova, H., Günther, O., Spiekermann, S., & Koroleva, K. (2009). Privacy concerns and identity in online social networks. Identity in the Information Society, 2, 39–63.
Krasnova, H., Widjaja, T., Buxmann, P., Wenninger, H., & Benbasat, I. (2015). Why following friends can hurt you: an exploratory investigation of the effects of envy on social networking sites among college-age users. Information Systems Research, 26(3), 585–605.
Landis, J. R., & Koch, G. G. (1977). The measurement of observer agreement for categorical data. Biometrics, 33(1), 159–174.
Leidner, D., Koch, H., & Gonzalez, E. (2010). Assimilating generation Y IT new hires into USAA’s workforce: the role of an enterprise 2.0 system. MIS Quarterly Executive, 9(4), 229–242.
Leonardi, P. M., Huysman, M., & Steinfield, C. (2013). Enterprise social media: definition, history, and prospects for the study of social technologies in organizations. Journal of Computer-Mediated Communication, 19(1), 1–19.
Levy, M., Leusner, A., & Wasti, K. (2015). Putting the squeeze on social media: understanding social media regulation, and its associated risks, is key to helping protect the organization from potential harm. Internal Auditor, 72(1), 36–42.
Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal, 24(6), 479–502.
Linestone, H. A., & Turoff, M. (2002). The Delphi method: techniques and applications. Reading: Addison-Wesley Publishing Co.
Lundmark, L. W., Oh, C., & Verhaal, J. C. (Forthcoming). A little birdie told me: social media, organizational legitimacy, and underpricing in initial public offerings. Information Systems Frontiers, 1–16. doi:10.1007/s10796-016-9654-x.
Miller-Merrell, J. (2012). The workplace engagement economy where HR, social, mobile, and tech collide. Employment Relations Today, 39(2), 1–9.
Mooney, J. L., Wright Jr., H. R., & Higgins, L. N. (2010). Gen Y’s addiction to Web 2.0: problem or strategy? The Journal of Corporate Accounting & Finance, 22(1), 63–73.
Ng, B. Y., & Feng, A. E. (2006). An exploratory study on managerial security concerns in technology start-ups. In 10th Pacific Asia Conference on Information Systems, Kuala Lumpur, Malaysia, pp. 189–196.
Paliwoda, S. (1983). Predicting the future using Delphi. Management Decision, 21(1), 31–38.
Reich, B. H., & Benbasat, I. (2000). Factors that influence the social dimension of alignment between business and information technology objectives. MIS Quarterly, 24(1), 81–113.
Rhee, H.-S., Ryu, Y. U., & Kim, C.-T. (2012). Unrealistic optimism on information security management. Computers & Security, 31, 221–232.
Sarasohn-Kahn, J. (2008). The wisdom of patients: Health care meets online social media. Oakland, CA: California HealthCare Foundation.
Saridakis, G., Benson, V., Ezingeard, J. N., & Tennakoon, H. (2016). Individual information security, user behavior and cyber victimisation: an empirical study of social networking users. Technological Forecasting and Social Change, 102(C), 320–330.
Schmidt, R. (1997). Managing delphi surveys using nonparametric statistical techniques. Decision Sciences, 28(3), 763–774.
Schmidt, R., Lyytinen, K., Keil, M., & Cule, P. (2001). Identifying software project risks: an international delphi study. Journal of Management Information Systems, 17(4), 5–35.
Spears, J. L., & Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 34(3), 503–522.
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision making. MIS Quarterly, 22(4), 441–469.
Tan, T., Ruighaver, T., & Ahmad, A. (2003). Incident handling: Where the need for planning is often not recognised. In 1st Australian Computer, Network & Information Forensics Conference, Perth, Western Australia.
Tapscott, D. (2008). Grown up digital: How the net generation is changing your world. New York: McGraw-Hill.
Templier, M., & Paré, G. (2015). A framework for guiding and evaluating literature reviews. Communications of the Association for Information Systems, 37(Article 6), 112–137.
Teo, T. S. H., Nishant, R., Goh, M., & Agarwal, S. (2011). Leveraging collaborative technologies to build a knowledge sharing culture at HP analytics. MIS Quarterly Executive, 10(1), 1–18.
Tsui, T. C. (2013). Experience from the anti-monopoly law decision in China (Cost and Benefit of Rule of Law). The Network: Business at Berkeley Law(April/ May).
van Zyl, A. S. (2009). The impact of social networking 2.0 on organizations. The Electronic Library, 27, 906–918.
Viera, A. J., & Garrett, J. M. (2005). Understanding interobserver agreement: the Kappa statistic. Family Medicine, 37(5), 360–363.
Vishwanath, A. (2015). Diffusion of deception in social media: social contagion effects and its antecedents. Information Systems Frontiers, 17, 1353–1367.
Wakunuma, K. J., & Stahl, B. C. (2014). Tomorrow’s ethics and today’s response: an investigation into the ways information systems professionals perceive and address emerging ethical issues. Information Systems Frontiers, 16, 383–397.
Weber, R. (2012). Evaluating and developing theories in the information systems discipline. Journal of the Association for Information Systems, 13(1), 1–30.
Wesch, M. (2008). An anthropological introduction to YouTube. In U. Library of Congress (Ed.).
Willison, R., & Backhouse, J. (2006). Opportunities for computer crime: considering systems risk from a criminological perspective. [article]. European Journal of Information Systems, 15(4), 403–414. doi:10.1057/palgrave.ejis.3000592.
Worrell, J. L., Di Gangi, P. M., & Bush, A. A. (2013). Exploring the use of the Delphi method in accounting information systems research. International Journal of Accounting Information Systems, 14(3), 193–208.
Yan, X., Wang, J., & Chau, M. (2015). Customer revist intention to restaurants: evidence from online reviews. Information Systems Frontiers, 17, 645–657.
Risk Domain (Source of Risk)
Intentional or unintentional violation of legal or regulatory requirements
Legal / Regulatory (Internal)
Inappropriate sharing of personal or professional information that is deemed confidential or privileged by government laws or other regulatory bodies.
Online content may facilitate discriminatory hiring practices
Legal / Regulatory (Internal)
Use of social media content that is typically deemed inappropriate, unethical, or illegal for the purposes of making hiring decisions or resource assignments.
Author generated – Expansion of legal/ regulatory requirements
Purposeful loss of competitive data or trade secrets
Legal / Regulatory (Internal)
Inappropriate sharing of professional information that is deemed confidential or privileged by a company or organization.
Minority Influence or amplification of events
Creation of a distorted sense of market opinion by increasing the visibility of a vocal and visible minority.
(Helm and Jones 2010)
Unintended exposure of information
Accidental transmission and disclosure of information to an unintended third party.
Social mobilization/ online activism
Ability of a distributed group of individuals or groups to coordinate expressing their opinions and/or interests.
Source of information for hackers/ social engineering
The use of information found on a social media platform to gain unauthorized access to personal or organizational resources.
Reduction in worker efficiency and/or effectiveness due to social media usage for social or non-work purposes.
(van Zyl 2009)
Unreliable user-generated content
Creation of content (posts, images, etc.) by users which contains misinformation, errors, or other incorrect data.
Damage to reputation
Use of social media in a manner that diminishes how an organization is perceived by others.
Employee views perceived as sanctioned/ approved by employer
Misperception by individuals, customers and others that a posting by an individual represents the views of their employer.
Online content may be stored or indexed
Property of social media posts and content that they can be easily searched and/or stored for future access or retrieval by an individual or organization.
Online content shared with unintended third parties for commercial purposes
Use or transmission of an organization’s content to a third party for an expected economic gain.
(Krasnova et al. 2009)
Online content shared with unintended third parties for non-commercial purposes
Use or transmission of organization’s content to a third party for reasons other than economic gain.
(Krasnova et al. 2009)
Perception of social media acceptance/adoption
Concern that an organization may not be adept or savvy at using social media.
Image of an organization as portrayed via social media may be inconsistent with the image communicated through more traditional means.
Damage to consumer confidence
Information disseminated through social media may damage current and potential customers’ impressions of a company, its products and/or services.
Damage to morale
Information disseminated through social media may damage the sense of well-being and faith that employees share regarding their employer.
Author generated – Extrapolation from damage to consumer confidence
Social media content that is shared or contributed about an organization in a manner that is not under the organization’s direct control.
(van Zyl 2009)
Hacks / unauthorized access to social media account
Unauthorized use of an organization’s social media accounts by a third party with the intent to cause harm.
Inefficient use of employer network resources
Negative effects on corporate servers, network bandwidth and other corporate IT resources of employees accessing social media sites.
(van Zyl 2009)
Temporary inability to access social media applications or platforms.
Author generated – IT infrastructure risk
Malicious software (malware)
Use of fake profiles, postings, blogs or other social media content to secretly install malicious software on a person’s computer without their consent.
About this article
Cite this article
Di Gangi, P.M., Johnston, A.C., Worrell, J.L. et al. What could possibly go wrong? A multi-panel Delphi study of organizational social media risk. Inf Syst Front 20, 1097–1116 (2018). https://doi.org/10.1007/s10796-016-9714-2