H.U.M.O.R. Threat Assessment
Within the H.U.M.O.R. Matrix, we can continue to break down the threat assessment process and identify what the problem may be within each category. Let’s take an example of a threat against a well-known brand. In October 2010, Porsche AG announced it was banning employees from using social media sites.5 They were not specific regarding whether the ban applied only to work hours or to home hours as well. Obviously telling someone what they can do during nonwork hours is difficult and probably illegal, but Porsche’s identification of a significant threat had driven them to this decision. Porsche was worried that employees might post company confidential information to social media sites. “The social media websites may expose the automaker to unwanted observation and these services imply a certain threat potential,” Porsche spokesman Dirk Erat was quoted as saying. If we map this back to our H.U.M.O.R. matrix, this threat could be associated with Human Resources policy violations and Utilization copyright and intellectual property violations.
5 “Facebook Access Blocked to Porsche’s Employees on Espionage Threat, ”International Business Times (October 12, 2010), http://www.ibtimes.com/articles/70846/20101012/facebook-porsche.htm.
Using the H.U.M.O.R. Matrix, we can identify threat vectors that can be launched either from “hackers,” customers, employees, or any other sort of potential attacker.
Human Resources Threats
These threats target processes that are either inappropriate or not in place:
Policy violations Employees can violate the social media policy or social media security policy. But this is predicated on the company actually having a policy that outlines the restrictions in place. Policy violations are an internal threat.
Termination Human Resources must have developed and communicated a termination policy that addresses potential threats posed by disgruntled ex-employees, with a specific response by the company as a consequence of any such policy violation.
Personal usage Employees’ personal usage of social media can affect the corporation’s reputation when they post things such as inappropriate pictures or the like or confidential information about the company.
Utilization Threats
Resource Utilization threats are focused on how assets can be put at risk through social media mediums:
Technology Technology threats are easy to identify. Threats encompass everything from malware to Trojans to phishing sites and scams. These are known methods of attack against corporate use of social media.
Intellectual property Threats to intellectual property (IP) may come from the employee, a supplier, or a competitor. The employee can try to specifically disseminate IP or may just inadvertently give away IP over social media channels. The supplier may have access to sensitive IP through enterprise-collaborative applications. The competitor might scrap social media channels for IP that should not have been made available or might use social media channels to disseminate IP about your company or even plant false IP to damage your reputation.
Copyright Copyright threats are more widespread, and most attacks are generally inadvertent and minimally damaging. People may use your logos and other publicly available information without your express permission, and they may “remix” or change it for their own activist purposes. In many cases, these illegitimate uses are hard to detect, although sometimes they become viral and widely shared. The majority of copyright attacks will be external to your company.
Monetary Threats
These threats result in financial loss by malicious theft, resource costs due to security remediation measures, loss through inefficient use of assets, or opportunity loss due to threats distracting the company from its focus:
Financial loss Social media can be used by an attacker for immediate financial gain through impersonation and by accessing employee accounts. The financial loss may all be inadvertent if an employee were to cause damage. One example occurred in November 2010, when an underwriter for the General Motors IPO was dropped because the underwriter’s employee leaked information via e-mail.6 Although e-mail is not a true social media platform, it can easily be used as such and connect to other platforms such as LinkedIn or Facebook. Now you can actually claim your Facebook e-mail account, which is something like [email protected].
6 Tom Krisher, “UBS Employee Leaked Information on GM IPO” (November 10, 2010), http://abcnews.go.com/Business/wireStory?id=12108775.
Resource costs Responding to social media attacks may require purchasing new systems, monitoring tools, and other dashboards and utilities. Tools are a requirement; however, training employees will prove extremely useful and reduce the need for technology controls.
Time to recovery The amount of time spent recovering from a data breach can be extremely expensive.
Opportunity loss Responding to social media threats can easily distract company IT or HR personnel from more productive activities.
Operational Threats
Operational threats will usually have a direct impact on the functioning of the IT, marketing communications, and/or HR departments. Day-to-day activities will likely be disrupted.
Downtime Downtime can occur for many reasons. If the company relies on many social media outlets, any threat that can take a marketing campaign offline can affect the functions of the company. On October 6, 2010, Facebook went down for some hours. If your company had dedicated staff to working on a Facebook campaign that day, what would the impact have been on your marketing budget and expected results from your campaign? You could not recover any costs from Facebook. What if a hacker was launching a denial of service (DOS) attack against a particular social media site you are using; this could greatly impact your revenue model. Downtime costs have neither been calculated for external social media sites for most companies, nor is there a model for calculating these costs because results greatly depend on community and consumer sharing and engagement. How do you calculate the lost opportunity from engagement that never occurred because the social platform was not available?
Data loss Compromising accounts on social networks is very easy. A corporate Facebook account that is taken over by an attacker might contain confidential data about customers along with marketing lists.
Reputation Threats
A Reputation threat is more dispersed but no less dangerous. It might take a while for something like a Twitter attack to become known, but it can definitely impact the company’s brand value:
Competitive disadvantage An attacker can launch an anonymous attack against your brand very easily. They can hide behind new profiles, spread disparaging remarks, and send out fake information about your company. Although your competitors can launch these attacks without your knowing where they are coming from, it is unlikely they would do so because someone will always find out where the attacks come from and your competitors’ reputation would eventually take a hit.
Disgruntled customers and employees A disgruntled customer or employee can start posting to their blog and social networks about disappointing product and service experiences. For example, an aggrieved musician created a music video about how United Airlines broke his guitar; the video quickly went viral and currently has amassed over 9 million views. According to a Forrest Research report, “Do Your Employees Advocate for Your Company?”, employees surveyed put detractors at 49 percent, those who were neutral at 24 percent, and promoters at only 27 percent.
Activist attacks A consumer group or activist organization can mount an attack against your social media properties. When Nestlé started a Facebook page for KitKat, Greenpeace quickly built a grassroots digital campaign denouncing Nestlé for harming native species when harvesting key ingredients for their chocolate. It was a marketing fiasco for Nestlé.
False information Customers and consumer advocacy groups may simply be posting erroneous information about the product, its origins, and its utilization. Such misrepresentations lead to misperceptions that can significantly impact the competitiveness of the product in the marketplace.
Management crisis Without a structured approach, a social media crisis can easily spin out of control. Recall BP’s lack of social media response to the fake BP Twitter account that was set up to disparage the company after the Gulf of Mexico oil spill. The response quickly spun out of BP’s control and became a PR nightmare. Reputation is a key driver of purchasing, and if a company’s reputation is damaged, word of mouth can affect trust, which, in turn, affects sales. Nielsen reported in their 2009 Global Online Consumer Survey that some form of trust was very important in advertising and brand awareness, as shown in Figure 4-1. Once trust is lost online, rebuilding it is very difficult.
Figure 4-1 Nielsen 2009 Global Online Consumer Survey
Reputation threats challenge corporations on many levels:
Transparency and authenticity Does the initial attack and/or the company’s response (or lack thereof) confuse the customer?
Reaction time and behavior Does the company address the threat quickly and appropriately before it negatively impacts reputation value?
Trusted relationships Has the company built a strong and trusted reputation online that can withstand some period of attack?
Companywide response capabilities Are the company’s responses across departments, channels, and geographic regions coordinated and consistent?
Compromise of the influencers Do the brand’s online influencers understand how the attack is affecting the brand? Otherwise, this misunderstanding can impact customers.
Customer service Are customer services issues responded to appropriately? Otherwise, customers will quickly become disaffected and negatively influenced.
Multiple communications channels Negative mentions can occur through many different social platforms at once. Are all of the possible social platforms and distribution mechanisms being used effectively and simultaneously to deal with the problem?