Narrative review: Social media use by employees and the risk to institutional and personal information security compliance in South Africa

is recommended that organisations implement methods to minimise social media risks to ensure that the integrity of information is preserved through these awareness programmes to employees.


Introduction
The use of social media has soared worldwide as employees access their organisation's information through mobile devices and laptops, especially during the Coronavirus Disease 2019 (COVID-19) pandemic. 1 With more social media being accessed through these devices, the number of prospective cyberattacks on organisations has grown, including network attacks, the spread of malicious code and ransomware. 1,2 Information security breaches leading to the disclosure of sensitive information, reputational damage and increased threats from cyberattacks on social networking tools have pointed to the need for information security management in organisations. 2,3 For this reason, organisations should be actively involved in information security awareness programmes, as social media risks are ever-increasing. 4,5 According to Frauenstein and Flowerday, 6 technology controls alone cannot deal with social media risks; therefore, employees play a vital role in the defence. Aloul 4 and Ajzen and Fishbein 5 note a rise in phishing, malspam and ransomware attacks in which COVID-19 is used as bait to impersonate brands and mislead employees. This puts personal computers and phones at high risk and is likely to result in more of these devices being infected; both the general populace and businesses are targeted. Even end-users who download COVID-19-related applications are being tricked into downloading ransomware disguised as a legitimate application.
In addition, the functioning of many organisations' security teams is likely to be impaired by the COVID-19 pandemic, which weakens their ability to detect malicious activity.
In South Africa, the enforcement of 'work from home' policies by some companies has become common. A stable power supply and a fast internet connection may be a luxury in some rural areas, which may force employees and students to work from public spaces or internet cafés to use their power and free internet facilities. 8 Notwithstanding the milestone achieved by the South African government in making affordable data available to students to work online, this move exposes the computing facilities and confidential information of institutions to theft or damage.
The problem is that employees lack knowledge of the risks that social media platforms pose to the computing facilities and confidential information of their institution, especially when used at the workplace. Some organisations have not effectively established information security awareness programmes for their employees, which can result in unintentional negative behaviour. 9 Uninformed employees unintentionally make naïve mistakes that can open the door to cyberattacks that exploit weaknesses in the organisation's system of controls. Moreover, if employees are not well informed about the risks and privacy issues of accessing social media during working hours, they can expose the organisation to reputational damage and customer loss. 4,5 Furthermore, the emergence of COVID-19 has forced businesses and governments to depend increasingly on technology to assist citizens, so that digital systems have become the only practical alternative for keeping people and businesses going. 8 Remote working and collaboration tools have become critical systems, placing a new wave of demands on networks and datacentre infrastructure. 10 Malicious actors seeking to exploit fears over the pandemic have caused panic in many organisations, which have extended their networks beyond the firewall whilst security remains a pervasive concern. 8
This study aims to propose a model to ensure employee information security compliance when using social media for work-related business. To achieve this objective, a desktop literature review was conducted to identify the risks involved when using social media in the workplace and for any work-related business. The structure of the study is as follows: the literature is discussed in the first section, followed by the theoretical foundation applied in this research. The sections that follow cover information security awareness and compliance strategies, and thereafter a proposed model for the study and the conclusion.

Literature review
The literature review highlights relevant topics of the study.

Social media use and human firewall
According to Tarantino, McDonough and Hua, 11 social media refers to websites and applications that enable organisations to create and share information. These include Twitter, MySpace, Facebook, Flickr, Google Plus and YouTube. 9 The use and adoption of social media in organisations has increased because the benefits are substantial. Various studies state that marketing is the biggest beneficiary of social networking tools. 9,12 Organisations encourage employees, especially in the sales and marketing department, to reach out to customers through social media, as most customers use these platforms to search for goods and services. 12,13 Social media use has the potential to increase sales and market share. In addition, social media use at the workplace can help organisations to maintain a competitive advantage, and some use it as a communication tool to spread messages faster amongst core workers and customers. 13,14 Schraner 15 adds that interacting with customers on social media sites helps an organisation to understand customer needs much better and improve service delivery; engaging with consumers helps to discover unmet consumer demands and complaints. Furthermore, allowing employees to use social media tools is considered helpful in strengthening customer relationships and penetrating new geographical areas, which makes social media tools a key mechanism for sparking innovation. 15 Another consideration is that forbidding social media tools in the workplace may harm employee morale and affordable communication. 16 It is believed that no single technology solution can address today's most urgent security problems. 17 Organisations should therefore not just invest in security technology, but also cultivate a security-conscious workplace culture (a human firewall).
The main objective of a human firewall is to raise the awareness of employees to such an extent that they act as a solid line of defence against external attacks on the organisation's security systems. 4,5,17 A human firewall aims to equip employees and to close the weakest links in organisational security by educating employees about the security of the organisation. There are three main components of a human firewall: employee education, minimising human error and getting ahead of new threats.

Employee education
Security education should cover all levels of the organisation and go beyond treating security training as a compliance-based 'check-box' activity. 1 Information technology (IT) departments are not exempt: they need education on how to implement policies that are secure without being so restrictive that the flow of business is disrupted. Administrators have become a de facto target for attackers, because a compromised administrator account offers an easy pivot point for gaining access inside the network. IT staff are therefore more exposed because of their elevated administrative privileges on the network, and often because weaker controls are applied to their email attachments and internet browsing.

Minimising human error
Hackers and spammers exploit predictable human behaviour. They use social engineering to gain trust, manipulating vulnerable users into clicking malicious links in emails that appear to come from legitimate sources. 18 This common trickery, known as phishing, requires the user's participation (clicking the link), so the most reliable defence is educating employees about the threat. A range of newer technologies also helps organisations to counter this popular attack. For instance, email gateways rewrite every hyperlink in a message into a unique 'safe link' before it reaches the user's inbox, so that the destination can be checked when the link is clicked rather than only when the mail was delivered. Because some employees will invariably click bad links, this added layer of protection covers users who, intentionally or accidentally, fail to follow training and guidance. 19
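To make the safe-link mechanism described above concrete, the following is an added example written for this page; it is not code from the article or from any gateway product. It rewrites each hyperlink in a message into a redirector URL that carries the original target and an HMAC over it, then shows the click-time step: the redirector verifies the HMAC (so a forged or edited token is rejected) and only then checks the target host against a blocklist that may have been updated after the message was delivered. The gateway host name, the key and the sample message body are constructed assumptions.

```python
"""Safe-link rewriting at a mail gateway, with a click-time verdict.

Added illustration, not code from the article.  Each http(s) hyperlink in an
inbound message is replaced by a redirector URL carrying the original target
and an HMAC over it.  When the recipient clicks, the redirector verifies the
HMAC (a forged or edited token is rejected) and only then checks the target
against a blocklist, which may have been updated after delivery.  That
click-time check is what protects a user whose message arrived before the
phishing page became known.

The gateway host name, the HMAC key and the sample message are constructed
assumptions for this example.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://safelinks.example.invalid/r"         # hypothetical redirector
SECRET = b"example-only-key-rotate-in-production"        # hypothetical key

# Matches href="http(s)://..." attributes in a simple HTML body.
_HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(url: str, secret: bytes) -> str:
    return hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()


def wrap_url(url: str, secret: bytes = SECRET) -> str:
    """Return the redirector URL that stands in for `url` in the delivered mail."""
    query = urlencode({"u": _b64url(url.encode()), "s": _sign(url, secret)})
    return f"{GATEWAY}?{query}"


def rewrite_links(html: str, secret: bytes = SECRET) -> str:
    """Replace every http(s) href in an HTML body with its safe-link form."""
    return _HREF_RE.sub(lambda m: f'href="{wrap_url(m.group(1), secret)}"', html)


def resolve_click(safe_url: str, blocklist: set, secret: bytes = SECRET):
    """Click-time handling.  Returns (verdict, original_url) where verdict is
    "allow", "block" (target host is on the blocklist) or "invalid" (missing,
    forged or tampered token; the original URL is not trusted and not returned).
    """
    params = parse_qs(urlsplit(safe_url).query)
    try:
        original = _unb64url(params["u"][0]).decode()
        sig = params["s"][0]
    except (KeyError, IndexError, ValueError):
        return "invalid", None
    if not hmac.compare_digest(sig, _sign(original, secret)):
        return "invalid", None
    host = (urlsplit(original).hostname or "").lower()
    if host in blocklist:
        return "block", original
    return "allow", original


# Constructed sample message body (not a real phishing mail).
SAMPLE_HTML = (
    '<p>Your mailbox is almost full. '
    '<a href="https://login.example.invalid/reset">Fix it now</a> or read the '
    '<a href="https://intranet.example.invalid/it-policy">IT policy</a>.</p>'
)

if __name__ == "__main__":
    delivered = rewrite_links(SAMPLE_HTML)
    print(delivered)
    # The blocklist is consulted when the user clicks, possibly days later.
    blocklist = {"login.example.invalid"}
    for safe in _HREF_RE.findall(delivered):
        print(resolve_click(safe, blocklist))
```

The original URL is hidden inside the token, so a user previewing the link sees only the gateway; the HMAC prevents an attacker from minting tokens that point the redirector at a target of their choosing; and because the blocklist lookup happens at click time, a link that was clean at delivery but later reported as phishing is still blocked.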

New threats
Employees need to be well informed and to adapt to the latest security measures, as threats like phishing and malware change constantly. 20 A report by Panda Security 21 (February 2020) states that, of roughly 30 million unique new threats recorded every day, an average of 82 000 are new malware strains. 2 With such a rapid increase in new attacks, smart security investment cannot rely on yesterday's 'tried and true' methods to stay ahead.

Traditional firewall
A traditional firewall is a device that controls the traffic allowed to enter or leave a point in the network. It comprises hardware and/or software intended to protect computers from hackers and other threats, blocking dangerous software or data from reaching the system. 5 Hardware firewalls provide network-wide protection against online threats. Software firewalls installed on individual computers inspect data more closely and can block specific programs from sending data to the internet. A combination of both kinds is often used to provide a more complete safety net for networks with high security requirements. 17

Hardware firewalls
A hardware firewall is installed between the internet and a local area network (LAN). 2 It inspects all data received from the internet, passing along safe packets whilst blocking potentially dangerous ones. Hardware firewalls may require expert set-up to protect a LAN properly without degrading performance or access to remote sites and web pages, which may not be feasible in the absence of a dedicated IT department. For businesses with many computers, controlling network security from a single device simplifies the job. 17

Software firewall
A software firewall is usually installed on each individual computer on a network. 20 Unlike a hardware firewall, a software firewall can distinguish between the programs running on a computer: it can allow or block the execution of particular programs and permit network data for one program whilst blocking it for another. 1 Software firewalls also filter outgoing data and the remote responses to outgoing requests. 
However, software firewalls require installation, updating and administration on every computer. 22
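The two firewall kinds described in the preceding sections differ in what they can see rather than in how they decide. The following added example (written for this page, not code from the article or from any firewall product) implements the common first-match, default-deny rule evaluation and runs it twice: once as a perimeter (hardware) ruleset that sees only addresses, ports and connection state, and once as a host (software) ruleset that additionally knows which program generated the packet. The LAN range, addresses, program names and sample packets are constructed assumptions.

```python
"""First-match packet filtering as a perimeter (hardware) firewall and a host
(software) firewall apply it.

Added illustration, not code from the article.  Rules are evaluated top to
bottom; the first rule whose fields all match decides, and a packet matching
no rule is dropped (default deny).  The host ruleset adds a `program` field,
the attribute a perimeter device cannot see, so one program's outbound
traffic is allowed while another's is blocked.  The LAN, addresses and sample
packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    established: bool = False      # reply within a connection opened from inside
    program: Optional[str] = None  # only a host firewall knows this


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: Optional[str] = None        # CIDR; None matches any
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    established: Optional[bool] = None
    program: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # A field set to None is a wildcard; every non-None field must match.
        checks = (
            (self.src, lambda: ip_address(p.src) in ip_network(self.src)),
            (self.dst, lambda: ip_address(p.dst) in ip_network(self.dst)),
            (self.dport, lambda: p.dport == self.dport),
            (self.proto, lambda: p.proto == self.proto),
            (self.established, lambda: p.established == self.established),
            (self.program, lambda: p.program == self.program),
        )
        return all(check() for field, check in checks if field is not None)


def decide(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


LAN = "10.0.0.0/24"   # hypothetical office network

# Perimeter ruleset: sees addresses, ports and connection state only.
PERIMETER = [
    Rule("allow", established=True, comment="replies to connections opened from the LAN"),
    Rule("allow", src=LAN, proto="tcp", dport=443, comment="LAN hosts may browse HTTPS"),
    Rule("allow", src=LAN, dst="10.0.0.53", proto="udp", dport=53, comment="LAN to internal resolver"),
    Rule("deny", src=LAN, comment="all other LAN egress blocked and logged"),
    Rule("deny", dst=LAN, comment="unsolicited inbound to the LAN blocked"),
]

# Host ruleset: the same kind of checks plus a per-program decision.
HOST = [
    Rule("allow", established=True, comment="replies to connections this host opened"),
    Rule("allow", program="browser", proto="tcp", dport=443, comment="browser may use HTTPS"),
    Rule("allow", program="mailclient", proto="tcp", dport=993, comment="mail client may use IMAPS"),
    Rule("deny", comment="everything else, including other programs' egress and unsolicited inbound, is blocked"),
]

if __name__ == "__main__":
    browser = Packet("10.0.0.5", "203.0.113.10", 443, program="browser")
    dropper = Packet("10.0.0.5", "203.0.113.10", 443, program="dropper")
    inbound = Packet("198.51.100.7", "10.0.0.5", 3389)
    for name, p in [("browser", browser), ("dropper", dropper), ("inbound", inbound)]:
        print(name, "perimeter:", decide(PERIMETER, p), "host:", decide(HOST, p))
```

Running it shows the point of the two sections above: the perimeter ruleset allows both the browser's and the unknown program's HTTPS traffic, because from outside the host they look identical, whereas the host ruleset allows the first and blocks the second. Rule order matters in both: the `established` rule must come first so that replies are not caught by the later deny rules, and a broad deny placed too early would shadow every allow below it.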

Theoretical foundation
This study used a desktop literature review method. Deterrence theory and the theory of reasoned action (TRA) were employed as the theoretical foundation, as both are widely used information systems theories. The TRA explores the relationship between attitudes and behaviour within human action and is useful for predicting how individuals will behave by analysing their pre-existing attitudes and behavioural intentions. It offers a model for forecasting the intention to perform a behaviour from an individual's attitude and normative beliefs, 4,5 evaluating two motivational components: attitude and subjective norms.
The theory proposes that an employee's behavioural intention depends on both subjective norms and attitude, and that an employee's attitude towards information security influences the individual's behaviour through intention, the basis for executing a given behaviour. 4,5,23 In addition, the TRA relies on the notion that employees make realistic decisions based on the information available to them. Employees who make naïve mistakes, and those with a negative attitude towards information security, require motivation to comply before they will behave responsibly; an awareness programme is therefore needed to educate and train them to protect the organisation's information assets. 4,5 This study applied deterrence theory (DT) to explain the consequences of failing to behave responsibly when using social media. Deterrence is described as the threat of punishing employees through some form of sanction. 24 DT holds that a more severe punishment is more likely to deter a rationally calculating person from committing unjust acts. Deterrence is classified as specific or general: specific deterrence refers to the actual punishment of an individual offender, whereas general deterrence denotes the effect of the threat of punishment on others, a threat that involves both the severity of the sanction and the likelihood of detection. Elliott 25 adds that DT can be applied as a preventive control with various effects, including intimidation, education and reinforcement; the intimidating effect of punishment is both general and specific. DT can therefore be used as a formal sanction to stimulate and reinforce responsible behaviour when employees use social media at the workplace. If employees do not refrain from illegal activities on social media out of fear of the negative consequences, they are not deterred.
However, DT has limitations. Elliott 25 points out that it has less impact in controlling or eliminating habitual, unthinking behaviour by employees, because such behaviour results from heuristic information processing.

Research methodology
The study employed a scoping literature review to gather data. Literature analysis was carried out on information obtained from Google Scholar, Science Direct, Research Gate and the Association for Computing Machinery (ACM). Each article from the chosen sources was checked thoroughly for authenticity, relevance to the study and compliance with all the inclusion criteria. 25 The search was extensive, gathering relevant data from every article that met the inclusion criteria, irrespective of the kind of study it was derived from. All available articles were included as long as they addressed the risks involved when using social media in the workplace. Articles published between 2010 and 2018 were consulted (Table 1).
The research used a forward and backward search strategy to ensure that relevant references were included in the review (Table 1). A database of the keywords used in the search was compiled, including a full description of each keyword and the motive for its inclusion. Table 1 illustrates the format used to compile the keywords used to retrieve articles from the databases. The complete articles retrieved from the databases were analysed individually by two academics, who then reconciled their findings to identify the articles relevant to the study.
It was challenging to use a special tool for data extraction because the articles analysed came from different types of study. Extraction and tabulation of data were therefore done manually and separately before being compared and combined. 26 Findings were grouped under each theme and synthesised (Figure 1) using reciprocal translation analysis: the findings of one study were compared and their similarities drawn out, the synthesised outcome was then compared with the next study, and so on until all articles had been synthesised (Figure 1). Literature analysis results were grouped into the three categories of factors outlined in the theoretical background. Figure 1 shows the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) flow employed in this study.
The inclusion criterion was that a study must address risks associated with social media use at the workplace; this was chosen to allow numerous studies to enter the review process. A total of 1135 journal and conference articles were obtained from all the databases, including unsuitable and unfiltered results. Search engine filtering, date range and regional filtering reduced these to 435 studies. These were read and screened for suitability against the following criteria: published between 2010 and 2018, and addressing risks associated with social media use at the workplace.
After this first screening, the full text of the 435 studies was reviewed by the authors and only 15 were retained. The 420 studies were eliminated for the following reasons:
• 395 studies were eliminated because of their title, year or context.
• 25 studies did not discuss the challenges associated with social media use in the workplace.
Table 1-A1 lists the 15 included studies and the topics identified after the thematic analysis.

Results
Employees should be made aware of the risks of using social media, of how to secure information assets, and of the costs if this is not done correctly. 18,20 Many employees are vulnerable and are targeted by cybercriminals. 5 Whilst there are many reasons for employee vulnerability, the primary factor is that employees lack adequate knowledge of the risks involved when using social media and often find themselves wandering into cyberspace without any awareness preparation. 23 Sophos 27 stated that malware and attack vectors target social media users because they lack knowledge about these threats and about securing information. Some employees click on links, adverts and pop-ups that infect their machines, giving criminals access with which to harm the organisation. 28 Social media can thus be a source of malicious behaviour in the workplace. In a case before Fair Work Australia, an employee posted threatening messages on her MySpace account describing how she had been sexually harassed by her employer, and refused to remove the post.
Another risk arises when personal accounts are used to communicate work-related information, which may result in the unauthorised disclosure of confidential information. In a well-known case, Hillary Clinton used her private email server for State communication, which resulted in the leaking of party secrets to opposition parties. 30 Similarly, leaking trade secrets through emerging technologies has severe effects, as an organisation can suffer financial loss and decreased market share. 20,31 Employees such as these need training to enhance their knowledge of information confidentiality.
Most organisations hold confidential and sensitive client information, which can be disclosed accidentally. Hicks 18 gave the example of a nurse who posted a patient's medical record, including the admission date and the patient's full name, on his Facebook page. Such an employee needs training to enhance his or her knowledge of information confidentiality. Illegal access to, and use of, confidential information found on an employee's social media profile may lead to numerous risks, for instance identity theft, fraud, stalking and loss of employment. 22,32 For example, an employer learnt that an employee was pregnant and shortened her working hours; the employee later realised that the employer had found this information on her Facebook page. There is a need to educate employees about privacy preservation online. 32 Furthermore, Shullich 3 added that dismissal cases are increasing as organisations punish offenders to set an example so that other employees behave responsibly. Van Niekerk and Maharaj 16 gave the example of a worker dismissed because the company's guidebook warned workers that insulting or threatening other employees on social media is grounds for dismissal. Williams 33 gave the example of eight workers who lost their jobs after an ill-advised social media post.
Some organisations prohibit workers from using social media in the workplace as a measure to combat abuse of social media tools. Bolotaeva and Cata 31 indicated that certain employees spend too many hours on social networks doing non-work-related activities, which harms productivity, causes network utilisation problems and increases the risk of exposure to malicious software. Hence, there is a need to monitor employees' actions and to implement policies that discourage the misuse of social media tools at the workplace. 34 It is thus essential to increase employees' knowledge of social media risks through awareness programmes.

Managerial implications
The study suggests that employees need to be educated about both human and traditional firewalls. This can be achieved through security awareness programmes. Compliance strategies should be implemented to reduce social media-related risks whilst the organisation still enjoys the benefits of these powerful platforms. In this way, the integrity, confidentiality and availability of information in organisations are preserved and promoted.

Information security awareness programmes
Information security awareness programmes educate employees about cyberattacks. Awareness is not the same as training: it is a method of stimulating, motivating and reminding employees of what is expected of them. 35 Gundu et al. 23 found that information security awareness aims to raise employees' knowledge about securing organisational assets. Awareness programmes also explain what will happen to the organisation and its employees if information security management fails to inspire the workforce to take security seriously. 36 Implementing a successful security awareness programme is an essential step in enhancing information security within an organisation. Aloul 4 and Ajzen and Fishbein 5 stated that security awareness gives the workforce the knowledge needed to behave responsibly and helps to reduce social networking risk in organisations. Employees therefore need access to information security awareness training. 5,20 Such programmes communicate security standards to the workforce, which helps to change negative attitudes towards information security. 34 However, running security awareness programmes is fruitless if employees do not act on them or follow the information received during the campaigns. 6,37 Various methods can be used to convey a security message to employees, including classroom-style training, security awareness websites, posters, booklets and newsletters. The following section discusses components for mitigating social media risk.

Compliance strategies
There are actions that organisations can take to reduce social media risk to acceptable levels. These include security policies, social media guidelines and punishment, which together educate employees on how to behave when using social media tools.

Security policies
Kentucky University 38 notes that a social media policy explains what employees must not do on social media sites in the course of their employment. Such policies set the guidelines and clearly define the standards of acceptable behaviour that organisations expect from workers when using social media tools, 35 and provide guidelines that limit the freedom of workers when interacting with customers online. 5,20 A well-designed and thorough policy on social media use can minimise social networking risks. 32 It addresses risks such as the disclosure of organisational information, and harassment and discrimination on social networks. In addition, when organisations take proper steps to address social media vulnerabilities, they can safeguard valuable information and mitigate legal action. 38 Many organisations have social media usage policies, but these are not implemented because they are not enforced by top management. 3 Top management needs to administer social media and privacy policies to reduce the risks inherent in these technologies. These policies need to be in place and well explained to employees, who often make naïve mistakes. Accordingly, employees need to be trained in safe social media practices in concert with a social media policy, as this helps to mitigate social media risks. 28

Social media guidelines
An organisation's social media policy helps to educate employees about the opportunities and the risks that social media present when accessed and used at the workplace. 12 Social media guidelines give employees relevant guidance on using social network tools to communicate work-related business, and help to clarify the boundary between business and personal use of social media. 33

Punishment
Punishment is explained by DT and is another enforcement strategy that organisations can employ. 24 It involves sanctioning employees who behave maliciously in a way that makes others aware of the consequences, so that it serves as an example to employees who have not yet engaged in such conduct. The following section introduces the proposed model. Figure 2 depicts the proposed model, which aims to address the risks associated with social media. Breaches by employees expose the organisation's 'trade secrets', which can lead to financial loss, customer loss and reputational damage. To address social media risk, an information security awareness strategy needs to be in place to educate employees about information security controls, how to behave when using social sites, and the implications of not obeying the social media policy.

Proposed model
The first subsystem of the model (Figure 2) consists of education, training, CIA (confidentiality, integrity and availability) and privacy. All four components are needed to reduce social media risks to acceptable levels. Employees who are well informed through awareness strategies (education and training) about the need to maintain the CIA and privacy of information are more likely to achieve information security compliance, which is cultivated through policies, procedures and best practices. The second subsystem (Figure 2) is an enforcement approach consisting of a punishment component. If any component of the two subsystems is absent, the output (reduced social media risk) will not be achieved. The proposed information security awareness model is presented here.
The proposed model combines components from the TRA, DT (punishment), CIA and privacy. The TRA describes the constructs that influence employee behaviour: it relies on the belief that employees make realistic decisions based on the information available to them, so awareness strategies, education and training can be used to supply information about social media risk. Naïve employees can behave responsibly if they are trained about social media risks. 4,5 DT defines the benefits derived from using punishment (e.g. dismissal) where an employee has violated the social media policy; this serves as an example and a warning to every employee.
Thereafter, employees will be aware of the consequences of not following the security policies available in the organisation. 24 The model demonstrates how awareness strategies (training and education), privacy and CIA can be employed to guide employee information security compliance so that social media risk is minimised. 5,20

Conclusion
The actions of employees can increase the prevalence of cyber risk in organisations, whether through careless handling of sensitive data, exposure to phishing attacks, weak passwords, or data breaches caused by poor user awareness. Breaches by employees can open the door to cyberattacks that exploit weaknesses in the organisation's system of controls and expose the organisation to reputational damage and customer loss. Although technologies such as social media have become essential to organisations, especially during the COVID-19 pandemic, it is essential to prevent such breaches.
Organisations need to establish information security awareness programmes to raise their level of security and to educate employees on how to behave when using social media tools, both at work and at home. The study recommends that implementing the various aspects discussed in the proposed information security awareness model will contribute towards minimising social media risks to acceptable levels, whilst the organisation still enjoys the benefits of these powerful platforms. Moreover, this will help to ensure that the CIA and privacy of information in organisations are preserved.