Identification and Validation of Social Media Socio-Technical Information Security Factors with Respect to Usable-Security Principles
1. Introduction
Social Media (SM) usage has often been viewed through the lens of traditional information security systems, in which information security parameters are identified, developed and implemented using objective information security principles [1]. In contrast, SM usage embraces both objective and subjective principles of information security systems [1] [2]. Hence, the development of information security systems should take into consideration both the objective and subjective aspects of information security principles. Accordingly, this study divides SM usage into social and technical dimensions. The social dimension consists of the behavioral (subjective) aspects of information security, while the technical dimension entails the technology (objective) aspects of information security [1] [3] [4]. No study has yet identified SM usage information security factors across the social and technical dimensions in line with usable-security principles [3]. Existing studies often focus on information security attributes associated mainly with the technical aspect of SM usage [5]. Yet numerous studies have reported social-engineering (behavioral) attacks as one of the prevalent forms of online information security breaches [4] [5]. Therefore, this study was intended to identify, examine, and validate SM socio-technical information security factors, in line with usable-security principles.
Existing studies on SM usage often focus on descriptive roles or practitioners’ experience, while specifying benefits and risks associated mainly with the technical aspect of information security, which may be context specific [3] [4] [6]. As such, their measures and findings could be limited in scope, and prone to duplication, redundancy, or inconsistency [1]. In contrast, this study focused on identifying the key SM usage information security factors within the social and technical domains of SM usage, with respect to usable-security principles [4] [7] [8]. Here, SM socio-technical information security factors are attributes of SM functions that embrace SM operational requirements ranging across hardware, software, personal, and organizational structures [3] [4]. The components of the social dimension include the people (SM users) and the organization (structure), while the technical dimension includes the technology (SM platforms) and the tasks performed [3] [4]. With respect to usable-security principles, SM socio-technical information security factors are attributes of information security that embrace the technical information security factors but also take into consideration the usability aspects of those factors, in a seamless way [4] [7]. Thus, SM socio-technical information security factors were identified based on usable-security principles [4] [7] [9].
1.1. SM Definition
In agreement with SM practitioners and researchers, SM is often defined as “a group of internet-based applications built on ideological and technological foundation of Web 2.0 concepts, which enables creation, modification, and sharing of user-generated contents online” [10] [11]. The SM usage domain therefore entails a social dimension and a technical dimension [1] [6]. Generally, the key roles of SM usage include relationship development, information sharing, self-presentation, and entertainment [12] [13] [14] [15]. For instance, Facebook, Twitter, and LinkedIn are mainly used for relationship development, while Instagram, YouTube, and Snapchat are known for sharing multimedia content online [16]. Notably, the unique characteristic of SM usage is its ability to enable individual users to subjectively create, modify, and share user-generated content online. The design of traditional information security systems is characterized by objectivity, while SM usage embraces both objectivity and subjectivity principles [1] [10]. Therefore, with respect to information security management, the subjective, liberal and transparent nature of SM operations creates new information security challenges associated mainly with the social (behavioral) aspect of SM usage [5] [6]. According to [6], the main information security challenges associated with SM usage include confidentiality, litigation, and information overload.
Nevertheless, from the technical (objective) perspective, various SM platforms are enhanced with customizable security functions to support SM users in managing information security [6] [17]. For instance, Facebook and Twitter use two-factor verification principles: passwords as well as verification codes established using mobile devices. This authentication process helps to diminish the risk of compromising user accounts, and could prevent attackers from appropriating an authentic account [17]. Furthermore, Facebook users can adjust security configurations and select which users can view their content and sensitive information. Users can also allow or deny a third party access to their private content. WhatsApp communication, in turn, is end-to-end encrypted between two parties. The other key information security settings include firewall settings, anti-virus, anti-spam filter, VPN setting, intrusion detection, etc. [6]. Since the technical aspects are enhanced with capabilities to manage and mitigate some of the dominant information security risks associated with SM usage [17], this could imply that many of the reported risks and breaches associated with SM usage emanate from the social (behavioral) aspect of SM usage, such as lack of knowledge, weak policy, education/training in SM usage, etc. [2] [5] [6] [18].
1.2. Socio-Technical Information Systems
The phrase “socio-technical information system” embraces mainly two dimensions of information systems: the social (people and structures) dimension and the technical (technology and tasks) dimension [4] [7] [8]. The social dimension consists of SM users and organizational structures, including the responsibilities, rules, and policies that guide SM users in achieving the intended tasks [19]. Similarly, the technical dimension entails the technology artifact and the knowledge required to translate system inputs into outputs [20]. The term usable security, on the other hand, refers to the technical aspect of information security functions together with the usability (visibility, learnability, satisfaction, etc.) of those functions [7] [8]. Ferreira et al. (2014) define a usable-security information system as “one that is secure technically, even when used by people”. In other words, an information security system that is technically secure but difficult to use is less secure. Therefore, with respect to usable-security principles, the social and technical dimensional factors could be identified as usability factors and security factors, respectively [4] [7]. The relevant factors were then identified, examined and validated accordingly.
2. Objectives
The main objective of this study was to identify, verify, and validate Social Media (SM) socio-technical information security factors, in line with usable-security principles. Specifically, the study focused on the following specific objectives:
1) To identify the key Social Media (SM) socio-technical information security factors, in line with usable-security principles.
2) To verify the characteristics of the key Social Media (SM) socio-technical information security factors, in line with usable-security principles.
3) To validate the key Social Media (SM) socio-technical information security factors.
2.1. Methodology
The study followed literature search techniques, using mainly the Web of Science databases. The literature search strategy included Boolean keyword search and a citation guide. The relevant literature was identified and its contents scrutinized in line with the study objectives. Afterwards, the key factors were verified and put forward for validation. Both theoretical and empirical methods of validation were used. A theoretical validity test was conducted on 45 Likert scale items, using a validity form and involving 10 subject experts (reviewers). The experts were selected from Mbarara University of Science and Technology (MUST) and Kampala International University (KIU), both in Uganda. The validity process focused on the “relevancy” and “clarity” of the items. From the score ratings of the reviewers, the Content Validity Index (CVI) was calculated using mean score values, at an acceptable level of CVI ≥ 0.78 [21]. The empirical method was a reliability test conducted on the 45 Likert scale items, using a questionnaire and involving 32 respondents, also selected from MUST and KIU. Cronbach’s alpha coefficients (α-values) were then generated in SPSS, at an acceptable range of 0.70 ≤ α ≤ 0.90 [22]. The results of both the literature search and the validation process (validity test and reliability test) are presented in Section 3.
2.2. Literature Search Process
The strategies used in the literature search were keyword search and citation guides, employing mainly the Web of Science databases. The criteria settings in the Web of Science search engine match the study theme and objectives [23]. To optimize the accuracy and relevancy of the search results, Boolean search criteria were used to configure the searches. The main sets of Boolean keywords used to initiate the search process were “Social Media usage AND information security”, “socio-technical”, and “usable-security”. The other search criteria used to filter and streamline the search results further were: sort by relevance (keywords), availability of source (online, open access, and peer reviewed), resource type (articles and books), subject area (keywords), literature date range (2012 to 2022), and language used (English) [23]. The relevant literature was then filtered, scrutinized, and presented in a literature summary table. The main attributes used to summarize the literature were the author, country, research purpose, methodology used, type of source, and summary points (factors). Subsequently, the key SM socio-technical information security factors were identified from the relevant literature and put forward for validation. However, some relevant literature excluded by the search criteria was also scrutinized to substantiate some of the relevant facts mentioned in the literature.
2.3. Factor Validation Process
A validation process was then conducted to evaluate the key factors identified. The process included a theoretical validity test and a reliability test. The validity test was conducted on 45 Likert scale items, using a validity form and involving 10 subject experts (reviewers). The validity form was developed on a 4-point Likert scale rating, focusing on the “relevancy” and “clarity” of the items. The form contained sections on instructions to reviewers, demographic profiles, and the factors. Each item for “relevancy” was developed with responses (ratings) ranging from “not relevant—1, item need some revision—2, relevant but need minor revision—3, very relevant—4”. Similarly, for “clarity”, the measures range from “not clear—1, item need some revision—2, clear but need minor revision—3, very clear—4” [21]. The experts were experienced lecturers and researchers from MUST and KIU, with MSc and PhD qualifications. From the score ratings of the experts, the Content Validity Index (CVI) was calculated using mean score values, at an acceptable level of CVI ≥ 0.78 [21]. The detailed CVI results are presented in Section 3.
The reliability test, on the other hand, was conducted on 45 Likert scale items, using a questionnaire and involving 32 respondents. Each questionnaire item was developed with a 5-point Likert scale, with measures ranging from “strongly disagree—1, disagree—2, neutral—3, agree—4, and strongly agree—5” [21] [24]. The respondents were students and staff from Mbarara University of Science and Technology (MUST) and Kampala International University (KIU). The study selected higher institutions of learning because SM usage is more prevalent in higher education than in other formal settings in Uganda [25] [26]. Data were then collected, processed, and captured into SPSS for analysis. Cronbach’s alpha coefficients (α-values) were generated, at an acceptable range of 0.70 ≤ α ≤ 0.90 [22] [24]. The detailed results are presented in Section 3.
3. Results
In line with the study objectives, Section 3 presents the data and results in narrative, tabular and chart formats. The presentation begins with the literature search results and the demographic profiles of the experts and respondents, followed by the validity test and reliability test results.
3.1. Literature Search Results
The main sets of Boolean keywords used to initiate the search process were “Social Media usage AND information security”, “socio-technical”, and “usable-security”. The other search criteria used to filter and streamline the results further were: sort by relevance (keywords), availability of source (peer reviewed journals), resource type (journal articles), subject area (keywords), literature date range (2012 to 2022), and language used (English). At the onset of the literature search process, the Boolean keywords “Social Media usage AND information security” retrieved 170 literatures. After applying the other search criteria, the results were reduced to 99 literatures. The 99 literatures were then scrutinized using the citation guide, and 13 were found relevant to the study. The other sets of keywords used in the search process were “socio-technical” and “usable-security”. For these keyword sets, the relevant literatures were 4 out of 15 retrieved and 3 out of 14 retrieved, respectively.
However, after applying the search criteria using the Boolean keywords “Social Media usage AND socio-technical factors”, in line with the study gap, only 1 literature was retrieved, even after adjusting the date range criteria from 2012 to 2000 [3]. With respect to the study gap, no literature was returned for the Boolean keywords “Social Media usage AND socio-technical AND usable-security”. Overall, the key factors identified from the relevant literatures include SM usage and information security factors (SMISF), socio-technical information security factors (STF), and information system usable-security factors (USF). Table A1 (Appendix A) presents the set of 20 relevant literatures, indicating the authors, country, study purpose, methodology used, type of source, and summary of key points (factors).
From Table A1 (Appendix A), factors appearing in all 3 main sets of Boolean keyword searches (SMISF, STF and USF) were considered appropriate and relevant for inclusion in the list of SM socio-technical information security factors. The key factors identified and examined under the social dimension include: 1) usability factors—visibility, learnability and satisfaction; 2) training and education factors—help and documentation [9] [26] [27] [28]. The key factors identified under the technical dimension include: 3) SM technology development factors—error handling, and process revocability; 4) information security factors—security, privacy and expressiveness [4] [9]. Therefore, with respect to SM usage, the relevant factors are the common elements represented by the intersection of the 3 sets, (SMISF ∩ STF ∩ USF) [4]. Figure 1 below presents a Venn diagram indicating the common factors denoted by the intersection of the 3 sets (SMISF ∩ STF ∩ USF): SM information security factors (SMISF), socio-technical factors (STF), and usable-security factors (USF).
3.2. Data Evaluation
After identifying the relevant SM socio-technical information security factors, a questionnaire and validity forms were developed. The questionnaire items were adopted from validated information security principles developed by Mujinga, Eloff & Kroeze (2019) [4], and moderated to suit the study objectives. Each questionnaire item was developed with 5-point Likert scale measures, with responses ranging from “strongly disagree—1, disagree—2, neutral—3, agree—4, and strongly agree—5”. The items were then revised to conform to positively worded questions. Thus, factors rated “agree” and “strongly agree” would mean better information security compliance, while low agreement levels such as “disagree” and “strongly disagree” would mean vulnerable or weak information security compliance. The 4-point Likert scale measures on the “relevancy” of the items are “not relevant—1, item need some revision—2, relevant but need minor revision—3, very relevant—4”. Similarly, for “clarity”, the measures range from “not clear—1, item need some revision—2, clear but need minor revision—3, very clear—4”. Afterwards, the contents (factors and items) of the questionnaire instrument and validity forms were developed and operationalized on separate templates. However, Table B1 (Appendix B) presents the contents of the questionnaire and validity form on a single template.
3.3. Demographic Profiles—Experts
The experts used in this study were information security lecturers, including ICT professionals, from Mbarara University of Science and Technology (MUST) and Kampala International University (KIU), both in Uganda. The main attributes that guided the selection of the experts were qualifications (MSc. and PhD.), area of specialty, and years of experience in academics and research [21]. Altogether, 10 experts were identified and individually given validity forms with clear instructions to complete the form independently. They were also verbally briefed and guided on the study purpose and how to complete the form, and they all consented. Table 1 presents the demographic profiles of the experts.
Table 1. Experts demographic profiles.
3.4. Demographic Profiles—Respondents
The respondents used in this study were mainly students, including a few staff, from Mbarara University of Science and Technology (MUST) and Kampala International University (KIU). The study preferred higher institutions of learning because SM usage is more prevalent in higher education than in other formal settings in Uganda [25] [26]. Table 2 below summarizes the demographic profiles of the respondents, showing the representativeness of the sample characteristics within the category divides, with the frequency counts and the corresponding percentage distributions.
Altogether, 32 respondents were given questionnaires to complete. Afterwards, the questionnaires were collected, processed, and captured into SPSS for analysis. The 10 experts were used in the validity test, which was concerned with “how the measures sufficiently represent the construct that it was supposed to measure”, while the 32 respondents were used in the reliability test, which was mainly concerned with “the extent to which the measure of the construct is consistent and dependable” [21]. Table 3 below summarizes the results for the key factors, indicating the percentage level of agreement on the items for each factor (n = 32; MUST n = 14, KIU n = 18).
From Table 3, the percentage agreement on each factor, combining “agree” + “strongly agree”, is: visibility (MUST 40%; KIU 37%), learnability (MUST 40%; KIU 41%), satisfaction (MUST 42%; KIU 41%), error handling (MUST 35%; KIU 37%), revocability (MUST 42%; KIU 32%), help and documentation (MUST 42%; KIU 37%), security (MUST 41%; KIU 35%), privacy (MUST 42%; KIU 40%), expressiveness (MUST 42%; KIU 38%). The MUST responses show a slight edge in percentage agreement compared to KIU, which could imply slightly better SM usage security compliance at MUST than at KIU. However, the validity and reliability test results explain the consistency levels within the datasets, as presented in the subsequent sections.
Table 2. Respondent demographic profiles.
Table 3. SM socio-technical factors, level of agreement.
3.5. Validity Test
The validity test was conducted on data generated through the validity form, using 45 Likert scale items and involving 10 subject experts. From the score ratings of the experts, the Content Validity Index (CVI) was calculated using mean score values, at an acceptable level of CVI ≥ 0.78 [21]. Table 4 presents the validity test results for the 9 factors, based on the relevancy and clarity of the items.
From Table 4, factors with a strong validity index include: 1) usability factors—learnability and satisfaction; 2) SM technology development factors—error handling, and process revocability; 3) information security factors—security, and privacy. Factors with a weak validity index include: 1) usability factors—visibility; 2) training and education factors—help and documentation; and 3) information security factors—expressiveness. Notably, all the factors with weak validity items were recorded under the “clear but need minor revision—3” option. Therefore, as guided by the experts, the question statements were reviewed and revised accordingly. The revised items include: 1) Visibility: Social Media help function is visible, for instance, a key branded with the word “HELP” instead of “HELP or a special menu”. 2) Help and documentation: Social Media system visibly “shows” instead of “displays” the current selection/data input field. 3) Expressiveness: Social Media system can “prompt the user with” instead of “tell” the security state of the system and the alternatives for security-related actions if needed. Altogether, the 9 factors were reasonably considered valid, and were put forward for the reliability test based on the data collected from 32 respondents.
3.6. Reliability Test
The reliability test was conducted on 45 Likert scale items, using a questionnaire and involving 32 respondents. The respondents were students and staff from Mbarara University of Science and Technology (MUST) and Kampala International University (KIU). Each item was developed with a 5-point Likert scale, with measures ranging from “strongly disagree—1, disagree—2, neutral—3, agree—4, and strongly agree—5” [21] [24]. Cronbach’s alpha (α) values were then generated to reveal the consistency of the responses within the dataset. Items with Cronbach’s alpha values α ≥ 0.70 were considered strong reliability items, those with Cronbach’s alpha values between 0.50 and 0.70 were considered moderate reliability items, and those with Cronbach’s alpha values α < 0.50 were considered weak reliability items [29] [21] [24]. Table 5 below presents the summary of reliability test results for the items under each factor, indicating the Cronbach’s alpha (α) value for each factor and the conclusion drawn from it.
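The two validation statistics described in Sections 2.3, 3.5 and 3.6, worked through in Python as an added example (not code from the study, which used SPSS). The ratings and responses are constructed sample data, and the CVI definition used (share of experts rating an item 3 or 4, averaged per factor) is the common convention and an assumption here, since the paper only states that CVI was calculated from mean score values.

```python
"""Content Validity Index and Cronbach's alpha for a Likert-scale instrument."""
from statistics import mean, variance

CVI_THRESHOLD = 0.78  # acceptance level stated in the paper


def item_cvi(ratings):
    """I-CVI: share of experts who rated one item 3 or 4 on the 4-point scale."""
    if not ratings:
        raise ValueError("no expert ratings supplied")
    if any(r not in (1, 2, 3, 4) for r in ratings):
        raise ValueError("ratings must be on the 4-point scale (1-4)")
    return sum(1 for r in ratings if r >= 3) / len(ratings)


def factor_cvi(items):
    """Factor-level CVI: mean of the I-CVIs of the factor's items."""
    return mean(item_cvi(r) for r in items)


def items_needing_revision(items, threshold=CVI_THRESHOLD):
    """1-based numbers of the items whose I-CVI falls below the threshold."""
    return [n for n, r in enumerate(items, start=1) if item_cvi(r) < threshold]


def cronbach_alpha(responses):
    """Cronbach's alpha for rows of respondents, each row holding k item scores."""
    if len(responses) < 2:
        raise ValueError("need at least two respondents")
    k = len(responses[0])
    if k < 2 or any(len(row) != k for row in responses):
        raise ValueError("every respondent must answer the same k >= 2 items")
    item_vars = [variance(col) for col in zip(*responses)]  # per-item variance
    total_var = variance([sum(row) for row in responses])   # variance of sums
    if total_var == 0:
        raise ValueError("total scores have no variance; alpha is undefined")
    return (k / (k - 1)) * (1 - sum(item_vars) / total_var)


def reliability_band(alpha):
    """Bands used in the paper: >= 0.70 strong, 0.50-0.70 moderate, else weak."""
    if alpha >= 0.70:
        return "strong"
    if alpha >= 0.50:
        return "moderate"
    return "weak"


# Constructed sample: "clarity" ratings from 10 experts for the 5 items of one
# factor (one inner list per item, one rating per expert).
CLARITY_RATINGS = [
    [4, 4, 3, 4, 4, 3, 4, 4, 4, 3],
    [4, 3, 4, 4, 2, 4, 3, 4, 4, 4],
    [3, 3, 2, 4, 2, 3, 2, 4, 3, 2],
    [4, 4, 4, 4, 3, 3, 4, 4, 4, 4],
    [3, 3, 4, 4, 4, 2, 4, 4, 3, 4],
]

# Constructed sample: 6 respondents answering 3 items on the 5-point scale.
RESPONSES = [
    [4, 4, 5],
    [3, 4, 3],
    [5, 4, 4],
    [2, 3, 3],
    [4, 3, 5],
    [3, 2, 3],
]

if __name__ == "__main__":
    print("I-CVI per item :", [item_cvi(r) for r in CLARITY_RATINGS])
    print("factor CVI     :", round(factor_cvi(CLARITY_RATINGS), 2))
    print("revise items   :", items_needing_revision(CLARITY_RATINGS))
    alpha = cronbach_alpha(RESPONSES)
    print("alpha          :", round(alpha, 3), reliability_band(alpha))
```

With 10 experts, an item clears CVI ≥ 0.78 only when at least 8 of them rate it 3 or 4. In the sample the factor average passes while one item fails, which is why item-level indices are worth checking alongside the factor value.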
Table 4. Validity test results (Item relevancy, and clarity).
From Table 5 above, all the 9 factors attained the acceptable level of reliability. However, the reliability result for the revocability factor did not meet the minimum value range of 0.70 ≤ α ≤ 0.90. Altogether, the validated and maintained factors under the social dimension include: 1) usability factors—visibility, learnability and satisfaction; 2) training and education factors—help and documentation. The factors identified under the technical dimension include: 3) SM technology development factors—error handling, and process revocability; 4) information security factors—security, privacy and expressiveness [4] [9] [30]. Overall, the relevance of the 9 factors is based on the process followed in this study, notwithstanding the study limitations. The following sections discuss the results.
4. Discussion of Results
The key SM socio-technical information security factors were mainly adopted from existing literature, as guided by socio-technical and usable-security principles [4] [8] [9]. The key factors identified and validated under the social dimension include: 1) usability factors—visibility, learnability and satisfaction; 2) training and education factors—help and documentation [9] [26] [27]. The key factors identified under the technical dimension include: 3) SM technology development factors—error handling, and process revocability; and 4) information security factors—security, privacy and expressiveness [4] [9] [30]. Overall, all the 9 factors attained the acceptable level of validity test and reliability test results. Categorizing these factors under social and technical dimensions is a reasonable way of defining the vulnerable scope of information security within the SM usage domain [3]. Thus, the validated factors would provide SM practitioners and researchers with a theoretical basis for rationalizing information security requirements on SM usage [4] [7].
According to [4], the operational definitions of these factors are: 1) Visibility: SM system visibly keeps users informed about their security status. 2) Learnability: SM system should ensure that security actions are easy to learn and remember. 3) Satisfaction: SM system should ensure that users have good experience when using the system and its security features. 4) Error handling: SM system should provide users with detailed security error messages that they can understand and act on. 5) Process revocability: SM system should allow users to revoke any of their security actions. 6) Help and documentation: SM system should make security help apparent and easy to find for users. 7) Security: SM system should provide trusted communication channels between the user and the data servers. 8) Privacy and Confidentiality: SM system should protect user information against unauthorized access by third parties. 9) Expressiveness: SM system should guide users on security in a manner that still gives them freedom of expression [4]. From the literature, the main information security challenges associated with SM usage include confidentiality, litigation, and information overload [6], while the dominant factors highlighted and linked to these challenges were mainly social factors, including education and training, awareness, error handling, and user monitoring [5] [6] [31] [32].
5. Recommendations
SM platforms continue to improve and to attract new users and groups of persons with similar interests [33] [34]. For instance, in academic settings, university students and academic staff have continued to embrace SM usage in enhancing their academic operations [33] [34] [35]. SM usage would then provide a ubiquitous network space for effective interaction among students, supervisors and stakeholders [36] [37] [38]. However, from related literature, the profound need to preserve information security seems to be a stumbling block hindering ratification and adoption of SM usage [25] [33] [39] [40]. The validated SM socio-technical information security factors would provide SM practitioners and researchers with an alternative theoretical basis to rationalize information security requirements on SM usage [7]. The factors could be used by researchers to support evaluation and adoption of SM usage in business operations.
In reference to the study limitations, more empirical studies need to be conducted to enrich the theoretical foundations supporting SM usage in business operations. The few existing studies related to SM usage in business operations often depend on descriptive approaches, practitioner experience, or literature search, which may be context specific [37] [39] [40]. As such, their measures and findings could be limited in scope, and prone to duplication, redundancy, or inconsistency. The subjective nature of SM concepts makes it complex for existing theories and studies to have a standard definition of SM concepts [1]. This is mainly due to the transparent and casual nature of SM functions, where individuals use colloquial forms of subjective language to express their views and opinions. Therefore, more empirical studies need to focus on generating empirical evidence to address the challenges associated with the unique characteristics of SM usage. The study also recommends that more empirical research be done to assess the relative influence of the different SM socio-technical information security factors on the safety of electronic information in organizations.
6. Conclusion
This study was conducted with the intention of identifying, verifying, and validating SM socio-technical information security factors, in line with usable-security principles. The study followed literature search techniques, as well as theoretical and empirical methods of factor validation. The literature search strategy included Boolean keyword search and citation guides, using mainly the Web of Science databases as well as related online libraries. At the onset of the search process, 170 literatures were retrieved from different sources, but 20 literatures were found relevant to the study. As guided by the study objectives, 9 SM socio-technical factors were identified, verified and validated. Both theoretical and empirical validation processes were followed, and 7 factors attained an adequate level of validity index. For the reliability test, 8 factors attained an adequate level of reliability. Overall, the validated factors included: 1) usability—visibility, learnability, and satisfaction; 2) education and training—help and documentation; 3) SM technology development—error handling, and revocability; 4) information security—security, privacy, and expressiveness. The validated factors would add knowledge by providing SM practitioners, researchers, and institutions with a theoretical basis for rationalizing information security requirements on SM usage [4] [7]. For instance, the factors could be used by institutions and researchers to support the process of evaluation and adoption of SM usage in business operations. However, more empirical studies still need to be done to enrich the theoretical foundation associated with the unique (subjective) information security concepts on SM usage.
Appendix A
Appendix B
Table B1. Questionnaire items, and validity form contents, (Items adopted from: [4] Mujinga, Eloff & Kroeze 2019).