The Risks in a Web 2.0 World - Literature review Example

The Risks in a Web 2.0 World Introduction Web 2.0 refers to a second generation of web development and design, which facilitates communication, secure information sharing, interoperability, and collaboration on the World Wide Web (Moein, Malekmohammadi & Youssefi, 2010, p. 459). It can also be defined as the business revolution in the computer industry caused by the shift to the use of the internet as a platform, and an attempt to understand the rules of success on that new platform. Key among those rules is that there is need to build applications that harness network effects to get better the more they are used by people (Rim O’Reilly in 2006 as cited by Rook, not dated). In general, there is no agreed definition for Web 2.0, but the application can also be defined as a function that encompasses the networking and sharing of information, including text, data, images, sound recordings or moving images (JISC, 2008, p. 1). There are many risks associated with Web 2.0 applications. These include the viral nature of the Web 2.0 technologies, the philosophy of openness or lack of privacy when using the various applications, sharing of data among “friends,” as well as the permanence of the data stored on the Internet. The risks pose a major challenge of personal as well as company reputational damage (Musser & O’Reilly, 2006; JISC Legal Information, 2008). The aim of this paper is to discuss the highlighted risks in detail. It is important to note the perceived advantages of Web 2.0 technologies are closely associated with the perceived dangers of using the technologies. The paper therefore discusses how the so-called benefits of Web 2.0 applications attract significant risks, as well as the vulnerabilities of the Web 2.0 environment. However, the paper does not delve into a technical discussion about Web 2.0 technologies or architectures. Key points about Web 2.0 The main features of the Web 2.0 application include user generated content, a desktop look and feel utility, syndication of content, and offline storage of data and state. These can be summarized in the table below. Key features of Web 2.0 technologies Feature User generated content Desktop look and feel utility Syndication of content Offline storage of data and state. Description This means an architecture of participation, i.e. the application is open to all users that can access it It is now possible to put everything online There can be a rapid proliferation of content Writing of data to local databases Example of application Social network sites such as YouTube Google Docs eyeOS RSS Atom Gears (an open source project that enables more powerful web applications, by adding new features to a user’s web browser). HTML 5 (a language for designing and presenting content for the World Wide Web, which is a core technology of the Internet). Sources: Rook, not dated; Gears; html 5.org Risks associated with the various features of Web 2.0 Web 2.0 application is modelled to enhance the interaction between human beings and software. More to this, there are websites and web-based applications built around a core set of design patterns that blend the human experience with technology (Moein, Malekmohammadi & Youssefi, 2010, p. 459). According to Moein, Malekmohammadi and Youssefi (2010, p. 459), Web 2.0 is about the spirit of sharing, which is in contrast to the traditional concept of “knowledge is power”. Further, knowledge in the Web 2.0 world is about sharing and is about nobody’s property. According to Jern, Brezzi and Lundblad (2010, p. 380), the major tenets of Web 2.0 are collaboration and sharing, be it of technology or content. Thus, Web 2.0 websites users to do more than simply retrieve information (Moein, Malekmohammadi & Youssefi, 2010, p. 459). Web 2.0 concepts have led to the development of and evolution of web culture communities and hosted services, such as social networking sites, video sharing, blogs and so forth. The application thus embodies the idea of the proliferation of interconnectivity and interactivity of web-delivered content (Shah, 2009, p. 310; Lüers, 2008, p. 44; Volkmann, Tokarski & Grünhagen, 2010, p. 431; Bonson & Flores, 2011, p. 36). The same features of Web 2.0 described above pose significant risk to users. Most of the risks are associated with sharing of information over the World Wide Web. Thus the concept that Web 2.0 facilitates communication, secure information sharing, interoperability, and collaboration on the World Wide Web as connoted by Moein, Malekmohammadi and Youssefi (2010, p. 459) may be judged differently in this context. According to Rook (not dated), various applications in Web 2.0 can unintentionally leak information about their configuration, internal functioning, or violate privacy through a variety of application problems. The next section will thus discuss various situations in which information can be accesses in such a way that it violates privacy. General data leakage Web 2.0 technologies create many risks for employees and organisations with regards to possible leakage of personal information and company data (IT Governance Research Team 2009, p. 22). In a company environment, data leakage occurs when confidential business information – such as future plans, budget details, source code or design particulars, customer data and so forth – leaves the company. It can also arise when employees or other people get access to restricted information - such as payroll, redundancy or other types of personnel information (Clearswift, not dated). Lytras et al (2010, p. 365) add to this discussion by noting that at present it seems that companies are no longer able to escape the side effects that the Web 2.0 environment has on the way employees work, collaborate and network. Along the same line, Ross (2009) reports that recent research in the United Kingdom has measured the frequency and average cost of information security insecurity incidents and it is perplexing to note that very large companies are almost certain to have such an occurrence every year, at an average cost for the worst incidents of more than £1 million (Ross, 2009). Most users are not aware of the large amount of personal information that they voluntarily or unintentionally disclose and which is then spread over the Internet. They are also not aware of the potential for the abuse and reuse of the information they give in contexts other than those for which they were initially intended. But it is important to note that collections of information are not static in nature; as their scope, function as well as ownership can change rapidly and the information subjects are not necessarily cognisant of the fact that the details they give could be used. Most importantly, once the collected data has been disclosed, it can never be deleted (IT Governance Research Team 2009, p. 22). The various types of personal and company data and the associated risks It is always assumed that personal data once entered onto a website will be safe and free from data breaches or the unintentional disclosure to unauthorised parties (Herold, 2010, p. 334; Isaca, 2010, p. 30). But on the contrary, this may not always be the case. Different types of media are full of examples cases where data breaches have occurred. Many of such incidents involve breaches of data entered onto websites. Depending on the type of information that is inadvertently divulged, this can have different implications. Thus, it is worthwhile to understand the criticality of the implications when entering data onto any Web 2.0 website. Name and email address These details can be used for phishing attacks (IT Governance Research Team 2009, p. 23). In spite of the well recognised risks, it is still common for employees to use passwords such as partner or child’s name, sports team or pet’s name. The problem is worsened because many people are poor at managing many passwords and use the same one for many sites (Ross, 2009). There is another more direct risk, which is that personal information may be used to hack into, and gain access of email accounts, which are oftentimes poorly protected. This has a significant implication for work-related emails as there is often traffic between the two accounts, allowing hackers to identify valid work email addresses and use the same for “spear-phishing” (Ross, 2009). Spear-phishing refers to the refinement of a speculative amount of spamming emails that purport to come from another source (referred to as phishing). Tailored emails are then created, which appear to come from a named individual (such as HR or IT and so forth) in a position of authority such that the recipient will comply with the source’s request to supply information or download files. Cyber criminals use this opportunity to create their own virtual corporate directories and may target new members of staff (who are deemed to be more vulnerable) (Solari, 2010). General personal information Through the personal and sensitive information that is provided on social networking sites, phishers can create targeted phishing attacks. The inclusion of such personal and sensitive information creates a level of credibility, implying that the there is a high likelihood of the attacks being successful. Bank account information This can be used by attackers to make fraudulent financial purchases. Date of birth/person’s maiden name This is part of personally identifiable information that can be used to obtain a passport or a driving license. The same information can in turn be used fraudulently to take out large loans using another person’s name, or as proof of identification if arrested. This can also unravel identity theft, as a result of which a victim will discover that someone else has run up large financial debts or is even waned for criminal convictions in their name. Clearing such identity theft can be tedious, expensive and very complicated (IT Governance Research Team 2009, p. 23). Curriculum vitae and professional homepages These have information that can also be used for identity theft. For instance, the BBC reported that in an experiment that entailed a fake website luring people into submitting their curriculum vitae, 61 contained adequate information to apply for a credit card. Further, iProfile notes that “the most useful information for criminals, which should be omitted from an online CV, are date of birth, marital status and place of birth” (IT Governance Research Team 2009, p. 24). The internet also makes it very easy to identify those individuals that would be most ideal to steal from in accordance with their occupation and the salary they earn (IT Governance Research Team 2009, p. 24). Sharing of information and the associated risks User profiles and the wide meaning of friends One of the key aspects of Web 2.0 technologies is the possibility of sharing information. In deed, many social networking sites such as Facebook, Twitter and Hi5 use the concept of friends as a level of information sharing. User profiles and the concept of friends, coupled with the “open” approach to Web 2.0 technologies have meant that users are less informed of the risks of disclosing personal and/or company information. In view of this, an organisation known as IT Governance Ltd conducted a study in 2008 and found that 27 percent of respondents would have no problem providing their date of birth on a social networking website, and 11 percent would feel comfortable about availing their religious beliefs, sexual orientation, as well as recent party photos (IT Governance Research Team 2009, p. 32). This shows that in general, people most people do not find it unusual to submit their private information on such websites. Apart from the data protection and data privacy issues, such data can also be used for identity theft, spear phishing, and to reveal information that could be libellous and to expose confidential company information (IT Governance Research Team 2009, p. 32). Websites that use Web 2.0 technologies can collect and collate very large amounts of personal information. This may be stored as user profiles, comments posted on a blogs or wikis on Web 2.0 collaboration tools, or be uploaded to social networking tools. The problem here is that some accounts such as Facebook cannot be deleted and can only be deactivated, while other sites such as Yahoo and Google retain deleted information for a long time even after the user has deleted it. In fact, information entered in sites such as Facebook and MySpace remains indelible and lasts a lifetime (Fraser & Dutta, 2008). This poses challenges when information gets to the unintended persons accidentally or intentionally, especially where popular social networking sites such as MySpace (with over 300 million registered users by 2008) are involved (EnterpriseDB, 2008, p. 4). Reputational loss Individuals, as well as companies, are at risk of having their reputations destroyed due to misuse of the information they avail on the internet. Companies are particularly at greater risk, given that they have to use Web 2.0 technologies to engage in ad hoc collaboration with vendors, customers, workers and so forth to exchange knowledge and offer improved services. Along this line, it is also crucial that organisations ensure that they do not expose their knowledge to threats. But a problem lies here as Web 2.0 technologies are inherently difficult to secure, as they make organisational intelligence more accessible and searchable (Aljafari & Sarnikar, 2010, p. 2; Kennedy & Dysart, 2007, p. 37). As customers and other parties acquire more information about a particular company, the situation makes the company vulnerable to comments made by them. For instance, Wim Guerden of JPMorgan Chase indicated that Web 2.0 technologies pose twin threats of reputational risk competitive disintermediation as a result increased customer participation and openness of information and services interchange (Tuck School of Business, 2007, p. 5). As such, when consumers start to put stuff on wikis, the company does not like it and would like to moderate it, which defeats the whole purpose of having Web 2.0 technologies in the first place. According to Paul Argenti of Tuck Business School, reputational risks are extremely high in Web 2.0 environments because in open fields characteristic of Web 2.0 technologies, one does not have as much control over how people use their identity. In addition, companies are not very good at monitoring reputational risks in the first place. For instance, according to Paul Montgomery of Eastman Chemicals, the company is pretty conservative, and from a communications viewpoint, control is worthwhile to protect the company’s reputation as well as individuals. As such, the company has opposed greater use of Web 2.0 technologies for fear that it will have negative impacts (Tuck School of Business, 2007, p. 6). Such are the conditions in many other business environments. Loss of intellectual property Many news reports and companies have reported cases of intellectual property leakage and loss as a result of inadequate protection of knowledge assets (Aljafari & Sarnikar, 2010, p. 2). At present, companies can no longer escape the side effect of the Web 2.0 technologies on how employees work, collaborate and network. According to Lytras et al (2010, p. 365), loss of intellectual property is a key concern that occurs due to either a naïve use of the web 2.0 technologies or due to the fragility that the applications have in terms of security. In fact, there is concern that the open nature of Web 2.0 makes it generally more susceptible to breaches (Lytras et al, 2010, p. 365) This is because many people can easily have access to sensitive company information as a result of the Web 2.0 applications. Because of the ease with which materials can be copied and re-disseminated, and due to the difficulty of policing activity and establishing which country’s laws apply to the use of the Internet, the web poses major intellectual property rights issues for organisations (JISC, 2008). Other risks There are many other risks associated with the Web 2.0 environment. For instance, there are many software and websites that may neither be adequately tested, nor have the newest patches loaded. There are also cases of untrustworthy information sources that may contain factual inaccuracies and errors that affect the credibility, ethics and legality of web content. In addition, the ability to combine information from various sources could result in a decrease in relevance of content. Further, the use of Web 2.0 applications may result in unproductive use of organisational resources and time, including loses that arise from discontinuation of operations (Rudman, 2010, p. 216). Conclusion It has been argued in this paper that Web 2.0 technologies pose significant risks despite their popularity. The ease of sharing information makes it possible for information to reach unintended destinations, posing personal and company reputational damage. Most Web 2.0 websites encourage sharing of information and this exposes users to risks of phishing and hacking. In addition, organisations are at risk of losing their intellectual property rights because different parties can easily get access to company information that would otherwise be regarded confidential. Further, other risks are associated with availability of untrustworthy information on the internet, as well as the potential loss of company resources due to unproductive use of Web 2.0 technologies. References Aljafari, R. & Sarnikar, S. 2010, "A Risk Assessment Framework for Inter-Organizational Knowledge Sharing," Sprouts: Working Papers on Information Systems, Vol 10, No. 29, available from http://sprouts.aisnet.org/880/1/KMDSS_Sprouts.pdf (7 May 2011) Bonson, E. & Flores, F. 2011, “Social media and corporate dialogue: The response of global financial institutions,” Online Information Review, Vol. 35, No. 1, 2011, pp. 34-49. Clearswift, not dated, “Data leakage: The stealth threat to business,” available from http://i.i.com.com/cnwk.1d/html/itp/clearswift_data_leakage.pdf (3 May 2011) EnterpriseDB, 2008, “Web 2.0 Database Strategies: New Applications, New Infrastructures,” Available from http://www.nace.co.in/files/Whitepapers/EnterpriseDB/White%20Paper%20Web%202.0%20Database%20Strategies.pdf (7 May 2011). Fraser, M. & Dutta, S. 2008, Throwing sheep in the boardroom: How online social networking will transform your life, work and world, John Wiley and Sons, New York. Gears, available from http://gears.google.com/ (4 May 2011) Herold, R. 2010, Managing an Information Security and Privacy Awareness and Training Program (2nd edition), CRC Press, New York. Html 5.org, available from http://html5.org/ (4 May 2011). Isaac, 2010, The Business Model for Information Security, Isaca, New York. IT Governance Research Team 2009, How to Use Web 2.0 and Social Networking Sites Securely, IT Governance Ltd, New York. Jern, M., Brezzi M. & Lundblad, P. 2010, “Geovisual analytics tools for communicating emergency and early warning,” In M. Konečný, S. Zlatanova & T. L. Bandrova, Geographic Information and Cartography for Risk and Crisis Management: Towards Better Solutions, Springer, New York. JISC Legal Information, 2008, “Web 2.0 and the Law for Information Services,” 18 September 2008. JISC, 2008, “Web 2.0 and intellectual property rights,” JISC Briefing Paper, April 2008. Kennedy, M. L. & Dysart, J. 2007, Intranets for info pros, Information Today, Inc., New York. Lüers, E. 2008, Web 2.0 and Audience Research: An Analysis Focusing on the Concept of Involvement, GRIN Verlag, New York. Lytras, M. D., De Pablos, P. O., Ziderman, A., Roulstone, A., Maurer, H. & Imber, J.B. 2010, Knowledge Management, Information Systems, E-Learning, and Sustainability Research: Third World Summit on the Knowledge Society, WSKS 2010, Corfu, Greece, September 22-24, 2010, Proceedings, Part 1, Springer, New York. Moein, A., Malekmohammadi, M. & Youssefi, K. 2010, “An introduction to the Next Generation Radiology in the Web 2.0 World,” In Vossoughi, J., Herold, K. E.& Bentley W. E. 26th Southern Biomedical Engineering Conferences 2010 April 30 - May 2, 2010 College Park, Maryland, USA, Springer, New York. Musser, J. & O’Reilly, T. 2006, “Web 2.0 Principles and Best Practices,” O’Reilly Radar, Fall 2006 Rook, D. not dated, “The security risks of Web 2.0,”available from http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-david_rook-risks_of_web_2.0.pdf (4 May 2011). Ross, L. 2009, “Curb your enthusiasm: Corporate risk assessment of Web 2.0,” Charterd Institute of Management Accountants, London, available from http://www.steria.co.uk/assets/4_ASSETS/pdf/00355.pdf (5 May 2011). Rudman, R. J. 2010, “Incremental risks in Web 2.0 applications,” The Electronic Library, Vol. 28, No. 2, pp. 210-230. Shah, D.N. 2009, A Complete Guide to Internet and Web Programming, Dreamtech Press, London. Solari, C. C. 2010, Security in a Web 2.0+ World: A Standards-Based Approach, John Wiley and Sons, New York. Tuck School of Business, 2007, “Web 2.0 and the Corporation: A Thought Leadership Roundtable on Digital Strategies,” available from http://www.tuck.dartmouth.edu/cds-uploads/publications/pdf/Round_Overview_Web20.pdf (7 May 2011). Volkmann, C. K., Tokarski, K. O. & Grünhagen, M. 2010, Entrepreneurship in a European Perspective: Concepts for the Creation and Growth of New Ventures, Gabler Verlag, New York. Read More