Issue Analysis of Social Media Risks

Posted by eim on 09/04/2018

Social Media Risk


  • B.Sc. Carolin Blankenberg

  • B.Sc. Sabine Nagel

  • B.Sc. Atique Baig

  • B.Sc. Jalpa Patel

Project Overview

Although the use of Social Media provides many benefits, it also comes with many risks that affect organisations and people on both a business and a professional level.

Therefore, the aim of this research – which involves an in-depth analysis of Business and Professional Risks – includes:

  • building a collection of real-life incidents and generalising them into issues
  • creating templates in order to describe when and how a risk occurs, who the responsible and affected stakeholders are and what the potential consequences could be
  • deriving a risk classification

This work builds on and extends the FG EIM’s earlier work on Business and Professional Risks of Social Media.

Project Timeline

The research project consists of eight work packages (WP1-WP8). The figure below shows a brief overview of each work package; the actual Research Approach will be elaborated after the relevant Terminology is introduced.

Social Media Risk Analysis - Timeline



IN: An Incident is a very specific case taken from real life. Incidents usually include names and places, as well as a detailed description of what happened.
“A nursing student took a photo of a pediatric patient when his mom was out and posted it on Facebook.” (IN73)

IS: An Issue is a more generic form of an Incident. Issues usually describe potential risk-related actions without naming specific details.
“A medical student posts confidential patient information.” (IS06)

R: A Risk is a very generic description of the overall risk area an Issue occurs in.
“Disclosure of Confidential Information.” (R13)

Research Approach

The following section will introduce the research approach of this project. As part of the Literature Analysis (WP2), the current state of research in the area of Social Media Business or Professional Risks was analysed. In particular, this included an analysis of the terminology used, in order to define our own Terminology, as well as an extraction and organisation of author keywords that can be used as search terms for the next research step, the Collection of Incidents and Issues (WP3).

The Collection (WP3) and the creation of Collection Templates (WP4) were executed in parallel, as the templates were constantly refined during the collection process. We started the Collection (WP3) using existing academic literature and later on switched to online sources (e.g. newspaper articles, blog posts). All Incidents, Issues and Risks that were extracted from both academic and online sources were analysed and stored in the corresponding template. An example of this can be seen in the Collection Templates section below.

After finalising the templates (WP4) and completing the Collection (WP3), further Issues and Risks were derived from the existing Collection. The resulting risks were then compared to the current FG EIM Risk Classification. The results were used to refine the list of risks and, as a next step, our own Risk Classification was created (WP5).

Project Scope

As described in the Research Approach above, this project was very literature-based, so in total we covered 152 academic and 110 online sources. Both the literature research and the derivation of our own Incidents, Issues and Risks resulted in the collection of 98 Incidents, 105 Issues and 55 Risks.

Academic Literature
Online Literature

Collection of Templates

In order to be able to store Incidents, Issues and Risks, templates have been created. The following accordion shows the content of each template column using the three examples described in the Terminology above. The three differently coloured bullet points show the examples on Incident (light blue), Issue (medium blue) and Risk (dark blue) level respectively. As not all columns are relevant for all three templates (Incident, Issue, Risk), the icons show whether the column is present in that particular template (shaded) or not (white).

A unique identifier containing the type and a number

  • IN73
  • IS06
  • R13

Name; For Incidents/Issues it contains the most important information separated with an underscore (Initiator_(Platform)_Action_(Accounts)_Victim)

  • NursingStudent_Facebook_Picture_Patient
  • MedicalStudent_ConfidentialInformation_Patient
  • Disclosure of Confidential Information

A short description in 1-2 sentences

  • A nursing student took a photo of a pediatric patient when his mom was out and posted it on Facebook.
  • A medical student posts confidential patient information.
  • It is often the case that confidential business/client/patient/student information is made public using Social Media.

Date of the Incident (Month and Year)

  • 2011.08

Person who is responsible

  • Nursing Student
  • Medical Student

Person who is the main target

  • Patient
  • Patient

Who pressed charges/went public?

  • Another Nurse

Other people who are affected

  • Dean of Nursing Program; Hospital
  • N/A

Where did the Incident take place? (usually a specific social network)

  • Facebook

What type of media was used?

  • Post; Photo

Were the accounts used for the action (source and target) private or company accounts?

  • Private(Source)-Private(Target)

What was the content of the medium?

  • “This is my 3-year-old leukemia patient who is bravely receiving chemotherapy. I watched the nurse administer his chemotherapy today and it made me so proud to be a nurse.”; In the photo, Room 324 of the pediatric unit was easily visible.
  • confidential patient information

What happened?

  • post

Why is this a problem/risk?

  • Violation of Policies; Breach of patient confidentiality; HIPAA violation
  • Unprofessional content; Confidentiality

How big was the impact? How many people were reached?

  • N/A

How did the stakeholders react?

  • Other stakeholder (Dean of Nursing Program) called Initiator into her office

What were the (legal) consequences for the stakeholders?

  • Initiator was expelled from the program

What long-term measures did the stakeholders take? (e.g. policies)

  • Other Stakeholder (hospital) contacted federal officials about the HIPAA violation and began to institute more strict policies about use of cell phones at the hospital

Sources from academic literature and online sources

  • (Barry and Hardiker, 2012; Basevi, Reid and Godbold, 2014; NCSBN, 2011)
  • (Chauhan, George and Coffin, 2012; Peck, 2013)
  • (Berman, Grande, & Hedges, 2017; Brown & Hader, 2010)

Is this a Business, Professional or Personal risk? If so, how (active/passive; intentional/unintentional)?

  • Business; Professional

Cross-references to existing Issues/Risks

  • IS06; R13; R33
  • IN73; R13; R33
  • IN73; IS06; among others

If this is part of the chain, which one (Chain ID) and with which Incidents/Issues?

Risk Classification

In the course of this project, a total number of 55 risks divided into 5 categories has been identified. The five main categories including several examples are shown below.

  • Human Risks include Risks that occur due to human failure.

    Examples: Offensive Statement, Monitoring (Blurring Boundaries)

  • Content Risks cover all Risks that involve any type of document or information.

    Examples: Disclosure of Confidential Information, Uncontrolled Spreading of Information, Uninformed Statement, Uncontrolled Transformation, Inappropriate Information, False Information

  • Compliance Risks include Risks that deal with breaking laws or policies.

    Examples: Violation of Profession-Related Laws, Violation of Company Policies

  • Operational Risks cover all Risks related to the company’s operations, finances etc.

    Examples: Inappropriate Customer Interaction, Financial

  • Identity Risks include Risks that involve the stakeholder’s Social Media accounts and reputation.

    Examples: Defamation, Negative Representation, Negative Self-Presentation; Negative Exposure


Incidents, Issues and Risks do not necessarily occur individually; they can also appear in so-called Chains. This means that, for example, an Incident can be the consequence of another Incident. The following sections introduce visualised Chains of all identified types.

Risk Chains

Risk Chains can be observed on all levels, as both Incidents and Issues can have multiple risks at once, or even changes in risks over time. An example of a Risk Chain as part of an Incident can be seen in the following figure. In this Incident, a musician uploaded a video exposing how United Airlines handled and eventually broke his guitar. One of the consequences for United Airlines was that their stock price fell 10%, costing stockholders about $180 million in value, which is why the initial risk (Negative Exposure) turned into a Financial risk after a while.

IN05: A musician uploaded a video of a song about United Airlines breaking his guitar on YouTube.

Incident Chains

Generally, two Incidents in a chain have at least one stakeholder in common. This leads to the following realistic combinations:

  • A/B → B/A: Initiator and Victim switch from one Incident to the other.
  • A/B → C/A: A party not involved in the first Incident is the Initiator of the second Incident, targeting the Initiator of the first Incident.
  • A/B → A/B: Both Initiator and Victim are the same for both Incidents.

In the first two combinations, the Initiator turns into the Victim, whereas in the third combination, the stakeholders stay exactly the same.

In the chain shown in the figure below, a customer uses a restaurant’s Facebook page to complain about her meal. Afterwards, the restaurant’s chef offensively replies to the complaint. While the initial risk is of defamatory nature (Defamation), the second Incident not only covers two separate risks (Offensive Statement and Inappropriate Customer Interaction), but it also contains a Risk Chain as the two risks lead to a Negative Representation of the restaurant by the chef.

IN99: A disgruntled Pigalle customer complained on Facebook about her Thanksgiving meal rather than calling the restaurant or saying something.
IN95: The Pigalle chef offensively replied to a customer complaint.

As already mentioned above, the stakeholders do not necessarily have to change. Often, the Initiator and Victim are the same in both parts of the Chain.

In the Incident Chain shown below – which has only an Initiator and no Victim – Delta Air Lines posts an Uninformed Statement on Twitter, which leads to a Negative Self-Presentation. After realizing what they had posted, they tried to control the damage by apologizing with another Tweet. However, they accidentally referred to their errant tweet as “precious” instead of “previous”. In this case, the Lack of Quality/Reliability led to an even more Negative Self-Presentation, which shows that risks can also occur during damage control and result in the opposite effect.

IN58: Delta Air Lines posted on Twitter showing they know nothing about Ghana.
IN79: Delta Air Lines referred to an errant tweet as its “precious” tweet instead of its “previous” tweet.

In addition to Chains that happen exclusively online, there is also the possibility of offline events being part of a chain. This can occur in two different ways: either the chain starts offline and continues online, or vice versa.

Issue Chains

Generally speaking, Issue Chains are similar to Incident Chains, as an Issue is just a more generalized form of an Incident. However, this generality also means that more than two Issues can be involved in a single chain. The following Chain has a left and a right side. While the left side shows the way of getting access to a company’s Social Media account (in this case a third party imitating or hacking the account), the right side shows the next step, i.e. what is done to the account afterwards. This can include, for example, posting inappropriate or false information. Therefore, any Issue from the left side can occur in a chain with one or more Issues from the right side.

IS45: A third party imitates a company Social Media account.
IS43: A third party posts inappropriate information from a company Social Media account.
IS99: A third party hacks a company Social Media account.
IS54: A third party posts false information from the company account.


Future Research

A main suggestion for future research is the collection of more Incidents. Expanding the Collection built during this research project would make it possible to make representative and general statements about Social Media risks.
As the Collection can be easily transformed into a database with tables for Incidents, Issues and Risks, the next step would be to connect the individual tables using the IDs as foreign keys. Afterwards, database views can be created and used for further evaluations of the database content.
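
One way the database step described above could look, as an added example (not the project's own code) using SQLite from Python. The table layout (one Issue per Incident, a link table between Issues and Risks), the view name and the ID checks are assumptions; the IDs and names are the template examples from this page, and the name of R33 is left empty because the page does not give it.

```python
import sqlite3

# Assumed layout: each Incident generalises to one Issue; an Issue maps to many Risks.
SCHEMA = """
CREATE TABLE risk  (id TEXT PRIMARY KEY CHECK (id GLOB 'R[0-9]*'),  name TEXT);
CREATE TABLE issue (id TEXT PRIMARY KEY CHECK (id GLOB 'IS[0-9]*'), name TEXT NOT NULL);
CREATE TABLE incident (
    id TEXT PRIMARY KEY CHECK (id GLOB 'IN[0-9]*'),
    name TEXT NOT NULL, occurred TEXT, platform TEXT,
    issue_id TEXT REFERENCES issue(id));
CREATE TABLE issue_risk (
    issue_id TEXT NOT NULL REFERENCES issue(id),
    risk_id  TEXT NOT NULL REFERENCES risk(id),
    PRIMARY KEY (issue_id, risk_id));
CREATE VIEW incident_risks AS
    SELECT i.id AS incident_id, s.id AS issue_id, r.id AS risk_id, r.name AS risk_name
    FROM incident i
    JOIN issue s       ON s.id = i.issue_id
    JOIN issue_risk ir ON ir.issue_id = s.id
    JOIN risk r        ON r.id = ir.risk_id;
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO risk VALUES (?, ?)", [
        ("R13", "Disclosure of Confidential Information"),
        ("R33", None),  # name not given on the page
    ])
    conn.execute("INSERT INTO issue VALUES (?, ?)",
                 ("IS06", "MedicalStudent_ConfidentialInformation_Patient"))
    conn.execute("INSERT INTO incident VALUES (?, ?, ?, ?, ?)",
                 ("IN73", "NursingStudent_Facebook_Picture_Patient",
                  "2011.08", "Facebook", "IS06"))
    conn.executemany("INSERT INTO issue_risk VALUES (?, ?)",
                     [("IS06", "R13"), ("IS06", "R33")])
    conn.commit()
    return conn

def risks_for_incident(conn, incident_id):
    rows = conn.execute(
        "SELECT risk_id FROM incident_risks WHERE incident_id = ? ORDER BY risk_id",
        (incident_id,))
    return [row[0] for row in rows]

def dangling_reference_rejected(conn):
    # Constructed row: IS999 does not exist, so the foreign key must refuse it.
    try:
        conn.execute("INSERT INTO incident VALUES (?, ?, NULL, NULL, ?)",
                     ("IN999", "Constructed_Orphan", "IS999"))
    except sqlite3.IntegrityError:
        return True
    return False
```

With foreign keys enforced, a cross-reference to an Issue or Risk that is not in the Collection fails at insert time instead of surfacing later as a gap in the view.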


  • (IN05) Aula, P., 2010. Social media, reputation risk and ambient publicity management. Strategy & Leadership, [online] 38(6), pp.43–49.
  • (IN05) Carroll, D., 2009. United Breaks Guitars. [online] [Accessed 24 Mar. 2018].
  • (IN05) Macleod, D., 2009. United Broke My Guitar. [online] The Inspiration Room. [Accessed 1 Feb. 2018].
  • (IN05) Revolvy, 2018. United Breaks Guitar. [online] [Accessed 23 Mar. 2018].
  • (IN07) Balog, E.K., Warwick, A.B., Randall, V.F. and Kieling, M.C., 2012. Medical Professionalism and Social Media: The Responsibility of Military Medical Personnel. Military Medicine, 177(2), pp.123–125.
  • (IN07) CBS News, 2010. Haiti Docs’ Facebook Photos Triggers Probe. [online] CBS News. [Accessed 17 Dec. 2017].
  • (IN07) Deaton, J., Fernandez, B. and Valencia, N., 2010. Photos of drinking, grinning aid mission doctors cause uproar. CNN. [Accessed 17 Dec. 2017].
  • (IN18/IN63) Di Stefano, G., 2011. Social Media Risks. Risk Watch, 33(3).
  • (IN20) British Medical Association, 2011. Using Social Media: Practical and Ethical Guidance for Doctors and Medical Students.
  • (IN20) Luft, O., 2011. PCC: Civil servant’s Twitter messages were not private. [online] PressGazette. [Accessed 29 Dec. 2017].
  • (IN20) Press Complaints Commission, 2011a. Baskerville vs Daily Mail. [online] Press Complaints Commission. [Accessed 29 Dec. 2017].
  • (IN20) Press Complaints Commission, 2011b. The Minutes of the 176th Ordinary Meeting of The Press Complaints Commission Limited. [online] London, UK. [Accessed 29 Dec. 2017].
  • (IN20) Ryan, S., 2011. UK Press Commission makes first ruling involving Twitter material. [online] [Accessed 29 Dec. 2017].
  • (IN58/IN79) McDonald, S.N., 2014. Delta learns the hard way that Ghana doesn’t have giraffes. [online] The Washington Post. [Accessed 25 Feb. 2018].
  • (IN58/IN79) Schenker, M., 2015. These corporate social media fails are so bad, they’ve had to issue mea culpas. [online] Digital Trends. [Accessed 25 Feb. 2018].
  • (IN73) Barry, J. and Hardiker, N.R., 2012. Advancing nursing practice through social media: a global perspective. Online journal of issues in nursing, [online] 17(3), p.5.
  • (IN73) Basevi, R., Reid, D. and Godbold, R., 2014. Ethical guidelines and the use of social media and text messaging in health care: a review of literature. NZ Journal of Physiotherapy, [online] 42(2), pp.68–80.
  • (IN73) NCSBN, 2011. White Paper: A Nurse’s Guide to the Use of Social Media. Journal of Practical Nursing, [online] 61(3), pp.3–9.
  • (IN95/IN99) Blumenthal, R.L., 2012. Pigalle to Customer: ‘You Must Enjoy Vomit’. [online] Eater Boston. [Accessed 22 Feb. 2018].
  • (IN95/IN99) Kagan, A., 2012. Pigalle Chef Marc Orfaly Issues Apology. [online] Eater Boston. [Accessed 22 Feb. 2018].
  • (IS06) Chauhan, B., George, R. and Coffin, J., 2012. Social Media and You: What Every Physician Needs to Know. The Journal of Medical Practice Management, [online] 28(3), pp.206–9.
  • (IS06) Peck, J.L., 2014. Social Media in Nursing Education: Responsible Integration for Meaningful Use. Journal of Nursing Education, 53(3), pp.164–169.
  • (IS43/IS45) Field, J. and Chelliah, J., 2012. Social‐media misuse a ticking time‐bomb for employers. Human Resource Management International Digest, [online] 20(7), pp.36–38.
  • (R13) Berman, M.A., Grande, I.A. and Hedges, R.J., 2017. Social Media Ethics Guidelines The Social Media Committee Of The Commercial And Federal Litigation Section Co-Chairs Twitter Account Manager Law School Interns.
  • (R13) Brown, E.D. and Hader, A.L., 2010. Patient Privacy and Social Media. AANA Journal, [online] 78(4), pp.270–274.
  • (R13) Grant Thornton, 2013. Social media risks and rewards.
  • (R13) He, W., 2013. A survey of security risks of mobile social media through blog mining and an extensive literature search. Information Management & Computer Security, [online] 21(5), pp.381–400.
  • (R13) Herrin, B. and Ingram, T., 2010. PHI faux pas: social media and the unauthorized disclosure of PHI. The Journal of medical practice management: MPM, [online] 27(5), pp.275–6.
  • (R13) Holme, C., 2013. Social Media – the Legal Risks.
  • (R13) Jarrahi, M.H. and Sawyer, S., 2015. Theorizing on the Take-Up of Social Technologies, Organizational Policies and Norms, and Consultants’ Knowledge-Sharing Practices. Journal of the Association for Information Science and Technology, 66(1), pp.162–179.
  • (R13) Lackey Jr., M.E. and Minta, J.P., 2012. Lawyers and Social Media: The Legal Ethics of Tweeting, Facebooking and Blogging. Touro Law Review, 28(1), pp.149–182.
  • (R13) Nesbit, T., 2011. Social Media: In the Work Place and Patterns of Usage. The International Journal of Interdisciplinary Social Sciences, 5(9).
  • (R13) Nexgate, n.d. Mapping Roles and Responsibilities for Social Media Risk.