Securing organizations against information leakage through Online Social Networking: Case analysis and maturity framework

Nurul Nuha Abdul Molok (1), Atif Ahmad (2), Shanton Chang (2)
nurul.nuha@iium.edu.my (1), atif@unimelb.edu.au (2), shanton.chang@unimelb.edu.au (2)

(1) Department of Information Systems, International Islamic University Malaysia, Kuala Lumpur, Malaysia
(2) School of Computing and Information Systems, The University of Melbourne, Australia

Abstract

The inadvertent leakage of sensitive information through Online Social Networking (OSN) represents a significant source of security risk to organisations. Leakage of sensitive information such as trade secrets, intellectual property and personal details of employees can result in a loss of competitive advantage, loss of reputation, and erosion of client trust. We present 4 case studies examining drivers for employee leakage behaviour and the corresponding security management strategies addressing OSN leakage. Drawing on these case studies, we present a maturity framework for organisational OSN Leakage Mitigation Capability (OSN-LMC) and lessons learned from the case studies.

Keywords: Information Leakage, Information Security Management, Online Social Networking, Maturity Framework

1. Introduction

Leakage of sensitive information across organisational boundaries is a significant and increasing security risk for organisations. Sensitive information may include trade secrets, intellectual property, business strategies, product- or service-related details and even confidential client and customer information. Such leakage can result in a range of organisational impacts, including loss of competitive advantage, loss of reputation, loss of revenue, and loss of opportunity, especially where clients are sensitive to information breaches (Ahmad, Bosua, & Scheepers, 2014).
Online Social Networking (OSN) is akin to a ‘leaky pipe’: the technology is designed such that communications between the sending party and the intended recipients are visible to other parties as well. Leakage through OSN is (1) instantaneous, as it is available to the audience immediately upon posting, (2) ubiquitous, as it is globally accessible across myriad demographics, and (3) persistent, in that it is archived in perpetuity (Schneier, 2009). These characteristics entice end-users to engage with OSN, but they also create opportunities for information leakage (Cascavilla, Conti, Schwartz & Yahav, 2017). We define information leakage as “a breach of the confidentiality of information, typically originating from staff inside an organisation and usually resulting in internal information being disclosed…” across organisational boundaries (ISF, 2007, p.2).

A review of the literature on Information Security Management (ISM) and OSN shows that although considerable research has focused on the intersection between these 2 discipline areas, relatively little research has examined the strategies security managers use to mitigate the risk of OSN leakage. We therefore ask the following research question: How can organisations mitigate the risk of sensitive information leakage via OSN?

We begin this paper with a focused review of the literature on the security risks of OSN and the relevant security management controls. Subsequently, we describe the research methodology, develop a maturity framework and present lessons learned.