Cloud risk communication on social media: The case of Premera Blue Cross

Jean Pierre Guy Gashami (1), Christian Fernando Libaque-Saenz (2), Myeong-Cheol Park (1), Jae Jeung Rho (1)

(1) Korea Advanced Institute of Science and Technology, N22, 291 Daehak-ro, Yusong-Gu, Daejon 34141, Republic of Korea
(2) Universidad del Pacífico, Avenida Salaverry # 2020, Jesús María, Lima 11, Peru

jp.gashami@gmail.com, cf.libaques@up.edu.pe, imcpark@kaist.ac.kr, jjrho111@kaist.ac.kr

Abstract

Cloud computing has been growing at a fast pace. This growth has been fueled by this technology's inherent benefits such as cost reduction and convenience. However, the increasing amount and variety of data processed on the cloud have raised the number of security breaches. Although cloud providers were responsible for data security in the past, the new threats require that both cloud providers and users coordinate efforts to minimize losses and ensure data recovery. Our study aims to explore how cloud providers and users can leverage social media to mitigate data security breaches through effective risk communication. We analyzed public data collected from Twitter regarding the security breach faced by the Premera Blue Cross web application between January and April 2015. Preliminary results indicate that Premera Blue Cross (cloud provider) acted as an information source for Twitterers seeking relevant and accurate information during this security breach. Future steps for this study are discussed.

1 Introduction

Cloud computing is disrupting consumption models of information technology (IT) across industries. For example, around 65% of all major enterprises in the USA are using some form of cloud computing (Verizon, 2014), while general spending on public cloud computing services is expected to grow by US$921 billion by 2017 (Gartner, 2011). The rapid increase in the use of cloud computing services by both enterprises and individual users is driven by benefits such as cost reduction, mobility, and convenience (Gashami et al., 2015). Indeed, users are increasingly relying on cloud providers to run hardware and software, and also to properly handle their data. However, having more data in the cloud, including sensitive data such as personal, financial, research, and health information, means high potential risks for users (Zhou et al., 2010). Not surprisingly, data risk has been identified as a high threat to cloud computing (King and Raja, 2012). For instance, costs associated with data security breaches in the healthcare industry alone could reach US$5.6 billion annually (Experian, 2015). Undoubtedly, security breaches may occur in spite of cloud providers' efforts to ensure data safety (Armbrust et al., 2010). Some research even argues that data security breaches are inevitable in the cloud (Staten et al., 2014).

To face such security challenges, cloud providers have developed risk management frameworks which mainly focus on risk analysis, risk assessment, and risk mitigation (Zhang et al., 2010). These frameworks address technical and managerial issues; however, it is still unclear how cloud providers treat users throughout the analysis, assessment, and mitigation of security breaches. Existing research suggests that risk communication with all stakeholders is an important element of risk management in various contexts (Aguirre, 2004; Lagadec, 2002). On the cloud front, communication with users may play a crucial role in limiting potential damages by raising user awareness of data practices and protection. Indeed, communicating potential security breaches to users can lead to actions such as reinforcing weak passwords, using private keys, or enabling local backup of data (Rainie and Duggan, 2014). On the other hand, social media such as Facebook and Twitter have been signaled as the new avenues for channeling information during risk management due to their low- or no-cost policy and their worldwide usage (Wright and Hinson, 2009). Natural and health disasters are clear examples of populations and organizations relying on social media to alert, organize, or manage rescue efforts (Theocharis, 2013).

Despite the relevance of risk communication in the context of cloud computing and the potential of social media for information dissemination during a security breach, to the best of our knowledge there is no research on the usage of social media for risk communication during security breaches in the cloud. The objective of our study is to fill this gap in the literature. In this first step, we attempt to address the following research question:

RQ: Who are the key players disseminating information of cloud computing data security breaches on social media?

2 Literature Review

2.1 Cloud Computing

Cloud computing emerged as a computing model rooted in various technology innovations such as virtualization and web services (Foster et al., 2008). Cloud computing can be defined as a computing model that enables the provision of ubiquitous, network-based, and on-demand services to users (Armbrust et al., 2010). With cloud computing, services and infrastructure that were traditionally provided locally are remotely accessed, consumed and paid for through a web browser or an application interface (Marston et al., 2011). Cloud computing can be classified as: private model, where the cloud is solely operated by a single organization; public model, where it is open to the general public; community model, which allows organizations with common interests to set up and access the same cloud; and hybrid model, which is a combination of any of the three previous models (Mell and Grance, 2011). Additionally, cloud computing services can be categorized as: Software as a Service (SaaS), encompassing web applications; Platform as a Service (PaaS), which offers software development environments over the web; and Infrastructure as a Service (IaaS), which provides users with access to storage and computational power (Youseff et al., 2008). All these types of cloud computing come not only with benefits but also with potential risks for users (Ko et al., 2011).

Prior studies recognized data security risk as a serious threat to cloud computing (Jaeger et al., 2008). For example, research by Benlian and Hess (2011) and Wu et al. (2011) found that security risks were negatively affecting SaaS use in enterprises. Zhang et al. (2010), on the other hand, developed an information security framework for cloud computing that emphasizes the role of risk analysis, assessment, and mitigation. Chan et al. (2012) proposed a risk framework made up of event identification, risk assessment, risk response, information and communication, and monitoring. These studies, however, do not consider the involvement of users in data-protection initiatives.

2.2 Risk Communication on Social Media

Risk communication can be defined as a process of exchanging information among interested parties about the nature, magnitude, significance and control of a risk (Covello et al., 1998). Risk communication has become highly important in risk mitigation and damage control in areas such as homeland security (Jung and Park, 2014), and earthquake occurrence (Nigg, 2006).

With the rapid evolution of IT, risk communication is shifting towards social network sites (SNS). SNS can be defined as applications based on Web 2.0 that serve as platforms where users create and distribute content (Kaplan and Haenlein, 2010). These platforms facilitate sharing information in real time for a rapid diffusion. For example, Yates and Paquette (2011) studied the use of social media during the earthquake in Haiti in 2010. Likewise, Bird et al. (2012) addressed how citizens and rescue organizations relied on social media during the Queensland and Victorian floods. Goolsby (2010) also highlighted the heavy use of Twitter in communicating the areas to avoid during the Mumbai attack in 2009. In short, prior research focuses on the use of social media in high-risk environments with potential human or property loss. However, to the best of our knowledge, no study has been conducted to understand how this same channel can be used to prevent or mitigate data security risks.

2.3 The Premera Blue Cross Data Security Breach

Premera Blue Cross is a health insurance company based in Mountlake Terrace, Washington, USA. On March 17th, 2015, the company announced that it had suffered a security breach and that data from 11 million users might have been compromised (Matthews and Yadron, 2015). The Premera Blue Cross data security breach is an example of a typical cyber attack through a web application. Web applications and services are among cloud computing's key core technologies (Marston et al., 2011). Hence, understanding data security breaches in this technology and the associated risk mitigation can accurately reflect cloud computing vulnerabilities (Grobauer et al., 2011).

3 Data Collection and Analysis

3.1 Data Collection

We collected public data from Twitter based on the keyword Premera from March 18th, 2015 to March 31st, 2015, spanning a 14-day period. Twitter is a microblogging SNS that allows users to send 140-character messages known as tweets, and to respond to tweets using retweets (RT), mentions (@user), and hashtags (#word) (Kwak et al., 2010). Twitter was chosen in our study because recent studies found that organizations and individuals rely heavily on Twitter for risk communication during protests, environmental disasters, homeland security risks, or political campaigns (Achrekar et al., 2011; Jung and Park, 2014). We used NodeXL for data collection. NodeXL, developed by the Social Media Research Foundation, is a plugin for Microsoft Excel that allows the collection and analysis of multiple social media data (Smith et al., 2010). NodeXL was used in our study because it serves as a robust tool for data analysis and for deriving knowledge from complex social media interactions (Kim and Park, 2012).

3.2 Data Analysis

We relied on Social Network Analysis (SNA), a useful and reliable methodology for data analysis and visualization. Based on Perer and Shneiderman's (2008) research, we measured various network indicators for the collected data. First, we examined social network graph metrics for the overall Premera Blue Cross data security breach, including number of vertices, edges, unique edges, and duplicate edges. Second, we analyzed vertex degrees, centrality measures, and PageRank. Third, we plotted vertex metrics to identify information sources and brokers. Table 1 shows the definitions of the key terminologies related to SNA.

| Metrics | Definitions |
|---|---|
| Vertex | A single element count of the primary entity of a network. In the case of Twitter, a vertex represents a Twitter user |
| Edge | An element that connects two vertices. In the Twitter context, an edge could be a tweet, a retweet (RT) or a mention (@) |
| Degree | This element measures the total number of edges connected to a particular vertex. In-degree measures the connections pointing inward to a vertex. Out-degree measures the connections originating from a vertex |
| Betweenness Centrality or Bridge Score | A metric that indicates how much disruption to other connections the removal of a vertex from the network can cause |
| Eigenvector Centrality | A metric that measures the quality of connections of a vertex. A vertex with higher connections yields a higher eigenvector value (PageRank is a variant of this metric) |

Table 1: Definitions for metrics in SNA.

NodeXL calculates graph metrics related to SNS by using an algorithm developed by the Social Network Analysis Project (SNAP) at Stanford University (Leskovec et al., 2011).

4 Results and Discussion

Data collection yielded a total of 15 592 tweets from 8 689 unique Twitter accounts. Average geodesic distance is 6.16, with a maximum geodesic distance of 17, and a graph density of 0.00005451 (see Table 2). These results suggest low-affinity relationships between Twitter users in the Premera data security breach network. Table 3 and Table 4 show that the top five words and hashtags were related to the Premera Blue Cross data security breach, suggesting reliability of the collected data.

| Graph Metric | Value |
|---|---|
| Graph Type | Directed |
| Vertices | 8689 |
| Unique Edges | 7309 |
| Edges with Duplicates | 8283 |
| Total Edges | 15592 |
| Maximum Geodesic Distance (Diameter) | 17 |
| Average Geodesic Distance | 6.161185 |
| Graph Density | 5.5451E-05 |

Table 2: Overall graph metrics.

| Top Words in Tweet in Entire Graph | Entire Graph Count |
|---|---|
| premera | 10211 |
| blue | 4115 |
| cross | 3638 |
| breach | 3367 |
| data | 3287 |

Table 3: Top words counts in "premera" network graph.

| Top Hashtags in Tweet in Entire Graph | Entire Graph Count |
|---|---|
| infosec | 701 |
| premera | 657 |
| security | 397 |
| healthcare | 357 |
| databreach | 308 |

Table 4: Top hashtags in "premera" network graph.

From an inspection of Figure 1, results indicate that Premera Blue Cross (@premera) took the lead on Twitter during communication of the crisis (Betweenness Centrality = 1753201.512, PageRank = 63.020546, In-degree = 205). This result suggests that the institution that received the attack (i.e., Premera) became the source of information for information seekers. Twitterers concerned about this data security breach turned to the Premera Blue Cross Twitter account to gather relevant and accurate information.

Figure 1: Vertex properties graph (PageRank on X-axis and Betweenness Centrality on Y-axis).

The Seattle Times (@Seattletimes) is a provider of news and information established in Seattle (Washington, USA), the same city where the Premera Blue Cross headquarters is located. The geographical proximity between both institutions may explain the bridging role played by the former during the crisis. Considering that a great number of Premera's stakeholders are located in the Seattle area, results suggest that these stakeholders turned to this channel of local news for information about the Premera Blue Cross crisis.

Dark Reading (@darkreading), Brian Krebs (@briankrebs), TechCrunch (@techcrunch), Gary Davis (@garyjdavis), and SC Magazine (@scmagazine), hereinafter referred to as the tech community, represent IT security specialists or technology-specific news media. As Twitter participants recognize the tech community to be specialists in information security and hence a reliable source of information, they relayed information coming from their accounts, making them pivotal bridges during the Premera Blue Cross data security breach.

In other words, Premera Blue Cross (@Premera) acted as a source of information on Twitter, while other key actors became intermediaries in relaying information about this data security breach. These findings are in line with previous research suggesting: (1) problem recognition and level of involvement predict information seeking and dissemination behavior (Yates and Paquette, 2011; Bird et al., 2012), and (2) a limited number of actors such as public figures, journalists, and mass media play an intermediary role during crisis communications (Perko, 2011).

5 Implications

Our study presents a new perspective that shows that data security is a cloud stakeholders' issue rather than a cloud providers' responsibility. Also, our findings indicate that social media populations turned toward the application provider for accurate information during these events. Cloud providers should be prepared to take the lead, and this can be achieved by creating and reinforcing their social media presence. For instance, cloud providers could engage actively in risk communication by raising risk awareness on social media and educating their followers on security procedures.

Second, considering that the tech community and local news media play an intermediary role during risk communication on social media, cloud providers can engage in partnerships with IT security firms and specialists and with local news media based on clients' and partners' location, and recommend that all stakeholders follow those accounts for relevant and accurate information to safeguard data and mitigate damages.

6 Conclusions

This study highlights the need for good risk communication during a security breach, which should involve all cloud-computing stakeholders. Our study makes recommendations on the steps to be taken by cloud providers to ensure that clients and partners remain reliably informed before and after any data security breach. Nevertheless, this study presents some limitations. First, the present study only analyzes risk communication for a data security breach coming from web applications, one of the core technologies of cloud computing. Second, the present study only considers risk communication on Twitter, a single popular social media platform. Future steps in our study include the analysis of communication patterns and the inclusion of theories that may help to explain the phenomenon under study.

References

H. Achrekar, A. Gandhe, R. Lazarus, S. H. Yu, and B. Liu. 2011. Predicting flu trends using Twitter data. In Proc. 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS 2011).

B. E. Aguirre. 2004. Homeland security warnings: Lessons learned and unlearned. International Journal of Mass Emergencies and Disasters, 22(2):103–115.

M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia. 2010. Clearing the clouds away from the true potential and obstacles posed by this computing capability. Communications of the ACM, 53(4):50–58.

A. Benlian and T. Hess. 2011. Opportunities and risks of software-as-a-service: Findings from a survey of IT executives. Decision Support Systems, 52(1):232–246.

D. Bird, M. Ling, and K. Haynes. 2012. Flooding facebook: The use of social media during the queensland and victorian floods. Australian Journal of Emergency Management, 27(1):27–33.

W. Chan, E. Leung, and H. Pili. 2012. Enterprise risk management for cloud computing. Committee of Sponsoring Organizations of the Treadway Commission.

V. T. Covello, P. M. Sandman, and P. Slovic. 1998. Risk communication, risk statistics and risk comparisons: A manual for plant managers. Chemical Manufacturers Association, Washington D.C.

Experian. 2015. Data breach industry forecast. Experian Data Breach Resolution.

I. Foster, Y. Zhao, I. Raicu, and S. Lu. 2008. Cloud computing and grid computing 360-degree compared. In Proc. Grid Computing Environments Workshop 2008 (GCE 2008).

Gartner. 2011. Gartner identifies the top 10 strategic technologies for 2012. Gartner.

J. P. G. Gashami, Y. Chang, J. J. Rho, and M.-C. Park. 2015. Privacy concerns and benefits in SaaS adoption by individual users: A trade-off approach. Information Development. doi:10.1177/0266666915571428.

R. Goolsby. 2010. Social media as crisis platform. ACM Transactions on Intelligent Systems and Technology, 1(1):1–11.

B. Grobauer, T. Walloschek, and E. Stöcker. 2011. Understanding cloud computing vulnerabilities. IEEE Security and Privacy, 9(2):50–57.

P. T. Jaeger, J. Lin, and J. M. Grimes. 2008. Cloud computing and information policy: Computing in a policy cloud? Journal of Information Technology and Politics, 5(3):269–283.

K. Jung and H. W. Park. 2014. Citizens' social media use and homeland security information policy: Some evidences from twitter users during the 2013 North Korea nuclear test. Government Information Quarterly, 31(4):563–573.

A. M. Kaplan and M. Haenlein. 2010. Users of the world, unite! the challenges and opportunities of social media. Business Horizons, 53(1):59–68.

M. Kim and H. W. Park. 2012. Measuring twitter-based political participation and deliberation in the South Korean context by using social network and Triple Helix indicators. Scientometrics, 90(1):121–140.

N. J. King and V. T. Raja. 2012. Protecting the privacy and security of sensitive customer data in the cloud. Computer Law and Security Review, 28(3):308–319.

R. K. L. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee. 2011. TrustCloud: A framework for accountability and trust in cloud computing. In Proc. 2011 IEEE World Congress on Services (SERVICES 2011).

H. Kwak, C. Lee, H. Park, and S. Moon. 2010. What is Twitter: A Social Network or a News Media? In Proc. International World Wide Web Conference Committee (IW3C2).

P. Lagadec. 2002. Crisis management in france: Trends, shifts and perspectives. Journal of Contingencies and Crisis Management, 10(4):159–172.

J. Leskovec, K. J. Lang, A. Dasgupta, and M. W. Mahoney. 2011. Community structure in large networks: Natural cluster sizes and the absence of large well-defined clusters. Internet Mathematics, 6(1):29–123.

S. Marston, Z. Li, S. Bandyopadhyay, J. Zhang, and A. Ghalsasi. 2011. Cloud computing the business perspective. Decision Support Systems, 51(1):176–189.

A. W. Matthews and D. Yadron. 2015. Premera Blue Cross says cyberattack could affect 11 million members. http://www.wsj.com. [Online; accessed 15-November-2015].

P. Mell and T. Grance. 2011. The NIST definition of cloud computing [Recommendations of the National Institute of Standards and Technology-Special Publication 800-145]. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf. [Online; accessed 15-November-2015].

J. M. Nigg. 2006. Communication under conditions of uncertainty: Understanding earthquake forecasting. Journal of Communication, 32(1):27–36.

A. Perer and B. Shneiderman. 2008. Integrating statistics and visualization: Case Studies of gaining clarity during exploratory data analysis. In Proc. Human Factors in Computing Systems (CHI'08).

T. Perko. 2011. Importance of risk communication during and after a nuclear accident. Integrated Environmental Assessment and Management, 7(3):388–392.

L. Rainie and M. Duggan. 2014. Heartbleed's Impact. http://www.pewinternet.org/2014/04/30/heartbleeds-impact/. [Online; accessed 15-March-2016].

M. Smith, B. Shneiderman, N. Milic-Frayling, E. M. Rodrigues, V. Barash, C. Dunne, T. Capone, A. Perer, and E. Gleave. 2010. NodeXL: A free and open network overview, discovery and exploration add-in for Excel 2007/2010. http://nodexl.codeplex.com/. [Online; accessed 15-March-2016].

J. Staten, L. E. Nelson, D. Bartoletti, L. Herbert, W. Martorelli, and H. Baltazar. 2014. Predictions 2015: The days of fighting the cloud are over. Forrester.

Y. Theocharis. 2013. The wealth of (occupation) networks? communication patterns and information distribution in a twitter protest network. Journal of Information Technology and Politics, 10(1):35–56.

Verizon. 2014. 2014 data breach investigations report. Verizon Business Journal, 2014(1):1–60.

D. Wright and M. Hinson. 2009. An analysis of the increasing impact of social and other new media on public relations practice. In Proc. 12th Annual International Public Relations Research Conference.

W.-W. Wu, L. W. Lan, and Y.-T. Lee. 2011. Exploring decisive factors affecting an organization's saas adoption: A case study. International Journal of Information Management, 31(6):556–563.

D. Yates and S. Paquette. 2011. Emergency knowledge management and social media technologies: A case study of the 2010 haitian earthquake. International Journal of Information Management, 31(1):6–13.

L. Youseff, M. Butrico, and D. Silva. 2008. Toward a unified ontology of cloud computing. In Proc. Grid Computing Environments Workshop (GCE 2008).

X. Zhang, N. Wuwong, H. Li, and X. Zhang. 2010. Information security risk management framework for the cloud computing environments. In Proc. IEEE 10th International Conference on Computer and Information Technology (CIT 2010).

M. Zhou, R. Zhang, W. Xie, W. Qian, and A. Zhou. 2010. Security and privacy in cloud computing: A survey. In Proc. 6th International Conference on Semantics, Knowledge and Grids.
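
The vertex metrics defined in Table 1 (in-degree, betweenness centrality, PageRank), which Section 4 uses to tell the information source apart from the brokers, can be computed as in the following added example; it is not the authors' NodeXL workflow. Assumptions: the edge list and account names are constructed, betweenness is computed on the undirected view of the graph, and PageRank is normalized to sum to 1, so absolute values are not comparable with the NodeXL figures reported in the paper.

```python
from collections import defaultdict, deque

# Constructed sample edge list: (author, account mentioned or retweeted).
# "provider", "localnews" and "secblog" are hypothetical account names.
EDGES = [
    ("u1", "localnews"), ("u2", "localnews"), ("u3", "localnews"),
    ("u4", "secblog"), ("u5", "secblog"),
    ("localnews", "provider"), ("secblog", "provider"),
    ("u6", "provider"), ("u7", "provider"),
]

def vertices(edges):
    return sorted({v for edge in edges for v in edge})

def in_degree(edges):
    """Number of edges pointing inward to each vertex."""
    deg = dict.fromkeys(vertices(edges), 0)
    for _, dst in edges:
        deg[dst] += 1
    return deg

def betweenness(edges):
    """Brandes' algorithm on the undirected, unweighted view of the graph."""
    adj = defaultdict(set)
    for a, b in edges:
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    nodes = vertices(edges)
    score = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        dist, order, queue = {s: 0}, [], deque([s])
        sigma = defaultdict(float, {s: 1.0})   # number of shortest paths from s
        preds = defaultdict(list)
        while queue:                           # breadth-first search from s
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = defaultdict(float)
        for w in reversed(order):              # back-propagate dependencies
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: score[v] / 2 for v in nodes}    # each unordered pair was seen twice

def pagerank(edges, damping=0.85, iterations=100):
    """Power iteration; dangling vertices spread their rank uniformly."""
    nodes = vertices(edges)
    out = {v: set() for v in nodes}
    for a, b in edges:
        out[a].add(b)
    n = len(nodes)
    rank = dict.fromkeys(nodes, 1.0 / n)
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not out[v])
        nxt = dict.fromkeys(nodes, (1 - damping + damping * dangling) / n)
        for v in nodes:
            for w in out[v]:
                nxt[w] += damping * rank[v] / len(out[v])
        rank = nxt
    return rank

def key_players(edges, top=3):
    """Top vertices by betweenness, ties broken by PageRank, then name."""
    indeg, btw, pr = in_degree(edges), betweenness(edges), pagerank(edges)
    ranked = sorted(indeg, key=lambda v: (-btw[v], -pr[v], v))
    return [(v, indeg[v], btw[v], round(pr[v], 4)) for v in ranked[:top]]

if __name__ == "__main__":
    for row in key_players(EDGES):
        print("%-10s in-degree=%d betweenness=%.1f pagerank=%.4f" % row)
```

On the constructed graph the account that everyone ultimately points to scores highest on all three metrics, while the two relaying accounts show up as bridges through their betweenness despite a lower in-degree.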