Developing a secured social networking site using information security awareness techniques

Copyright: © 2014. The Authors. Licensee: AOSIS OpenJournals. This work is licensed under the Creative Commons Attribution License. Background: Ever since social network sites (SNS) became a global phenomenon in almost every industry, security has become a major concern to many SNS stakeholders. Several security techniques have been invented towards addressing SNS security, but information security awareness (ISA) remains a critical point. Whilst very few users have used social circles and applications because of a lack of users’ awareness, the majority have found it difficult to determine the basis of categorising friends in a meaningful way for privacy and security policies settings. This has confirmed that technical control is just part of the security solutions and not necessarily a total solution. Changing human behaviour on SNSs is essential; hence the need for a privately enhanced ISA SNS.


Introduction
Although Google is considered the most visited website in the world (Kyle 2011;Shamim 2011), it has been competing favourably with Facebook.For instance, as of 2010, Facebook was the second biggest website in the United States of America (USA) (HuffpostTech 2011;Kiesow 2011).Since February 2011, Facebook has become the second most visited website in the average country in the world (Shamim 2011), with statistics confirming the second place position in the USA and the United Kingdom (Kyle 2011).However, as of November 2013, Facebook has been ranked as the largest media site in the entire world (Smith 2013;Vaughan-Nichols 2013).
Despite these growing economic values, which have been traced to the opportunities social networking sites (SNSs) offer to their customers in meeting friends, and even complete strangers online, many SNSs have not been able to live up to the security and privacy issues they have created (Hopper 2010:2).Specifically, Facebook has been the centre of attention multiple times resulting from issues surrounding privacy since 2010 (HuffpostTech 2011;Kiesow 2011).Some notable SNSs have attempted, with no success, to implement technical controls to provide for their security.Accordingly, the users were more contented with the privacy controls of LinkedIn, until it was hacked in 2012, than with those of Facebook (Judge 2011:15).Therefore, as technical controls have failed to secure SNS in isolation, there is a need for a new SNS to be adequately secured with effective ISA techniques.
This need for a secured SNS has become more pronounced since 2012 when cyber-attacks have remained the second greatest threat in Britain after terrorism (Smith 2012).This article designs and implements a secured SNS to address security challenges in the existing SNSs using ISA techniques.The study reveals that changing human behaviour on SNSs through ISA techniques is essential and more effective.

Securing SNSs -Technical controls
Facebook has initiated architectural features that have exposed data many times, thereby making

Read online:
SNS users uncomfortable (Lucas & Borisov 2008:2).The introduction of a news feed is a noted example in which the activities of one's friends are amassed into one page.This then confirms that privacy breaches remain feasible whether or not the users painstakingly configure their privacy settings.It is especially the case now that privacy controls have little impact on how Facebook handles its backend data but only limits information flow within the SNS interface.
Although Giles (2007:17-24) highlights some security design patterns and measures, which can be implemented and practiced by service providers to prevent possible methods attackers may follow to attack the users' information, the risk associated with architectural features has been addressed by Lucas and Borisov (2008).They make use of encryption technology to introduce a design capable of safeguarding all data coming out of Facebook.However, their architectural design swaps security for usability in order to minimise the disturbance given to the users' workflow, and at the same time it retains universal accessibility.They have come up with a prototype Facebook application that makes use of proxy cryptography to resolve major restrictions on the Facebook platform.
In spite of all the calls and agitations by vendors necessitating the importance of security products, Stephanou and Dagada (2008:3) explain that 'many critical security activities have not and cannot be automated'.This is because, as Mataracioglu and Ozkan (2010:4) emphasise, 'only a small percentage of information security is maintained by technical security measures, while its greater percentage depends on the user'.Organisations have invested heavily in firewalls, antivirus systems and other technologies, yet they continue to suffer from severe IS breaches, and these problems are getting worse (Gartner 2011).
Technologies that offer security continue to require effective running by people, implying that organisations cannot achieve their security desires without people.However, as the individual is generally considered as the weakest link in the Information Security circle (Van Niekerk & Von Solms 2004:2), it is clearly a requirement that the users are given proper training on Information Security policies.Hence, the need for effective ISA on the SNSs is emphasised.

ISA techniques
Much research has been carried out on ISA techniques but most of these techniques are not based on a theoretical model; instead, they only guide about the right methods to use (Stephanou & Dagada 2008:6).For example, the research undertaken by Heidari (2010), Hinson (2012), andWolf (2010) all shows detailed work on the methods used to secure SNSs.
The research of Kumaraguru et al. (2007) prove that security awareness materials can be effective when implemented, but online materials that create user awareness about phishing threats are more effective as users tend to recognise phishing sites more accurately.They also advocate for an improvement in the quality of awareness materials, and also improved awareness techniques to enhance the users understanding of the same materials.Johnson (2012:8), in his doctoral research work conducted at the University of Lagos in May 2012, argues that much is expected from the audience.This undermines the fact that security processes can only be effective when the audience has a good security support and appreciates the security requirements.On this basis and by applying background training, Jagatic et al. (2007:96) are able to prove that it is very easy (through SNS in particular) to capture huge amounts of data for effective phishing attacks.They also attempt, but with no success, to measure the influence of information relating to social context on phishing attacks.What makes their work different is that e-mails are spoofed to deceive users, as if they are from friends in the SNS and, in the end, the total number of victims to this phishing attack outweighed the expectation (Jagatic et al. 2007:97).

Research methodology used to develop sOcialistOnline
Dynamic Systems Design Methodology (DSDM) is used to develop the SNS in this research work.This is because, like Joint Application Development (JAD) methodology, DSDM has proved to be one of the best methods when handling a project that must be completed to tight deadlines.Goodwin (2011) explains DSDM thus: It is a set of specification and design notations for object-oriented systems, combining features from methods devised by three methodology gurus: Grady Booch, James Rumbaugh and Ivar Jakobsen.(n.p.) The development of sOcialistOnline is handled by the development, security, and the user acceptance teams (UAT) headed by the author.As illustrated in Figure 1, it is based on an exploratory approach using an object oriented programming (OOP) methodology for application (SNS) development.To discourage security threats through exposure to third party applications, the use of such applications to secure the SNS is discouraged.

Designing the SNS
When planning to create the SNS, the development team followed the philosophy of Steve Jobs -'Lesser artists borrow; great artists steal' (Duffy 2010) by integrating the steps developed by Timothy Duffy with the processes highlighted by Adams (2012) to develop and implement the sOcialistOnline.These integrated steps and procedures include crafting a concept, establishing a name, obtaining venture capital, and hiring the employees.

The Requirement
According to Aiello and Ruffo (2011:3), 'a SNS is defined, in its most general meaning, as a customisable suite of interoperable, identity-based applications'.In this context, every user composes their own combination of applicative modules, or widgets, into a customised application suite where every widget can share data with other, possibly heterogeneous, widgets running locally or remotely.
Given this general definition, there is a set of desired network requirements as well as password file settings and requirements that are common to so many social widgets.Such requirements classified as privacy, service, password settings, security, and ISA are applied as the basis of architectural design of the sOcialistOnline framework.

Developmental tools
The development of sOcialistOnline is based on the Object Oriented Programming (OOP) approach, using PhP as the coding language with the MySQL database engine at the back end.The programming approach, language, and database deployed are summarised as follows: • Programming language: There are several web scripting languages suitable for this research work, which include ASPX (from Microsoft Inc.), PhP (from Zend coy.), JSP (from Java), and ColdFusion (of Macromedia).However, for its additional characteristics of robustness and platform independence, as discussed in section 6.9, the development team prefers to use PhP 5.3.8, the latest version as of January 2012.• Database: MySQL works very well with PhP because it supports MySQL natively.Using MySQL for data storage, there is no need for a third party code to connect the PhP script with the database; it has already been integrated into the PhP core.For effective security, oneway encryption cryptography was applied using the crypt algorithm for both the username and password.This ensures that, once encrypted, the password and username table cannot be decrypted again.• Programming approach: OOP is employed as the coding style, in which all the tables have their own classes.
When working with a table in the database, the class of the table provides all the functionalities needed.One notable determinant feature of OOP is inheritance.Every class inherits connect functions from the Dbconfig which connects the subclass to the database.As this is a web application that is not yet supported by PhP, polymorphism could not be applied.

Technical controls on sOcialistOnline
Fundamentally, every individual is entitled to privacy, although privacy on its own is difficult to define and formalise (Aimeur, Gambs, & Ai Ho 2010:173).Millions of internet users are accustomed to spending much time on chatting, commenting, blogging, and posting photos on SNSs, and these are the activities that eventually expose them to different privacy risks.Unfortunately, most of the current SNSs do not value the principles of data minimisation and data sovereignty (Aimeur et al. 2010:173).Some of the technical controls implemented to secure sOcialistOnline are discussed below: • Customisation of access controls: The access controls, as obtainable in the popular SNSs, on sOcialistOnline, are customised based on the users' groups and information type.Typically, a user has different classes of acquaintances including close friends, family members and colleagues at school or work.Unfortunately, only very few SNSs (such as Facebook, MySpace and Bebo) provide privacy settings that are elaborate where user profiles are broken into several small elements (Basic info, personal info, wall post, friends, etc.) (Aimeur et al. 2010).An experiment performed by Iyer (2009), and verified by Aimeur et al. (2010), confirms that the privacy settings on Facebook are erroneous and therefore not very effective, especially when a particular friend is to be restricted by his or her friend from accessing specific personal information.This ineffective access control exposes the user's privacy to security, reputation or credibility risk.sOcialistOnline is therefore designed in a way that the users can easily group their friends into user categories, making it possible to restrict the information type to the user group by means of a simple access control mechanism.• User-friendly way of setting privacy: Unlike Facebook, the user's privacy settings on sOcialistOnline are flexible to customise, and are also integrated with a user-friendly interface that is easily understood by any typical SNS user.• Customised search: A customised search is implemented on sOcialistOnline to further enhance the preservation of the user's privacy.It is therefore possible for a user to specify an individual who can search his or her profile, and the information types that can be searched.A screen-print of a customised search on sOcialistOnline is displayed in Figure 2.
For instance, a user may choose to ensure unobservability (that is, not be noticeable as a registered user on an SNS) and may want to remain totally invisible to those who are not in his or her list of friends.A user can also classify his or her personal data as 'sensitive' or 'not sensitive' relative to the search process.For example, a user may be indifferent to another user finding his or her name and sport of interest but not for sensitive information such as religion: • Active blocking of information related to users: In addition to customisation search, which is implemented for a user to specify his or her profile information that could be searched, the sOcialistOnline offers the facility for a user to untag objects from his or her profile.Hence, an individual may consider a particular photo too sensitive and therefore choose to remove the link from his or her profile and, thus, mitigate the potential risk of the picture appearing when his or her identity is searched.

ISA techniques
Several authors such as Brodie (2009), ENISA (2007), PriceWaterHouseCoopers ( 2010), and Hinson (2012) have established that an SNS cannot be adequately secured without effective ISA.Hence, the author implemented the following ISA techniques into the sOcialistOnline to further enhance its security and user privacy: • Explicit privacy policy: Generally, SNSs have a privacy policy but they often implement this to emphasise the significance of the users' privacy to the network and not to the users per se.Therefore, in most evaluations regarding the users awareness to the privacy policy, less than 10% of SNS users claim to have read and understood the policy document of their SNS (Jones & Soltren 2012:3).This is partly attributed to the fact that the document is always too long, with an average mean length of 2633 words and a median of 2.245 (Bonneau & Preibusch 2009:254).
The same situations apply to the terms and conditions.sOcialistOnline addresses this situation by summarising the policy statements into three pages, and applies the terms and conditions as a multiple alternative option.In which case, rather than the usual terms and conditions, a user-friendly community guideline is published on the sOcialistOnline to educate users in real-time.

• Privacy awareness and customisation:
The sOcialistOnline is flexible enough for users to express their data as a privacy policy, and makes it possible for them to automatically compare the compatibility of the privacy response of the users to that of the SNS.This is what the terms and conditions entail.Where there is incompatibility, a user is warned and notified instantly, although he or she may still continue with the registration.This awareness function also alerts the user of his or her unsecured privacy settings each time he or she logs on to raise his or her ISA.
• Data minimisation: As only the information required should be disclosed in all instances, SNS users should be able to confirm the information type that is accessible to the SNS services (providers and third party applications), and their use.SNSs should also clarify the user's personal data of interest to them, and state clearly what exactly their interest is concerned with for the data owner to decide whether or not to accept or reject the SNS services.An in-built mechanism is incorporated into the sOcialistOnline to restrict access to user information and authorised data only (Aimeur et al. 2010:176).
• Privacy lens: It is required of an SNS user to view his or her profile the exact way it will appear to others, for him or her to appreciate that his or her data are unsecured.This is exactly what the privacy lens is all about and it is targeted at raising the user's information security awareness on sOcialistOnline (Aimeur et al. 2010:175).• Password standardisation: To guide against guessable password formulation, the sOcialistOnline incorporates Persuasive Text Password (PTP), as proposed by Forget et al. (2008), whereby the system auto-generates some characters and inserts them into a users' password combination.The PTP plays a middle-man role between a system generated password, which is always strong but difficult to remember, and one that is user-generated that is often weak but easily remembered.However, the sOcialistOnline makes it highly flexible and optional for SNS users to accept, reject or even request alternative characters and numbers at will.• Password monitoring: In line with the user's consent, the sOcialistOnline generates and keeps personal and confidential data, including the user's passwords and photographs.This is the main input data for this research work.The development team included a password scanner, which scans the password, files and analyses the strength of the individual password.This solution prompts each user, at every log-on, to inform him or her about the strength of his or her password and advise the user to reset it accordingly, but continues to allow the user to proceed at his or her own risk.This alert pops up at the registration stage and also at every user login to eliminate the user's acclaimed ignorance of ISA, and to ensure that every individual is fully aware of the potential risk.

System testing, security and publicity
This section addresses the processes wherein the sOcialistOnline was tested, and checked to verify if it is technically secured and published for general use.

Unit and UAT testing
Available Software Development Life Cycle (SDLC) testing scripts were used to unit test the SNS.A UAT script designed by the development team was reviewed by the ICT directorate, of Tai Solarin University of Education (TASUED), Nigeria, before being presented to the testing, comprised of members of the student affairs directorate and the students' union executives.To maintain his independence, the author was not involved in the actual UAT exercise.Instead, the testing was supervised by a system analyst at the university's e-learning centre and implemented by only seven students and three non-academic staff, all of whom are knowledgeable about SNS.Informed consent forms were completed by each of the testers stating that participation was free and optional.The testers were satisfied with the sOcialistOnline, although they came up with some comments that have nothing to do with the system functionality but with the speed, stability and availability of the SNS.These problems were addressed immediately as they were problems caused by the internet service provider (ISP) who hosted the SNS server.

System security
As a result of the increasing rate at which SNSs are being attacked, Summit Technology Nig.Limited was employed to tighten up the web and application security.The focus was mostly on operating systems and the Internet Explorer platforms where the sOcialistOnline is hosted, to ensure that certain services are working correctly and securely, as they should be.

System publicity
Usually SNSs are known to experience low patronage when they are newly implemented (Khan et al. 2011).To stop or reduce this fear, the author increased user awareness amongst the university students and staff by employing the Student Affairs unit and the Staff Union government of TASUED to encourage their members to patronise the site.
Some students were invited to a presentation session on the SNSs.The author issued the invitation to some students and staff but made it clear that the participation was free, optional and anonymous.This seminar included a short question and answer session where participants were free to express their concerns about the project.The participants were also given adequate ISA guidelines towards their behaviour on SNSs in general, but with emphasis on sOcialistOnline.The seminar was organised a few days after the SNS was implemented and in the production environment, in order to promote its publicity and awareness amongst the audience and other intended users.

Results
This article discusses the development and implementation of the sOcialistOnline site.This SNS was secured by technical and ISA techniques before being migrated to the internet.Similarly, the UAT and system testing were performed but these are limited to the postulated model, and the conclusion is based on the evaluation of data obtained.Different types of technical controls, which form part of the body of a secured SNS, are evaluated with special emphasis on the incorporated ISA techniques.
Although a secured SNS is ultimately designed and implemented, the emphasis of this article is on the ISA techniques used to secure the SNS, because they are the main distinguishing factors from the existing ones.

Conclusions and recommendations
The sOcialistOnline is developed and secured by the technical and ISA techniques before being migrated to the production environment.Similarly, the UAT and system testing were performed but are limited to the postulated model and the conclusion is based on the evaluation of the data obtained.Different types of technical controls, which form part of the body of a secured SNS, were evaluated with special emphasis on the incorporated ISA techniques.The SNS is therefore adjudged to be better secured when compared to these inadequate ISA techniques.Notwithstanding this, the effectiveness of these controls and techniques proposed and implemented will be subjected to absolute measurements using a non-incident statistic approach, as this is an on-going study.
It is recommended that SNSs should emulate the ISA efforts implemented in this study, and much more if possible, to raise the users' awareness maximally.Moreover, the terms and conditions, and the user-friendly community guidelines, should always be published on the sites to educate the users in real-time.Accessible and polite languages are also required to enhance the users' understanding and compliance with the SNS's regulations.