The role of CSR in educating consumer on

Dr. Anna Tarabasz, S P Jain School of Global Management The role of CSR in educating consumer on cybersecurity. Comparative analysis of examples from UAE and Poland

The role of CSR in educating consumer on cybersecurity. Comparative analysis of examples from UAE and Poland

Anna Tarabasz, Ph.D. Assistant Professor Digital Marketing and MetricsProgram Manager SP Jain School of Global Management United Arab Emirates email : [email protected] [email protected]

mob: +971 50 118 17 04


Overview With increasing in a stable manner number of Internet users, reaching nowadays 3.68 billion (InternetWorldStats, 2016), the year 2016 emerges as significant caesura, as for the first time the penetration rate of Internet users exceeded half of the World population. Occurring in parallel enormous growth of social networking fosters the vanity and, unfortunately, often leads to social oversharing. More and more sensitive data is available in the World Wide Web and, importantly, according to many researchers (Kupczyk, 2016; CBOS, 2015; Smith, 2014) is voluntarily revealed by the users themselves. Along with the visible trend of stable growth of Internet users, especially among the youngest, a key issue in the field of online security, shall remain increased cyber threats awareness (Tarabasz, 2017) and the privacy management (Symantec, 2015; Trim and Lee, 2016; Ulsch, 2014). Glaring negligence in this regard may indeed lead to serious consequences. Worth quoting arise data presented by Fereira (2016), indicating the fact of steadily increasing attacks on social media accounts, exceeding one billion, reportedly hacked and overtaken in 2014. Moreover, the year before, more than two billion passwords for Facebook and Twitter were stolen and sold online in the black market. In the era of social media public oversharing, driven by “likes, comments and re-twits” competition, ignorance and negligence shall be eradicated. For this reason, Corporate Social Responsibility awaits arising challenge of educational necessity and increasing awareness of average Internet user, with particular emphasis on the youngest consumers. The paper presents literature review and analysis of secondary data resources. At the same time bases on comparative analysis of case studies, originating from United Arab Emirates and Poland. It aims equally to show the functioning regularities of contemporary social media and present possible cyber threats and specificity of turbulent online environment, followed by analysis of case studies from du (mobile network provider) and mBank (retail digital bank), used as an illustrative material. Social oversharing worldwide, in US, Poland and UAE

According to Leiter (2016) currently the most popular social networking solutions gather respectively: 1 billion users of Facebook, 560 million at Twitter, 400 million in Google+, 250 million at LikedIn, 150 million on Instagram and 70 million at Pinterest. Such widespread presence on social networking sites conduces sharing almost all kind of information. This applies to disclosure of sensitive data, especially publication of birth date, e-mail address, photos, marking location, relationship or marital status, interests, beliefs, and statements signed with own name. Another common and clearly visible issue is lack of awareness as per privacy policy. Research done by J. Turow (Smith, 2014), specialist of digital marketing and privacy issues at the University of Pennsylvania’s Annenberg School for Communication, constitutes a solid proof, that 52% of Americans are not able to recognize the purpose of privacy policy1. According to results of his research, ordinary users do not entirely understand the scope of the data, that is being collected on them. They are not at all aware, the manner in which small amounts of data can be used to create 1

According to initial part of the survey they were willing to claim, that the statement „When a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users” is true, while it is simply a legal document that discloses how customer data is managed and used (Smith, 2014)


a much more detailed portrait when matched with information from third-party sites that collect and share various types of customer information with each other. As rightly Turow points out “The general sense among marketers is that people understand that their data is being used, but we’ve found in our research that people don’t truly understand how data mining works. They may realize that one or two pieces of their information are being given out; what they don’t realize is that those one or two data points can be linked with other sources to uncover information they would have never given out in the first place’ (Smith, 2014). Worth recalling here are also the outcomes of valuable research, conducted in English and Spanish, to a nationally representative sample of 1060 teens aged 13-17 and their parents or guardians, done by Pew Research Center (2015), with survey administered online by the GfK Group, using its Knowledge Panel, at the turn of 2014/2016. According to its results 92% of surveyed teens have shared their real name publicly, 91% admitted sharing in such manner their photo, 84% their interests and 82% their birthday date. Moreover, 71% of respondents shared to wide audience their city/town name, same number revealed their school name, 62% disclosed their relationship status to everybody and 53% posted in similar manner their email address. Only, and at the same time as many as 20%, shared their mobile number to wider audience. The above mentioned fearsome data shall without doubt raise the public awareness Unfortunately social media oversharing, defined by Ager (2015) as disclosing intimate details of one's personal life, especially via electronic means of communication in the era of public exhibition, new media and transparency (Bałdys, 2014) and social narcissism (Twenge and Campbell, 2013) is not only a domain of teenagers and kids stroking the keys, as more and more often adults are being mentioned. Many experts have told Pew Research, they think privacy challenges will worsen, as the Internet of Things expands, and people will be increasingly enticed (if only grudgingly) to share personal information in return for the conveniences afforded by digital technology. Moreover, oversharing is not only domain of cradle-countries of social media, but becomes a ‘sin confessed’ wildly around the globe. Not any different appears the situation in Poland in relation to disclosing sensitive data (birth date, e-mail address, photos, marking location, relationship or marital status, interests, beliefs, and statements signed with own name). According to Centrum Badania Opinii Społecznej (Centre for Public Opinion Research) (CBOS, 2015) at least one of the abovementioned information was shared publicly online by 40% of Internet users, and by 71% to some people or companies /institutions. Moreover, according to this report, in social media almost all Internet users aged 1824 publish information about themselves publicly. Further debating survey results done by CBOS, clearly visible becomes the fact, that only one-fifth of Internet users (20%) online does not make available any information about themselves and 40% shares something online only with a limited audience. Especially among the youngest, lingering belief exist, that shared information/status/photo/comment is shared only within ‘narrow circle of friends and friends’ friends’. But how much mistaken is that approach? Assuming, that themselves they have only 300 followers on Facebook and each of these friends has similar number of contacts, while updating their status, sharing their photo and commenting on it, in a glimpse of an eye, such information may become visible to 9000 of people! Similar picture reveals study currently presented by AMEinfo.com, provider of online business information about the Middle East region. According to this data (AMEinfo.com, 2016), in United Arab Emirates, although 75% of social media users do not interact with people previously added to contacts, yet 49% of respondents accepted 50 % of unfamiliar contact requests. Moreover, 58% of respondents share friends’ pictures on social media, while 50% share family


pictures and 39% check in at their location. In addition to that 31% of respondents admit, that they have posted something online that they have later regretted. Last, but not least, among surveyed, 97% of them have experienced at least one form of cyberattack (spam links, inappropriate messages from strangers, fake accounts, viruses from downloaded files, or an account hack). All the above mentioned data is more than disquieting, showing lack of common sense and basic knowledge on cyber security. The same becomes alarming, when taking into consideration awaiting possible threats online. Possible cyber threats

In relation to prior quoted research by Pew Research Center (2015), CBOS (2015) and AMEInfo.com (2016) worth noting are outcomes of Symantec (2015) Report on Norton Mobile Apps Survey, which clearly indicate i.a., that 68% of surveyed people will willingly trade in various types information for free application. Exchanging sensitive data for software use or Internet access constitutes only a proverbial tip of an iceberg of digital trespasses. The most common misdemeanours are often committed (Ulsch, 2014; InfoWire, 2015; Kupczyk, 2016) by setting too easy passwords, not mentioning the links being clicked (phishing), lack on anti-virus software and last, but not least, being too trustworthy to open WiFi. According to prior quoted Fereira (2016) number of attacks on social media accounts is steadily increasing, with more than one billion reportedly stolen in 2014. The year before, more than two billion passwords for Facebook and Twitter were stolen and sold online in the black market. Acting against existing cyber threats is similar to efforts focused on combatting the Lernaean Hydra. Even, if finally manageable, natura horret vacuum, and cyber criminals are developing innovative harmful solutions. Japanese researchers nowadays are indicating new threat arising (AFP, 2017; Harthorne, 2017) with fingerprint and identity theft from flashing the ‘peace’ sign. One may argue, it is impossible, but powerful digital cameras in contemporary smartphones are sufficient in order to zoom enough and retrieve the fingerprint, create its elastic copy and open proverbial Pandora’s box. Possibilities of vulnerability in this regard are enormous – from data leakage, unlicensed access to company premises, authorizing banking transactions to snooping on official documents and full identity theft. The list of possible awaiting cyber threats for individuals is presented in the below mentioned table (Cf. Tab. 1) Tab. 1 List of possible cyber threats awaiting individuals No 1.

Threat type Identity theft

2.

Cyber stalking

3.

Cyber bullying

Threat description Deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name. Use of the Internet or other electronic means to stalk or harass an individual, group, or organization. May include false accusations, defamation, slander and libel. Often includes monitoring, identity theft, threats, vandalism, solicitation for sex, or gathering information that may be used to threaten, embarrass or harass. Type of cyber harassment using electronic forms of contact. Increasingly common especially among teenagers. can be identified by repeated behavior and an intent to harm. can include posting rumors about a person, threats, sexual remarks, disclose victims' personal information, or pejorative labels.


4.

Child predators

5.

6.

Unauthorized access/ information leak Phishing

7.

Site compromise

8.

Spam/malware

9.

Snooping/ Spoofing/ Spying

10.

Botnet

Person, very often claiming to be peer, using the Internet with the intention of contacting minors below the age of consent, soliciting sexual relations. Combined with theft, burglary and/or revealing seemingly uncritical technical information to the public. Exploiting fear, anxiety and system vulnerability urging the unaware users to share their funds. Often combined with stealing passwords, credit card numbers, bank account details and other sensitive information. Compromising a social networking site with malicious code, any visitor to the site would be susceptible to attack or simply gathering end-user personal information. Often combined with phishing, like-jacking or linkjacking, in which the last two instead of referring to “like” or redirecting to desired referral, download the malware or infect the device in different manner. Unwanted messages in email inbox. Junk mail advertising is considered rather as annoying and harmless. However, spam messages may contain links, after activation redirect to a website installing malicious software (malware) onto computer. Snooping (synonymous with sniffing) occurs while login to a website without encryption, with acquiring username and password, equally monitoring the website movement (i.e. capturing the network traffic between affected user and the web). Can mean equally unauthorized access to another person's or company's data, reminding eavesdropping. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. Spoofing refers to actively introducing network traffic pretending to another person/device. Can refer to data transfer or emails sent. Both snooping and spoofing may be used with spying third party Known equally as zombie army, refers to number of Internet-connected devices used by a botnet owner to perform various tasks. Can be used to perform DDoS (Distributed Denial Of Service) Attacks, stealing data, spam sending, or simply allowing the attacker access to the device and its connection.

Source: own elaboration, Tarabasz, A. (2017). Cyber Threat Awareness In Digital Marketing Campaigns. Comparative Analysis Of UAE And Poland. DOI: 10.13140/RG.2.2.32736.69127

Innovative approach to Corporate Social Responsibility Corporate Social Responsibility (CSR) represents a concept, according to which all undertakings at the stage of strategy building shall taken into consideration the interests of social and environmental protection, as well as relationships with various stakeholder groups (Viser, Magurenau and Yadav, 2015). Moreover many researchers underline the important role of CSR in process of communication (Ihlen at al., 2011; McKean, 2014; Cohen-Almagor, 2015; Visser et al, 2015; Diehl et al. 2016) At the same time more and more often in the light of literature review visible becomes the importance of CSR’s approach meeting the market expectations and even exceeding it, as researchers indicate and necessity of companies’ proactive attitude against cybercrime (Trim and Lee, 2014) and educating wider audience about possible threats. And even though such request may not directly comply with Prerequisites for the Standard SA 8000 (Social Accountability 8000)


(SAI, 2017), definitely are remaining in alliance with the AccountAbility 1000 (AA 1000) Standards (AccountAbility, 2017), with particular emphasis on the principle of continuous improvement and willingness to contribute to society on benevolence basis. Due to turbulent environment and digital revolution such activity shall not be avoided. In compliance with arguments of CSR supporters, companies acting in such manner may await costs reduction in exceeding standard relation to energy, water and pollution fees, but as well avoid potential expenses caused by cyber criminals and thus provide better resistance to crises, increasing at the same time shareholder confidence, brand awareness and last but not least, profits. Online campaigns socially responsible Presenting the previously mentioned innovative CSR approach and increasing customer awareness seems to be challenging. Customers seem to trivialize the matter, claiming it is either non applicable in their case or simply denying existence of such problem. Therefore campaigns aiming at increasing their awareness shall be clearly distinctive from other campaigns. To achieve this two extreme approaches are available: showing foolishness of users or fatal consequences. To exemplify such undertaking, article will present case studies of two companies: mBank and du (Cf. Fig. 1) Fig. 1. Examples of educating consumers on cybersecurity mBank (Poland)

Source: mBank (2017)

du (United Arab Emirates)

Source: Du (2017)


mBank (leading retail digital bank from Poland) decided to focus its campaign ‘Nie robisz tego w realu? Nie rób tego w sieci!’ (WirtualneMedia, 2015), on the first type of approach. The campaign, which title translated means ‘Not doing in real? Do not do it on the Net!’, was is targeted at people who use banking services on the web: both on computers and smartphones and hashtagged with #nieróbtegowsieci phrase. It aimed (InfoWire, 2015; Duszczak, 2015) at increasing the awareness of threats, that banking customers may encounter in the network. Its concept was based on emphasizing the analogy between behaviors in the non-Internet and the web. One of the spots portrayed a man dressed in beige trench, with its flaps tilted, as if in an act of exhibitionism, and after visualizing people laughing, or quickly escaping. The final scene of the advertising spot depicted the same man en face, with a hanging plaque around his neck, revealing his customer ID, password, PIN number and his personal ID. Finally campaign claim was revealed: ‘Not doing in real? Do not do it on the Net!’. In this regard mBank was willing to underline, that since some security-related behaviors in the real world appeared suspicious, there was no reason to treat them differently on the web. This campaign was nominated by Marketer+ for award Social Campaign of the Year 2015 in category of Corporate Campaigns and Firm Foundations. Du, mobile operator from United Arab Emirates, incorporated second type of approach. In November 2016 has established a digital campaign ‘Be Safe’, with the hashtag #postwise (Du, 2017). Shocking material was introduced in a form of creative narratives, based on real-life events, that have happened in the UAE and abroad. It provided targeted audience with a glimpse into the minds of cyber-criminals, how they operate, and how seemingly innocent social media posts can spill over into real life and lead to life threatening crimes (Clarke, 2016), like kidnapping, child abuse or burglary. Fig. 2. CSR and cyber threats campaigns websites mBank (Poland)

Source: https://www.mbank.pl/uwazniwsieci/

du (United Arab Emirates)

Source: http://www.du.ae/personal/helpandsupport/mobile/bes afe


Both campaigns, regardless their type of approach and character of campaign itself, have been supported with formal informative websites (Cf. Fig. 2), focusing on types of cyber threats, their consequences, possible prevention and proposed actions, if such issue occurred. Conclusion Regardless multiple cyberattacks occurring every year, in light of referred research (Smith, 2014; Pew Research Center, 2015; CBOS; 2015; AMEInfo.com, 2016) consumers are not aware enough to understand the importance on prevention against possible arising cyber threats and their disastrous potential consequences. In addition to that, Internet users overshare on social media and willingly disclose sensitive data in exchange for free application, and unfortunately are trustworthy to open Wi-Fi. They suffer from serious abuse of identity theft, phishing, snooping, spying and child predators. They expose themselves to cyber criminals by repetitive use of passwords sets (usually based on easy combination of birth date), avoid using anti-virus software and clicking eagerly links from untrusted sources. Digital campaigns aiming at educating online consumers on the topic of cyber threats may raise as a solution in this difficult situation. Such undertaking, imposed by Du (mobile operator from United Arab Emirates) and mBank (retail digital bank from Poland) constitute examples of good practice in this regard. Corporate Social Responsibility (CSR) in this aspect shall not only become factor of competitive advantage in branding and positioning, but rather contribute to business ethics and responsible management. This approach requires focus on educating digital customers in terms of cyber threats and proactive attitude, as prevention is better than cure.

Abstract Along with the enormous growth of social networking, especially among the youngest, a key issue in the field of online security, remains the issue of privacy management. The main aim of this article is to present an innovative attitude to Corporate Social Responsibility, based not only on sustainable development, business ethics and responsible management. This approach requires focus on educating digital customers in terms of cyber threats, with particular emphasis on social oversharing and its possible consequences: identity theft, cyber stalking and bullying, phishing, spam, malware and abuse of child predators. In this regard the paper is showing the functioning regularities of contemporary social media, specificity of turbulent online environment, followed by analysis of case studies from UAE and Poland, used as an illustrative material Keywords: Corporate Social Responsibility, online awareness campaigns, cybersecurity threat Bibliographic references: AccountAbility 1000 (2017). AccounAbility Standards. https://www.accountability.org/standards/ (Accessed 201701-22). AFP (2017). Japan researchers warn on fingerprint theft from ‘peace’ sign. https://www.yahoo.com/tech/japanresearchers-warn-fingerprint-theft-peace-sign-101451701.html (Accessed 2017-01-11). Ager, B. (2015). Oversharing: The Eclipse of Privacy in the Internet Age. DOI: 10.1016/B978-0-08-097086-8.641223

Dr. Anna Tarabasz, S P Jain School of Global Management The role of CSR in educating consumer on cybersecurity. Comparative analysis of examples from UAE and Poland AMEinfo (2016). Cybercrime alert: Nearly half of UAE users add people they http://ameinfo.com/technology/it/social-media-facebook-cyber-threat/ (Accessed 2016-11-23).

don’t

know.

Bałdys, P. (2014). Życie na widoku. Nowe media a kultura transparencji. Media I Społęczeństwo vol 4, pp. 42-55 CBOS (2015). Bezpieczeństwo w Internecie, CBOS report 109/2015. Warszawa: Centrum Badania Opinii Społecznej. Cohen-Almagor, R. (2015). Confronting the Internet’s dark side. Moral and social responsibility on the free highway. New York: Cambridge University Press & Washington: Woodrow Wilson Center Press. Dewey, C. (2015). What offensive tweets of Bush aide say about oversharing http://www.dailyherald.com/article/20150214/business/150219431/ (Accessed 2015-02-14).

age,

Diehl, S., Karmasin, M. and Mueller, B. (2016). Handbook of integrated CSR communication. New York: Springer. Du (2017). Be safe. http://www.du.ae/personal/helpandsupport/mobile/besafe. (Accessed 2017-01-22). Duszczak, P. (2015). Internetowe grzechy Polaków. http://www.networkmagazyn.pl/internetowe_grzechy_polakow. (Accessed 2015-11-13). EDAA (2013). TRUSTe / EDAA research shows digital advertising self-regulatory programme continues to improve consumer attitudes towards interest-based advertising. http://www.edaa.eu/edaa-news/truste-edaa-researchshows-digital-advertising-self-regulatory-programme-continues-to-improve-consumer-attitudes-towards-interestbased-advertising/ (Accessed 2017-01-13) Fereira, O. (2016). The dangers of social media and oversharing. http://singlegadget.com/the-dangers-of-socialmedia-and-oversharing/ (Accessed 2016-05-08). Harthorne, M. (2017). Flashing the peace sign can get your identity stolen. http://www.foxnews.com/tech/2017/01/12/flashing-peace-sign-can-get-your-identity-stolen.html (Accessed 2017-01-12). Ihlen, Ø., Bartlett, J. and May, S.

(2011). The Handbook of Communication and Corporate Social Responsibility. Hoboken: Wiley-Blackwell.

InternetWorldStats (2016) World Internet users and http://www.internetworldstats.com/stats.htm (Accessed 2016-12-21).

2016

population

stats.

InfoWire (2015). Internetowe grzechy Polaków. https://infowire.pl/generic/release/303737/internetowe-grzechypolakow/. (Accessed 2015-11-13) Kupczyk, P. (2016). Użytkownicy nie dbają o prywatność na portalach społecznościowych. http://di.com.pl/uzytkownicy-nie-dbaja-o-prywatnosc-na-portalach-spolecznosciowych-54106. (Accessed 201601-07). Leiter, M. (2016). How to Choose Social Media Platforms. http://www.melissaleiter.com/blog/how-to-choose-socialmedia-platforms. (Accessed 2016-04-06). mBank (2017). Uważni w sieci. https://www.mbank.pl/uwazniwsieci/page/o-kampanii/. (Accessed 2017-01-21). McKean, J.S. (2014). Customer’s new voice: extreme relevancy and experience through volunteered customer Pew Research Center (2015)information. 1st. Ed. Hoboken: John Wiley&Sons. Pew Research Center (2015). Teens, Social Media & Technology Overview. http://www.pewinternet.org/2015/04/09/teens-social-media-technology-2015/ (Accessed 2015-04-09). SAI (2017). Social Accountability International. http://www.sa-intl.org/. (Accessed 2017-01-21). Smith, A. (2014). Half of online Americans don’t know what a privacy policy is. http://www.pewresearch.org/facttank/2014/12/04/half-of-americans-dont-know-what-a-privacy-policy-is/ (Accessed 2017-12-04) Symantec (2015). Internet security threat report. https://www.symantec.com/content/en/us/enterprise/other_resources/21347933_GA_RPT-internet-securitythreat-report-volume-20-2015.pdf. (Accessed 2015-04-01)

Dr. Anna Tarabasz, S P Jain School of Global Management The role of CSR in educating consumer on cybersecurity. Comparative analysis of examples from UAE and Poland Tarabasz, A. (2017). Cyber Threat Awareness In Digital Marketing Campaigns. Comparative Analysis Of UAE And Poland. DOI: 10.13140/RG.2.2.32736.69127 Telecommunications Regulatory Authority (2015). UAE TRA signs an MoU with Dubai Culture on cyber security. https://www.tra.gov.ae/en/media-hub/press-releases/2015/10/21/uae-tra-signs-an-mou-with-dubai-culture-oncyber-security.aspx. (Accessed 2015-10-15). Trim, P., Lee, Y. (2016). Cyber security management. A governance, risk and compliance framework. New York: Routledge. Twenge, J.M.; Campbell, W.K. (2013). The narcissism epidemic. Living in the age of entitlement, New York: Atria Paperback. Ulsch, MacD. (2014). Cyber threat! Tow to manage the growing risk of cyber attacs. 1st. Ed. Hoboken: John Wiley&Sons. Visser, W., Magurenau and Yadav, K. (2015). The CSR International Research Compendium. Volume 3 – society. London: Kaleidoscope Futures. Wirtualne Media (2015). Nie robisz tego w realu? Nie rób tego w sieci! http://www.wirtualnemedia.pl/artykul/nierobisz-tego-w-realu-nie-rob-tego-w-sieci-mbank-ostrzega-przed-zagrozeniami-w-internecie-wideo. (Accessed 2015-12-17)