Legitimate as well as illegitimate organizations and entities are gaining access to information about social media (SM) users through illegal, extralegal, and quasi-legal means. Worse still, many organizations and individuals using SM have become targets and victims of cybercrimes.
SM have also led to the exposure of unethical and illegal conduct within some organizations. One estimate suggested that 36% of social networking users have reported experiencing malware attacks through their profiles. Another study suggested that one in four companies has become a cybercrime victim via social networking sites. Likewise, about a quarter of employers surveyed by the Society of Corporate Compliance and Ethics in 2009 had disciplined an employee for improper activities on social networking sites. Organizations that fail to take appropriate technological and behavioral measures related to SM are likely to suffer reputational damage, loss of customers' confidence, and other types of economic losses. The goal of this paper is to develop a framework that provides a simple, explicit mechanism for understanding privacy and security issues associated with SM. To achieve this goal, we draw upon literature from diverse areas such as institutional theory, marketing, and criminology. Specifically, we examine how various institutions, viewed from the standpoint of SM, superimpose in a unique interaction with the nature of SM-related technologies to influence businesses’ and consumers’ privacy and security. We discuss various features of SM-related technologies, such as newness (leading to ineffectiveness of existing IT security products), complexity (difficulty of understanding SM’s functioning), and attractiveness of SM as a cybercrime target (availability of information with superior targetability, and the huge size and rapid growth of SM). We also examine how regulative institutions (lack of laws to deal with SM as well as lack of enforcement of existing laws), normative institutions (lack of ethical and professional guidelines), and cognitive institutions (lack of precautionary measures and lack of defensive measures or counterpoison) have contributed to a lack of behavioral and attitudinal measures to ensure privacy and security.