10 research outputs found

    Sensitizing Employees’ Corporate IS Security Risk Perception

    Motivated by recent practical observations of employees’ unapproved sourcing of cloud services at work, this study empirically evaluates bring your own cloud (BYOC) policies and social interactions of the IT department to sensitize employees’ security risk perception. Based on social information processing theory, BYOC strategies varying in the level of restriction from the obligatory, recommended, permitted, not regulated, to the prohibited usage of cloud services in the organization as well as social information including IT department’s policies, recommendations and responsiveness, are assessed according to their influence on employees’ perceived security risk to the organization. Results of a mixed-method approach containing expert interviews and survey data of 115 computer users in SME and large-scale enterprises analyzed using Kruskal-Wallis and WarpPLS-SEM identify the organizational-wide prohibition of and IT department’s advices against the cloud service usage at the workplace as the most effective actions to guarantee the protection of the organizational IT assets

    Justifying Shadow IT Usage

    Employees and/or functional managers increasingly adopt and use IT systems and services that the IS management of the organization does neither provide nor approve. To effectively counteract such shadow IT in organizations, the understanding of employees’ motivations and drivers is necessary. However, the scant literature on this topic primarily focused on various governance approaches at firm level. With the objective to open the black box of shadow IT usage at the individual unit of analysis, we develop a research model and propose a laboratory experiment to examine users’ justifications for violating implicit and explicit IT usage restrictions based on neutralization theory. To be precise, in this research-in-progress, we posit positive associations between shadow IT usage and human tendencies to downplay such kind of rule-breaking behaviors due to necessity, no injury, and injustice. We expect a lower impact of these neutralization effects in the presence of behavioral IT guidelines that explicitly prohibit users to employ exactly those shadow IT systems

    Risk and Demographics’ Influence on Security Behavior Intentions

    Behavioral information security has become an important aspect of information security. In this study, we extend previous works on developing a comprehensive tool to measure security behaviors (i.e. Security Behavior Intentions scale - SeBIS (Egelman & Peer, 2015)). We extend the work on SeBIS by 1) proposing the use of security domain-specific risk as opposed to a generic risk measure, 2) investigating differences in SeBIS across age, gender, education and experience, and 3) providing suggestions for improving SeBIS measures. Survey results from our study provide support for security risk - device securement relationship, a previously unsupported link. We also uncover the role of demographics in influencing SeBIS. Overall, our study contributes to, and further establishes SeBIS as a predictive tool for measuring security behaviors. doi:10.17705/3JSIS.0001

    Appearance of Dark Clouds? - An Empirical Analysis of Users' Shadow Sourcing of Cloud Services

    Encouraged by recent practical observations of employees' usage of public cloud services for work tasks instead of mandatory internal support systems, this study investigates end users' utilitarian and normative motivators based on the theory of reasoned action. Partial least squares analyses of survey data comprising 71 computer end users at work, employed across various companies and industries, show that perceived benefits for job performance, social influences of the entire work environment, and employees' lack of identification with the organizational norms and values drive insiders to threaten the security of organizational IT assets

    Shadow Systems, Risk, and Shifting Power Relations in Organizations

    Drawing on notions of power and the social construction of risk, we build new theory to understand the persistence of shadow systems in organizations. From a single case study in a mid-sized savings bank, we derive two feedback cycles that concern shifting power relations between business units and central IT associated with shadow systems. A distant business-IT relationship and changing business needs can create repeated cost and time pressures that make business units draw on shadow systems. The perception of risk can trigger an opposing power shift back through the decommissioning and recentralization of shadow systems. However, empirical findings suggest that the weakening tendency of formal risk-management programs may not be sufficient to stop the shadow systems cycle spinning if they fail to address the underlying causes for the emergence of shadow systems. These findings highlight long-term dynamics associated with shadow systems and pose “risk” as a power-shifting construct

    Causing factors, outcomes, and governance of Shadow IT and business-managed IT: a systematic literature review

    Shadow IT and Business-managed IT describe the autonomous deployment/procurement or management of Information Technology (IT) instances, i.e., software, hardware, or IT services, by business entities. For Shadow IT, this happens covertly, i.e., without alignment with the IT organization; for Business-managed IT this happens overtly, i.e., in alignment with the IT organization or in a split responsibility model. We conduct a systematic literature review and structure the identified research themes in a framework of causing factors, outcomes, and governance. As causing factors, we identify enablers, motivators, and missing barriers. Outcomes can be benefits as well as risks/shortcomings of Shadow IT and Business-managed IT. Concerning governance, we distinguish two subcategories: general governance for Shadow IT and Business-managed IT and instance governance for overt Business-managed IT. Thus, a specific set of governance approaches exists for Business-managed IT that cannot be applied to Shadow IT due to its covert nature. Hence, we extend the existing conceptual understanding and allocate research themes to Shadow IT, Business-managed IT, or both concepts and particularly distinguish the governance of the two concepts. Besides, we find that governance themes have been the primary research focus since 2016, whereas older publications (until 2015) focused on causing factors

    The life cycle of shadow IT usage in the context of IT governance

    People have increasingly adopted technological solutions not provided by the organization's IT department to conduct work tasks. This use of technologies unauthorized by or unknown to the IT department is called Shadow IT (SIT). This phenomenon can be considered emerging and is bringing a series of challenges to management and risks to organizational security. Previous studies highlight the need to understand the types of initiation, potential transitions, discontinuation, and other transitions in the SIT usage life cycle. This research is a master's dissertation that aims to analyze the life cycle of SIT usage in the context of IT governance, and it is structured in two articles. The first is a systematic literature review that aimed to bring to light what is already known about the antecedents and consequences of SIT usage in organizations and to present a model that represents its life cycle. 114 articles from the main IS journals and conferences were evaluated quantitatively and qualitatively. The results showed that the main antecedents of SIT use are user experience, perceived usefulness and social factors; the consequences are continuity and discontinuity of use. The second article sought to evaluate the proposed model through a survey in order to validate it quantitatively and measure the relationships and impacts between the behavioral factors of adoption, the use of SIT, and the continuity and discontinuity of use, moderated by IT governance. The measured constructs were user experience, perceived usefulness, imitation, perceived risk, neutralization, SIT usage, continuity and discontinuity of use, and IT governance. A total of 321 responses were obtained from SIT users working predominantly in the financial and IT sectors. Among the main results, it was possible to verify that user experience, perceived usefulness and imitation positively affect the use of SIT. The moderation of neutralization in the relationships between the perceived usefulness and imitation constructs and the use of SIT was also confirmed. Finally, the positive effect of using SIT on continuity of use was verified, with this relationship being moderated by IT governance

    Sensitizing Employees' Corporate IS Security Risk Perception

    Motivated by recent practical observations of employees’ unapproved sourcing of cloud services at work, this study empirically evaluates bring your own cloud (BYOC) policies and social interactions of the IT department to sensitize employees’ security risk perception. Based on social information processing theory, BYOC strategies varying in the level of restriction from the obligatory, recommended, permitted, not regulated, to the prohibited usage of cloud services in the organization as well as social information including IT department’s policies, recommendations and responsiveness, are assessed according to their influence on employees’ perceived security risk to the organization. Results of a mixed-method approach containing expert interviews and survey data of 115 computer users in SME and large-scale enterprises analyzed using Kruskal-Wallis and WarpPLS-SEM identify the organizational-wide prohibition of and IT department’s advices against the cloud service usage at the workplace as the most effective actions to guarantee the protection of the organizational IT assets

    Multikonferenz Wirtschaftsinformatik (MKWI) 2016: Technische Universität Ilmenau, 9-11 March 2016; Volume III

    Overview of the sub-conferences, Volume III • Service Systems Engineering • Security, Compliance and Availability of Business Processes • Smart Services: Customer-Induced Combination of Complex Services • Strategic IT Management • Student Track • Telecommunications and Internet Economics • Enterprise Software – quo vadis? • From the Digital Factory to Industry 4.0 – Methods and Tools for Planning and Controlling Intelligent Production and Logistics Systems • Wissensmanagemen