Exploring the Antecedents of Shadow Information Security Practices

Employees are both the first line of defence in organisations as well as a significant source of vulnerability. Behavioural research in information security (InfoSec) has studied compliance of employees with organisational directives. Less understood are ‘shadow security practices’–a related category of behaviour where employees invent InfoSec workarounds albeit with the intention of still complying with organisational InfoSec directives. In this research-in-progress paper, we present the theoretical development of a model, by conducting in-depth reviews of the relevant and multidisciplinary literatures, to identify the potential antecedents of the employees\u27 intention to perform shadow security

Digitalisierung – Das Ende der Unternehmens-IT?

In vielen Unternehmen wird traditionell die Verantwortung für IT in Produkten und Produktion organisatorisch anders verankert als die Verantwortung für alle anderen IT-Aufgaben, die der so genannten Unternehmens-IT obliegen und in klassischen IT-Abteilungen wahrgenommen werden. Der Digitalisierungstrend verschärft diese Zweiteilung weiter und droht die Unternehmens-IT überflüssig zu machen, obwohl sie vordergründig viel bedeutender werden müsste. Worauf ist diese Entwicklung zurückzuführen? [Aus dem Volltext.

Improvement of Spreadsheet Quality through Reduction of End-User Overconfidence: Case Study

This paper is prompted by and based on earlier research into developers' overconfidence as one of the main causes of spreadsheet errors. Similar to related research, the aim of the paper was to ascertain the existence of overconfidence, and then examine the possibility of its reduction by means of experimental treatment designed for the needs of the research. A quasi-experiment was conducted to this end, in which 62 students of the Faculty of Economics of the University of Novi Sad participated, divided into the experimental and control group. Participants of both groups developed domain free spreadsheets in two iterations each. After the first iterations, students in the experimental group were subjected to experimental treatment: they attended lectures on spreadsheet errors taxonomies supported by real-life examples, and about spreadsheet best practices in the area of spreadsheet error prevention. Results showed that spreadsheet developers who were informed about spreadsheet error taxonomies and spreadsheet best practices create more accurate spreadsheets and are less self-confident in terms of accuracy of their spreadsheets

WORKAROUNDS IN INFORMATION SYSTEMS RESEARCH: A FIVE-YEAR UPDATE

This paper complements an earlier (2019) literature review on workarounds in information systems research by including research that has influenced or been published in core IS outlets during the last five years (2018–2022). Our study captures research that strengthened, widened, and challenged theoretical insights from the previous review. It also provides additional insights and develops seven themes of theoretical insight. The 31 new papers and our updated analysis are most evident in the three themes: Workarounds and power, Temporality of workarounds, and Managing workarounds. We also found additional studies using the term ‘workaround’ differently to the extent that they have not applied the term to the same empirical phenomena, which questions the validity of some theoretical claims. We also found significantly more studies that used quantitative data-collection methods than the previous review

Shadow IT Behavior of Financial Executives in Germany and Italy as an Antecedent to Internal Data Security Breaches

Data security breaches have been consistently identified in literature as significant, negative events. While most of the related research focuses on externally initiated breaches, far fewer studies provide clarity related to internally initiated breaches. The risk of internal breaches may be dramatically increased by shadow information technology (IT). Our study examines German and Italian financial executives’ decisions to engage in shadow IT in combination with two potential mitigation techniques (severity of sanctions in violation of IT policy and outcome effect related to breach risk). While Italian executives act as predicted, German executives engage in a different decision-making process whereby a self-service business culture brought on by perceived increased IT capabilities supersedes the level of cybersecurity awareness and a strong IT usage policy. Results also suggest an outcome effect favoring increased likelihood of breaches may lessen the likelihood of shadow IT usage. Our study adds an international component to existing data security breach and shadow IT research, while also contributing to the IT usage policy, neutralization theory, dynamic capabilities, outcome effect, and self-service literatures

ADOPTED GLOBALLY BUT UNUSABLE LOCALLY: WHAT WORKAROUNDS REVEAL ABOUT ADOPTION, RESISTANCE, COMPLIANCE AND NON-COMPLIANCE

We undertake an exploratory case study to investigate how warehouse employees work around an Enterprise Resource Planning software that cannot be used as designed due to work practices required by local conditions. Our research illustrates how long-standing approaches to studying IS innovation, adoption and diffusion in relation to fixed IT artefacts say little or nothing about important phenomena and practical issues. We draw on theories of work systems and IT innovation, adoption and adaptation to explain both why workarounds are required and how they are enacted. Our context involves the local Hong Kong operations of a global retailer of home textiles. Our 29 interviews at the site reveal many perspectives about how an inadequate information system failed to support essential work practices and how employees at the site responded by creating shadow IS that helped them pursue their business responsibilities and objectives. We draw on a compliance view of technology use to suggest that unreflective compliance can be counterproductive; paradoxically, reflective non-compliance may bring greater benefit to both the organisation and its customers. We conclude with nine implications of our findings for practitioners and for researchers interested in IS innovation, adoption, and diffusion

Conceptualizing Workarounds: Meanings and Manifestations in Information Systems Research

We reviewed papers in core IS outlets that defined the term workaround or presented an example of a workaround. In the analysis, we used Ogden and Richard’s triangle of reference as a theoretical framework to analyze the relationship between 1) the term workaround; 2) theories, definitions, and use of the term; and 3) their empirical basis and empirical workaround behavior that the papers describe. First, we summarize the existing theoretical insights regarding workarounds and investigate their validity. Second, we show that studies have defined and used the term workaround differently to the extent that they have not always applied it to the same empirical phenomena, which raises questions about some theoretical insights’ validity. Third, we suggest a definition for workarounds that we inductively derived from empirical accounts of workaround behavior and, therefore, that adequately describes how researchers commonly use the term and makes it possible to distinguish workarounds from other similar phenomena