Missing cloud security awareness: investigating risk exposure in shadow IT

Marc Walterbusch (Department of Accounting and Information Systems, Osnabrück University, Osnabrück, Germany)
Adrian Fietz (Department of Accounting and Information Systems, Osnabrück University, Osnabrück, Germany)
Frank Teuteberg (Department of Accounting and Information Systems, Osnabrück University, Osnabrück, Germany)

Journal of Enterprise Information Management

ISSN: 1741-0398

Article publication date: 10 July 2017

Abstract

Purpose

On account of its easy and intuitive usage as well as obvious advantages (e.g. access to work data from anywhere, at any time and through any means) the evolutionary cloud computing paradigm favors the use of shadow IT. Since many employees are not aware of the associated risks and possible legal violations, unauthorized use of cloud computing services could result in substantial risk exposure for any company. The purpose of this paper is to explore and to extend the body of knowledge concerning the topic of cloud computing with regard to shadow IT.

Design/methodology/approach

The aim of this contribution is to identify the reasons for the use of cloud computing services and the resulting shadow IT from an employee’s perspective, to demonstrate the counteractions a company may take against the unauthorized use of cloud computing services and to elaborate on the inherent opportunities and risks. We follow a mixed-methods approach consisting of a systematic literature review, a cloud computing awareness study, a vignette study and expert interviews.

Findings

Based on a triangulation of the data sets, the paper at hand proposes a morphological box as well as a two-piece belief-action-outcome model, both from an employee’s and employer’s point of view. Our findings ultimately lead to recommendations for action for employers to counteract the risk exposure. Furthermore, employees are also sensitized by means of insights into the topic of unauthorized usage of cloud computing services in everyday working life.

Research limitations/implications

The limitations of the triangulation reflect the limitations of each applied research method. These limitations justify why a mixed-methods approach is favored – rather than relying on a single source of data – because data from various sources can be triangulated.

Practical implications

The paper includes recommendations for action for the handling of the unauthorized usage of cloud computing services within a company, e.g., the setup of a company-wide cloud security strategy and the conducting of an anonymous employee survey to identify the status quo.

Originality/value

This paper fulfills an identified need to explore the usage of cloud computing services within the context of shadow IT.

Acknowledgements

The authors thank the reviewers for their constructive comments, the experts for the valuable insights into practice, the participants in the surveys as well as the other project members for their substantive feedback during the research process and particularly Marita Imhorst and Julia Kampe for their help.

Citation

Walterbusch, M., Fietz, A. and Teuteberg, F. (2017), "Missing cloud security awareness: investigating risk exposure in shadow IT", Journal of Enterprise Information Management, Vol. 30 No. 4, pp. 644-665. https://doi.org/10.1108/JEIM-07-2015-0066

Publisher

Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited