Impacts on Employee Coping Behaviors of Opportunities and Threats Related to the Use of Shadow IT

Authors

Keywords:

Shadow IT, security, behavior, valence.

Abstract

Shadow IT (SIT) is characterized as (1) the use of unapproved IT resources by employees for the purpose of working more efficiently and (2) usage lacking malicious intent that nevertheless violates company rules and creates additional vulnerabilities that increase the risk of information security incidents. We examine SIT usage behaviors based on coping theory by conducting a survey of 429 SIT users. We contribute to the academic literature, on the one hand, by improving our understanding of the role of the balance between benefits and risks in maximization and/or protection behaviors related to SIT usage. On the other hand, we discuss and enrich the conceptual model of behavioral analysis by identifying cross effects that have not previously been studied. Our managerial contributions highlight the fact that employee maximization of SIT usage can be beneficial for companies in terms of efficiency; however, with regard to information security, it is necessary to go beyond simple awareness because employees may not properly assess the increased risk they cause through their SIT practices.

Author Biographies

Yves Barlette, Montpellier Business School, France.

Dr. Yves BARLETTE is Full Professor of Information Systems at Montpellier Business School, France. His research focuses on behavioral issues related to information security. He has 20 publications appearing in journals such as Systèmes d'Information et Management, International Journal of Information Management, Journal of Organizational Change Management, Journal of Global Information Management, and Production Planning & Control. He also authored 14 books and book chapters.

Yves Barlette is the corresponding author and can be contacted at: y.barlette@montpellier-bs.com

ORCID-iD: 0000-0001-6106-7274

Jean-François Berthevas, La Rochelle University School of Management, France. LITHORAL research center.

Dr. Jean-Francois BERTHEVAS is Associate Professor of Information Systems at La Rochelle University School of Management, France. He is member of the LITHORAL research center. His current research focuses on information security and behavioral issues, and on the digital transformation of organizations. He has published in Systèmes d’Information et Management and is Director of the IAE - La Rochelle University School of Management, France. He has 21 years of experience in business, including 10 years as an IT specialist and 7 years as manager in the field of telecommunications and cybersecurity in major companies (IBM GNS, AT&T GNS, Engie).

E-mail: jean-francois.berthevas@univ-lr.fr

ORCID-iD: 0000-0002-1249-6061

Isabelle Sueur, La Rochelle University, France. LITHORAL research center.

Dr. Isabelle Sueur is Professor of Marketing and Data Analysis at La Rochelle University. Her past research work is devoted to consumer behavior, particularly in the area of persuasion processes (advertising effectiveness and loyalty). She is a member of the LITHORAL research center of the University’s  institute for smart urban coastal sustainability  and currently serves as Vice President of the University’s governing board.

E-mail: isabelle.sueur@univ-lr.fr

ORCID-iD: 0000-0001-9962-3395

References

Allen, D., Burton, F.G., Smith, S.D., Wood, D.A. (2019). Shadow IT Use, Outcome Effects, and Subjective Performance Evaluation. Journal of Strategic Innovation and Sustainability, 14(3), 29–42.

Ajzen, I. (1991) The Theory of Planned Behavior. Organizational Behavior and Human Decision Processes, 50(2),‎ 79–211.

Baillette, P., Barlette, Y., Leclercq-Vandelannoitte, A. (2018). Bring your own device in organizations: Extending the reversed IT adoption logic to security paradoxes for CEOs and end users. International Journal of Information Management, 43, 76–84.

Baillette, P., Barlette, Y. (2020). Coping Strategies and Paradoxes Related to BYOD Information Security Threats in France. Journal of Global Information Management, 28(2), 1-28.

Bala, H., Venkatesh, V. (2016). Adaptation to Information Technology: A Holistic Nomological Network from Implementation to Job Outcomes. Management Science, 62(1), 156–179.

Bandura, A. (1982). Self-efficacy mechanism in human agency. American Psychologist, 37, 122–147.

Barlette, Y., Jaouen, A. (2019). Information security in SMEs: determinants of CEOs’ protective and supportive behaviors. Systèmes d’Information et Management, 24(3), 7-40.

Barlette, Y., Jaouen, A., Baillette, P. (2021). Bring Your Own Device (BYOD) as Reversed IT Adoption: Insights into Managers’ Coping Strategies. International Journal of Information Management, 56, 1–16.

Beaudry, A., Pinsonneault, A. (2005). Understanding user responses to information technology: A coping model of user adaptation. MIS Quarterly, 29(3), 493–524.

Berthevas, J-F. (2021). How protection motivation and social bond factors influence information security behavior. Systèmes d’Information et Management, 26(2), 77-115.

Bhattacherjee, A., Davis, C.J., Connolly, A.J., Hikmet, N. (2018). User response to mandatory IT use: A coping theory perspective. European Journal of Information Systems, 27(4), 395–414.

Carver, C.S., Scheier, M.F., Weintraub, J.K. (1989). Assessing coping strategies: A theoretically based approach. Journal of Personality and Social Psychology, 56, 267–283.

Chen, Y., Zahedi F. M. (2016). Individuals’ internet Security Perceptions and Behaviors: Polycontextual Contrasts between the United States and China. MIS Quarterly, 40(3), 205–222.

Citrix, (2020). Emerging from Digital Shock. https://www.citrix.com/content/dam/citrix/en_us/documents/other/censuswide-citrix-executive-summary.pdf, accessed 19/12/2022.

Crossler, R.E., Bélanger, F., Ormond, D. (2019). The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats. Information Systems Frontiers, 21, 343–357.

D’Arcy, J., Devaraj, S. (2012). Employee Misuse of Information Technology Resources: Testing a Contemporary Deterrence Model. Decision Sciences, 43(6), 1091–1124.

D’Arcy, J., Teh, P.L. (2019). Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Information & Management, 56(7), 103–151.

Elie-Dit-Cosaque, C.M., Straub, D.W. (2011). Opening the black box of system usage: User adaptation to disruptive IT. European Journal of Information Systems, 20(5), 589–607.

Forbes. (2019). Perception Gaps in Cyber Resilience: Where Are Your Blind Spots? The hidden risks of shadow IT, cloud and cyber insurance. https://www.ibm.com/downloads/cas/kdl0mbn0, accessed 19/12/2022.

Fürstenau, D., Rothe, H., Sandner, M. (2017). Shadow Systems, risk, and shifting power relations in organizations. Communications of the Association for Information Systems, 41(3), 43–61.

Fürstenau, D., Rothe, H., Sandner, M. (2021). Leaving the Shadow: A Configurational Approach to Explain Post-identification Outcomes of Shadow IT System, Business et Information Systems Engineering, 63(2), 97–111.

Gozman, D., Willcocks, L. (2015). Crocodiles in the Regulatory Swamp: Navigating the Dangers of Outsourcing, SaaS and Shadow IT. 36th International Conference on Information Systems (ICIS), Fort Worth, USA.

Guo, K.H., Yuan, Y., Archer, N.P., Connelly, C.E. (2011). Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model. Journal of Management Information Systems, 28(2), 203–236.

Györy, A., Cleven, A., Uebernickel, F., Brenner, W. (2012). Exploring the shadows: IT governance approaches to user-driven innovation. 20th European Conference on Information Systems (ECIS), Barcelona, Spain.

Haag, S. (2015). Appearance of Dark Clouds? - An Empirical Analysis of Users’ Shadow Sourcing of Cloud Services. In 12th International Tagung Wirtschaftsinformatik, Osnabrück, S., 1438–1452.

Haag, S., Eckhardt, A. (2014). Normalizing the Shadows: The Role of Symbolic Models for Individuals’ Shadow IT Usage. 35th International Conference on Information Systems (ICIS), Auckland, New Zealand.

Haag, S., Eckhardt, A. (2015). Justifying Shadow IT Usage. 19th Pacific Asia Conference on Information Systems (PACIS), Singapore.

Haag, S., Eckhardt, A., Bozoyan, C. (2015). Are shadow system users the better IS users? Insights of a lab experiment. 36th International Conference on Information Systems (ICIS). Fort Worth, USA.

Haag, S., Eckhart, A. (2017). Shadow-It. Business et Information Systems Engineering, 59(6), 469–473.

Haag, S., Eckhart, A., Schwartz, A. (2019). The Acceptance of Justifications among Shadow IT Users and Nonusers – An Empirical Analysis. Information & Management, 56(5), 731–741.

Hair, J.F., Hult, G.T. M., Ringle, C.M., Sarstedt, M. (2017). A primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). Thousand Oaks: Sage.

Hair, J.F., Sarstedt, M., Ringle, C.M., Gudergan, S.P. (2018). Advanced issues in partial least squares structural equation modeling. Thousand Oaks: Sage Publications.

Heath, C., Tversky, A. (1991). Preference and belief: Ambiguity and competence in choice under uncertainty. Journal of Risk and Uncertainty, 4(1), 5-28.

Henseler, J., Ringle, C.M., Sarstedt, M. (2015). A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115–135.

Ifinedo, P. (2012). Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory. Computers et Security, 31(1), 83–95.

Junglas, I., Goel, L., Ives, B., Harris, J. (2019). Innovation at work: The relative advantage of using consumer IT in the workplace. Information Systems Journal, 29, 317– 339.

Kahneman, D., Tversky, A. (1979). Prospect Theory: An Analysis of Decisions Under Risk. Econometrica, 47(2), 313–327.

Kim, D. J., Ferrin, D. L., et Rao, H. R. (2009). Trust and satisfaction, two stepping stones for successful E-commerce relationships: A longitudinal exploration. Information Systems Research, 20(2), 237–257.

Klotz, S., Westner, M., Strahringer, S. (2020). From Shadow IT to Business-managed IT and Back Again: How Responsibility for IT Instances Evolves Over Time. PACIS Proceedings. 94.

Kopper, A., Westner, M. (2016). Towards a Taxonomy for Shadow IT. 22nd Americas Conference on Information Systems (AMCIS), San Diego, USA, 1–10.

Kopper, A., Westner, M., Strahringer, S. (2020). From Shadow IT to Business-managed IT: a qualitative comparative analysis to determine configurations for successful management of IT by business entities. Information Systems E-Business Management, 18, 209-257.

Laumer, S., Maier, C., Weitzel, T. (2017). Information quality, user satisfaction, and the manifestation of workarounds: a qualitative and quantitative study of enterprise content management system users. European Journal of Information Systems, 26(4), 333–360.

Lazarus, R.S., Folkman, S. (1984). Stress, appraisal, and coping. New York: Springer Publishing Company.

Leclercq-Vandelannoitte, A., Bertin, E. (2018). From sovereign IT governance to liberal IT governmentality? A Foucauldian analogy. European Journal of Information Systems, 27(3), 326–346.

Lee, N., Cadogan, J.W. (2013). Problems with formative and higher-order reflective variables. Journal of Business Research, 66, 242–247.

Lee, Y., Larsen, K.R. (2009). Threat or coping appraisal: Determinants of SMB executives’ decision to adopt anti-malware software. European Journal of Information Systems, 18(2), 177–187.

Lee, C., Lee, C.C., Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60–70.

Leonardi, P.M. (2012). Car Crashes Without Cars: Lessons about Simulation Technology and Organizational Change from Automotive Design. Cambridge, MA: MIT Press.

Li, L., He, W., Xu, L., Ash, I., Anwar, M., Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, (45), 13-24.

Liang, H., Xue, Y. (2009). Avoidance of information technology threats: A theoretical perspective. MIS Quarterly, 33(1), 71–90.

Liang, H., Xue, Y., Pinsonneault, A., Wu, Y. (2019). What Users Do Besides Problem-focused Coping When Facing IT Security Threats: An Emotion-Focused Coping Perspective. MIS Quarterly, 43(2), 373–394.

Lin, J., Wang, B., Wang, N., Lu, Y. (2014). Understanding the evolution of consumer trust in mobile commerce: A longitudinal study. Information Technology and Management, 15(1), 37–49.

Mahalanobis, P.C. (1936). On the generalized distance in statistics. Proceedings of the National Institute of Sciences of India, 2(1), 49–55.

ManageEngine. (2021). The 2021 Digital Readiness Survey. https://www.manageengine.com/the-digital-readiness-survey-2021/index.html, accessed 19/12/2022.

Menard, P., Bott, G.J., Crossler, R.E. (2017). User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of Management Information Systems, 34(4), 1203–1230.

Mehrotra, A. (2020). 2021 Will Be the Year of Shadow IT or Augmented IT: Your Action will be Decisive. Data Driven Investor. https://medium.com/datadriveninvestor/2021-will-be-the-year-of-shadow-it-or-augmented-it-your-action-will-be-decisive-17a3fce839ee, accessed 19/12/2022.

Montesdioca, G., Maçada, A.C. (2015). Measuring user satisfaction with information security practices. Computers et Security, 48, 267–280.

Moody, G.D., Siponen, M., Pahnila, S. (2018). Toward a Unified Model of Information Security Policy Compliance. MIS Quarterly, 42(3), 285–311.

Moore, G.C., Benbasat, I. (1991). Development of an instrument to measure the perceptions of adopting an information technology innovation. Information Systems Research, 2(3), 192–222.

Mou, J., Shin, D.-H., Cohen, J. (2016). Health beliefs and the valence framework in health information seeking behaviors. Information Technology et People, 29(4), 876–900.

Myers, N., Starliper, M., Summers, S., Wood, D. (2017). The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making. Accounting Horizons, 31(3), 105–123.

Ng, B.-Y., Kankanhalli, A., Xu, Y. (2009). Studying Users’ Computer Security Behavior: A Health Belief Perspective. Decision Support Systems, 46(3), 815–825.

Orlikowski, W.J. (2000). Using Technology and Constituting Structures: A Practice Lens for Studying Technology in Organisations. Organisation Science, 11(4), 404–428.

Parker, S. K., & Wall, T. D. (1998). Job and work design: Organizing work to promote well-being and effectiveness. Thousand Oaks, CA: Sage

Parsons, K.M. Young, E., Butavicius, M.A., McCormac, A. (2015). The Influence of Organizational Information Security Culture on Information Security Decision Making. Journal of Cognitive Engineering and Decision Making, 9(2), 117–129.

Peter, J. P., et Tarpey, L. X. (1975). A comparative analysis of three consumer decision strategies. Journal of Consumer Research, 2(1), 29–37.

Petter, S., Straub, D., Rai, A. (2007). Specifying formative constructs in Information Systems Research. MIS Quarterly, 31(4), 623–656.

Podsakoff, P.M., MacKenzie, S.B., Lee, J.-Y., Podsakoff, N.P. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879–903.

Ponemon Institute. (2021). The Cost of Cloud Compromise and Shadow IT. https://www.proofpoint.com/us/resources/webinars/cost-cloud-compromise-and-shadow-it, accessed 19/12/2022.

Richter, S., Waizenegger, L., Steinhueser, M., Richter, A. (2019). Knowledge Management in the Dark: The Role of Shadow IT in Practices in Manufacturing. International Journal of Knowledge Management, 15(2), 1–19.

Ringle, C.M., Wende, S., & Becker, J.-M. (2022). SmartPLS 4. Boenningstedt: SmartPLS. https://www.smartpls.com, accessed 19/12/2022.

Rogers, R.W. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In J. T. Cacioppo et R. E. Petty (Eds.), Social psychophysiology: A sourcebook (p. 153-176). New York: Guilford Press.

Salo, M., Makkonen, M., Hekkala, R. (2020). The Interplay of IT Users' Coping Strategies: Uncovering Momentary Emotional Load, Routes, and Sequences. MIS Quarterly, 44(3), 1143-1175.

Scheier, M. F., Carver, C. S., Bridges, M. W. (1994). Distinguishing optimism from neuroticism (and trait anxiety, self-mastery, and self-esteem): A reevaluation of the Life Orientation Test. Journal of Personality and Social Psychology, 67(6), 1063-1078.

Silic, M., Back, A. (2014). Shadow IT: A View from behind the Curtain. Computers & Security, 45, 274–283.

Silic, M., Barlow, J.B., Back, A. (2017). A new perspective on neutralization and deterrence: predicting shadow IT usage. Information & Management, 54, 1023–1037.

Simmering, M.J., Fuller, C.M., Richardson, H.A., Ocal, Y., Atinc, G.M. (2015). Marker variable choice, reporting, and interpretation in the detection of common method variance. Organizational Research Methods, 18(3), 473–511.

Siponen, M., Mahmood, M.A., Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217–224.

Spierings, A., Kerr, D., Houghton, H. (2017). Issues that support the creation of ICT workarounds: towards a theoretical understanding of feral information systems. Information Systems Journal, 27, 775–794.

Sykes, T. A. (2015). Support Structures and Their Impacts on Employee Outcomes: A Longitudinal Field Study of an Enterprise System Implementation. MIS Quarterly, 39(2), 473–495.

Sykes, G.M., Matza, D. (1957). Techniques of neutralization: a theory of delinquency. American Sociological Review, 22, 664–670.

Tu, Z., Turel, O., Yuan, Y., Archer, N. (2015). Learning to cope with information security risks regarding mobile device loss or theft: An empirical examination. Information & Management, 52(4), 506–517.

Vance, A., Siponen, M., Pahnila, S. (2012). Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49(3‑4), 190–198.

Venkatesh, V., Morris, M., Davis, G., Davis, F. (2003). User Acceptance of Information Technology: Toward a Unified View. MIS Quarterly, 27(3), 425–478.

Wang, J., Li, Y., Rao, H. R. (2016). Overconfidence in Phishing Email Detection. Journal of the Association for Information Systems, 17(11), 759-783.

Walterbusch, M., Fietz, A., Teuteberg, F. (2017). Missing cloud security awareness: investigating risk exposure in shadow IT. Journal of Enterprise Information Management, 30(4), 644–665.

Workman, M., Bommer, W.H., Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799–2816.

Yazdanmehr, A., Wang, J, Yang, Z. (2020). Peers matter: The moderating role of social influence on information security policy compliance. Information Systems Journal, 30, 791– 844.

Zhou, Z., Jin, X.-L., Fang, Y., Vogel, D. (2015). Toward a theory of perceived benefits, affective commitment, and continuance intention in social virtual worlds: Cultural values (indulgence and individualism) matter. European Journal of Information Systems, 24(3), 247–261.

Zimmermann, S., Rentrop, C., Felden, C. (2014). Managing Shadow IT Instances: A Method to Control Autonomous IT Solutions in the Business Departments, AMCIS 2014 Proceedings.

Published

2024-04-22

How to Cite

Barlette, Y., Berthevas, J.-F., & Sueur, I. (2024). Impacts on Employee Coping Behaviors of Opportunities and Threats Related to the Use of Shadow IT. Systèmes d’Information Et Management (French Journal of Management Information Systems), 28(4), Page 71–108. Retrieved from https://revuesim.org/index.php/sim/article/view/1259

Issue

Vol. 28 No. 4 (2023): Varia

Section

Empirical research

License

The author bears the responsibility for checking whether material submitted is subject to copyright or ownership rights (e.g. figures, tables, photographs, illustrations, trade literature and data). The author will need to obtain permission to reproduce any such items, and include these permissions with their final submission.

It is our policy to ask all contributors to transfer for free the copyright in their contribution to the journal owner. There are two broad reasons for this:

  • ownership of copyright by the journal owner facilitates international protection against infringement of copyright, libel or plagiarism;
  • it also ensures that requests by third parties to reprint or reproduce a contribution, or part of it, in either print or electronic form, are handled efficiently in accordance with our general policy which encourages dissemination of knowledge within the framework of copyright.

 

In conformity with the French law, the author keeps the 'moral rights' related to the article:

  • The 'authorship right': It is the author's right to have his name associated with each publication and exploitation of the article.
  • The 'integrity right': It can be claimed by the author if he finds that during an exploitation, his work has been distorted (cutting, reassembly...).