A Multiple Case Study on the Nature and Management of Shadow Information Technology

ABSTRACT

In several organizations, business workgroups autonomously implement information technology (IT) outside the purview of the IT department. Shadow IT, evolving as a type of workaround from nontransparent and unapproved end-user computing (EUC), is a term used to refer to this phenomenon, which challenges norms relative to IT controllability. This report describes shadow IT based on case studies of three companies and investigates its management. In 62 percent of cases, companies decided to reengineer detected instances or reallocate related subtasks to their IT department. Considerations of risks and transaction cost economics with regard to specificity, uncertainty, and scope explain these actions and the resulting coordination of IT responsibilities between the business workgroups and IT departments. This turns shadow IT into controlled business-managed IT activities and enhances EUC management. The results contribute to the governance of IT task responsibilities and provide a way to formalize t...
