Appearance of Dark Clouds? - An Empirical Analysis of Users' Shadow Sourcing of Cloud Services

Encouraged by recent practical observations of employees' usage of public cloud services for work tasks instead of mandatory internal support sys- tems, this study investigates end users' utilitarian and normative motivators based on the theory of reasoned action. Partial least squares analyses of survey data comprising 71 computer end users at work, employed across various com- panies and industries, show that perceived benefits for job performance, social influences of the entire work environment, and employees' lack of identifica- tion with the organizational norms and values drive insiders to threaten the se- curity of organizational IT assets.

[1]  Brian R. Dineen,et al.  Supervisory guidance and behavioral integrity: relationships with employee citizenship and deviant behavior. , 2006, The Journal of applied psychology.

[2]  Steven L. Alter,et al.  USF Scholarship: a digital repository @ Gleeson Library | Geschke Center , 2016 .

[3]  Sven Graupner,et al.  The Future of Enterprise IT in the Cloud , 2012, Computer.

[4]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[5]  Peter A. Todd,et al.  Assessing IT usage: the role of prior experience , 1995 .

[6]  Peter A. Todd,et al.  Understanding Information Technology Usage: A Test of Competing Models , 1995, Inf. Syst. Res..

[7]  R. Bennett,et al.  How management style moderates the relationship between abusive supervision and workplace deviance: An uncertainty management theory perspective. , 2009 .

[8]  I. Ajzen,et al.  Predicting dishonest actions using the theory of planned behavior , 1991 .

[9]  Hao Wang,et al.  Predicting the Usage of P2P Sharing Software: The Role of Trust and Perceived Risk , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[10]  A. O'Leary-Kelly,et al.  Monkey See, Monkey Do: The Influence of Work Groups on the Antisocial Behavior of Employees , 1998 .

[11]  Björn Niehaves,et al.  Individualization of Information Systems - Analyzing Antecedents of IT Consumerization Behavior , 2013, ICIS.

[12]  Sarv Devaraj,et al.  Employee Misuse of Information Technology Resources: Testing a Contemporary Deterrence Model , 2012, Decis. Sci..

[13]  Y. Vardi,et al.  Misbehavior in Organizations: A Motivational Framework , 1996 .

[14]  Mikko T. Siponen,et al.  Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations , 2014, Eur. J. Inf. Syst..

[15]  Houston H. Carr,et al.  Threats to Information Systems: Today's Reality, Yesterday's Understanding , 1992, MIS Q..

[16]  Sandy Behrens,et al.  Shadow systems: the good, the bad and the ugly , 2009, CACM.

[17]  Merrill Warkentin,et al.  Beyond Deterrence: An Expanded View of Employee Computer Abuse , 2013, MIS Q..

[18]  Paul A. Pavlou,et al.  Building Effective Online Marketplaces with Institution-Based Trust , 2004, Inf. Syst. Res..

[19]  Timothy Paul Cronan,et al.  Modeling IT Ethics: A Study in Situational Ethics , 1998, MIS Q..

[20]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[21]  Naresh K. Malhotra,et al.  Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model , 2004, Inf. Syst. Res..

[22]  Izak Benbasat,et al.  Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation , 1991, Inf. Syst. Res..

[23]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[24]  R. Axelrod An Evolutionary Approach to Norms , 1986, American Political Science Review.

[25]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[26]  L. Doob The psychology of social norms. , 1937 .

[27]  Andreas Eckhardt,et al.  Organizational cloud service adoption: a scientometric and content-based literature analysis , 2014, Journal of Business Economics.

[28]  A. Pruyn,et al.  THE IMPACT OF EMPLOYEE COMMUNICATION AND PERCEIVED EXTERNAL PRESTIGE ON ORGANIZATIONAL IDENTIFICATION , 2000 .

[29]  Andreas Eckhardt,et al.  Normalizing the Shadows - The Role of Symbolic Models for Individuals' Shadow IT Usage , 2014, ICIS.

[30]  Fred D. Davis,et al.  A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies , 2000, Management Science.

[31]  Eruani Zainuddin Secretly SaaS-ing: Stealth Adoption of Software-as-a-Service from the Embeddedness Perspective , 2012, ICIS.

[32]  Charles D. Barrett Understanding Attitudes and Predicting Social Behavior , 1980 .

[33]  S. Robinson,et al.  THE IMP ACT OF COMMUNITY VIOLENCE AND AN ORGANIZATION ' S PROCEDURAL JUSTICE CLIMATE ON WORKPLACE AGGRESSION , 2003 .

[34]  Jacob Cohen,et al.  A power primer. , 1992, Psychological bulletin.

[35]  I. Ajzen The theory of planned behavior , 1991 .

[36]  Catherine E. Connelly,et al.  Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model , 2011, J. Manag. Inf. Syst..

[37]  Jason Bennett Thatcher,et al.  Conceptualizing models using multidimensional constructs: a review and guidelines for their use , 2012, Eur. J. Inf. Syst..

[38]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[39]  Dustin Ormond,et al.  Don't make excuses! Discouraging neutralization to reduce IT policy violation , 2013, Comput. Secur..

[40]  Fred A. Mael,et al.  Social identity theory and the organization , 1989 .

[41]  Paul A. Pavlou,et al.  Encouraging Citizen Adoption of eGovernment by Building Trust , 2002, Electron. Mark..

[42]  Patrick D. Dunlop,et al.  Workplace deviance, organizational citizenship behavior, and business unit performance: the bad apples do spoil the whole barrel , 2004 .

[43]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[44]  Trevor T. Moores,et al.  Ethical Decision Making in Software Piracy: Initial Development and a Test of a Four-Component Model , 2006, MIS Q..

[45]  Daniel Beimborn,et al.  Enterprise App Stores for Mobile Applications - Development of a Benefits Framework , 2013, AMCIS.

[46]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[47]  Gordon B. Davis,et al.  User Acceptance of Information Technology: Toward a Unified View , 2003, MIS Q..

[48]  Jungjoo Jahng,et al.  An empirical investigation into the utilization-based information technology success model: integrating task-performance and social influence perspective , 2007, J. Inf. Technol..

[49]  Magid Igbaria,et al.  Personal Computing Acceptance Factors in Small Firms: A Structural Equation Model , 1997, MIS Q..

[50]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[51]  J. Pfeffer,et al.  A social information processing approach to job attitudes and task design. , 1978, Administrative science quarterly.

[52]  Lori N. K. Leonard,et al.  What influences IT ethical behavior intentions - planned behavior, reasoned action, perceived importance, or individual characteristics? , 2004, Inf. Manag..

[53]  Anat Hovav,et al.  Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea , 2012, Inf. Manag..

[54]  Mikko T. Siponen,et al.  A conceptual foundation for organizational information security awareness , 2000, Inf. Manag. Comput. Secur..

[55]  S. Chaiken,et al.  The psychology of attitudes. , 1993 .

[56]  Irene M. Y. Woon,et al.  Forthcoming: Journal of Information Privacy and Security , 2022 .

[57]  Sven Laumer,et al.  Who influences whom? Analyzing workplace referents' social influence on IT adoption and non-adoption , 2009, J. Inf. Technol..

[58]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[59]  Andreas Eckhardt,et al.  Sensitizing Employees' Corporate IS Security Risk Perception , 2014, ICIS.

[60]  E. Morrison,et al.  Taking Charge At Work: Extrarole Efforts to Initiate Workplace Change , 1999 .

[61]  Detmar W. Straub,et al.  Validation Guidelines for IS Positivist Research , 2004, Commun. Assoc. Inf. Syst..

[62]  Walter Brenner,et al.  European Conference on Information Systems ( ECIS ) 5-15-2012 EXPLORING THE SHADOWS : IT GOVERNANCE APPROACHES TO USER-DRIVEN INNOVATION , 2012 .

[63]  Dennis F. Galletta,et al.  Software Piracy in the Workplace: A Model and Empirical Test , 2003, J. Manag. Inf. Syst..

[64]  Qing Hu,et al.  Does deterrence work in reducing information security policy abuse by employees? , 2011, Commun. ACM.

[65]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[66]  Karen D. Loch,et al.  Evaluating ethical decision making and computer use , 1996, CACM.