Shadow IT in Higher Education: Survey and Case Study for Cybersecurity

Citation of Original Publication

Selma Gomez Orr, Cyrus Jian Bonyadi, Enis Golaszewski, Alan T. Sherman, Peter A. H. Peterson, Richard Forno, Sydney Johns & Jimmy Rodriguez (2022) Shadow IT in higher education: survey and case study for cybersecurity, Cryptologia, DOI: 10.1080/01611194.2022.2103754

Rights

This is the submitted manuscript of an article published by Taylor & Francis in Cryptologia on 12 Oct 2022, available online: http://www.tandfonline.com/10.1080/01611194.2022.2103754.

Abstract

We explore shadow information technology (IT) at institutions of higher education through a two-tiered approach involving a detailed case study and comprehensive survey of IT professionals. In its many forms, shadow IT is the software or hardware present in a computer system or network that lies outside the typical review process of the responsible IT unit. We carry out a case study of an internally built legacy grants management system at the University of Maryland, Baltimore County that exemplifies the vulnerabilities, including cross-site scripting and SQL injection, typical of such unauthorized and ad-hoc software. We also conduct a survey of IT professionals at universities, colleges, and community colleges that reveals new and actionable information regarding the prevalence, usage patterns, types, benefits, and risks of shadow IT at their respective institutions. Further, we propose a security-based profile of shadow IT, involving a subset of elements from existing shadow IT taxonomies, that categorizes shadow IT from a security perspective. Based on this profile, survey respondents identified the predominant form of shadow IT at their institutions, revealing close similarities to findings from our case study. Through this work, we are the first to identify possible susceptibility factors associated with the occurrence of shadow IT-related security incidents within academic institutions. Correlations of significance include the presence of certain graduate schools, the level of decentralization of the IT department, the types of shadow IT present, the percentage of security violations related to shadow IT, and the institution’s overall attitude toward shadow IT. The combined elements of our case study, profile, and survey provide the first comprehensive view of shadow IT security at academic institutions, highlighting tension between its risks and benefits, and suggesting strategies for managing it successfully.