Shadow IT in Higher Education: Survey and Case Study for Cybersecurity

dc.contributor.author: Gomez Orr, Selma
dc.contributor.author: Jian Bonyadi, Cyrus
dc.contributor.author: Golaszewski, Enis
dc.contributor.author: Sherman, Alan T.
dc.contributor.author: Peterson, Peter A. H.
dc.contributor.author: Forno, Richard
dc.contributor.author: Johns, Sydney
dc.contributor.author: Rodriguez, Jimmy
dc.date.accessioned: 2022-01-13T16:43:40Z
dc.date.available: 2022-01-13T16:43:40Z
dc.description.abstract: We explore shadow information technology (IT) at institutions of higher education through a two-tiered approach involving a detailed case study and comprehensive survey of IT professionals. In its many forms, shadow IT is the software or hardware present in a computer system or network that lies outside the typical review process of the responsible IT unit. We carry out a case study of an internally built legacy grants management system at the University of Maryland, Baltimore County that exemplifies the vulnerabilities, including cross-site scripting and SQL injection, typical of such unauthorized and ad-hoc software. We also conduct a survey of IT professionals at universities, colleges, and community colleges that reveals new and actionable information regarding the prevalence, usage patterns, types, benefits, and risks of shadow IT at their respective institutions. Further, we propose a security-based profile of shadow IT, involving a subset of elements from existing shadow IT taxonomies, that categorizes shadow IT from a security perspective. Based on this profile, survey respondents identified the predominant form of shadow IT at their institutions, revealing close similarities to findings from our case study. Through this work, we are the first to identify possible susceptibility factors associated with the occurrence of shadow IT related security incidents within academic institutions. Correlations of significance include the presence of certain graduate schools, the level of decentralization of the IT department, the types of shadow IT present, the percentage of security violations related to shadow IT, and the institution’s overall attitude toward shadow IT. The combined elements of our case study, profile, and survey provide the first comprehensive view of shadow IT security at academic institutions, highlighting tension between its risks and benefits, and suggesting strategies for managing it successfully. (en_US)
dc.description.sponsorship: We thank UMBC CIO Jack Suess for suggesting that we analyze SAMS, for granting us access to do so, and for his insights on the survey findings. Thanks to Damian Doyle and UMBC CSO Mark Cather for providing technical support for the case study. Suess and Doyle also helped shape the content of the survey instrument. The following students also participated in the case study: Richard Baldwin, Alex Bassford, Scott Bohon, Casey Borror, Daniel Dominguez, Elias Enamorado, Maksim Eren, Akshita Gorti, Gabriel Onana, Cabel Pinkney, Mykah Rather, Firew Shafi, Ken Studley, Johnny Truong, Charles Varga, Ryan Wnuk-Fink, and Armand Yonkeu. Thanks also to Glenn Mains of the Prince George’s County Office of Information Technology for his valuable contributions in the development of our security profile and for his helpful comments on the survey instrument. Thomas Penniston of UMBC’s Department of Information Technology provided valuable assistance for the survey deployment in Qualtrics, as well as feedback on the survey instrument. Linda Oliva led the design and assessment of the educational aspects of the student research study. We thank Ming Chow, Josiah Dykstra, and Oliva for helpful comments. This work was supported in part by the National Science Foundation under SFS grants DGE-1241576, 1753681, and 1819521. Sherman, Bassford, and Johns were also supported in part by the U.S. Department of Defense under CySP grants H98230-17-1-0387, H98230-18-1-0321, and H98230-19-1-0308. (en_US)
dc.description.uri: https://www.tandfonline.com/doi/full/10.1080/01611194.2022.2103754 (en_US)
dc.format.extent: 63 pages (en_US)
dc.genre: journal articles (en_US)
dc.genre: preprints (en_US)
dc.identifier: doi:10.13016/m2ncoc-lqto
dc.identifier.citation: Selma Gomez Orr, Cyrus Jian Bonyadi, Enis Golaszewski, Alan T. Sherman, Peter A. H. Peterson, Richard Forno, Sydney Johns & Jimmy Rodriguez (2022) Shadow IT in higher education: survey and case study for cybersecurity, Cryptologia, DOI: 10.1080/01611194.2022.2103754
dc.identifier.uri: http://hdl.handle.net/11603/23994
dc.identifier.uri: https://doi.org/10.1080/01611194.2022.2103754
dc.language.iso: en_US (en_US)
dc.publisher: Taylor and Francis
dc.relation.isAvailableAt: The University of Maryland, Baltimore County (UMBC)
dc.relation.ispartof: UMBC Computer Science and Electrical Engineering Department Collection
dc.relation.ispartof: UMBC Faculty Collection
dc.relation.ispartof: UMBC Student Collection
dc.rights: This is the submitted manuscript of an article published by Taylor & Francis in Cryptologia on 12 Oct 2022, available online: http://www.tandfonline.com/10.1080/01611194.2022.2103754. (en_US)
dc.subject: UMBC Cyber Defense Lab (en_US)
dc.title: Shadow IT in Higher Education: Survey and Case Study for Cybersecurity (en_US)
dc.type: Text (en_US)
dcterms.creator: https://orcid.org/0000-0002-5281-7640 (en_US)
dcterms.creator: https://orcid.org/0000-0002-3686-7242 (en_US)
dcterms.creator: https://orcid.org/0000-0002-0814-9956
dcterms.creator: https://orcid.org/0000-0003-1130-4678
dcterms.creator: https://orcid.org/0000-0002-9037-537X
dcterms.creator: https://orcid.org/0000-0002-6751-0828
dcterms.creator: https://orcid.org/0000-0001-7997-4067

Files

Original bundle
Name: Shadow-IT-in-Higher-Education.pdf
Size: 677.73 KB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 2.56 KB
Format: Item-specific license agreed upon to submission