Shadow IT in higher education: survey and case study for cybersecurity

Impact factor 0.3; CAS Zone 4 (Engineering & Technology); JCR Q4, COMPUTER SCIENCE, THEORY & METHODS
Selma Gomez Orr, C. Bonyadi, Enis Golaszewski, Alan T. Sherman, Peter A. H. Peterson, R. Forno, Sydney Johns, Jimmy Rodriguez
DOI: 10.1080/01611194.2022.2103754 (https://doi.org/10.1080/01611194.2022.2103754)
Journal: Cryptologia
Publication type: Journal Article
Publication date: 2022-10-12
Citations: 1

Abstract

We explore shadow information technology (IT) at institutions of higher education through a two-tiered approach involving a detailed case study and comprehensive survey of IT professionals. In its many forms, shadow IT is the software or hardware present in a computer system or network that lies outside the typical review process of the responsible IT unit. We carry out a case study of an internally built legacy grants management system at the University of Maryland, Baltimore County that exemplifies the vulnerabilities, including cross-site scripting and SQL injection, typical of such unauthorized and ad-hoc software. We also conduct a survey of IT professionals at universities, colleges, and community colleges that reveals new and actionable information regarding the prevalence, usage patterns, types, benefits, and risks of shadow IT at their respective institutions. Further, we propose a security-based profile of shadow IT, involving a subset of elements from existing shadow IT taxonomies, that categorizes shadow IT from a security perspective. Based on this profile, survey respondents identified the predominant form of shadow IT at their institutions, revealing close similarities to findings from our case study. Through this work, we are the first to identify possible susceptibility factors associated with the occurrence of shadow IT related security incidents within academic institutions. Correlations of significance include the presence of certain graduate schools, the level of decentralization of the IT department, the types of shadow IT present, the percentage of security violations related to shadow IT, and the institution’s overall attitude toward shadow IT. The combined elements of our case study, profile, and survey provide the first comprehensive view of shadow IT security at academic institutions, highlighting tension between its risks and benefits, and suggesting strategies for managing it successfully.
Source journal

Cryptologia (Engineering & Technology; Computer Science: Theory & Methods)

Self-citation rate: 33.30%
Articles published: 31
Review time: 24 months
Journal description: Cryptologia is the only scholarly journal in the world dealing with the history, the technology, and the effect of the most important form of intelligence in the world today: communications intelligence. It fosters the study of all aspects of cryptology, technical as well as historical and cultural. The journal's articles have broken many new paths in intelligence history. They have told for the first time how a special agency prepared information from codebreaking for President Roosevelt, have described the ciphers of Lewis Carroll, revealed details of Hermann Goering's wiretapping agency, published memoirs (written for it) of some World War II American codebreakers, and disclosed how American codebreaking affected the structure of the United Nations.