Cyber Threats of Shadow IT in Dutch Higher Education and Research
Summary
Usage of IT (information technology) in higher education institutions (HEIs) is influenced by the sector’s diverse user needs and culture of academic freedom, openness, and innovation. Besides the IT managed by the institution, this context gives rise to the phenomenon of shadow IT: “hardware, software, or services built, introduced, and/or used for the job without explicit approval or even knowledge of the organization” (Haag & Eckhardt, 2017). Existing research often mentions that this loss of control has severe cybersecurity consequences, but technical details of the consequences are seldom provided. This thesis aims to model the role of shadow IT in HEIs’ threat landscapes, to gain deeper insights into the risks as a first step towards cybersecurity risk management for this phenomenon. In a sequential approach, we first conducted two literature reviews on definitions and known cybersecurity consequences. Then, we interviewed eleven information security professionals from HEIs about the shadow IT occurrences and threats they perceive in their organization. These interviews were qualitatively analyzed to systematically identify occurrences and threats until code saturation occurred. This method allowed us to provide a rich set of occurrences and threat components observed by experts, which could then be structured into an occurrence-vulnerability view and several threat diagrams, representing the most important attack paths associated with shadow IT. This specific modeling of threats also allowed us to relate these threats to countermeasures. We conclude that cyber problems related to shadow IT are very diverse, and highly dependent on the prevention, detection and mitigation measures already taken by institutions. The role of shadow IT in the threat landscape can be very manageable if the institution accounts for its existence.
Based on the results, we provide guidance for prevention, but also recommend ways in which institutions can responsibly allow and account for shadow IT.