7 Shadow IT
In this chapter
Although shadow IT could be considered an example of a workaround, the topic has a life (and a chapter) of its own, mainly because surveys consistently indicate that there is widespread use of shadow IT in organisations. Workarounds certainly carry risks, but these are limited to an extent because the workarounds are developed on IT-approved systems. This is not the case with shadow IT, and that brings with it additional risks, especially around IT security.
Are ‘workaround’ and ‘shadow IT’ synonyms?
In the context of this book the question is whether these two terms are synonyms. There is a view that workarounds are more short term in duration and developed and used by an individual employee experiencing a problem with the effective use of an enterprise application. Shadow IT, on the other hand, tends to be used by individuals and groups of employees for a longer duration.
An early, and very detailed, description of the use of shadow applications is presented by Handel (2011) with many examples from a major aerospace company. However, the paper does not refer to ‘shadow IT’ as a generic description, only to the fact that these applications exist in the shadows of the organisation.
The definition of ‘Shadow IT’ is generally attributed to the work of Rentrop and Zimmerman (2012).
“Shadow IT describes the supplement of “official” IT by several, autonomous developed IT systems, processes and organizational units, which are located in the business departments. These systems are generally not known, supported and accepted by the official IT department.”
Contemporary with the emergence of this definition comes the concept of ‘feral IT’ by Thatte (2012).
“Feral practices can be broadly defined as usage of information technology which deviates from organizational norms and exists beyond the control and/or knowledge of the organizational IT management.”
The authors make a case for there being a difference between ‘shadow IT’ and ‘feral IT’ but it would seem that there may have been an aversion to the adoption of ‘feral’ through its identification with animals. ‘Shadow’ has no such connotations and is now certainly much more widely used. The paper by Thatte has only been cited 19 times since publication. Raković (2020) plots the occurrence of the terms shadow IT, feral IT and IT workarounds which confirms the dominance of shadow IT as the preferred descriptor, and also the significant increase in the publication of research papers on these topics since around 2014.
The extent to which shadow IT can be regarded as a workaround is considered by Shaikh (2021) in which he matches the characteristics of shadow IT to the five voices framework developed by Alter (2014).
Does it make any difference?
When it comes to Shadow IT it seems that there is much less reluctance on the part of employees to respond to an external survey of whether they use Shadow IT applications. One reason for this could be that they do not need to disclose confidential information about how they use shadow applications, just the brand of the software application. A search on Google (other search services are available!) will quickly locate a number of surveys on shadow IT adoption. Given the potential shelf life of this book there is little point in highlighting the outcomes of these surveys other than to note that around 80% of employees seem to be using a shadow IT application.
Some examples include
- Productivity apps such as Trello and Asana
- Employee experience applications such as Simpplr and Kazoo
- Cloud storage, file-sharing, and document-editing applications such as Dropbox, Google Docs, Google Drive, and Microsoft OneDrive
- Communication and messaging apps including Slack, WhatsApp, Zoom, Signal, Telegram, and personal email accounts
Many of the case studies of workarounds refer to the use of Excel as either a database or as a financial planning application to aggregate data before uploading it into the business application. Excel is of course an IT-supported application but it could be that an employee uses their own instance of Excel to aggregate data.
As a result of the significant increase in remote and hybrid working, employees might well bring these applications to the workplace because they already use them in their personal lives. Another factor is that clients and customers may decide to invite employees they work with on a regular basis to use the services that they have adopted.
The risks associated with these shadow IT applications are significant, especially in terms of information security. A workaround on a monitored application should still maintain the security management imposed by IT. That will not be the case with a shadow IT application. USB drives are a very common example of how easily security protocols can be breached. It seems that more attention is being paid to the management of shadow IT by IT managers because of the security implications for the organisation within the context of an ISO 27001 information security policy.
What is not mentioned in any detail in the research papers is the extent to which shadow IT applications are not backed up by their owners.
Literature reviews
Two substantial reviews of the research literature on shadow IT have been published. The review by Klotz et al. (2019) of 126 research papers published up to around 2017 takes into account a taxonomy for shadow IT developed by Kopper (2016), a co-author of Klotz. The scale of the published literature over the period from the early studies in 2010 is an indication of the high level of academic interest in Shadow IT.
Raković (2020) reviews 90 papers and focuses in particular on management issues relating to shadow IT.
There is also an interesting perspective on the reasons why employees adopt shadow IT (Haag 2019) which considers 82 citations. However, there is virtually no consideration of the concept of ‘workarounds’ in these papers, although de Vargas Pinto (2022) considers the relationship in some detail.
Workarounds in software development
Another aspect of IT management where workarounds are widely recognised and adopted is in the process of software development. This is a subject that has been quite widely studied and using workarounds for this purpose is regarded as ‘good practice’. Two recent papers by Song (2020) and Lamothe (2020) provide a starting point to gain an understanding of this practice.
The bottom line
Up to this point in the book I have been focusing on what might be regarded as the classic example of workarounds, where an employee develops a way of improving their personal productivity with an IT-supported enterprise application. Although this is a short chapter, introducing shadow IT and API development as similar in principle and in practice to the established view of workarounds suggests that IT teams are facing significant internal management problems at the same time as they are seeking to introduce upgrades to current systems (notably with AI) and new applications. Chapter 6 focuses specifically on workarounds in clinical systems, which as discussed in Chapter 3 have similarities but also differences to enterprise systems.
References
Song, D., Zhong, H. & Jia, L. (2020). The symptom, cause and repair of workaround. ASE ’20, September 21–25, virtual event, Australia.
de Vargas Pinto, A., Beerepoot, I. & Gastaud Maçada, A.C. (2022). Encourage autonomy to increase individual work performance: the impact of job characteristics on workaround behavior and shadow IT usage. Information Technology and Management. https://doi.org/10.1007/s10799-022-00368-6
de Vargas Pinto, A., Gastaud Maçada, A.C. & Mallman, G.L. (2018). Workaround behaviour in information systems research. Revista de Gestão, 25(4), 430-446.
Haag, S., Eckhardt, A. & Schwarz, A. (2019). The acceptance of justifications among shadow IT users and nonusers – an empirical analysis. Information & Management, 56, 731–741.
Handel, M. & Poltrock, S. (2011). Working around official applications: experiences from a large engineering project. CSCW 2011, March 19–23, Hangzhou, China.
Hulsebosch, M. (2023). An analysis of Cloud-based Shadow IT and a framework for managing its risks and opportunities. (Thesis). University of Twente.
Jarrahi, M.H., Reynolds, R. & Eshraghi, A. (2020). Personal knowledge management and enactment of personal knowledge infrastructures as shadow IT. Information and Learning Sciences, November. DOI: 10.1108/ILS-11-2019-0120
Klotz, S., Kopper, A., Westner, M. & Strahringer, S. (2019). Causing factors, outcomes, and governance of Shadow IT and business-managed IT: a systematic literature review. International Journal of Information Systems and Project Management, 7(1), 15-43.
Kopper, A. & Westner, M. (2016). Towards a taxonomy for shadow IT. Twenty-second Americas Conference on Information Systems, San Diego.
Lamothe, M. & Shang, W. (2020). When APIs are intentionally bypassed: an exploratory study of API workarounds. ICSE ’20, May 23–29, Seoul, Republic of Korea.
Raković, L., Sakal, M., Matković, P. & Marić, M. (2020). Shadow IT – a systematic literature review. Information Technology and Control, 49(1), 144-160. https://doi.org/10.5755/j01.itc.49.1.23801
Rentrop, C. & Zimmerman, S. (2012). Shadow IT Evaluation Model. Proceedings of the Federated Conference on Computer Science and Information Systems, 1023–1027. ISBN 978-83-60810-51-4
Rentrop, C. & Zimmerman, S. (2012). Shadow IT management and control of unofficial IT. CDS 2012: The Sixth International Conference on Digital Society. ISBN: 978-1-61208-176-2
Shaikh, A. (2021). Shadow-IT system as a workaround: a theoretical review. MENACIS2021, 29. https://aisel.aisnet.org/menacis2021
Silic, M. & Back, A. (2014). Shadow IT – a view from behind the curtain. Computers & Security, 45, 274-283.
Spierings, A., Kerr, D. & Houghton, L. (2017). Issues that support the creation of ICT workarounds: towards a theoretical understanding of feral information systems. Information Systems Journal. https://doi.org/10.1111/isj.12123
Steinhueser, M., Waizenegger, L., Vodanovich, S. & Richter, A. (2017). Knowledge management without management – shadow IT in knowledge-intensive manufacturing practice. Proceedings of the 25th European Conference on Information Systems (ECIS), Guimarães, Portugal, June 5-10, 2017, 1647-1662. ISBN 978-989-207655. Research Papers http://aisel.aisnet.org/ecis2017_rp/106
Zimmermann, S. & Rentrop, C. (2014). On the emergence of shadow IT – a transaction cost-based approach. Proceedings of the European Conference on Information Systems (ECIS) 2014, Tel Aviv, Israel, June 9-11. ISBN 978-0-9915567-0-0. http://aisel.aisnet.org/ecis2014/proceedings/track15/11