{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,5]],"date-time":"2026-04-05T03:00:22Z","timestamp":1775358022240,"version":"3.50.1"},"reference-count":68,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2017,7,10]],"date-time":"2017-07-10T00:00:00Z","timestamp":1499644800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JEIM"],"published-print":{"date-parts":[[2017,7,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>On account of its easy and intuitive usage as well as obvious advantages (e.g. access to work data from anywhere, at any time and through any means) the evolutionary cloud computing paradigm favors the use of shadow IT. Since many employees are not aware of the associated risks and possible legal violations, unauthorized use of cloud computing services could result in substantial risk exposure for any company. The purpose of this paper is to explore and to extend the body of knowledge concerning the topic of cloud computing with regard to shadow IT.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The aim of this contribution is to identify the reasons for the use of cloud computing services and the resulting shadow IT from an employee\u2019s perspective, to demonstrate the counteractions a company may take against the unauthorized use of cloud computing services and to elaborate on the inherent opportunities and risks. We follow a mixed-methods approach consisting of a systematic literature review, a cloud computing awareness study, a vignette study and expert interviews.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Based on a triangulation of the data sets, the paper at hand proposes a morphological box as well as a two-piece belief-action-outcome model, both from an employee\u2019s and employer\u2019s point of view. Our findings ultimately lead to recommendations for action for employers to counteract the risk exposure. Furthermore, also employees are sensitized by means of insights into the topic of unauthorized usage of cloud computing services in everyday working life.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>The limitations of the triangulation reflect the limitations of each applied research method. These limitations justify why a mixed-methods approach is favored \u2013 rather than relying on a single source of data \u2013 because data from various sources can be triangulated.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>The paper includes recommendations for action for the handling of the unauthorized usage of cloud computing services within a company, e.g., the set up of a company-wide cloud security strategy and the conduction of an anonymous employee survey to identify the status quo.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper fulfills an identified need to explore the usage of cloud computing services within the context of shadow IT.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/jeim-07-2015-0066","type":"journal-article","created":{"date-parts":[[2017,5,19]],"date-time":"2017-05-19T07:15:47Z","timestamp":1495178147000},"page":"644-665","source":"Crossref","is-referenced-by-count":28,"title":["Missing cloud security awareness: investigating risk exposure in shadow IT"],"prefix":"10.1108","volume":"30","author":[{"given":"Marc","family":"Walterbusch","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Adrian","family":"Fietz","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Frank","family":"Teuteberg","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020120620483491500_ref001","unstructured":"AIS (2010), \u201cAIS: MIS journal rankings\u201d, available at: http:\/\/ais.affiniscape.com\/displaycommon.cfm?an=1&subarticlenbr=432 (accessed December 13, 2013)."},{"issue":"9","key":"key2020120620483491500_ref002","doi-asserted-by":"crossref","first-page":"1108","DOI":"10.1177\/0146167204264079","article-title":"Explaining the discrepancy between intentions and actions: the case of hypothetical bias in contingent valuation","volume":"30","year":"2004","journal-title":"Personality & Social Psychology Bulletin"},{"issue":"1","key":"key2020120620483491500_ref003","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1086\/268432","article-title":"The use of vignettes in survey research","volume":"42","year":"1978","journal-title":"Public Opinion Quarterly"},{"issue":"3","key":"key2020120620483491500_ref004","doi-asserted-by":"crossref","first-page":"250","DOI":"10.1108\/17410391311325225","article-title":"Cloud computing adoption by SMEs in the north east of England: a multi-perspective framework","volume":"26","year":"2013","journal-title":"Journal of Enterprise Information Management"},{"issue":"9","key":"key2020120620483491500_ref005","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1361-3723(12)70090-8","article-title":"Insuring cyber-assets","volume":"2012","year":"2012","journal-title":"Computer Fraud & Security"},{"issue":"4","key":"key2020120620483491500_ref006","doi-asserted-by":"crossref","first-page":"307","DOI":"10.1080\/13645570050178594","article-title":"\u2018I wanna tell you a story\u2019: exploring the application of vignettes in qualitative research with children and young people","volume":"3","year":"2000","journal-title":"International Journal of Social Research Methodology"},{"key":"key2020120620483491500_ref007","first-page":"1713","article-title":"Why do shadow systems exist after an ERP implementation? Lessons from a case study","year":"2004"},{"issue":"2","key":"key2020120620483491500_ref008","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1145\/1461928.1461960","article-title":"Shadow systems: the good, the bad and the ugly","volume":"52","year":"2009","journal-title":"Communications of the ACM"},{"key":"key2020120620483491500_ref009","unstructured":"BITKOM (2012), \u201cVerlorene handys sind keine seltenheit (lost phones are not uncommon)\u201d, Presseinformation, July, available at: www.bitkom.org\/de\/presse\/74532_72651.aspx (accessed October 15, 2013)."},{"key":"key2020120620483491500_ref010","volume-title":"Cross Currents: Cultures, Communities, Technologies","year":"2013","edition":"1st ed."},{"key":"key2020120620483491500_ref011","first-page":"1","article-title":"Reconstructing the giant: on the importance of rigour in documenting the literature search process","year":"2009"},{"key":"key2020120620483491500_ref012","unstructured":"Bryman, A. (2004), \u201cTriangulation in the SAGE encyclopedia of social science research methods\u201d, pp. 1142-1143."},{"issue":"2","key":"key2020120620483491500_ref013","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1016\/j.dss.2004.02.002","article-title":"Incorporating an ethical perspective into problem formulation: implications for decision support systems design","volume":"40","year":"2005","journal-title":"Decision Support Systems"},{"issue":"4","key":"key2020120620483491500_ref014","doi-asserted-by":"crossref","first-page":"1093","DOI":"10.1287\/isre.1120.0423","article-title":"Research commentary: generalizability of information systems research using student subjects \u2013 a reflection on our practices and recommendations for future research","volume":"23","year":"2012","journal-title":"Information Systems Research"},{"key":"key2020120620483491500_ref015","unstructured":"Core (2008), \u201cERA Conference Rating\u201d, Core, available at: http:\/\/core.edu.au\/cms\/images\/downloads\/conference\/08sort acronymERA2010_conference_list.pdf (accessed December 13, 2003)."},{"key":"key2020120620483491500_ref016","first-page":"1","article-title":"Normalizing the shadows \u2013 the role of symbolic models for individuals \u2019 shadow IT usage","year":"2014"},{"issue":"1","key":"key2020120620483491500_ref017","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1177\/0038038587021001008","article-title":"The vignette technique in survey research","volume":"21","year":"1987","journal-title":"Sociology"},{"key":"key2020120620483491500_ref018","article-title":"Shadow IT systems: discerning the good and the evil","year":"2014"},{"issue":"1","key":"key2020120620483491500_ref019","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1108\/JEIM-08-2013-0065","article-title":"Understanding determinants of cloud computing adoption using an integrated TAM-TOE model","volume":"28","year":"2015","journal-title":"Journal of Enterprise Information Management"},{"issue":"6","key":"key2020120620483491500_ref020","first-page":"7","article-title":"Public sector clouds beginning to Blossom","volume":"15","year":"2011","journal-title":"IEEE Computer Society"},{"key":"key2020120620483491500_ref021","first-page":"1","article-title":"Exploring the shadows: IT governance approaches to user-driven innovation","year":"2012"},{"key":"key2020120620483491500_ref022","first-page":"1438","article-title":"Appearance of dark clouds? An empirical analysis of users\u2019 shadow sourcing of cloud services","year":"2015"},{"issue":"3","key":"key2020120620483491500_ref023","doi-asserted-by":"crossref","first-page":"257","DOI":"10.2307\/249656","article-title":"The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions","volume":"20","year":"1996","journal-title":"MIS Quarterly"},{"issue":"3","key":"key2020120620483491500_ref024","doi-asserted-by":"crossref","first-page":"381","DOI":"10.1111\/1467-9566.00107","article-title":"Considering the vignette technique and its application to a study of drug injecting and HIV risk and safer behaviour","volume":"20","year":"1998","journal-title":"Sociology of Health and Illness"},{"key":"key2020120620483491500_ref025","first-page":"1","article-title":"Home is safer than the cloud!: Privacy concerns for consumer cloud storage","year":"2011"},{"issue":"6","key":"key2020120620483491500_ref026","first-page":"872","article-title":"Integrating cloud computing in supply chain processes: a comprehensive literature review","volume":"28","year":"2016","journal-title":"Journal of Enterprise Information Management"},{"issue":"161","key":"key2020120620483491500_ref027","first-page":"161","article-title":"Understanding socio-technical impacts arising from software-as-a-service usage in companies","volume":"58","year":"2016","journal-title":"Business & Information Systems Engineering"},{"key":"key2020120620483491500_ref028","first-page":"1","article-title":"An evolution of morphological analysis applications in systems engineering","year":"2010"},{"key":"key2020120620483491500_ref029","first-page":"1","article-title":"The rise and fall of a shadow system: lessons for enterprise system implementation","year":"2004"},{"key":"key2020120620483491500_ref030","first-page":"19","article-title":"The upside of shadow IT","year":"2012"},{"issue":"6","key":"key2020120620483491500_ref031","doi-asserted-by":"crossref","first-page":"363","DOI":"10.1007\/s12599-015-0387-z","article-title":"Innovation through BYOD? The influence of IT consumerization on individual IT innovation behavior","volume":"57","year":"2015","journal-title":"Business & Information Systems Engineering"},{"key":"key2020120620483491500_ref032","first-page":"441","article-title":"Digital natives and mobile phones: a survey of practices and attitudes about privacy and security","volume-title":"2010 IEEE International Symposium on Technology and Society, IEEE","year":"2010"},{"key":"key2020120620483491500_ref033","unstructured":"Mcfedries, P. (2012), \u201cCloud computing: beyond the hype\u201d, HP Technology Series, HP Press, San Francisco, CA."},{"key":"key2020120620483491500_ref034","first-page":"466","article-title":"Understanding the cloud computing ecosystem: results from a quantitative content analysis","year":"2011"},{"key":"key2020120620483491500_ref035","first-page":"1","article-title":"The NIST definition of cloud computing","year":"2011"},{"issue":"1","key":"key2020120620483491500_ref036","doi-asserted-by":"crossref","first-page":"1","DOI":"10.2307\/20721412","article-title":"Information systems innovation for environmental sustainability","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020120620483491500_ref037","unstructured":"Meuser, M. and Nagel, U. (2008), \u201cExpertInneninterview: Zur Rekonstruktion spezialisierten Sonderwissens (expert interviews: for reconstructing special knowledge)\u201d, in Becker, R. and Kortendiek, B. (Eds), Handbuch Frauen-und Geschlechterforschung SE \u2013 43, VS Verlag f\u00fcr Sozialwissenschaften, Wiesbaden, pp. 368-371."},{"issue":"4","key":"key2020120620483491500_ref038","doi-asserted-by":"crossref","first-page":"379","DOI":"10.1037\/0003-066X.38.4.379","article-title":"In defense of external invalidity","volume":"38","year":"1983","journal-title":"American Psychologist"},{"key":"key2020120620483491500_ref039","first-page":"851","article-title":"Benefits of cloud computing: literature review in a maturity model perspective","volume":"37","year":"2015","journal-title":"Communications of the Association for Information Systems"},{"key":"key2020120620483491500_ref040","first-page":"357","article-title":"The impact of shadow IT systems on perceived information credibility and managerial decision making","volume":"305","year":"2015","journal-title":"Information Sciences"},{"key":"key2020120620483491500_ref041","article-title":"The need for enterprise-grade file sharing and synchronization","author":"Osterman Research","year":"2012"},{"key":"key2020120620483491500_ref042","unstructured":"Raden, N. (2005a), \u201cShedding light on shadow IT: is excel running your business?\u201d, Hired Brains, Inc., available at: http:\/\/dssresources.com\/papers\/features\/raden\/raden02262005.html (accessed December 7, 2013)."},{"key":"key2020120620483491500_ref043","first-page":"3","article-title":"Shadow IT: a lesson for BI","year":"2005","journal-title":"Information Management"},{"key":"key2020120620483491500_ref044","first-page":"1023","article-title":"Shadow IT evaluation model","year":"2012"},{"key":"key2020120620483491500_ref045","first-page":"98","article-title":"Shadow IT management and control of unofficial IT","year":"2012"},{"key":"key2020120620483491500_ref046","volume-title":"Cloud Computing: Implementation, Management, and Security","year":"2009"},{"key":"key2020120620483491500_ref047","first-page":"371","article-title":"Informal eCollaboration channels: shedding light on \u2018Shadow CIT\u2019","year":"2008"},{"key":"key2020120620483491500_ref048","doi-asserted-by":"crossref","first-page":"274","DOI":"10.1016\/j.cose.2014.06.007","article-title":"Shadow IT \u2013 a view from behind the curtain","volume":"45","year":"2014","journal-title":"Computers and Security"},{"key":"key2020120620483491500_ref049","first-page":"1","article-title":"Factors influencing non-compliance behavior towards information security policies","year":"2012"},{"issue":"7-8","key":"key2020120620483491500_ref050","doi-asserted-by":"crossref","first-page":"334","DOI":"10.1016\/j.im.2012.06.004","article-title":"New insights into the problem of software piracy: the effects of neutralization, shame, and moral beliefs","volume":"49","year":"2012","journal-title":"Information & Management"},{"key":"key2020120620483491500_ref051","unstructured":"Spafford, B.G. (2004), \u201cThe dangers that lurk behind shadow IT\u201d, Datamation, February, available at: www.datamation.com\/career\/article.php\/3308481\/The-Dangers-that-Lurk-Behind-Shadow-IT.htm (accessed June 5, 2013)."},{"issue":"4","key":"key2020120620483491500_ref052","doi-asserted-by":"crossref","first-page":"9:1","DOI":"10.1147\/JRD.2016.2569858","article-title":"Passive security intelligence to analyze the security risks of mobile\/BYOD activities","volume":"60","year":"2016","journal-title":"IBM Journal of Research and Development"},{"key":"key2020120620483491500_ref053","first-page":"132","article-title":"Shining the light on shadow staff. Understanding and Minimizing Hidden Staff Costs","author":"Strategy&","year":"2003"},{"key":"key2020120620483491500_ref054","unstructured":"Teddlie, C. and Tashakkori, A. (2003), \u201cMajor issues and controversies in the use of mixed methods in the social and behavioral sciences\u201d, in Tashakkor, A. and Teddlie, C. (Eds), Handbook of Mixed Methods in Social and Behavioral Research, Sage Publications, Thousand Oaks, CA, pp. 3-50."},{"key":"key2020120620483491500_ref055","volume-title":"Foundations of Mixed Methods Research","year":"2009"},{"key":"key2020120620483491500_ref056","first-page":"1","article-title":"Green icts? Awareness and adoption: a case study of university freshmen in Thailand","year":"2012"},{"key":"key2020120620483491500_ref057","first-page":"32","article-title":"Tracking down rogue IT","year":"2012","journal-title":"Security Manager\u2019s Journal"},{"key":"key2020120620483491500_ref058","unstructured":"Varonis (2013), \u201cBring your own demise\u201d, Research paper, pp. 1-14, available at: https:\/\/info.varonis.com\/bring-your-own-demise-report"},{"issue":"1","key":"key2020120620483491500_ref059","doi-asserted-by":"crossref","first-page":"21","DOI":"10.25300\/MISQ\/2013\/37.1.02","article-title":"Bridging the qualitative-quantitative divide: guidelines for conducting mixed methods research in information systems","volume":"37","year":"2013","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020120620483491500_ref060","doi-asserted-by":"crossref","first-page":"21","DOI":"10.25300\/MISQ\/2013\/37.1.02","article-title":"Bridging the qualitative-quantitative divide: guidelines for conducting mixed methods research in information systems","volume":"37","year":"2013","journal-title":"MIS Quarterly"},{"issue":"4","key":"key2020120620483491500_ref061","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1353-4858(13)70049-7","article-title":"Bringing IT out of the shadows","volume":"2013","year":"2013","journal-title":"Network Security"},{"key":"key2020120620483491500_ref062","unstructured":"Webster, J. and Watson, R.T. (2002), \u201cAnalyzing the past to prepare for the future: writing a literature review\u201d, in Jonas, W. and Crawford, C. (Eds), MIS Quarterly, Vol. 26 No. 2, pp. 13-23."},{"issue":"4","key":"key2020120620483491500_ref063","doi-asserted-by":"crossref","first-page":"280","DOI":"10.1007\/s11576-007-0064-z","article-title":"Forschungsmethoden der Wirtschaftsinformatik Eine empirische Untersuchung (research methods in information systems research: an empirical study)","volume":"49","year":"2007","journal-title":"Wirtschaftsinformatik"},{"key":"key2020120620483491500_ref064","unstructured":"Worthen, B. (2007), \u201cUser management \u2013 users who know too much and the CIOs who fear them\u201d, available at: www.cio.com\/article\/28821\/User_Management_Users_Who_Know_Too_Much_and_the_CIOs_Who_Fear_Them_ (accessed June 5, 2013)."},{"key":"key2020120620483491500_ref065","first-page":"1","article-title":"Towards a process model for computer-supported collaborative morphological analysis","year":"2015"},{"key":"key2020120620483491500_ref066","first-page":"1","article-title":"On the emergence of shadow IT \u2013 a transaction cost-based approach","year":"2014"},{"key":"key2020120620483491500_ref067","first-page":"1","article-title":"Managing shadow IT instances \u2013 a method to control autonomous IT solutions in the business departments","year":"2014"},{"key":"key2020120620483491500_ref068","volume-title":"Entdecken, Erfinden, Forschen im Morphologischen Weltbild (Discovering, Inventing, Researching in the Morphological Picture of the World)","year":"1966"}],"container-title":["Journal of Enterprise Information Management"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/JEIM-07-2015-0066\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/JEIM-07-2015-0066\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T22:31:40Z","timestamp":1753396300000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/jeim\/article\/30\/4\/644-665\/198104"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,10]]},"references-count":68,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,7,10]]}},"alternative-id":["10.1108\/JEIM-07-2015-0066"],"URL":"https:\/\/doi.org\/10.1108\/jeim-07-2015-0066","relation":{},"ISSN":["1741-0398"],"issn-type":[{"value":"1741-0398","type":"print"}],"subject":[],"published":{"date-parts":[[2017,7,10]]}}}