Rethinking Shadow IT and Cybersecurity: A Study on Employees Behaviour in Storing Data on Company-Approved Software

Storing sensitive data on unapproved hardware, software, and services, such as Dropbox or Google Drive, happens frequently despite the associated security risks. This phenomenon is called Shadow IT. 

Shadow IT behaviour poses significant security risks because sensitive data is stored in unsafe locations. At the same time, organisations lack sufficient methods to monitor and manage these risks.

Objective

This research aims to develop a long-term behavioural intervention, based on Mechanisms of Action, for employees' shadow IT behaviours. Additionally, this project aims to closely connect and mutually reinforce the scientific fields of behavioural change and cybersecurity.

This leads to the research question: Which Mechanisms (of Action) can (C)ISOs use to increase data storage on company-approved software over the long term? 

Results

  • Establish a multidisciplinary shadow IT framework of the influencing factors of Shadow IT Behaviour and the accompanying Mechanisms of Action. 
  • Create a ranked list of clusters of Mechanisms of Action based on long-term effect, implementability and maintainability. 
  • Develop and validate technical and non-technical measurement tools and an evidence-based behavioural intervention to determine and increase the amount of data storage outside of company-approved software. 

Duration

01 September 2024 - 02 February 2029

Approach

The literature review will analyse the driving factors behind shadow IT behaviours and connect them with mechanisms of action. Utilising the nominal group technique, CISOs and behavioural cybersecurity experts will cluster and rank these mechanisms. The longitudinal study will then develop technical measurement tools, which use log data, and non-technical measurement tools, both based on the mechanisms used in the intervention. The longitudinal study will be conducted over three months, encompassing a control, benchmark, and intervention group.

Do you see yourself in one of these roles?

The PhD trajectory is expected to run from September 1, 2024, to February 2, 2029. During this period, we are continuously looking for partners. 

During the PhD trajectory, we are looking for: 

  • CISOs to discuss which mechanisms influence the increase of data storage on company-approved software. 
  • Behavioural cybersecurity change experts to discuss which mechanisms influence the increase of data storage on company-approved software. 
  • Companies that want to increase data storage by employees on company-approved software. 

If you see yourself in one or more of these roles, feel free to reach out! Do you have a unique perspective that we have overlooked? Reach out as well! See the contact details at the bottom of the page.

"This is an excellent research proposal that is highly relevant both scientifically and practically."

HU-grant reviewers

Relevance/impact

Practice and scientific: 

  • The interdisciplinary framework of shadow IT allows future researchers to contextualise their mono-disciplinary studies. It also offers (C)ISOs and other practitioners involved in achieving compliance a clearer view of the complex decision-making process involved with shadow IT behaviours.
  • The approach used for clustering the Mechanisms of Action (MoAs) provides a basis for replication and refinement for both practitioners and researchers. 
  • The technical measurements provide researchers and practitioners with a method to quantify shadow IT behaviour, and the intervention provides (C)ISOs and other practitioners with an evidence-based behavioural intervention to increase data storage on company-approved software.

Education: 

  • The knowledge generated by this research will be embedded in the HU Master Digital Security. Additionally, it will be primarily made available through publications in trade outlets, such as ISACA and OWASP, and in scientific journals. Finally, insights will also be shared through a LinkedIn Newsletter.

Want to know more or collaborate?