SURF Security & Privacy Conference 2026

Exploring Shadow IT in the Digital Ecosystem: Occurrences, Mindsets, and Measurement
2026-06-25, Session 4
Language: English

The digital ecosystem provides vast opportunities to get things done in work and education. At the same time, the growing number of hardware, software, and services used without explicit approval or knowledge of the organisation, commonly referred to as shadow IT, creates new attack vectors and challenges cybersecurity management. This talk combines findings from three studies that explore shadow IT occurrences, influencing factors, and attitudes in higher education and corporate contexts.

Interviews with IT and security experts at higher education institutions provide a comprehensive overview of observed shadow IT types and related cyber threats, with cloud services and self-acquired or self-developed software as the most common forms. A mixed-methods study in a corporate setting uncovers different types of shadow IT and reveals a variety of mindsets towards its use, alongside an awareness–action gap between perceived risks and behavior. Finally, we introduce a newly developed assessment tool that identifies eight components of shadow IT attitudes and demonstrates meaningful associations with shadow IT behaviors. Together, these findings contribute to understanding the human aspects of security and inform responsible governance practices.


Shadow IT, the use of unauthorized IT in the workplace, is widespread across organizations and takes various forms. While shadow IT provides flexibility and supports researchers, educators, and employees in getting their work done, it creates new attack vectors and challenges for cybersecurity management and IT administrators. In this talk, we will combine the results of several research studies.

The first study in this series was conducted in collaboration with SURF and focused on higher education institutions. Based on semi-structured interviews with IT and security experts, the results provide a comprehensive overview of observed shadow IT types and related cyber threats. Cloud services, as well as self-acquired and self-produced software, emerged as the most common forms of shadow IT. The main cybersecurity threats stem from outdated software and the organisation's lack of visibility into that software. Beyond mapping occurrences and threats, this study opened a broader research line on shadow IT and human factors, shifting attention toward stakeholder needs, perceptions, and practices in complex digital ecosystems.

Building on this foundation, the second study employed a mixed-methods approach in a corporate context, consisting of a survey with 450 responses and follow-up interviews with 32 employees. The findings uncover different types of shadow IT mindsets. Participants often employed a combination of these mindsets. Despite awareness of significant risks, gaps exist in acting upon this awareness, resulting in an awareness–action gap.

Finally, the talk introduces a newly developed assessment tool based on previous work on shadow IT mindsets. Component analysis identified an eight-component structure with meaningful associations with shadow IT behaviors, particularly the use of self-built applications. These results suggest that usage patterns operate along functional dimensions rather than purely risk-based orientations.

Dr. Kate Labunets is an Assistant Professor at Utrecht University and co-chair and founding member of the ACCSS Working Group on Human Factors in Cyber Security. Her research focuses on human factors in cybersecurity, usability of security mechanisms, and security behaviour. The goal of her research is to make security decisions and practices more effective, evidence-based, and user-centred. Kate has delivered invited talks across academia, industry, and policy, including USENIX Security, ICT.Open, VERSEN SENSymposium, and BEREC’s Stakeholder Forum, and was a keynote speaker at OWASP Global AppSec EU 2025 in Barcelona.