Towards a Taxonomy for Shadow IT

4 downloads 50080 Views 263KB Size Report
Consumerization and Cloud Computing it has been growing rapidly in the recent past ..... personal mobile devices for work, development of spreadsheet applications or ..... “Shadow IT Systems: Discerning the Good and the Evil,” in ECIS 2014.
Americas Conference on Information Systems

Towards a Taxonomy for Shadow IT

Journal: Manuscript ID Submission Type:

Track:

Abstract:

22nd Americas Conference on Information Systems AMCIS-0258-2016.R1 Regular (Complete) Paper User-driven IT: consumerization, BYOD & consumers as end-users < Enduser Information Systems, Innovation, and Organizational Change (SIGOSRA) In a comprehensive literature review, we identified 21 different terms used for Shadow IT related concepts. This variety makes it difficult to identify related research and build upon it. To address this ambiguity, we reduce the different terms to six distinct concepts by developing a taxonomy and examining their relation¬ships. We do so by using a rigorous iterative methodology to identify common characteristics and to classify terms along them. By clustering the results, we derive and visualize the taxonomy. The identified concepts are Feral Practices, Workarounds, Shadow IT, Shadow Systems, Un-enacted Projects, and Shadow Sourcing. We elaborate on the concepts along their characteristics and clearly define and delimit them. As a result, we create a guide for their usage, increase search- and comparability, and unify existing knowledge.

Page 1 of 10

Americas Conference on Information Systems

Towards a Taxonomy for Shadow IT

Towards a Taxonomy for Shadow IT Full Paper

Andreas Kopper TU Dresden [email protected]

Markus Westner OTH Regensburg [email protected]

Abstract In a comprehensive literature review, we identified 21 different terms used for Shadow IT related concepts. This variety makes it difficult to identify related research and build upon it. To address this ambiguity, we reduce the different terms to six distinct concepts by developing a taxonomy and examining their relationships. We do so by using a rigorous iterative methodology to identify common characteristics and to classify terms along them. By clustering the results, we derive and visualize the taxonomy. The identified concepts are Feral Practices, Workarounds, Shadow IT, Shadow Systems, Un-enacted Projects, and Shadow Sourcing. We elaborate on the concepts along their characteristics and clearly define and delimit them. As a result, we create a guide for their usage, increase search- and comparability, and unify existing knowledge.

Keywords Shadow IT, Shadow Systems, Shadow Sourcing, Feral Practices, Workarounds, taxonomy, terminology.

Introduction Software, hardware, and IT service processes which are deployed autonomously within business departments without the involvement of the organizational IT department (Haag and Eckhardt 2014a; Zimmermann and Rentrop 2014) can be considered as Shadow IT. Therefore, IT departments usually do not know about instances of Shadow IT (Rentrop and Zimmermann 2012b). Examples of Shadow IT include the usage of unsanctioned desktop applications, spreadsheet solutions, personal public cloud services, or mobile devices. Negative aspects of the phenomenon such as security, compliance, and efficiency issues as well as positive ones such as faster technical innovation and flexibility are recognized in literature (Kopper and Westner 2016). Estimations indicate a large extent of dissemination of the phenomenon in organizations (Chua et al. 2014; Walters 2013; Zimmermann and Rentrop 2014). Due to trends such as Consumerization and Cloud Computing it has been growing rapidly in the recent past and it is expected to do so even further (Gartner 2014; Silic and Back 2014). Despite growing significance of the topic, researchers use many different terms for similar concepts around Shadow IT or they use the same terms to describe different concepts. This leads to scattered contributions and makes it difficult to identify and build upon previous work in the field (Šmite et al. 2014). By building on our previous comprehensive literature review (Kopper and Westner 2016) we identified 21 different terms used for Shadow IT related concepts (Figure 5). This paper addresses the ambiguity of Shadow IT terms. To reduce the underlying complexity we aggregate the different terms into concepts based on their shared characteristics by creating a taxonomy for Shadow IT (Hanelt et al. 2015). This enables us to study the relationships among the abstract concepts and contributes to future research by increasing understandability and transferability of knowledge (Šmite et al. 2014) about Shadow IT. Taxonomies as a method thereby are well recognized in information systems (IS) research to provide structure and organization of knowledge about a topic (Nickerson et al. 2013). In the following sections, we describe our methodology, present the resulting taxonomy and explain each of the identified concepts before concluding our research.

Methodology Taxonomies describe relationships between terms and represent hierarchical classifications of a topic or area (Šmite et al. 2014). They originate from biology but are increasingly used in IS and other disciplines

Twenty-second Americas Conference on Information Systems, San Diego, 2016

1

Americas Conference on Information Systems

Page 2 of 10

Towards a Taxonomy for Shadow IT

(Geiger et al. 2011; Šmite et al. 2014). They are largely developed ad hoc without a conceptual, theoretical, or empirical foundation (Nickerson et al. 2013). To follow a reliable and valid process, we build on the taxonomy development method proposed by Nickerson et al. (2013) (Figure 1). A Ex. Research Get resources

B Extraction

2 Conduct LitRev, 1 identify relevant resources

C Taxonomy Derive taxonomy and visualize results

Build dimensions and code resources Identify (new) subset of resources and their terms

N

Ending cond. met?

Y

3 Dimension 1

Cluster terms to 5 concepts based on results

Identify common 3 characteristics, (re)group them into dimensions

Derive taxonomy 6 matrix

(Re)code 4 resources along dimensions

7

Visualize taxonomy

Term 2 1

Concept Charact. 1 Charact. 2

Res. 1

A1

A

Res. 2

A2

A





Res. n

Z

5



4

X X …

Z 6

A Z

… X

X X

Figure 1. Taxonomy development method adapted from Nickerson et al. (2013), p. 345 As Figure 1 shows, the method by Nickerson et al. is based on the idea of classifying objects into mutually exclusive and collectively exhaustive characteristics using an iterative approach. The figure’s left part represents the taxonomy development process and the right part an illustrative coding table. The original model suggests an empirical-to-conceptual approach if significant data about the objects of interest is available or conceptual-to-empirical if not. Data availability made it possible to use an empirical-toconceptual approach. We preceded with an (1) extensive literature search to identify relevant resources and data related to the domain of interest (Hanelt et al. 2015). We then defined a meta-characteristic our taxonomy should be based on, “Characteristics of Shadow IT related concepts”. After that we (2) identified a subset of the resources, coded each of the primarily used Shadow IT related terms, and (3) identified common characteristics based on the meta-characteristic (Nickerson et al. 2013). In addition to (4) categorizing each resource along the identified characteristics, we also coded relevant definitions or context descriptions that indicate the use of the terms, the context of the study, and general information about the source (Šmite et al. 2014). During multiple iterations of analyzing new subsets of resources, we grouped related characteristics to dimensions, each containing characteristics that are mutually exclusive and collectively exhaustive (Šmite et al. 2014). That means that every resource or term has to be mapped to exactly one characteristic of each dimension. During the process, some characteristics proved to be irrelevant or needed to be regrouped or rearranged. We repeated the iterations until objective (e.g., all objects examined, unique dimensions, at least one object/term per characteristic in every dimension) and subjective ending conditions (i.e., concise, robust, comprehensive, extendible, explanatory) as defined by Nickerson et al. (2013) were met. We then (5) clustered terms to distinct concept groups with similar characteristics based on our classification and coding results. By statistically analyzing the characteristic mappings we (6) derived classifications for the identified concepts, building the taxonomy matrix. Not satisfied with a matrix to represent the end result for a taxonomy, we opted for an (7) ad-hoc visualization approach (Šmite et al. 2014) capable of dealing with the (relatively) small amount of dimensions and intuitive to comprehend.

Results Taxonomy A) Existing Research: Following Bandara et al. (2011), Brocke et al. (2009), and Levy and Ellis (2006) we started with a rigorous literature review as described in our methodology section (step 1). After an adhoc search to identify relevant keywords we queried databases commonly used for IS specific research (ABI/INFORM, AISeL, Business Source Complete, Emerald Insight, IEEE Xplore, Science Direct) (Bandara et al. 2011). We used the keywords shadow, feral, workaround, un-enacted, unsanctioned, and schatten and combined them with IT, systems, projects, systeme, and projekte to search in title, abstract, keywords, and full text. Also, we limited results to peer-reviewed journal and conference publications with more than five pages, written in English or German, and published between January 2000 and January 2016. After a backward/forward reference and backward/forward author search (Levy and Ellis 2006) we ended up with

Twenty-second Americas Conference on Information Systems, San Diego, 2016

2

Page 3 of 10

Americas Conference on Information Systems

Towards a Taxonomy for Shadow IT

58 different resources after deduplication, thereof 20 journal and 38 conference articles. Figure 5 (appendix) shows the full list of identified resources including coding results from the next section. We could not identify any publication about an overarching taxonomy of Shadow IT related concepts. However, authors usually acknowledge that there are alternative terms and concepts in the field. Only one publication suggests a taxonomy for one of the identified concepts “Un-enacted projects” (Buchwald and Urbach 2012). B) Extraction: Following the process outlined in our methodology section we identified the primary Shadow IT related term of each resource (step 2), iteratively identified common characteristics and grouped them into dimensions (step 3). After regrouping, adding, and removing characteristics multiple times we ended up with five dimensions and ten characteristics in total (Figure 2). Figure 5 (appendix) shows the final mapping of each resource to the characteristics (step 4). While mapping was possible unambiguously for most of the resources based on their contents, we made a logical deduction for resources lacking explicit information (i.e., we inferred the possibility of both shadow and official infrastructure if not defined but possible in the context). Dimension Characteristic Unofficial IT Novelty Misuse of official IT Creation Perspective Outcome Devices Artifact Applications Infrastructure Scale

Shadow infrastructure Official infrastructure Group Individual

Description Unofficial IT artifacts are created or exist in addition to the officially mandated IT Existing corporate systems used in a way not consistent with their design or official rules Lexical choice for the concept focuses on the creation/development of an artifact Lexical choice for the concept focuses on artifacts/deliveries Objects of observation include devices or hardware in general Objects of observation include applications/services or software in general Artifacts are deployed on unofficial infrastructure within the corporate network (e.g. on unofficial server) or outside (e.g. unapproved IaaS/PaaS/SaaS) or represent shadow infrastructure themselves (e.g. private mobile devices, servers, etc.) Artifacts are deployed on official servers within the corporate network or on approved IaaS/PaaS Single occurrence created or used by larger group (e.g. developer team) or even a whole business unit of an organization Single occurrence created or used by one or only few individuals/users/employees

Figure 2. Identified dimensions and characteristics C) Final Taxonomy: Building on the previous coding results, we clustered the terms into six distinct concepts and derived their characteristics based on the mappings (Figure 3). The mapping was clear in all of the cases but one where we decided for Shadow Systems to map to “Group & individual” for logical reasons.

Concept Feral Practices Workarounds Shadow IT Shadow Systems Un-enacted Projects Shadow Sourcing

Perspective

Artifact

Infrastructure

Scale

U no ffi ci a M is u l IT se o U no f of fi c ff. i Cr IT & al I T ea tio mis us n O e ut co m e Cr ea tio n D & ev ou ic tc es om Ap e pl ic at D io ev ns ice s& Sh ap ad pl ow ic a O i n ffi fra tion ci s s al tr uc in Sh tu ad fra r st ow ru e ct Gr & ur of ou e fic p ia In li nf di r. vi du G al ro up & in di vi du al

Novelty

X

X

X X X X X

X X X X X

X

X

X

X X

X X X

X X

X X X X

X X X X

Figure 3. Taxonomy matrix We created an ad-hoc visual representation of the taxonomy matrix for a more intuitive comprehension (Figure 4). As we identified some of the concepts as subtypes of others, we also ordered them hierarchically. In the following section, we describe every identified concept beginning with a short explanation, alternative terms, and a representative definition along with their characteristics as shown in Figure 4.

Concepts Feral Practices is an overarching concept which subsumes all other Shadow IT related concepts. Literature on that abstract level is sparse and uses inconsistent terms to describe very similar ideas such as Organizational IT Standards Deviation or IS Portfolio Drift. Thatte et al. (2012) define Feral Practices as “the usage of information technology which deviates from the standard organizational norms and which exists beyond the control and/or knowledge of the organizational IT management” (p. 1). Deriving the term from the term Feral IT, it enables Thatte et al. (2012) not only to focus on technical artifacts and usage behaviors (outcome) but also on end user perceptions that trigger their creation.

Twenty-second Americas Conference on Information Systems, San Diego, 2016

3

Americas Conference on Information Systems

Page 4 of 10

Towards a Taxonomy for Shadow IT

In a similar way, Feral Practices also characterize both unofficial IT introduced in addition to official IT (Shadow IT) as well as usage of existing official IT in a feral or unintended manner (Workarounds) (Dittes et al. 2015; Singh 2015; Thatte et al. 2012). As a consequence, the concept covers IT residing outside (shadow) and inside the organizational (non-shadow) IT infrastructure (Thatte et al. 2012) as characterized in organizational infrastructure standards (Dittes et al. 2015). The boundaries between those two become blurred when not only unofficial software but also hardware artifacts are introduced to the organizational infrastructure triggered by trends such as Consumerization of IT or Bring Your Own Device (BYOD) (Thatte et al. 2012). Feral Practices can arise from both individuals and groups (Singh 2015; Thatte et al. 2012) violating organizational IT standards (Dittes et al. 2015). Unofficial IT & misuse Creation & outcome Devices & Misuse of official IT applications Outcome

Unofficial IT Shadow IT (36%) Shadow Systems (27%)

Applications

Group & individual

Creation

Characteristic Characteristic

Un-enacted Projects (9%)

Workarounds (14%) Official infrastructure

Concept (% of literature identified using concept)

Feral Practices (5%)

Shadow Sourcing (9%) Shadow & official infrastructure

Individual

Shadow infrastructure

Figure 4. Taxonomy Workarounds primarily focus on the anomalous (mis-)use of existing systems (Bijan Azad 2012) to overcome constraints of these systems which prevent users from completing work task (Huuskonen and Vakkari 2013). They are created as temporal solutions but can also lead to longer term changes (Alter 2014). Alter (2014) defines a Workaround as “a goal-driven adaptation, improvisation, or other change to one or more aspects of an existing work system in order to overcome, bypass, or minimize the impact of obstacles, exceptions, anomalies, mishaps, established practices, management expectations, or structural constraints that are perceived as preventing that work system or its participants from achieving a desired level of efficiency, effectiveness, or other organizational or personal goals” (p. 1044). A common theme in literature is the occurrence of Workarounds after implementations of large information systems such as ERP systems. These officially mandated systems are usually designed to establish formalized processes (Röder et al. 2014) but face resistance if users deem the system inadequate to use for their work (Silva and Fulk 2012). Workarounds are used to circumvent rigid work processes of the systems (Boudreau and Robey 2005) to better fit them to the real context of use (Huuskonen and Vakkari 2013). The focus on small adaptations (Huuskonen and Vakkari 2013) to official information systems implies that the concept of Workarounds is generally centered around applications deployed on official infrastructure. We also recognize Workarounds as a phenomenon primarily appearing on a small scale individual level (Boudreau and Robey 2005; Huuskonen and Vakkari 2013), not requiring large resources or skills for development. Even if carried out by individuals, Workarounds may be tolerated (Röder et al. 2014) or even supported by the local managers (Davison and Ou 2015). Shadow IT is the most widely used concept by researchers and it describes unofficial supplements to the official IT portfolio (Rentrop and Zimmermann 2012b). Zimmermann and Rentrop (2014) define Shadow IT as “process supporting IT systems, IT service processes, and IT staff which are deployed autonomously within business departments and by IT users. Thereby, Shadow IT entities are involved neither technically nor strategically in the IT service management of the organization, and therefore, neither included in the asset and configuration management nor in the service portfolio" (p. 3). Creators of Shadow IT primarily see it as a way to enhance work performance even if that means a violation of organizational IT norms (Györy et al. 2012; Haag and Eckhardt 2014a). Shadow IT may create opportunities for increased flexibility and innovation but also imposes security, compliance, or efficiency risks (Zimmermann et al. 2014). The phenomenon gained more attention in recent years due to the increasing consumerization of technology (Ortbach 2015). Employees are using their privately-owned mobile devices for work,

Twenty-second Americas Conference on Information Systems, San Diego, 2016

4

Page 5 of 10

Americas Conference on Information Systems

Towards a Taxonomy for Shadow IT

substituting company phones without their firm’s agreement (Gaß et al. 2015; Györy et al. 2012; Klesel et al. 2015; Ortbach 2015) and also bring along their self-developed or privately procured apps to the organizational environment (Beimborn and Palitza 2013; Gozman and Willcocks 2015). Additionally, cloud-based delivery models enable easy access to personal IT resources in organizational environments (Andriole 2015) which can be used independently of location or device (Walterbusch 2014). Shadow IT artifacts may include devices, applications, or services (Gaß et al. 2015; Rentrop and Zimmermann 2012a; Silic and Back 2014; Walters 2013). Unofficial devices introduced to the organizational infrastructure can be, e.g., personal mobile phones, self-procured notebooks, servers, network routers, printers (Rentrop and Zimmermann 2012b), or other peripherals (Haag and Eckhardt 2014a). Unofficial applications can occur as on-premise applications from small spreadsheet solutions to large ERP systems (Kretzer and Maedche 2014; Silic and Back 2014) or on-demand cloud services in a similarly broad range of scale (Haag and Eckhardt 2014a). These instances may be (self-)developed or procured (purchased or free of charge) (Haag and Eckhardt 2014a; Rentrop and Zimmermann 2012b). Some Shadow IT occurrences are usually driven by individual employees on a small scale, such as usage of personal mobile devices for work, development of spreadsheet applications or sourcing of (consumer) cloud solutions (Gozman and Willcocks 2015; Haag and Eckhardt 2015; Ortbach 2015). However, also functional managers adopt and use unofficial IT (Haag and Eckhardt 2014a; Walterbusch 2014). Also whole business units can deploy Shadow IT on a large scale without the involvement of the corporate IT department (Györy et al. 2012; Zimmermann et al. 2014). Development can occur by groups of internal professionals or external developers/vendors accountable to the business unit (Andriole 2015). In extreme cases, cloudenabled vendors could substitute the official IT department and assume development of cloud-enabled applications, including maintenance and operation of the infrastructure (Chua et al. 2014). The concept Shadow Systems shares many similarities with Shadow IT but describes a smaller subset mainly focusing on small unofficial applications supplementing large corporate (ERP) systems and also large shadow systems built to substitute official ERP or enterprise systems in general (Behrens 2009; Haag et al. 2015; Huber et al. 2016; Houghton and Kerr 2006; Jones et al. 2004; Kretzer 2015; Spierings 2012). Alternative terms include Workaround Systems and Feral Systems. Following Kerr et al.’s (2007) definition of Feral Systems, a Shadow System can be defined as “an information system that is developed by individuals or groups of employees to help them with their work, but is not condoned by management nor is part of the corporation’s accepted information technology infrastructure. Its development is designed to circumvent existing organizational information systems” (p. 142). Shadow Systems are different from Workarounds as their purpose is to permanently circumvent generally functional systems in comparison to temporarily bypassing a recognized problem in a system without development efforts (Kerr et al. 2007). The majority of resources using the concept Shadow Systems do so in an ERP (post) implementation context (Tambo and Bækgaard 2013). Though one of the design goals of enterprise systems is to centralize scattered information stored in spreadsheets or local databases and standardize business processes, users resist these efforts by sticking to their familiar systems or react by introducing new ones that better fit their individual needs (Bob-Jones et al. 2008; Kerr et al. 2007; Spierings 2012). Reasons for this resistance are deficiencies of the formal, often complex systems (Behrens 2009; Fürstenau and Rothe 2014; Kerr et al. 2007; Lyytinen and Newman 2015; Tambo and Bækgaard 2013), missing flexibility to adapt the standardized, rigid systems (Houghton and Kerr 2006; Jones et al. 2004), and long implementation cycles often caused by heavyweight waterfall models (Kretzer 2015; Tambo and Bækgaard 2013) where lead times for changes can be up to 6 months (Behrens and Sedera 2004). Shadow Systems can be beneficial by meeting individual needs (Behrens and Sedera 2004) and providing an opportunity for low-cost innovation and rapid response to changing business requirements (Tambo and Bækgaard 2013). However, due to the typically disintegrated nature of Shadow Systems they can create redundant workload, data integrity and quality problems (Behrens and Sedera 2004; Tambo and Bækgaard 2013) such as inaccurate forecasts from business analytics tools (Kerr and Houghton 2008). The described artifacts of Shadow Systems focus only on applications and do not specifically distinguish between shadow and non-shadow infrastructure. We therefore consider both possibilities. Shadow Systems are largely represented by small individually developed (Excel) spreadsheet or (Access) database solutions

Twenty-second Americas Conference on Information Systems, San Diego, 2016

5

Americas Conference on Information Systems

Page 6 of 10

Towards a Taxonomy for Shadow IT

(Berente et al. 2008; Houghton and Kerr 2006; Kerr and Houghton 2008; Kerr et al. 2007) that are “boltedon” to the authorized (ERP) systems (Bob-Jones et al. 2008; Lyytinen and Newman 2015). Other examples include unofficial project management tools (Berente et al. 2008), small individually developed applications automating users’ tasks (Spierings 2012) and VBA solutions for prototyping (Ebeling et al. 2013). Many of the mentioned artifacts are small-scale solutions and developed by individual users to increase their own performance (Haag et al. 2015; Jones et al. 2004). However, they can also be large systems which replicate functionality and data of whole ERP systems and need a larger group involved in its development (Jones et al. 2004). Authors recognize that not only individuals but also groups or rather whole business units can be involved in the implementation of Shadow Systems (Behrens and Sedera 2004; Fürstenau and Rothe 2014; Houghton and Kerr 2006; Kerr et al. 2007). Un-enacted Projects are unofficial projects which may deal with the creation of Shadow Systems and/or result in other non-IT related outcomes (Blichfeldt and Eskerod 2008; Buchwald et al. 2014). A similar concept specifically focused on IT artifacts is Covert End User Development (Ferneley 2007). Buchwald and Urbach (2012) define Un-enacted Projects as “unofficial projects that have never been subject to any official evaluation process but do exist, although they are not known to or are included in the project portfolio of a company” (p.2). Although they are a possible source of innovation (Buchwald et al. 2015), they also tie up valuable resources which are then not available for official projects anymore (Blichfeldt and Eskerod 2008; Buchwald and Urbach 2012). The artifacts resulting from Un-enacted Projects can be applications (i.e., Shadow Systems) in an IS context (Ferneley 2007) but can also be changed work procedures in non-IS contexts (Blichfeldt and Eskerod 2008; Buchwald et al. 2015). The resulting Shadow Systems may operate on official infrastructure or separate (shadow) IT infrastructure hidden from corporate IT services (Buchwald et al. 2014). Buchwald and Urbach (2012) developed a taxonomy of Un-enacted Projects including Pilot Studies, Bottom-up Initiatives, Project Finalizations, Strategic Un-enacted Projects, and Executive Level Orders. The scale of such projects can be as small as individual employees engaging (bottom-up) in minor development activities (Buchwald et al. 2014; Buchwald et al. 2015) and assuming the roles of designer, developer, and tester (Ferneley 2007). They can also be smaller projects involving one or more employees including middle managers (Blichfeldt and Eskerod 2008) or even large projects involving stakeholder groups from both inside and outside the organization covertly developing Shadow Systems (Ferneley 2007). Shadow Sourcing deals with the introduction of unofficial public cloud products/services to the corporate environment. Alternative terms for that concept include Personal Cloud Adoption (Ahuja and Gallupe 2015), End-user Designed Cloud Computing (Hetzenecker et al. 2012) and Stealth Adoption of SaaS (Zainuddin 2012). Haag and Eckhardt (2014b) define Shadow Sourcing as “the employee-driven unapproved usage of public, third party […] services at the workplace to substitute or complement the organizational information systems or services that are approved and centrally managed by the IT department” (p. 3). Due to its wording we consider Shadow Sourcing to be a subtype of Un-enacted Projects (creation of unofficial IT). Such projects are usually considerably smaller in scale as also people without development skills are able to deploy IT services (Hetzenecker et al. 2012). Shadow Sourcing can provide access to unofficial cloud services outside of the corporate firewall (Ahuja and Gallupe 2015) and can therefore involve shadow infrastructure not in control by the corporate IT department (Haag 2015). The resulting artifacts of Shadow Sourcing are products/services procured from external marketplaces (Ahuja and Gallupe 2015) or simply accessed through browsers, decreasing the role of the specific end device used (Haag 2015). Shadow Sourcing is for the most part seen as a small-scale phenomenon driven independently by individuals (Ahuja and Gallupe 2015; Haag 2015) but also extending to organizational unit managers (Zainuddin 2012) sourcing larger cloud-based information systems.

Conclusion In this paper, we used a taxonomy development method proposed by Nickerson et al. (2013) to classify and show the relationships between Shadow IT related concepts. The overarching concept Feral Practices is the least represented in literature and there are no common terms yet. Although Workarounds are focused on

Twenty-second Americas Conference on Information Systems, San Diego, 2016

6

Page 7 of 10

Americas Conference on Information Systems

Towards a Taxonomy for Shadow IT

usage of official IT not consistent with their design, an overlap with Shadow Systems, focused on additional unofficial IT, can be recognized in some studies. Both of them are often reported in an ERP context and the differences can blur. As we consider Shadow Systems to be a subtype of Shadow IT, they share many characteristics. While Shadow Systems are often reported in the form of small (spreadsheet-based) workaround systems in an ERP context, Shadow IT is more often used in the context of Consumerization, BYOD, and Cloud. As the average year of publication for studies using Shadow Systems (or related terms) is 2010 and for Shadow IT 2014, we hypothesize that the latter is now used to also include more recent trends that drive the phenomenon without being limited to the “systems” aspect. Un-enacted Projects strongly focus on Project Portfolio Management and the development perspective and Shadow Sourcing solely on Cloud services. In our paper, we clearly define and delimit these concepts to reduce term diversity and provide a guide for their usage. To increase searchability and unify research efforts, we therefore motivate future scholars to focus on the most used concept Shadow IT and only use one of the other concepts if their characteristics match the object of investigation. While we based our study on a rigorous and proven taxonomy development method, we cannot assure the general validity of the results (Hanelt et al. 2015). Nickerson et al. (2013) describe the goal to develop “useful” taxonomies as it is not possible to define one “best” version for a field. Also, a taxonomy may be a “moving target” and can change over time (Nickerson et al. 2013). We expect for example the concept Shadow Sourcing, if receiving more academic attention, to develop towards a “group” level scale as we hypothesize that Cloud vendors are increasingly working with business units directly (Zainuddin 2012) on larger systems without the involvement of the IT department. Future researchers may use our documented approach to update, revise, and extend our taxonomy.

References Ahuja, S., and Gallupe, B. 2015. “A Foundation for the Study of Personal Cloud Computing in Organizations,” in AMCIS 2015 Proceedings. Alter, S. 2014. “Theory of Workarounds,” Communications of the ACM (34:1), pp. 1041–1066. Andriole, S. J. 2015. “Who Owns IT?” Communications of the ACM (58:3), pp. 50–57. Bandara, W., Miskon, S., and Fielt, E. 2011. “A Systematic, Tool-Supported Method for Conducting Literature Reviews in Information Systems,” in ECIS 2011 Proceedings. Behrens, S. 2009. “Shadow Systems: The Good, the Bad and the Ugly,” Communications of the ACM (52:2), pp. 124–129. Behrens, S., and Sedera, W. 2004. “Why Do Shadow Systems Exist after an ERP Implementation? Lessons from a Case Study,” in PACIS 2004 Proceedings. Beimborn, D., and Palitza, M. 2013. “Enterprise App Stores for Mobile Applications: Development of a Benefits Framework,” in AMCIS 2013 Proceedings. Berente, N., Yoo, Y., and Lyytinen, K. 2008. “Alignment or Drift? Loose Coupling over Time in NASA's ERP Implementation,” in ICIS 2008 Proceedings. Bijan Azad, N. K. 2012. “Institutionalized Computer Workaround Practices in a Mediterranean Country: An Examination of Two Organizations,” European Journal of Information Systems (21:4), pp. 358– 372. Blichfeldt, B. S., and Eskerod, P. 2008. “Project Portfolio Management: There’s More to It Than What Management Enacts,” International Journal of Project Management (26:4), pp. 357–365. Bob-Jones, B., Newman, M., and Lyytinen, K. 2008. “Picking up the Pieces after A "Successful" Implementation: Networks, Coalitions and ERP Systems,” in AMCIS 2008 Proceedings. Boudreau, M.-C., and Robey, D. 2005. “Enacting Integrated Information Technology: A Human Agency Perspective,” Organization Science (16:1), pp. 3–18. Brocke, J., Simons, A., Niehaves, B., Niehaves, B., Reimer, K., Plattfaut, R., and Cleven, A. 2009. “Reconstructing the Giant: On the Importance of Rigour in Documenting the Literature Search Process,” in ECIS 2009 Proceedings. Buchwald, A., and Urbach, N. 2012. “Exploring the Role of Un-Enacted Projects in IT Project Portfolio Management,” in ICIS 2012 Proceedings. Buchwald, A., Urbach, N., and Ahlemann, F. 2014. “Understanding the Organizational Antecedents of Bottom-up Un-Enacted-Projects,” in ECIS 2014 Proceedings.

Twenty-second Americas Conference on Information Systems, San Diego, 2016

7

Americas Conference on Information Systems

Page 8 of 10

Towards a Taxonomy for Shadow IT

Buchwald, A., Urbach, N., and Mähring, M. 2015. “Understanding Employee Engagement in Un-Official Projects – A Conceptual Model Based on Psychological Empowerment and Constructive Deviance,” in ICIS 2015 Proceedings. Chua, C., Storey, V., and Chen, L. 2014. “Central IT or Shadow IT? Factors Shaping Users’ Decision to Go Rogue with IT,” in ICIS 2014 Proceedings. Davison, R., and Ou, C. 2015. “Subverting Organisational IT Policy: A Case in China,” in AMCIS 2015 Proceedings. Dittes, S., Urbach, N., Ahlemann, F., Smolnik, S., and Müller, T. 2015. “Why Don't You Stick to Them? Understanding Factors Influencing and Counter-Measures to Combat Deviant Behavior Towards Organizational IT Standards,” in Wirtschaftsinformatik Proceedings 2015. Ebeling, B., Köpp, C., and Breitner, M. 2013. “Diskussion eines Prototyps für das dezentrale Management von Forschungsressourcen an deutschen Hochschulinstituten,” in Wirtschaftsinformatik Proceedings 2013. Ferneley, E. H. 2007. “Covert End User Development: A Study of Success,” Journal of Organizational and End User Computing (19:1), pp. 62–71. Fürstenau, D., and Rothe, H. 2014. “Shadow IT Systems: Discerning the Good and the Evil,” in ECIS 2014 Proceedings. Gartner 2014. Embracing and Creating Value from Shadow IT. https://www.gartner.com/technology/reprints.do?id=1-2AG5N3Q&ct=150223&st=sb. Accessed 2 July 2015. Gaß, O., Ortbach, K., Kretzer, M., Maedche, A., and Niehaves, B. 2015. “Conceptualizing Individualization in Information Systems – A Literature Review,” Communications of the Association for Information Systems (37:1), pp. 64–88. Geiger, D., Seedorf, S., Schulze, T., Nickerson, R. C., and Schader, M. 2011. “Managing the Crowd: Towards a Taxonomy of Crowdsourcing Processes,” in AMCIS 2011 Proceedings. Gozman, D., and Willcocks, L. 2015. “Crocodiles in the Regulatory Swamp: Navigating the Dangers of Outsourcing, SaaS and Shadow IT,” in ICIS 2015 Proceedings. Györy, A., Cleven, A., Uebernickel, F., and Brenner, W. 2012. “Exploring the Shadows: IT Governance Approaches to User-Driven Innovation,” in ECIS 2012 Proceedings. Haag, S. 2015. “Appearance of Dark Clouds? An Empirical Analysis of Users' Shadow Sourcing of Cloud Services,” in Wirtschaftsinformatik Proceedings 2015. Haag, S., and Eckhardt, A. 2014a. “Normalizing the Shadows: The Role of Symbolic Models for Individuals’ Shadow IT Usage,” in ICIS 2014 Proceedings. Haag, S., and Eckhardt, A. 2014b. “Sensitizing Employees’ Corporate IS Security Risk Perception,” in ICIS 2014 Proceedings. Haag, S., and Eckhardt, A. 2015. “Justifying Shadow IT Usage,” in PACIS 2015 Proceedings. Haag, S., Eckhardt, A., and Bozoyan, C. 2015. “Are Shadow System Users the Better IS Users? – Insights of a Lab Experiment,” in ICIS 2015 Proceedings. Hanelt, A., Hildebrandt, B., and Polier, J. 2015. “Uncovering the Role of IS in Business Model Innovation - A Taxonomy-Driven Approach to Structure the Field,” in ECIS 2015 Proceedings. Hetzenecker, J., Sprenger, S., Kammerer, S., and Amberg, M. 2012. “The Unperceived Boon and Bane of Cloud Computing: End-User Computing vs. Integration,” in AMCIS 2012 Proceedings. Houghton, L., and Kerr, D. V. 2006. “A Study into the Creation of Feral Information Systems as a Response to an ERP Implementation within the Supply Chain of a Large Government-Owned Corporation,” International Journal of Internet & Enterprise Management (4:2), pp. 135–147. Huber, M., Zimmermann, S., Rentrop, C., and Felden, C. 2016. “The Relation of Shadow Systems and ERP Systems—Insights from a Multiple-Case Study,” Systems (4:1), p. 11. Huuskonen, S., and Vakkari, P. 2013. ““I Did It My Way”: Social Workers as Secondary Designers of a Client Information System,” Information Processing & Management (49:1), pp. 380–391. Jones, D., Behrens, S., Jamieson, K., and Tansley, E. E. 2004. “The Rise and Fall of a Shadow System: Lessons for Enterprise System Implementation,” in ACIS 2004 Proceedings. Kerr, D., and Houghton, L. 2008. “Feral Systems: The Likely Effects on Business Analytics Functions in an Enterprise Resource Planning System Environment,” in ACIS 2008 Proceedings. Kerr, D., Houghton, L., and Burgess, K. 2007. “Power Relationships That Lead to the Development of Feral Systems,” Australasian Journal of Information Systems (14:2), pp. 141–152. Klesel, M., Mokosch, G., and Niehaves, B. 2015. “Putting Flesh on the Duality of Structure: The Case of IT Consumerization,” in AMCIS 2015 Proceedings.

Twenty-second Americas Conference on Information Systems, San Diego, 2016

8

Page 9 of 10

Americas Conference on Information Systems

Towards a Taxonomy for Shadow IT

Koopman, P., and Hoffman, R. R. 2003. “Work-Arounds, Make-Work, and Kludges,” Intelligent Systems, IEEE (18:6), pp. 70–75. Kopper, A., and Westner, M. 2016. “Deriving a Framework for Causes, Consequences, and Governance of Shadow IT from Literature,” in MKWI 2016 Proceedings. Kretzer, M. 2015. “Linking Report Individualization and Report Standardization: A Configurational Perspective,” in ECIS 2015 Proceedings. Kretzer, M., and Maedche, A. 2014. “Generativity of Business Intelligence Platforms: A Research Agenda Guided by Lessons from Shadow IT,” in Proceedings of the MKWI 2014. Levy, Y., and Ellis, T. J. 2006. “A Systems Approach to Conduct an Effective Literature Review in Support of Information Systems Research,” Informing Science: International Journal of an Emerging Transdiscipline (9:1), pp. 181–212. Lyytinen, K., and Newman, M. 2015. “A Tale of Two Coalitions: Marginalising the Users While Successfully Implementing an Enterprise Resource Planning System,” Information Systems Journal (25:2), pp. 71–101. Nickerson, R. C., Varshney, U., and Muntermann, J. 2013. “A Method for Taxonomy Development and Its Application in Information Systems,” European Journal of Information Systems (22:3), pp. 336–359. Ortbach, K. 2015. “Unraveling the Effect of Personal Innovativeness on Bring-Your-Own-Device (BYOD) Intention: The Role of Perceptions Towards Enterprise-Provided and Privately-Owned Technologies,” in ECIS 2015 Proceedings. Rentrop, C., and Zimmermann, S. 2012a. “Shadow IT Evaluation Model,” in FedCSIS 2015 Proceedings. Rentrop, C., and Zimmermann, S. 2012b. “Shadow IT: Management and Control of Unofficial IT,” in ICIS 2012 Proceedings. Röder, N., Wiesche, M., and Schermann, M. 2014. “A Situational Perspective on Workarounds in ItEnabled Business Processes: A Multiple Case Study,” in ECIS 2014 Proceedings. Schalow, P., Winkler, T., Repschlaeger, J., and Zarnekow, R. 2013. “The Blurring Boundaries of WorkRelated and Personal Media Use: A Grounded Theory Study on the Employee's Perspective,” in ECIS 2013 Proceedings. Silic, M., and Back, A. 2014. “Shadow IT: A View from behind the Curtain,” Computers & Security (45), pp. 274–283. Silva, L., and Fulk, H. K. 2012. “From Disruptions to Struggles: Theorizing Power in ERP Implementation Projects,” Information and Organization (22:4), pp. 227–251. Singh, H. 2015. “Emergence and Consequences of Drift in Organizational Information Systems,” in PACIS 2015 Proceedings. Šmite, D., Wohlin, C., Galviņa, Z., and Prikladnicki, R. 2014. “An Empirically Based Terminology and Taxonomy for Global Software Engineering: Empirical Software Engineering,” Empirical Software Engineering (19:1), pp. 105–153. Spierings, A. 2012. “What Drives the End User to Build a Feral Information System?” in ACIS 2012 Proceedings. Tambo, T., and Bækgaard, L. 2013. “Dilemmas in Enterprise Architecture Research and Practice from a Perspective of Feral Information Systems,” in EDOCW 2013 Proceedings. Thatte, S., Grainger, N., and McKay, J. 2012. “Feral Practices,” in ACIS 2012 Proceedings. Walterbusch, M. 2014. “Schatten-IT: Implikationen und Handlungsempfehlungen für Mobile Security,” HMD Praxis der Wirtschaftsinformatik (51:1), pp. 24–33. Walters, R. 2013. “Bringing IT out of the Shadows,” Network Security (2013:4), pp. 5–11. Winkler, T. J., and Brown, C. V. 2013. “Horizontal Allocation of Decision Rights for On-Premise Applications and Software-as-a-Service,” Journal of Management Information Systems (30:3), pp. 13–48. Zainuddin, E. 2012. “Secretly Saas-Ing: Stealth Adoption of Software-as-a-Service from the Embeddedness Perspective,” in ICIS 2012 Proceedings. Zimmermann, S., and Rentrop, C. 2012. “Schatten-IT,” HMD Praxis der Wirtschaftsinformatik (49:6), pp. 60–68. Zimmermann, S., and Rentrop, C. 2014. “On the Emergence of Shadow IT: A Transaction Cost-Based Approach,” in ECIS 2014 Proceedings. Zimmermann, S., Rentrop, C., and Felden, C. 2014. “Managing Shadow IT Instances: A Method to Control Autonomous IT Solutions in the Business Departments,” in AMCIS 2014 Proceedings.

Twenty-second Americas Conference on Information Systems, San Diego, 2016

9

Americas Conference on Information Systems

Page 10 of 10

Towards a Taxonomy for Shadow IT

0

W or ka r ou n ds

Sh a dow IT

A lter 2 0 1 4 W or k a r ou n ds Bija n A za d 2 0 1 2 W or k a r ou n ds Bou dr ea u a n d Robey 2 0 0 5 W or k a r ., Sh a dow Sy s. Da v ison a n d Ou 2 0 1 5 IT policy su bv er sion H u u sk on en a n d V a kka r i 2 0 1 3 W or k a r ou n ds Koopm a n a n d H offm a n 2 0 0 3 W or k a r ou n ds Röder et a l. 2 0 1 4 W or k a r ou n ds Silv a a n d Fu lk 2 0 1 2 W or k a r ., Sh a dow Sy s.

GEN GEN ERP IT ST ERP GEN BPM ERP

A n dr iole 2 0 1 5 Beim bor n a n d Pa lit za 2 0 1 3 Ch u a et a l. 2 0 1 4 Ga ß et a l. 2 0 1 5 Gozm a n a n d W illcocks 2 0 1 5 Gy ör y et a l. 2 0 1 2 H a a g a n d Eckh a r dt 2 0 1 4 a H a a g a n d Eckh a r dt 2 0 1 5 Klesel et a l. 2 0 1 5 Kr etzer a n d Ma edch e 2 0 1 4 Or t ba ch 2 0 1 5 Ren t r op a n d Zim m . 2 0 1 2 a Ren t r op a n d Zim m . 2 0 1 2 b Sch a low et a l. 2 0 1 3 Silic a n d Ba ck 2 0 1 4 W a lter bu sch 2 0 1 4 W a lter s 2 0 1 3 W in kler a n d Br ow n 2 0 1 3 Zim m er m . a n d Ren tr op 2 0 1 2 Zim m er m . a n d Ren tr op 2 0 1 4 Zim m er m a n n et a l. 2 0 1 4

IT G MOB GEN IND CLD IT G,SEC GEN GEN IT C BI MOB IT G IT G IT C GEN CLD, MOB SEC,CLD IT G,CLD IT G IT G IT G

Beh r en s 2 0 0 9 Beh r en s a n d Seder a 2 0 0 4 Ber en t e et a l. 2 0 0 8 Bob-Jon es et a l. 2 0 0 8 Ebelin g et a l. 2 0 1 3 Fü r sten a u a n d Rot h e 2 0 1 4 H a a g et a l. 2 0 1 5 Sh a dow H ou g h t on a n d Ker r 2 0 0 6 H u ber et a l. 2 0 1 6 Sy stem s Jon es et a l. 2 0 0 4 Ker r a n d Hou g h t on 2 0 0 8 Ker r et a l. 2 0 0 7 Kr etzer 2 0 1 5 Ly y tin en a n d New m a n 2 0 1 5 Spier in g s 2 0 1 2 T a m bo a n d Bæ k g a a r d 2 0 1 3

Un en a ct ed Pr ojects

Blich feldt a n d Esker od 2 0 0 8 Bu ch w a ld a n d Ur ba ch 2 0 1 2 Bu ch w a ld et a l. 2 0 1 4 Bu ch w a ld et a l. 2 0 1 5 Fer n eley 2 0 0 7

A h u ja a n d Ga llu pe 2 0 1 5 Haag 2 01 5 Sh a dow H a a g a n d Eckh a r dt 2 0 1 4 b Sou r cin g H etzen eck er et a l. 2 0 1 2 Za in u ddin 2 0 1 2 T ot a l

Sh a dow IT Sh a dow IT Sh a dow IT In div idu a liz. in IS Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT IT Con su m er iza t ion Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT Sh a dow IT

Sh a dow Sy stem s ERP Sh a dow Sy stem s ERP Sh a dow Sy stem s ERP W or k a r . Sy s., Sh . Sy s. ERP Sh a dow Sy stem s PT Sh a dow IT Sy stem s EA Sh a dow Sy stem s GEN Fer a l Sy st em s ERP Sh a dow Sy stem s ERP Sh a dow Sy stem s ERP Fer a l Sy st em s ERP Fer a l Sy st em s ERP,BI W or k a r ou n d Sy st em s BI Sh a dow Sy stem s ERP Fer a l Sy st em s GEN Fer a l In for m a tion Sy s. EA Un -en a ct ed Pr ojects Un -en a ct ed Pr ojects Bott om -u p Un -en . Pr . Un -officia l Pr ojects Cov er t En d User Dev . Per son a l Clou d A dopt . Sh a dow Sou r cin g Sh a dow Sou r cin g En d-u ser Des. Clou d Stea lt h A dopt. of Sa a S

58

0 X X X X X X X X X X X X X X X X X X X X X 21 X X X

X X X X X X X X X X X X 15 PPM X PPM X PPM X PPM X EUD X 5 CLD, IT C X CLD X CLD X CLD, EA X CLD X 5 46

0 X X X X X X X X 8

0

X X X 3

0

0

X

0

1

0

0

0 8

0 4

0

0

0

X X X 3

0 X X X X X X X X 8 0 X X X X X X X X X X X X X X X X X X X X X 21 0 X X X X X X X X X X X X X X X X 16 0

0 X X X X X 5 0 X X X X X 5 0 10 45

0

0 3

0

0 X X X

X X X 3

0

X

0

X X X X 7

1 X X X X X X X X X

0

0 X X X X X X X X 8

0 X X X X X X X X

0

0

X X X X X X

X X X X X X X

X

X X X X

X X

0

X X X X X 17 X X X X

X

1

X X X

X X

9

X X X X X X X

X

X 3

0

0 25

0

2

X X X X X X 13 X X X X X 5

X X X 11 X X

X X X

X

X X X X X X X

Group & individual X

X X

X X

X X X 18 4

0 X

X

X

13 X X X X X 0 5 X X X X X 0 5 1 32

1 X X X X X X X X 8

X X 2

X

X

2 X X X X X X

Individual

Group

X

X

X

0

X X X 3

Sca le

X

X

1

Shadow & official infr.

Official infrastructure

In fr a str u ctu r e

Shadow infrastructure

Devices & applications

Devices

A r tefa ct

Applications

Outcome

Creation & outcome

Per spect iv e

Creation

Con t ext focu s IT ST PFM IT ST

Unoff. IT & misuse

Pr i m a r y Sh a dow IT r el a t ed t er m (s) Or g . IT St d. Dev ia t ion IS Por t folio Dr ift Fer a l Pr a ctices

Con cept Resou r ce Dit tes et a l. 2 0 1 5 Fer a l Sin g h 2 0 1 5 Pr a ctices T h a tt e et a l. 2 0 1 2

Nov elt y

Misuse of official IT

IND In div idu a liza tion of IT ITC IT Con su m er iza tion ITST IT Sta n da r ds MOB Mobile/Br in g -y ou r -ow n -d. PFM Por tfolio Ma n a g em en t PPM Pr oject Por tfolio Mg m t PT Pr otot y pe SEC Secu r ity

Unofficial IT

Con t ext focu s BI Bu sin ess In tellig en ce BPM Bu sin ess Pr ocess Mg m t . CLD Clou d EA En t er pr ise A r ch it ectu r e ERP En t er pr ise Resou r ce Pl. EUD En d User Dev elopm en t GEN Gen er a l focu s

1

X X X X 8

7 X X

X X

X 0 0 0 2 3 X X X X X X X X X X 5 0 0 1 4 0 9 1 0 38 3 32 23

Figure 5. Literature search and coding results Twenty-second Americas Conference on Information Systems, San Diego, 2016

10