Mario Silic

Shadow IT - A view from behind the curtain

Shadow IT is a currently misunderstood and relatively unexplored phenomena. It represents all hardware, software, or any other solutions used by employees inside of the organisational ecosystem which have not received any formal IT department approval. But how much do we know about this phenomenon? What is behind the curtain? Is security in organisations jeopardised? In the research study reported here, we conducted an in-depth analysis of the organisational Shadow IT software database, reporting the view from behind the curtain. The study used triangulation approach to investigate the Shadow IT phenomena and its findings open Pandoras Box as they lay a new picture of what Shadow IT looks like from the software perspective. Our study revealed that greynet, content apps, and utility tools are the most used shadow systems. This study offers important insights on the Shadow IT phenomena for information management professionals and provides new research directions for academia.

Dual-use open source security software in organizations - Dilemma: Help or hinder?

Dual-use technology can be used for both peaceful and harmful purposes. While the new type of anonymous, invisible and devastating security threats (malware, worms and viruses) shape contemporary warfare, organizations are challenged by the undefined risks of open source dual-use security tools. The dual-use dilemma is very important. It has not received adequate academic focus: questions such as increased or decreased risk, facilitation of security breaches, and the impact on security awareness have not been clarified or studied. This research closes existing gaps by studying the open source dual-use security software challenges that organizations should consider when using this technology. We utilize a triangulation approach with three independent data sources to conduct a detailed analysis of this phenomenon. Our study has found that the dual-use technology has both positive and negative effects on information system security. The ease of use of the dual-use security software facilitates security breaches and enterprises are using vulnerable open source security libraries and frameworks to develop their own in-house applications. On a positive note, open source dual-use security software is used as a powerful defense tool against attackers. Our study also found that security awareness is the key to maintaining the right level of information security risk in the dual-use context. Dual-use can also be of a great help to organizations in leveraging their information system security.

Information security: Critical review and future directions for research

Purpose – The purpose of this literature review is to analyze current trends in information security and suggest future directions for research. Design/methodology/approach – The authors used literature review to analyze 1,588 papers from 23 journals and 5 conferences. Findings – The authors identified 164 different theories used in 684 publications. Distribution of research methods showed that the subjective-argumentative category accounted for 81 per cent, whereas other methods got very low focus. This research offers implications for future research directions on information security. They also identified existing knowledge gaps and how the existing themes are studied in academia. Research limitations/implications – The literature review did not include some dedicated security journals (i.e. Cryptography). Practical implications – The study reveals future directions and trend that the academia should consider. Originality/value – Information security is top concern for organizations, and this research analyzed how academia dealt with the topic since 1977. Also, the authors suggest future directions for research suggesting new research streams.

Factors impacting information governance in the mobile device dual‐use context

Purpose – The purpose of this paper is to reveal factors that impact information governance within the mobile technology implementation in organizations in the dual‐use context.Design/methodology/approach – Case study methodology was used and 15 semi‐structured interviews were conducted with records and information management (RIM) and information security professionals from different types of organizations.Findings – There are three main findings. First, stakeholder support is critical to drive the change and leverage organizational security culture. Second, records mobility with data security dimension represents the biggest challenge for RIM stakeholders. Third, mobile strategy and security framework are two must‐win areas for a successful mobile implementation.Research limitations/implications – The paper does not include any end‐user perspective in interviews and this end‐user context is missing.Practical implications – Awareness through education and training of employees needs to be given very part...

Information Security and Open Source Dual Use Security Software: Trust Paradox

Nmap, free open source utility for network exploration or security auditing, today counts for thirteen million lines of code representing four thousand years of programming effort. Hackers can use it to conduct illegal activities, and information security professionals can use it to safeguard their network. In this dual-use context, question of trust is raised. Can we trust programmers developing open source dual use security software? Motivated by this research question, we conducted interviews among hackers and information security professionals, and explored ohloh.net database. Our results show that contributors behind open source security software (OSSS) are hackers, OSSS have important dual-use dimension, information security professionals generally trust OSSS, and large organizations will avoid adopting and using OSSS.

The Influence of Risk Factors in Decision-Making Process for Open Source Software Adoption

“Nobody ever got fired for buying IBM,” was a widely used cliche in the 1970s in the corporate IT (information technology) world. Since then, the traditional process of purchasing software has dramatically changed, challenged by the advent of open source software (OSS). Since its inception in the 1980s, OSS has matured, grown, and become one of the important driving forces of the enterprise ecosystem. However, it has also brought important IT security risks that are impacting the OSS IT adoption decision-making process. The recent Heartbleed bug demonstrated the grandeur of the issue. While much of the noise relates to the amplification of perceived risks by the popular mass media coverage, the effect is that many enterprises, mainly for risk reasons, have still chosen not to adopt OSS. We investigated “how do information security related characteristics of OSS affect the risk perception and adoption decision of OSS” by conducting an online survey of 188 IT decision-makers. The proposed Open Source Risk Adoption Model offers novel insights on the importance of the perceived risk antecedents. Our research brings new theoretical contributions, such as understanding the perceived IT security risk (PISR) relationship with adoption intention (AI) in the OSS context, for researchers and important insights for IT information professionals. We have found that IT security risk has a significant role in OSS adoption intention. Our results offer possible future research directions and extend existing theoretical understanding of OSS adoption.

Atos - Towards Zero Email Company

In 2011, the CEO of Atos, Thierry Breton, announced an unprecedented move for Atos. The global information services giant become a “zero” email company with the objective of eradicating internal e-mail use and replacing it with blueKiwi – enterprise social network software. This case serves to teach the challenges and key lessons behind the social collaboration transformation in a large organisation where 76,000 employees switched to a new mode of collaboration. The approach of how to become a “zero” email company is detailed, highlighting the importance of the first-order and second-order change. The case helps to understand what it takes to shift organisational culture and employee mindset, as well as what challenges and barriers need to be overcome to make such an important step on a large organisational scale.

Employee Acceptance and Use of Unified Communications and Collaboration in a Cross-Cultural Environment

At the tip of the iceberg of the global financial crisis organizations are looking for economies of scale to survive in these challenging times. The Unified Communications and Collaboration (UC&C) platform is the perfect answer to support an organizations new strategies, aiming to increase employee productivity while decreasing costs. Our study combines recent collaboration research theories with the Unified Theory of Acceptance and Use of Technology (UTAUT). The authors aim to close the existing research gap by extending previous research with a cross-cultural dimension. They conducted an international field study in 34 countries involving 120 employees who were users of UC&C technology. The authors found that the UTAUT constructs are mainly validated in areas in which results suggest that performance expectancy and social influence are the most influential drivers in employee acceptance and use of UC&C in organizations.

Open Source Software Adoption: Lessons from Linux in Munich

It took 10 years for the city of Munich to migrate 15,000 PCs from Windows to the Linux operating system. Was it worth it? This article focuses on how to effectively cope with open source software (OSS) adoption in an organizational context. Based on the Linux in Munich case, the authors present challenges and risks for IT decision makers and propose recommendations for evaluating and calculating the risks of OSS adoption.

A new perspective on neutralization and deterrence: Predicting shadow IT usage

This study examines the role of neutralization and deterrence in discouraging employees from using Shadow IT: tools, services and systems used in an organization but not authorized by the IT department. Our study provides a unique contribution to the IT security literature by studying effects of neutralization on both intentions (self-reported) and actual behavior, as well as examining the role of shame as a mediator. We surveyed employees from four organizations and found that the “metaphor of the ledger” neutralization technique predicts Shadow IT intention and actual Shadow IT usage. We also find that neutralization and deterrence effects influence shame.