Shadow IT Behavior of Financial Executives in Germany and Italy as an Antecedent to Internal Data Security Breaches

Abstract

Data security breaches have been consistently identified in literature as significant, negative events. While most of the related research focuses on externally initiated breaches, far fewer studies provide clarity related to internally initiated breaches. The risk of internal breaches may be dramatically increased by shadow information technology (IT). Our study examines German and Italian financial executives’ decisions to engage in shadow IT in combination with two potential mitigation techniques (severity of sanctions in violation of IT policy and outcome effect related to breach risk). While Italian executives act as predicted, German executives engage in a different decision-making process whereby a self-service business culture brought on by perceived increased IT capabilities supersedes the level of cybersecurity awareness and a strong IT usage policy. Results also suggest an outcome effect favoring increased likelihood of breaches may lessen the likelihood of shadow IT usage. Our study adds an international component to existing data security breach and shadow IT research, while also contributing to the IT usage policy, neutralization theory, dynamic capabilities, outcome effect, and self-service literatures.