Poster: The Unknown Unknown: Cybersecurity Threats of Shadow IT in Higher Education

The growing number of employee-introduced IT solutions creates new attack vectors and challenges for cybersecurity management and IT administrators. These unauthorised hardware, software, or services are called shadow IT. In higher education, the diversity of the shadow IT landscape is even more prominent due to the flexible needs of researchers, educators, and students. We studied shadow IT and related cyber threats in higher education via interviews with 11 IT and security experts. Our results provide a comprehensive overview of observed shadow IT types and related cyber threats. The findings revealed prevalent cloud and self-acquired software use as common shadow IT, with cybersecurity risks resulting from outdated software and visibility gaps. Our findings led to advice for practitioners: manage shadow IT responsibly with cybersecurity best practices, consider stakeholder needs, support educators and researchers, and offer usable IT solutions.