The topic for this proposed study is information security governance and risk management (Capella University, n.d.). The purpose of this generic qualitative inquiry is to explore US higher education leaders' awareness of, attentiveness to, and risk management practices around shadow IT. At this stage in the research, shadow IT will be defined as "all hardware, software, or any other solutions used by employees inside of the organizational ecosystem which has not received any formal IT department approval" ((Silic & Back, 2014, p. 274). The target population will be public Research I (RI) higher education CIOs, CTOs, VPs, Provosts, Presidents, Chancellors, and CISOs in the United States (US).

Data Collection Guide

Research Question:

• What are US RI higher education institutions risk management practices around shadow IT?

Interview Questions:

Background

1. Could you please introduce yourself and describe your role within the institution, particularly in relation to IT risk management?

2. Can you give an overview of the institution's current IT risk management strategy?

Shadow IT

3. Can you define 'Shadow IT' as per your understanding? How does it affect the operations of your institution?

4. Can you give examples of Shadow IT that are currently being used or have been used in the past in your institution?

5. How have these instances of Shadow IT been identified by your institution?

6. Could you describe any challenges that the institution has faced or is facing due to Shadow IT?

Risk Management/Mitigation

7. What steps or measures are being taken by your institution to manage the risks associated with Shadow IT?

8. Can you elaborate on the process followed for assessing the risk associated with Shadow IT at your institution?

9. Are there specific policies or guidelines in place to deal with Shadow IT? If so, could you please discuss them?

Awareness

10. How does your institution promote awareness and education around Shadow IT risk management among faculty, staff, and students?

11. Can you describe a situation where Shadow IT was discovered and how it was addressed?

12. What tools or technology does your institution employ to detect and mitigate the risk of Shadow IT?

13. Can you speak on the role of the institution's leadership in shaping policies and practices around Shadow IT risk management?

14. How does your institution balance the need for innovation and digital transformation with the potential risks of Shadow IT?

Lessons Learned/Future Plans

15. What are the key lessons your institution has learned from managing Shadow IT?

16. Can you talk about any ongoing or planned initiatives aimed at improving the risk management of Shadow IT?

17. To what extent does your institution collaborate with other institutions in sharing knowledge and best practices around Shadow IT risk management?

18. How do you see the future of Shadow IT risk management in your institution and in higher education more broadly?

Open Ending

19. Is there any other information you would like to share regarding Shadow IT and your institution's practices or experiences that we haven't already covered?

Comment on the post and ask questions?