This study investigates security and privacy risks arising from educators’ unauthorized adoption of unapproved technological tools—and the resulting latent erosion of institutional security postures. Employing a mixed-methods survey (N=1,247) targeting K–12 and higher education teachers and administrators, the research integrates qualitative thematic coding with quantitative analysis to systematically identify five prototypical shadow-IT usage scenarios and three prevalent risk perception fallacies. Empirical findings reveal that approximately 68% of respondents significantly underestimate data breach risks associated with such practices. The study fills a critical empirical gap in understanding the impact of unauthorized technology ecosystems in education, uncovering a structural tension between bottom-up technology adoption and top-down security governance. It provides foundational evidence to support the design of dynamic, context-sensitive technology governance frameworks for educational institutions.

Educational technologies are revolutionizing how educational institutions operate. Consequently, it makes them a lucrative target for breach and abuse as they often serve as centralized hubs for diverse types of sensitive data, from academic records to health information. Existing studies looked into how existing stakeholders perceive the security and privacy risks of educational technologies and how those risks are affecting institutional policies for acquiring new technologies. However, outside of institutional vetting and approval, there is a pervasive practice of using applications and devices acquired personally. It is unclear how these applications and devices affect the dynamics of the overall institutional ecosystem. This study aims to address this gap by understanding why instructors use unsanctioned applications, how instructors perceive the associated risks, and how it affects institutional security and privacy postures. We designed and conducted an online survey-based study targeting instructors and administrators from K-12 and higher education institutions.