DOI: 10.1145/2998181.2998191

Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group

Published: 25 February 2017

Abstract

Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and routines remains unclear. We studied how security consultancy affected organizational routines in a software development group. Security consultants tested their product, reported vulnerabilities, and delivered a security training. We followed the group during and after consultancy events. As a result of the consultancy, group members improved their understanding of security issues, but could not effect a change of routines within the given organizational structure. They handled vulnerabilities in a stabilization routine without changes in feature development, where security remained intangible. Interestingly, group members acknowledged an unfulfilled need for change but defended the structure inhibiting change. Security initiatives need to consider this interplay of structure and situated practice, and manage change in addition to providing expertise and tools.

Published In

CSCW '17: Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing
February 2017
2556 pages
ISBN:9781450343350
DOI:10.1145/2998181

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. IT security
  2. agile development
  3. organizational change
  4. organizational factors
  5. organizational routines
  6. penetration test
  7. scrum
  8. security training
  9. software development
  10. software development teams
  11. structure-and-agency duality

Qualifiers

  • Research-article

Funding Sources

  • Federal Ministry of Education and Research Germany

Conference

CSCW '17: Computer Supported Cooperative Work and Social Computing
February 25 - March 1, 2017
Portland, Oregon, USA

Acceptance Rates

CSCW '17 paper acceptance rate: 183 of 530 submissions (35%)
Overall acceptance rate: 2,235 of 8,521 submissions (26%)

Article Metrics

  • Downloads (last 12 months): 110
  • Downloads (last 6 weeks): 12
Reflects downloads up to 07 Mar 2025

Cited By

  • (2024) The Mundane Art of Cybersecurity: Living with Insecure IT in Danish Small- and Medium-Sized Enterprises. Proceedings of the ACM on Human-Computer Interaction 8, CSCW2, 1-17. DOI 10.1145/3686893. Online publication date: 8 Nov 2024.
  • (2024) Towards Security-Focused Developer Personas. Proceedings of the 13th Nordic Conference on Human-Computer Interaction, 1-18. DOI 10.1145/3679318.3685406. Online publication date: 13 Oct 2024.
  • (2024) Training. In Fragile Computing, 115-156. DOI 10.1007/978-981-99-9807-4_4. Online publication date: 18 Jun 2024.
  • (2024) Introduction. In Fragile Computing, 1-18. DOI 10.1007/978-981-99-9807-4_1. Online publication date: 18 Jun 2024.
  • (2023) Lacking the tools and support to fix friction. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, 131-150. DOI 10.5555/3632186.3632194. Online publication date: 7 Aug 2023.
  • (2023) Exploring the security culture of operational technology (OT) organisations. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, 113-129. DOI 10.5555/3632186.3632193. Online publication date: 7 Aug 2023.
  • (2023) "It may take ages": Understanding Human-Centred Lateral Phishing Attack Detection in Organisations. Proceedings of the 2023 European Symposium on Usable Security, 344-355. DOI 10.1145/3617072.3617116. Online publication date: 16 Oct 2023.
  • (2023) Caring Not Scaring: An Evaluation of a Workshop to Train Apprentices as Security Champions. Proceedings of the 2023 European Symposium on Usable Security, 237-252. DOI 10.1145/3617072.3617099. Online publication date: 16 Oct 2023.
  • (2023) Blindspots in Python and Java APIs Result in Vulnerable Code. ACM Transactions on Software Engineering and Methodology 32, 3, 1-31. DOI 10.1145/3571850. Online publication date: 26 Apr 2023.
  • (2023) Security Responses in Software Development. ACM Transactions on Software Engineering and Methodology 32, 3, 1-29. DOI 10.1145/3563211. Online publication date: 26 Apr 2023.
