Secure Software Development Assimilation: Effects of External Pressures and Roles of Internal Factors

Secure Software Development Assimilation: Effects of External Pressures and Roles of Internal Factors

Mingqiu Song (Faculty of Management and Economics, Dalian University of Technology, Dalian, China), Donghao Chen (Faculty of Management and Economics, Dalian University of Technology, Dalian, China) and Elizabeth Sylvester Mkoba (School of Computer Science and Technology, Dalian University of Technology, Dalian, China)
Copyright: © 2014 |Pages: 24
DOI: 10.4018/ijsse.2014070103
OnDemand PDF Download:
List Price: $37.50


Drawing upon institutional theory, this article develops an extended model to test and verify the effects of external institutional pressures on Secure Software Development (SSD) assimilation and the roles of internal critical factors. The empirical results are based on 86 survey data from respondents of related organizations in United Kingdom, Hong Kong, and Mainland China who have related project experience about SSD. Results from partial least squares (PLS) analysis suggest that both mimetic and coercive pressures have indirect effects on SSD assimilation with the distal mediation of top management. Normative pressures positively affect SSD assimilation with the full mediation of secure software champion. Results also suggest that secure software champion plays another partial mediation between top management participation and SSD assimilation. This paper highlights the important role of secure software champion for its dually mediating effects on both external and internal forces during SSD assimilation process.
Article Preview

1. Introduction

In the rapidly advancement in information technology and E-commerce, a sharp contradiction between the security of software products and people’s expectation is building up. Sustained development of application software leads to exponential growth of vulnerabilities in information systems. As we all know, vulnerability of information system is a main point that can be exploited to conduct security breaches. Secure Software Development (SSD) provides an effective solution for this problem. SSD is a pro-active software development methodology which integrates security engineering with software development life cycle, to prevent security vulnerabilities generated in software development process (Howard and Lipner 2009; McGraw, 2006). There are existing best practices such as Security Development Lifecycle (Howard & Lipner, 2009), Comprehensive, Lightweight Application Security Process (Graham, 2006) and Touch-Points models (McGraw, 2006), indicate that SSD can definitely improve the security and quality of software system with technical feasibility and controlled cost.

However, to our knowledge, SSD has not been widespread and well applied in software industry, especially in Asian countries. Many firms have suffered an “assimilation gap” which means deep and widespread usage tends to lag behind their adoption (Fichman & Kemerer, 1999). Assimilation is defined by Armstrong and Sambamurthy (1999) as “the extent to which the use of a technology diffuses across organizational work processes and becomes routinized in the activities associated with those processes”. SSD is a new complex innovation of software development method. The existing best practices just provide theoretical and technological guidelines. They need to be tailored according to the development procedure and organizational structure when they are adopted and implemented. In addition, assimilation of SSD requires enough technology capability and seamless integration into the existing development procedure, which might change the current technologies and work processes. These strict conditions and requirements fettered the assimilation of SSD in industry.

The existing studies of SSD mainly focus on the process models and technological components. Although there is an increasing body of literature on information technology assimilation (Chatterjee, Grewal, & Sambamurthy, 2002; Liang, Saraf, Hu, & Xue, 2007; Purvis, Sambamurthy, & Zmud, 2001; Wang, 2008), research on SSD assimilation is scant. Thus, it is difficult for related firms to make organizational response to SSD assimilation process. Therefore, initiating the research of SSD assimilation is necessary and identifying factors which affect SSD assimilation process becomes the primary work. From a systematic angle, SSD assimilation will not only be affected by internal factors, but also affected by forces from environment (external factors). These external pressures may come from the competitors, customers, industry association and government. Therefore, identifying the factors from both internal and external context, and exploring the relations between them are significant to SSD assimilation.

Drawing upon the literature on institutional theory (Powell, 1991) and the research of IT assimilation, we develop a theoretical model to verify the effect of external pressures on SSD assimilation and study the role of internal critical factors. We argue that pressures for assimilating SSD also exist in external environment of the organization. Since not all external pressures affect assimilation process directly (Liang et al., 2007) and internal forces have been proved to affect IS security practice evidently (Hu, Hart, & Cooke, 2007). In our study, two internal factors, top management and secure software champion, are identified as interfaces (agents) to the external environment. Top management has been well studied and proved to be an interface to external pressures in prior research (Liang et al., 2007). Furthermore, we identify secure software champion as a new critical factor within organization for its significant role on technological aspects. Secure software champion is the member within firms who has a profound understanding about the philosophy, process, and technological details of SSD innovation, can get favour from top management group, remove various barriers, and provide actual technological support to project members in implementation and assimilation process.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017): 2 Released, 2 Forthcoming
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing