1. Introduction
With the rapid advancement of information technology and e-commerce, a sharp contradiction between the security of software products and people’s expectations is building up. Sustained development of application software leads to exponential growth of vulnerabilities in information systems. As is well known, vulnerabilities in information systems are the main points that can be exploited to conduct security breaches. Secure Software Development (SSD) provides an effective solution to this problem. SSD is a pro-active software development methodology that integrates security engineering with the software development life cycle in order to prevent security vulnerabilities from being introduced during the software development process (Howard & Lipner, 2009; McGraw, 2006). Existing best practices such as the Security Development Lifecycle (Howard & Lipner, 2009), the Comprehensive, Lightweight Application Security Process (Graham, 2006) and the Touchpoints model (McGraw, 2006) indicate that SSD can definitely improve the security and quality of software systems with technical feasibility and controlled cost.
However, to our knowledge, SSD has not been widely and well applied in the software industry, especially in Asian countries. Many firms have suffered an “assimilation gap”, meaning that deep and widespread usage tends to lag behind adoption (Fichman & Kemerer, 1999). Assimilation is defined by Armstrong and Sambamurthy (1999) as “the extent to which the use of a technology diffuses across organizational work processes and becomes routinized in the activities associated with those processes”. SSD is a new and complex innovation in software development methods. The existing best practices only provide theoretical and technological guidelines; they need to be tailored to the development procedure and organizational structure when they are adopted and implemented. In addition, assimilation of SSD requires sufficient technological capability and seamless integration into the existing development procedure, which might change the current technologies and work processes. These strict conditions and requirements have fettered the assimilation of SSD in industry.
The existing studies of SSD mainly focus on process models and technological components. Although there is an increasing body of literature on information technology assimilation (Chatterjee, Grewal, & Sambamurthy, 2002; Liang, Saraf, Hu, & Xue, 2007; Purvis, Sambamurthy, & Zmud, 2001; Wang, 2008), research on SSD assimilation is scant. Thus, it is difficult for firms to organize their response to the SSD assimilation process. Initiating research on SSD assimilation is therefore necessary, and identifying the factors that affect the SSD assimilation process becomes the primary task. From a systemic angle, SSD assimilation is affected not only by internal factors but also by forces from the environment (external factors). These external pressures may come from competitors, customers, industry associations and government. Therefore, identifying the factors in both the internal and the external context, and exploring the relations between them, is significant for SSD assimilation.
Drawing upon the literature on institutional theory (Powell, 1991) and the research on IT assimilation, we develop a theoretical model to verify the effect of external pressures on SSD assimilation and to study the role of internal critical factors. We argue that pressures for assimilating SSD also exist in the external environment of the organization. Since not all external pressures affect the assimilation process directly (Liang et al., 2007), and internal forces have been shown to affect IS security practice evidently (Hu, Hart, & Cooke, 2007), our study identifies two internal factors, top management and the secure software champion, as interfaces (agents) to the external environment. Top management has been well studied and shown to be an interface to external pressures in prior research (Liang et al., 2007). Furthermore, we identify the secure software champion as a new critical factor within the organization because of its significant role in technological aspects. The secure software champion is a member of the firm who has a profound understanding of the philosophy, process, and technological details of the SSD innovation, can win the favour of the top management group, remove various barriers, and provide actual technological support to project members during the implementation and assimilation process.