Research Findings in the Domain of Security Assurance in DevOps

Copyright: © 2021 | Pages: 56
DOI: 10.4018/978-1-7998-7367-9.ch011

Abstract

This chapter provides an overview of the approach and outcomes of the research project. It consists of the following sections. "Research approach and deliverables" explains the rationale behind the research methods selected for the project and summarises the outcomes of the literature review. The subsequent sections give a detailed overview of the security activities identified during the research project, together with an in-depth analysis of each security activity and of the design factors identified in the earlier research steps.
Chapter Preview

Research Approach And Deliverables

Selection of Research Methods

The topics of DevOps and DevSecOps are at the vanguard of information technology and are therefore subject to constant and rapid evolution. Recent academic papers refer to DevOps as a novel concept (Jabbari et al., 2016a) and point out that the number of relevant publications on DevSecOps is low (Mohan & Othmane, 2016b). An exploratory approach was therefore chosen for this research project, allowing the researchers to gain familiarity with the concept of lean security, to generate new insights, and to return these insights to the body of knowledge.

Information systems (IS) research combines behavioural science and design science, on the premise that this combination is best suited to address the fundamental problems faced in the productive application of information technology; technology and behaviour are considered inseparable in IS research (Hevner et al., 2004). This premise aligns with a consensus in the proposed research domain: the combination of process, technology and people (Martin & Jim, 2001)(McCarthy et al., 2015) is essential for both DevOps and information security to become effective.

This research project develops the specifications for an artefact detailing a set of security activities applicable to DevOps, characterised in terms of their effectiveness and the delay they introduce into the continuous deployment process.

This artefact proposes an initial solution to the problem of integrating security into DevOps and as such contributes to the body of knowledge. Design science methods are therefore selected as the basis for this research. Hevner et al. describe design science as follows (Hevner et al., 2004):

“A research paradigm in which a designer answers questions relevant to human problems via the creation of innovative artefacts, thereby contributing new knowledge to the body of scientific evidence. The designed artefacts are both useful and fundamental in understanding that problem.”

As described by Recker (Recker & Recker, 2012), design science starts from the existing knowledge base, which provides the material through which design science research is accomplished and thereby ensures rigour. This knowledge may consist of existing theories from science and engineering, specifications of currently known designs, useful facts about currently available products, lessons learned from the experience of researchers in earlier design science projects, and plain common sense (Wieringa, 2014).

Subsequently, the researcher engages in a relevance cycle that bridges the environment of the research project with the design science activities, thereby providing relevance in the application domain. At the heart of design science is the design cycle, which iterates between the core activities of building and evaluating the design artefacts.

Wieringa indicates that additional research may be required where the current scientific knowledge base does not provide an answer (Wieringa, 2014). The research domain selected for this project is at the vanguard of technological and cultural practice in secure information systems development and operations in agile environments. Knowledge on this subject is therefore constantly evolving, which encourages the use of techniques that gather knowledge from expert experience in order to generate new insights.

One approach to generating such insights is the use of Group Support Sessions (GSS). They facilitate the effective collection, organisation, evaluation, cross-impact analysis and reporting of data (Bobbert, 2017a). Group Support Sessions have been proposed as a qualitative research method for decision making within the domain of Business Information Security (BIS), because they stimulate free-flowing discussion and the sharing of experiences, eliciting the views of all participants. Previous studies state that GSS provide a solution to the problem of capturing and sharing knowledge and as such can be used to inform decision making (Bobbert, 2017a).

A similar combination of design science research methods and Group Support Sessions for exploratory research has been applied in previous research to derive prioritised lists of items in the field of information security (Bobbert & Mulder, 2013).

Based on the need for this research project to elicit the views of practitioners, and the similar need to derive a prioritised list of items, the choice was made to apply GSS. This research employs a combination of techniques to interact with experts: (a) surveys, (b) interviews and (c) group support sessions.

Figure 1.

Overview of design science as defined by Hevner (2007)

