Can security become a routine? A study of Organizational change in an agile software development group

Andreas Poller; Laura Kocksch; Sven Türpe; Felix Anand Epp; Katharina Kinder-Kurlanda

doi:10.1145/2998181.2998191

Can security become a routine? A study of Organizational change in an agile software development group

Andreas Poller, Laura Kocksch, Sven Türpe, Felix Anand Epp, Katharina Kinder-Kurlanda

Not published at Aalto University

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

68 Citations (Scopus)

Abstract

Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and routines remains unclear. We studied how security consultancy affected organizational routines in a software development group. Security consultants tested their product, reported vulnerabilities, and delivered a security training. We followed the group during and after consultancy events. As a result of the consultancy, group members improved their understanding of security issues, but could not effect a change of routines within the given organizational structure. They handled vulnerabilities in a stabilization routine without changes in feature development, where security remained intangible. Interestingly, group members acknowledged an unfulfilled need for change but defended the structure inhibiting change. Security initiatives need to consider this interplay of structure and situated practice, and manage change in addition to providing expertise and tools.

Original language	English
Title of host publication	CSCW 2017 - Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing
Publisher	ACM
Pages	2489-2503
Number of pages	15
ISBN (Electronic)	9781450343350
DOIs	https://doi.org/10.1145/2998181.2998191
Publication status	Published - 25 Feb 2017
MoE publication type	A4 Conference publication
Event	ACM Conference on Computer-Supported Cooperative Work and Social Computing - Portland, United States Duration: 25 Feb 2017 → 1 Mar 2017

Conference

Conference	ACM Conference on Computer-Supported Cooperative Work and Social Computing
Abbreviated title	CSCW
Country/Territory	United States
City	Portland
Period	25/02/2017 → 01/03/2017

Keywords

Agile development
It security
Organizational change
Organizational factors
Organizational routines
Penetration test
Scrum
Security training
Software development
Software development teams
Structure-and-agency duality

Access to Document

10.1145/2998181.2998191

Cite this

@inproceedings{60203407d20f418da0a4ac7e6a695fd1,

title = "Can security become a routine? A study of Organizational change in an agile software development group",

abstract = "Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and routines remains unclear. We studied how security consultancy affected organizational routines in a software development group. Security consultants tested their product, reported vulnerabilities, and delivered a security training. We followed the group during and after consultancy events. As a result of the consultancy, group members improved their understanding of security issues, but could not effect a change of routines within the given organizational structure. They handled vulnerabilities in a stabilization routine without changes in feature development, where security remained intangible. Interestingly, group members acknowledged an unfulfilled need for change but defended the structure inhibiting change. Security initiatives need to consider this interplay of structure and situated practice, and manage change in addition to providing expertise and tools.",

keywords = "Agile development, It security, Organizational change, Organizational factors, Organizational routines, Penetration test, Scrum, Security training, Software development, Software development teams, Structure-and-agency duality",

author = "Andreas Poller and Laura Kocksch and Sven T{\"u}rpe and Epp, {Felix Anand} and Katharina Kinder-Kurlanda",

year = "2017",

month = feb,

day = "25",

doi = "10.1145/2998181.2998191",

language = "English",

pages = "2489--2503",

booktitle = "CSCW 2017 - Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing",

publisher = "ACM",

address = "United States",

note = "ACM Conference on Computer-Supported Cooperative Work and Social Computing, CSCW ; Conference date: 25-02-2017 Through 01-03-2017",

}

Poller, A, Kocksch, L, Türpe, S, Epp, FA & Kinder-Kurlanda, K 2017, Can security become a routine? A study of Organizational change in an agile software development group. in CSCW 2017 - Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing. ACM, pp. 2489-2503, ACM Conference on Computer-Supported Cooperative Work and Social Computing, Portland, Oregon, United States, 25/02/2017. https://doi.org/10.1145/2998181.2998191

Can security become a routine? A study of Organizational change in an agile software development group. / Poller, Andreas; Kocksch, Laura; Türpe, Sven et al.
CSCW 2017 - Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing. ACM, 2017. p. 2489-2503.

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

TY - GEN

T1 - Can security become a routine? A study of Organizational change in an agile software development group

AU - Poller, Andreas

AU - Kocksch, Laura

AU - Türpe, Sven

AU - Epp, Felix Anand

AU - Kinder-Kurlanda, Katharina

PY - 2017/2/25

Y1 - 2017/2/25

N2 - Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and routines remains unclear. We studied how security consultancy affected organizational routines in a software development group. Security consultants tested their product, reported vulnerabilities, and delivered a security training. We followed the group during and after consultancy events. As a result of the consultancy, group members improved their understanding of security issues, but could not effect a change of routines within the given organizational structure. They handled vulnerabilities in a stabilization routine without changes in feature development, where security remained intangible. Interestingly, group members acknowledged an unfulfilled need for change but defended the structure inhibiting change. Security initiatives need to consider this interplay of structure and situated practice, and manage change in addition to providing expertise and tools.

AB - Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and routines remains unclear. We studied how security consultancy affected organizational routines in a software development group. Security consultants tested their product, reported vulnerabilities, and delivered a security training. We followed the group during and after consultancy events. As a result of the consultancy, group members improved their understanding of security issues, but could not effect a change of routines within the given organizational structure. They handled vulnerabilities in a stabilization routine without changes in feature development, where security remained intangible. Interestingly, group members acknowledged an unfulfilled need for change but defended the structure inhibiting change. Security initiatives need to consider this interplay of structure and situated practice, and manage change in addition to providing expertise and tools.

KW - Agile development

KW - It security

KW - Organizational change

KW - Organizational factors

KW - Organizational routines

KW - Penetration test

KW - Scrum

KW - Security training

KW - Software development

KW - Software development teams

KW - Structure-and-agency duality

UR - http://www.scopus.com/inward/record.url?scp=85014761847&partnerID=8YFLogxK

U2 - 10.1145/2998181.2998191

DO - 10.1145/2998181.2998191

M3 - Conference article in proceedings

AN - SCOPUS:85014761847

SP - 2489

EP - 2503

BT - CSCW 2017 - Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing

PB - ACM

T2 - ACM Conference on Computer-Supported Cooperative Work and Social Computing

Y2 - 25 February 2017 through 1 March 2017

ER -

Can security become a routine? A study of Organizational change in an agile software development group

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this