This study investigates the critical relationship between organizational system development policies, procedures and processes and the resulting security quality of the systems developed. We draw from a general software quality model to provide a theoretical foundation for testing this relationship. We used paper-based and online surveys to collect data from software developers and project managers. Our results revealed a significant relationship between management support and security policies and development process control. We also found significant relationships between development-process control and security quality, between attitude and security quality, and in the interaction between value congruence and commitment to provide security skills development. Counter-intuitively, we did not find a significant relationship either between security policy and security quality or in the interaction between security policy and its legitimacy as perceived by systems development personnel. The managerial implications of the study include the need to foster a climate of security skills development through training for system development personnel and, at the same time, to find strategies that more closely align their values with the security goals of the organization. Additionally, providing management support to formulate guidelines for development process control can improve the security quality of the systems developed.
Raghavan, Vijay and Zhang, Xiaoni, "An Integrative Model of Managing Software Security during Information Systems Development," Journal of International Technology and Information Management: Vol. 26, Article 3.
Available at: http://scholarworks.lib.csusb.edu/jitim/vol26/iss4/3