It is well known that software errors may lead to information security vulnerabilities, the breach of which can have considerable negative impacts for organizations. Studies have found that a large percentage of security defects in e-business applications are due to design-related flaws, which could be detected and corrected during application development. Traditional methods of managing software application vulnerabilities have often been ad hoc and inadequate. A more recent approach that promises to be more effective is to incorporate security requirements as part of the application development cycle. However, secure development of applications (SDA) is practised only to a limited extent, and there is a lack of research investigating the phenomenon. Motivated by such concerns, the goal of this research is to investigate the factors that may influence the intention of information systems (IS) professionals to practise SDA, i.e., to incorporate security as part of the application development lifecycle. This study develops two models, based on the widely used theory of planned behaviour (TPB) and theory of reasoned action (TRA), to explain the phenomenon. Following model operationalization, a field survey of 184 IS professionals was conducted to empirically compare the explanatory power of the TPB-based model with that of the TRA-based model. Consistent with TPB and TRA predictions, attitude and subjective norm were found to significantly affect intention to practise SDA for the overall survey sample. Attitude was in turn determined by the product usefulness and career usefulness of SDA, while subjective norm was determined by interpersonal influence but not by external influence. Contrary to TPB predictions, perceived behavioural control, conceptualized in terms of self-efficacy and facilitating conditions, had no significant effect on intention to practise SDA. Thus, a modified TRA-based model was found to offer the best explanation of behavioural intention to practise SDA. Implications for research and information security practice are suggested.