FACTORS AFFECTING THE ADOPTION OF SECURE SOFTWARE PRACTICES IN SMALL AND MEDIUM ENTERPRISES THAT BUILD SOFTWARE IN-HOUSE

Abstract

Software has grown enormously in value because of its wide use for domestic, public, and economic activities. Software must be secure because exploited software vulnerabilities can negatively affect individuals’ and organizations' financial, health, and economic well-being. Various authors recommended practicing a secure software development lifecycle (SSDLC) to ensure that software is released secured. Software small and medium enterprises (SMEs), the dominant software publishers, have not widely adopted the SSDLC. This study approached the problem of software SMEs’ inadequate adoption of SSDLC from an innovation adoption perspective based on the diffusion of innovation theoretical framework (DOI). Five DOI factors, relative advantage, compatibility, complexity, trialability, and observability, were assessed for significance to software SMEs’ intention to adopt SSDLC. A random sample of 200 participants from a population of software security decision-makers of software SMEs based in the United States that develop software in-house were surveyed via an online close-ended questionnaire. Relative advantage, compatibility, and trialability were statistically significant to SME SSDLC adoption intention. Complexity and observability were not statistically significant to SME SSDLC adoption intention. Trialability was the strongest predictor of SME SSDLC adoption intention. SME software security decision-makers may find that the results of this study help to determine the factors they should consider when deciding to introduce the SSDLC into their software development process. The result of the study has implications for practice and social change because increased SME SSDLC adoption potentially results in the development of more secure software and fewer software security incidents.