{"title":"Implementing and integrating security controls: A practitioners’ perspective","authors":"Maysa Sinan, Mojtaba Shahin, Iqbal Gondal","doi":"10.1016/j.cose.2025.104516","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>Security controls are indispensable in today’s technology-driven world for their essential role in protecting applications and systems in many organizations. They help to manage the organizational controls to ensure confidentiality, integrity and access to vital infrastructure and data (e.g., software applications, financial records, personal information, intellectual property, etc.) by ensuring that only authorized and trustworthy users have privileged access. Further, integrating security controls within the Software Development Lifecycle (SDLC) is imperative for detecting application deficiencies and preventing potential breaches that could result in financial losses and expose the systems to external and/or internal threats. They reduce the exploitation risk by identifying and patching vulnerabilities in applications and networks within the organization.</div></div><div><h3>Methods:</h3><div>To explore and get in-depth insights, a survey was conducted with 118 software practitioners to determine how they embed and handle security controls in software development environments. Our survey covers the four phases of the security controls lifecycle, including classifying, identifying, implementing, and validating security controls to understand the best practices and essential activities in each process.</div></div><div><h3>Results:</h3><div>The survey results indicated that most respondents recognized the critical importance of understanding security requirements prior to integrating appropriate security controls in each software release. We highlighted key factors that influence the selection and identification of security controls, including user group considerations, risk management practices, and organizational requirements. 
It appeared that security practitioners utilize a wide range of security controls that are broadly classified into six categories, where administrative and technical controls come first. With this emphasis and awareness, they could align their responses with practical and contextual factors driving effective security control implementation. Furthermore, the findings showed that most organizations rely on internal departments to implement and maintain security controls in conjunction with continuous security practices throughout the different phases of the SDLC. In contrast, only 36% of respondents utilize automated testing tools for monitoring, while 52% cite insufficient security training as a major obstacle.</div></div><div><h3>Conclusion:</h3><div>The survey highlighted the need to hire skillful security practitioners who possess a diverse range of cybersecurity skills, enabling them to govern security controls and handle troubleshooting with poise and professionalism, taking advantage of lessons learned in past experiences. The results also demonstrated the need for employing up-to-date tools and carrying out a list of best practices, to implement security controls and improve their effectiveness for the purpose of up-leveling the overall security posture. Those results emphasize the need for enhanced training programs and advanced tools to streamline security control integration. 
In addition, this study provides actionable insights for improving compliance and risk management, contributing to a more robust, comprehensive cybersecurity framework.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104516"},"PeriodicalIF":4.8000,"publicationDate":"2025-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002056","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
Context:
Security controls are indispensable in today’s technology-driven world for their essential role in protecting applications and systems across organizations. They help manage organizational controls that preserve the confidentiality, integrity and availability of vital infrastructure and data (e.g., software applications, financial records, personal information, intellectual property) by ensuring that only authorized and trustworthy users hold privileged access. Further, integrating security controls within the Software Development Lifecycle (SDLC) is imperative for detecting application deficiencies and preventing breaches that could result in financial losses and expose systems to external and/or internal threats. Security controls reduce exploitation risk by identifying and patching vulnerabilities in the organization’s applications and networks.
Methods:
To gain in-depth insights, a survey was conducted with 118 software practitioners to determine how they embed and handle security controls in software development environments. The survey covers the four phases of the security controls lifecycle (classifying, identifying, implementing, and validating security controls) to understand the best practices and essential activities in each phase.
Results:
The survey results indicated that most respondents recognized the critical importance of understanding security requirements before integrating appropriate security controls into each software release. We highlighted key factors that influence the selection and identification of security controls, including user group considerations, risk management practices, and organizational requirements. Practitioners reported using a wide range of security controls, broadly classified into six categories, of which administrative and technical controls were the most common. This awareness allowed respondents to align their answers with the practical and contextual factors that drive effective security control implementation. Furthermore, the findings showed that most organizations rely on internal departments to implement and maintain security controls, alongside continuous security practices throughout the phases of the SDLC. In contrast, only 36% of respondents use automated testing tools for monitoring, while 52% cite insufficient security training as a major obstacle.
Conclusion:
The survey highlighted the need to hire skilled security practitioners with a diverse range of cybersecurity skills, enabling them to govern security controls and handle troubleshooting with poise and professionalism, drawing on lessons learned from past experience. The results also demonstrated the need to employ up-to-date tools and follow a set of best practices when implementing security controls, improving their effectiveness and raising the overall security posture. These results emphasize the need for enhanced training programs and advanced tools to streamline security control integration. In addition, this study provides actionable insights for improving compliance and risk management, contributing to a more robust, comprehensive cybersecurity framework.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.