Factors Affecting the Adoption of Secure Software Practices in Small and Medium Enterprises that Build Software In-house

Main Article Content

Kimberly Lowrey
Shardul Pandya


Software has grown enormously in value because of its wide use for domestic, public, and economic activities. Software must be secure because exploited software vulnerabilities can negatively affect individuals’ and organizations' financial, health, and economic well-being. Various authors recommended practicing a secure software development lifecycle (SSDLC) to ensure that software is released secured. Software small and medium enterprises (SMEs), the dominant software publishers, have not widely adopted the SSDLC. This study approached the problem of software SMEs’ inadequate adoption of SSDLC from an innovation adoption perspective based on the diffusion of innovation theoretical framework (DOI). Five DOI factors, relative advantage, compatibility, complexity, trialability, and observability, were assessed for significance to software SMEs’ intention to adopt SSDLC. A random sample of 200 participants from a population of software security decision-makers of software SMEs based in the United States that develop software in-house were surveyed via an online close-ended questionnaire. Relative advantage, compatibility, and trialability were statistically significant to SME SSDLC adoption intention. Complexity and observability were not statistically significant to SME SSDLC adoption intention. Trialability was the strongest predictor of SME SSDLC adoption intention. SME software security decision-makers may find that the results of this study help to determine the factors they should consider when deciding to introduce the SSDLC into their software development process.  The result of the study has implications for practice and social change because increased SME SSDLC adoption potentially results in the development of more secure software and fewer software security incidents.


Download data is not yet available.

Article Details

Author Biography

Wisdom Umeugo

Independent Researcher




OECD, OECD skills outlook 2019: thriving in a digital world. OECD, 2019.

N. Yusupova and K. Mironov, “Key information technologies for digital economy.,†Proceedings of REMS 2018 Russian Federation & Europe Multidisciplinary Symposium on Computer Science and ICT, vol. 2254, p. 330, 2018.

S. R. Sree and C. P. Rao, “A study on application of soft computing techniques for software effort estimation,†in A Journey Towards Bio-inspired Techniques in Software Engineering, vol. 185, J. Singh, S. Bilgaiyan, B. S. P. Mishra, and S. Dehuri, Eds. Cham: Springer International Publishing, 2020, pp. 141–165.

Gartner, “Gartner Forecasts Worldwide IT Spending to Reach $4.4 Trillion in 2022,†Gartner, May 06, 2022. https://www.gartner.com/en/newsroom/press-releases/2022-04-06-gartner-forecasts-worldwide-it-spending-to-reach-4-point-four-trillion-in-2022 (accessed May 15, 2022).

J. Ransome and A. Misra, Core Software Security. Auerbach Publications, 2018.

M. Tuape and Y. Ayalew, “Factors affecting development process in small software companies,†in 2019 IEEE/ACM Symposium on Software Engineering in Africa (SEiA), May 2019, pp. 16–23, doi: 10.1109/SEiA.2019.00011.

H. Al-Matouq, S. Mahmood, M. Alshayeb, and M. Niazi, “A maturity model for secure software design: A multivocal study,†IEEE Access, vol. 8, pp. 215758–215776, 2020, doi: 10.1109/ACCESS.2020.3040220.

R. Fujdiak et al., “Managing the secure software development,†in 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Jun. 2019, pp. 1–4, doi: 10.1109/NTMS.2019.8763845.

R. A. Khan, S. U. Khan, H. U. Khan, and M. Ilyas, “Systematic mapping study on security approaches in secure software engineering,†IEEE Access, vol. 9, pp. 19139–19160, 2021, doi: 10.1109/ACCESS.2021.3052311.

F. Alghamdi, “Motivational company’s characteristics to secure software,†in 2020 3rd International Conference on Computer Applications & Information Security (ICCAIS), Mar. 2020, pp. 1–5, doi: 10.1109/ICCAIS48893.2020.9096815.

E. Venson, R. Alfayez, M. M. F. Gomes, R. M. C. Figueiredo, and B. Boehm, “The impact of software security practices on development effort: an initial survey,†in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Sep. 2019, pp. 1–12, doi: 10.1109/ESEM.2019.8870153.

H. Assal and S. Chiasson, “Motivations and amotivations for software security.,†SOUPS Workshop on Security Information Workers (WSIW). USENIX Association, p. 1, 2018.

Z. A. Maher, A. Shah, S. Chandio, H. M. Mohadis, and N. H. B. A. Rahim, “Challenges and limitations in secure software development adoption - A qualitative analysis in Malaysian software industry prospect,†IJST, vol. 13, no. 26, pp. 2601–2608, Jul. 2020, doi: 10.17485/IJST/v13i26.848.

J. Witschey, O. Zielinska, A. Welk, E. Murphy-Hill, C. Mayhorn, and T. Zimmermann, “Quantifying developers’ adoption of security tools,†in Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering - ESEC/FSE 2015, New York, New York, USA, Aug. 2015, pp. 260–271, doi: 10.1145/2786805.2786816.

M. G. Jaatun and D. Soares Cruzes, “Care and feeding of your security champion,†in 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Jun. 2021, pp. 1–7, doi: 10.1109/CyberSA52016.2021.9478254.

I. M. Y. Woon and A. Kankanhalli, “Investigation of IS professionals’ intention to practise secure development of applications,†Int. J. Hum. Comput. Stud., vol. 65, no. 1, pp. 29–41, Jan. 2007, doi: 10.1016/j.ijhcs.2006.08.003.

M. Deschene, “Embracing security in all phases of the software development life cycle: A Delphi study,†Undergraduate thesis, 2016.

E. M. Rogers, “Diffusion of innovations/everett m. rogers.,†NY: Simon and Schuster, vol. 576, 2003.

S.-H. Hwang, J.-H. Lee, and Y. Hu, “Diffusion and adoption of smart media in china,†APJCRI, vol. 7, no. 12, pp. 67–77, Dec. 2021, doi: 10.47116/apjcri.2021.12.07.

M. A. Hameed and N. A. G. Arachchilage, “A conceptual model for the organizational adoption of information system security innovations,†in Security, privacy, and forensics issues in big data, R. C. Joshi and B. B. Gupta, Eds. IGI Global, 2020, pp. 317–339.

T. Lynn, X. Liang, A. Gourinovitch, J. Morrison, G. Fox, and P. Rosati, “Understanding the determinants of cloud computing adoption for high performance computing,†presented at the Hawaii International Conference on System Sciences, 2018, doi: 10.24251/HICSS.2018.489.

J. Kaminski, “Diffusion of innovation theory.,†Canadian Journal of Nursing Informatics, vol. 6, no. 2, pp. 1–6, 2011.

A. M. AlBar and Md. R. Hoque, “Factors affecting cloud ERP adoption in Saudi Arabia: An empirical study,†Information Development, vol. 35, no. 1, pp. 150–164, Jan. 2019, doi: 10.1177/0266666917735677.