{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:48:39Z","timestamp":1759092519655},"reference-count":47,"publisher":"IGI Global","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017,10]]},"abstract":"<jats:p>When working with software security in a risk-centric way, development projects become equipped to make decisions on how much security to include and what type of security pays off. This article presents the results of a study made among 23 public organisations, mapping their risk-centric activities and practices, and challenges for implementing them. The authors found that their software security practices were not based on an assessment of software security risks, but rather driven by compliance. Additionally, their practices could in many cases be characterised as arbitrary, late and error driven, with limited follow up on any security issues throughout their software development projects. Based on the results of the study, the authors identified the need for improvements in three main areas: responsibilities and stakeholder cooperation; risk perception and competence; and practical ways of doing risk analysis in agile projects.<\/jats:p>","DOI":"10.4018\/ijsse.2017100101","type":"journal-article","created":{"date-parts":[[2018,4,16]],"date-time":"2018-04-16T09:12:29Z","timestamp":1523869949000},"page":"1-30","source":"Crossref","is-referenced-by-count":16,"title":["Risk Centric Activities in Secure Software Development in Public Organisations"],"prefix":"10.4018","volume":"8","author":[{"given":"Inger Anne","family":"T\u00f8ndel","sequence":"first","affiliation":[{"name":"Department of Computer Science, Norwegian University of Science and Technology (NTNU), Trondheim, Norway & SINTEF Digital, Trondheim, Norway"}]},{"given":"Martin Gilje","family":"Jaatun","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, Safety & Security, SINTEF Digital, Trondheim, Norway"}]},{"given":"Daniela Soares","family":"Cruzes","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, Safety & Security, SINTEF Digital, Trondheim, Norway"}]},{"given":"Nils Brede","family":"Moe","sequence":"additional","affiliation":[{"name":"SINTEF Digital, Trondheim, Norway"}]}],"member":"2432","reference":[{"key":"IJSSE.2017100101-0","doi-asserted-by":"crossref","unstructured":"Baca, D., Boldt, M., Carlsson, B., & Jacobsson, A. (2015, August 24-27). A Novel Security-Enhanced Agile Software Development Process Applied in an Industrial Setting. Paper presented at the 2015 10th International Conference on Availability, Reliability and Security.","DOI":"10.1109\/ARES.2015.45"},{"key":"IJSSE.2017100101-1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2008.03.059"},{"key":"IJSSE.2017100101-2","author":"K.Beck","year":"2000","journal-title":"Extreme programming explained: embrace change"},{"key":"IJSSE.2017100101-3","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2014.2298011"},{"key":"IJSSE.2017100101-4","author":"R. A.Caralli","year":"2007","journal-title":"OCTAVE Allegro: Improving the Information Security Risk Assessment Process (CMU\/SEI-2007-TR-012 ESC-TR-2007-012)"},{"key":"IJSSE.2017100101-5","unstructured":"Chandra, P. (2008). Software assurance maturity model. Retrieved from Cruzes, D. S., & ben Othmane, L. (2017). Threats to Validity in Empirical Software Security Research. In L. ben Othmane, M. G. Jaatun, & E. Weippl (Eds.), Empirical Research for Software Security: Foundations and Experience (pp. 277-302). CRC Press."},{"issue":"11","key":"IJSSE.2017100101-6","doi-asserted-by":"crossref","first-page":"131","DOI":"10.1109\/2.963450","article-title":"Agile software development, the people factor.","volume":"34","author":"A.Cockburn","year":"2001","journal-title":"Computer"},{"key":"IJSSE.2017100101-7","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2006.30"},{"key":"IJSSE.2017100101-8","unstructured":"Deleersnyder, S., Win, B. D., & Glas, B. (2017). Software Assurance Maturity Model - How To Guide - A Guide to Building Security Into Software Development. Retrieved from https:\/\/github.com\/OWASP\/samm\/blob\/master\/v1.5\/Final\/SAMM_How_To_V1-5_FINAL.pdf"},{"key":"IJSSE.2017100101-9","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9524-2"},{"key":"IJSSE.2017100101-10","unstructured":"Eclipse. (2016). Eclipse Process Framework (EPF). Retrieved from http:\/\/www.eclipse.org\/epf\/"},{"issue":"2","key":"IJSSE.2017100101-11","doi-asserted-by":"crossref","first-page":"58","DOI":"10.1109\/MSP.2010.117","article-title":"Verification, validation, and evaluation in information security risk management.","author":"S.Fenz","year":"2010","journal-title":"IEEE Security and Privacy"},{"key":"IJSSE.2017100101-12","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2015.06.063"},{"key":"IJSSE.2017100101-13","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2004.11.002"},{"issue":"7","key":"IJSSE.2017100101-14","first-page":"8","article-title":"A Review of Risk Management in Different Software Development Methodologies.","volume":"45","author":"H.Hijazi","year":"2012","journal-title":"International Journal of Computers and Applications"},{"key":"IJSSE.2017100101-15","volume":"Vol. 2016","author":"M.Howard","year":"2006","journal-title":"The Security Development Lifecycle: A Process for Developing Demonstrably More Secure Software"},{"issue":"1","key":"IJSSE.2017100101-16","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1177\/875697280003100106","article-title":"Assessing project management maturity.","volume":"31","author":"C. W.Ibbs","year":"2000","journal-title":"Project Management Journal"},{"key":"IJSSE.2017100101-17","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.06.003"},{"key":"IJSSE.2017100101-18","unstructured":"ISO\/IEC. (2011). ISO\/IEC 27005:2011 Information technology \u2013 Security techniques \u2013 Information security risk management."},{"key":"IJSSE.2017100101-19","first-page":"120","author":"M. G.Jaatun","year":"2015","journal-title":"Software Security Maturity in Public Organisations. In Information Security"},{"key":"IJSSE.2017100101-20","doi-asserted-by":"publisher","DOI":"10.1016\/j.jcss.2014.02.005"},{"issue":"2","key":"IJSSE.2017100101-21","first-page":"10","article-title":"An Investigation Of Organizational Information Security Risk Analysis.","volume":"3","author":"Z.Jourdan","year":"2010","journal-title":"Journal of Service Science"},{"key":"IJSSE.2017100101-22","doi-asserted-by":"publisher","DOI":"10.1109\/ICGSEW.2012.18"},{"key":"IJSSE.2017100101-23","doi-asserted-by":"crossref","unstructured":"Kongsli, V. (2006). Towards agile security in web applications. Paper presented at the Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications.","DOI":"10.1145\/1176617.1176727"},{"key":"IJSSE.2017100101-24","volume":"Vol. 75","author":"Y. S.Lincoln","year":"1985","journal-title":"Naturalistic inquiry"},{"key":"IJSSE.2017100101-25","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2004.1281254"},{"key":"IJSSE.2017100101-26","volume":"Vol. 1","author":"G.McGraw","year":"2006","journal-title":"Software security: building security in"},{"key":"IJSSE.2017100101-27","unstructured":"McGraw, G., Migues, S., & West, J. (2013). Building Security In Maturity Model (BSIMM-V). Retrieved from http:\/\/bsimm.com"},{"key":"IJSSE.2017100101-28","unstructured":"McGraw, G., Migues, S., & West, J. (2016). Building Security In Maturity Model (BSIMM7). Retrieved from http:\/\/bsimm.com"},{"key":"IJSSE.2017100101-29","unstructured":"Microsoft. (2009). Security Development Lifecycle for Agile Development. Retrieved from http:\/\/www.microsoft.com\/en-us\/SDL\/Discover\/sdlagile.aspx"},{"key":"IJSSE.2017100101-30","unstructured":"Nelson, C. R., Taran, G., & de Lascurain Hinojosa, L. (2008). Explicit Risk Management in Agile Processes. In P. Abrahamsson, R. Baskerville, K. Conboy, B. Fitzgerald, L. Morgan, & X. Wang (Eds.), Agile Processes in Software Engineering and Extreme Programming: 9th International Conference, XP 2008, Limerick, Ireland, June 10-14 (pp. 190-201). Berlin: Springer."},{"key":"IJSSE.2017100101-31","unstructured":"NIST. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems - A Security Life Cycle Approach (Special Publication 800-37). Retrieved from http:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-37r1.pdf"},{"key":"IJSSE.2017100101-32","unstructured":"Nyfjord, J., & Kajko-Mattsson, M. (2008). Integrating Risk Management with Software Development: State of Practice. Paper presented at the International MultiConference of Engineers and Computer Scientists, Hong Kong. Retrieved from http:\/\/www.iaeng.org\/publication\/IMECS2008\/IMECS2008_pp878-884.pdf"},{"key":"IJSSE.2017100101-33","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-017-0488-2"},{"key":"IJSSE.2017100101-34","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2015.118"},{"key":"IJSSE.2017100101-35","doi-asserted-by":"publisher","DOI":"10.4018\/IJSSE.2017010101"},{"key":"IJSSE.2017100101-36","doi-asserted-by":"publisher","DOI":"10.1145\/2998181.2998191"},{"key":"IJSSE.2017100101-37","doi-asserted-by":"publisher","DOI":"10.1111\/1467-9310.00243"},{"key":"IJSSE.2017100101-38","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.12.001"},{"key":"IJSSE.2017100101-39","article-title":"Focus groups","volume":"20","author":"D. W.Stewart","year":"2014","journal-title":"Theory into Practice"},{"key":"IJSSE.2017100101-40","doi-asserted-by":"publisher","DOI":"10.1145\/2460999.2461013"},{"key":"IJSSE.2017100101-41","doi-asserted-by":"publisher","DOI":"10.1111\/itor.12401"},{"key":"IJSSE.2017100101-42","unstructured":"T\u00f8ndel, I. A., Line, M. B., & Johansen, G. (2015). Assessing information security risks of AMI: What makes it so difficult? Paper presented at the 1st International Conference on Information Systems Security and Privacy 2015, Angers, France."},{"key":"IJSSE.2017100101-43","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.118"},{"key":"IJSSE.2017100101-44","author":"E.Wheeler","year":"2011","journal-title":"Security Risk Management"},{"key":"IJSSE.2017100101-45","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.58"},{"key":"IJSSE.2017100101-46","doi-asserted-by":"publisher","DOI":"10.1145\/2531602.2531722"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=204522","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,10,15]],"date-time":"2019-10-15T18:31:53Z","timestamp":1571164313000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/IJSSE.2017100101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2017,10]]},"references-count":47,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.4018\/ijsse.2017100101","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,10]]}}}