An empirical investigation of agile information systems development for cybersecurity

Ardo, AA, Bass, J ORCID: and Gaber, T ORCID: 2022, An empirical investigation of agile information systems development for cybersecurity , in: 18th European, Mediterranean and Middle Eastern Conference on Information Systems (EMCIS) 2021, 8th-9th December 2021, Online.

[img] PDF - Accepted Version
Restricted to Repository staff only until 16 February 2023.

Download (239kB) | Request a copy
Access Information: This version of the contribution has been accepted for publication, after peer review (when applicable) but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: Use of this Accepted Version is subject to the publisher’s Accepted Manuscript terms of use


Cybersecurity has been identified as a major challenge confronting the digital world, neglecting cybersecurity techniques during software design and development increases the risk of malicious attacks. Thus, there is a need to make security an integral part of the agile information system development process. In this exploratory study, we empirically explore the agile security practices adopted by software developers and security professionals. Data was collected by conducting ten semi-structured interviews with agile practitioners from seven companies in the United Kingdom (UK). The study was conducted between August – November 2020. An approach informed by grounded theory was used for data analysis including Open coding, Memoing, Constant comparison and Theoretical saturation. The security practices identified in this study were categorized into roles, ceremonies and artefacts and mapped onto the different phases of the Software Development Lifecycle (SDLC). We discovered practitioners use five artefacts: security backlog documentation, software security baseline standards, security test plan templates, information security and security audit checklists; and that there are more artefacts than roles and ceremonies. Also, while most practitioners rely on automated tools for software security testing, only one practitioner mentioned conducting security tests manually. These practices that we have identified comprise a novel taxonomy which form the main research contribution of this paper.

Item Type: Conference or Workshop Item (Paper)
Schools: Schools > School of Computing, Science and Engineering
Journal or Publication Title: Information Systems 18th European, Mediterranean, and Middle Eastern Conference, EMCIS 2021, Virtual Event, December 8–2, 2021, Proceedings
Publisher: Springer
Series Name: Lecture Notes in Business Information Processing
ISBN: 9783030959463 (softcover); 9783030959470 (ebook)
ISSN: 1865-1348
Related URLs:
Depositing User: ABDULHAMID ALIYU Ardo
Date Deposited: 17 Jan 2022 10:32
Last Modified: 01 Mar 2022 16:15

Actions (login required)

Edit record (repository staff only) Edit record (repository staff only)


Downloads per month over past year