Investigation of IS professionals' intention to practise secure development of applications

It is well known that software errors may lead to information security vulnerabilities, the breach of which can have considerable negative impacts for organizations. Studies have found that a large percentage of security defects in e-business applications are due to design-related flaws, which could be detected and corrected during applications development. Traditional methods of managing software application vulnerabilities have often been ad hoc and inadequate. A recent approach that promises to be more effective is to incorporate security requirements as part of the application development cycle. However, there is limited practice of secure development of applications (SDA) and lack of research investigating the phenomenon. Motivated by such concerns, the goal of this research is to investigate the factors that may influence the intention of information systems (IS) professionals to practise SDA, i.e., incorporate security as part of the application development lifecycle. This study develops two models based on the widely used theory of planned behaviour (TPB) and theory of reasoned action (TRA) to explain the phenomenon. Following model operationalization, a field survey of 184 IS professionals was conducted to empirically compare the explanatory power of the TPB-based model versus the TRA-based model. Consistent with TPB and TRA predictions, attitude and subjective norm were found to significantly impact intention to practise SDA for the overall survey sample. Attitude was in turn determined by product usefulness and career usefulness of SDA, while subjective norm was determined by interpersonal influence, but not by external influence. Contrary to TPB predictions, perceived behavioural controls, conceptualized in terms of self-efficacy and facilitating conditions, had no significant effect on intention to practise SDA. Thus, a modified TRA-based model was found to offer the best explanation of behavioural intention to practise SDA. Implications for research and information security practice are suggested. r 2006 Elsevier Ltd. All rights reserved.