Search results

1 – 1 of 1
Per page
102050
Citations:
Loading...
Access Restricted. View access options
Article
Publication date: 17 June 2019

Inger Anne Tøndel, Martin Gilje Jaatun, Daniela Soares Cruzes and Laurie Williams

Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a…

752

Abstract

Purpose

Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a collaborative and lightweight software security risk-estimation technique that is particularly suited for agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into the agile practices.

Design/methodology/approach

Protection Poker was studied in capstone projects, in teams doing a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews.

Findings

Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions on security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and gaining impact on the end product.

Research limitations/implications

Using students allowed easy access to subjects and an ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions on Protection Poker.

Originality/value

The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.

Details

Information & Computer Security, vol. 27 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

1 – 1 of 1
Per page
102050