Integrating security into agile software development : A case study on the role of inertia

Abstract: The security directives at Ericsson Group IT have recently been re-worked to apply to modern security requirements. For Ericsson's software development teams developing internal applications, security tools have been implemented into the daily workflow to follow these new directives. Before, security mainly was considered during the reviews and scheduled assessments of the software projects. The goal of these new tools is to add security to every part of the software development process. Security thus adds to the scope of work of the developers at Ericsson Group IT, which has, in the past, evolved from being solely a developer to being responsible for development and operations to development, security and operations. However, adding methods and tools to the developer's workflow can create inertia and friction in daily work. We intend to apply the concept of inertia to agile work practices to examine how small-scale projects are affected when new security tools and methods are introduced and implemented in the agile workflow. Research suggests that linked processes and methods should be put in place to achieve desirable results from the implemented tools and be integrated into the team's agile methodologies. The thesis aims to identify the factors that affect inertia by investigating and analysing the developers' use of methods and tools. As for data collection, a pilot study and a case study were applied to a team at Ericsson Group IT. The data was collected through qualitative surveys conducted on twelve proven factors regarding successfulness in work implementations. The data was then analysed through the Gioia methodology by compiling the collected data into first-order concepts and linking them to familiar second-order themes. These themes were then translated into aggregate dimensions synthesised from the study's theoretical framework. The results showed that several factors affected the change process: personnel training and education, appropriate communication, and adaptability to the change process. These are all factors attributing inertia to the change process, and awareness of these can help mitigate and facilitate a successful change process. Streamlining successful change processes is vital when integrating security as a requirement into an agile software development team.