Consistent with theory of planned behaviour (TPB) and theory of reasoned action (TRA) predictions, attitude and subjective norm were found to significantly impact intention to practise secure development of applications (SDA) for the overall survey sample. Attitude was in turn determined by product usefulness and career usefulness of SDA, while subjective norm was determined by interpersonal influence, but not by external influence. Contrary to TPB predictions, perceived behavioural controls, conceptualized in terms of self-efficacy and facilitating conditions, had no significant effect on intention to practise SDA.
Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
---|---|---|---|---|---|---|---|
Product usefulness | Iivari, 1996; Green, 1999 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Career usefulness | Chau, 1996; Johnson et al., 1999; Compeau et al., 1999; Thompson et al., 1991 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
External influence | Pedersen, 2001; Bhattacherjee, 2000; Johnson et al., 1999 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Interpersonal influence | Pedersen, 2001; Bhattacherjee, 2000; Karahanna et al., 1999; Taylor, 1995 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Self-efficacy | Bhattacherjee, 2000; Taylor, 1995; Pedersen, 2001 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Facilitating conditions | Pedersen, 2001; Bhattacherjee, 2000; Thompson et al., 1991; Venkatesh, 2000; Mathieson, 1991 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Attitude | Taylor, 1995 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Subjective norm | Taylor, 1995; Bhattacherjee, 2000 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Behavioural intention | Agarwal, 2000; Taylor, 1995 | | yes | feedback from 3 experts | none | 7-point Likert scale from "strongly disagree" (1) to "strongly agree" (7) | |
Irene M. Y. Woon and Atreyi Kankanhalli. Investigation of IS professionals' intention to practise secure development of applications. International Journal of Human-Computer Studies, 65(1):29–41, January 2007. doi:10.1016/j.ijhcs.2006.08.003.
@article{woon_investigation_2007,
abstract = {It is well known that software errors may lead to information security vulnerabilities, the breach of which can have considerable negative impacts for organizations. Studies have found that a large percentage of security defects in e-business applications are due to design-related flaws, which could be detected and corrected during applications development. Traditional methods of managing software application vulnerabilities have often been ad hoc and inadequate. A recent approach that promises to be more effective is to incorporate security requirements as part of the application development cycle. However, there is limited practice of secure development of applications (SDA) and lack of research investigating the phenomenon. Motivated by such concerns, the goal of this research is to investigate the factors that may influence the intention of information systems (IS) professionals to practise SDA, i.e., incorporate security as part of the application development lifecycle. This study develops two models based on the widely used theory of planned behaviour (TPB) and theory of reasoned action (TRA) to explain the phenomenon. Following model operationalization, a field survey of 184 IS professionals was conducted to empirically compare the explanatory power of the TPB-based model versus the TRA-based model. Consistent with TPB and TRA predictions, attitude and subjective norm were found to significantly impact intention to practise SDA for the overall survey sample. Attitude was in turn determined by product usefulness and career usefulness of SDA, while subjective norm was determined by interpersonal influence, but not by external influence. Contrary to TPB predictions, perceived behavioural controls, conceptualized in terms of self-efficacy and facilitating conditions, had no significant effect on intention to practise SDA. Thus, a modified TRA-based model was found to offer the best explanation of behavioural intention to practise SDA. 
Implications for research and information security practice are suggested.},
author = {Woon, Irene M. Y. and Kankanhalli, Atreyi},
doi = {10.1016/j.ijhcs.2006.08.003},
issn = {1071-5819},
journal = {International Journal of Human-Computer Studies},
month = {January},
number = {1},
pages = {29-41},
series = {Information security in the knowledge economy},
title = {Investigation of {{IS}} Professionals' Intention to Practise Secure Development of Applications},
volume = {65},
year = {2007}
}