This study aims to explore the relation between conflict in the project team and user resistance to change in software projects. Following a cross-sectional research design, a survey was conducted among the 1,000 largest companies in Slovenia (N = 114). The results of PLS-SEM analysis indicate that task and process conflicts in the project team are associated with user resistance. This study is among the first to associate conflict within the project team with user resistance in the implementing organization. It is also one of the first studies to investigate the relations between different types of conflict and user resistance. Project managers may invest resources into adequately managing conflicts within the project team related to tasks in which the project team interacts with users of the developed software, in order to lower user resistance. Projects with poorly defined roles (e.g., agile and information security projects) may be more prone to user resistance than projects with clearly defined roles.
Critical success and failure factors of software projects have been extensively studied. However, software project risk management has rarely researched organizational risks, even though most problems occur when the social aspects are not addressed. By employing the resistance to change theory, our paper develops an organizational risk diagnosing (ORD) framework in order to show how organizational risks can be better understood and managed. Organizational risk factors may have non-trivial underlying root causes. A failure to diagnose them may result in ineffective risk responses that address only the symptoms. A case study of a loan application software project was conducted in one of the biggest banks in South-Eastern Europe. An analysis of the risk management process in the studied case allows a better understanding of organizational risk management.
• Hardly detectable root causes may underlie organizational risks in software projects.
• Discussing various stakeholder views helps diagnose organizational risks.
• Checklists alone may not be effective for managing organizational risks.
• Defined the difference between “user resistance” and “stakeholder resistance”.
• A novel resistance checklist based on extant research.
Different activities, artifacts, and roles can be found in the literature on the agile engineering of secure software (AESS). The purpose of this paper is to consolidate them and thus identify key activities, artifacts, and roles that can be employed in AESS. To gain initial sets of activities, artifacts, and roles, the literature was first extensively reviewed. Activities, artifacts, and roles were then cross-evaluated with similarity matrices. Finally, similarity matrices were converted into distance matrices, enabling the use of Ward’s hierarchical clustering method for consolidating activities, artifacts, and roles into clusters. Clusters of activities, artifacts, and roles were then named as key activities, artifacts, and roles. We identified seven key activities (i.e., security auditing, security analysis and testing, security training, security prioritization and monitoring, risk management, security planning and threat modeling, and security requirements engineering), five key artifacts (i.e., security requirement artifacts, security repositories, security reports, security tags, and security policies), and four key roles (i.e., security guru, security developer, penetration tester, and security team) in AESS. The identified key activities, artifacts, and roles can be used by software development teams to improve their software engineering processes in terms of software security.
Users of information systems are the weakest link in information security. Considering their current information security performance is essential for improving information security training. User segmentation can help to improve information security training by dividing users into smaller groups based on their information security performance. In this paper, we present a segmented approach for information security training of users. To test the approach, we used data collected from students at a Slovenian university (N = 165) with the Human Aspects of Information Security Questionnaire (HAIS-Q). HAIS-Q data were used to divide users into groups according to their information security performance via clustering. The proposed approach inherently balances the adaptation of training to the needs of users against the effort needed to achieve it, which maximizes the key benefits of existing information security training approaches. With improved personalization, it mitigates the challenges of boring training and a lack of user motivation, which are emblematic of traditional information security training approaches. The proposed approach also offers some flexibility regarding the degree of personalization and the effort related to information security training by fine-tuning the number of user groups. Finally, the proposed approach can help to identify beneficial software security requirements during the development of new information systems.
Increasingly sophisticated cyberattacks often systematically target organizational insiders. Their motivation for self-protection therefore plays an important role in the cybersecurity of organizations. Protection motivation studies in the information security literature are largely based on the protection motivation theory (PMT) without proper adaptation to the organizational context. Additionally, only a few studies consider the role of fear in protection motivation, although PMT itself is based on fear appeals. This paper aims to revise PMT to better fit the organizational context of organizational insiders. A survey was conducted among academics (N = 255) at six Slovenian universities to reexamine threat appraisals of organizational insiders, and the mediating and moderating roles of fear of cyberattacks in protection motivation. CB-SEM analysis of the survey data supports the distinction between appraisals of threats to the individual and to the organization. It also supports differentiating between perceived threats and fear of cyberattacks. Although we did not find support for the mediating role of fear of cyberattacks, perceived threats may mediate the association between perceived severity and vulnerability, and protection motivation. Only the perceived vulnerability of the individual and the perceived severity of consequences for the organization affect perceived threats. Perceived threats and measure efficacy influence protection motivation. Fear of cyberattacks dampens the positive relationship between self-efficacy and protection motivation. Self-efficacy influences protection motivation only when fear of cyberattacks is low. Interventions aiming to increase protection motivation need to focus on raising the perceived vulnerability of individuals, emphasizing the consequences for the organization, and increasing the efficacy of self-protective measures. Interventions aiming to improve self-efficacy may be effective only when there is low fear of cyberattacks and can be avoided when high fear of cyberattacks is expected.