Another issue related to the effectiveness of a Scrum team is the ability to manage security requirements. The participants were asked if they were able to manage security requirements to see if the inclusion of an SO would have any effect on this ability. In reference to managing security requirements, the results also showed a contrast between the two participant groups. For the group with the Security Owner, half of the participants agreed with the idea that they were able to manage security requirements and a quarter of them strongly agreed (see Table 6.5).
| Participants’ response | Frequency | Valid percent | Cumulative percent |
|---|---|---|---|
| Strongly disagree | 0 | 0.0 | 0.0 |
| Disagree | 4 | 6.9 | 6.9 |
| Neutral | 10 | 17.2 | 24.1 |
| Agree | 29 | 50.0 | 74.1 |
| Strongly agree | 15 | 25.9 | 100.0 |
| Total | 58 | 100.0 | |
This was in contrast to the group without the Security Owner and UMLsec, where there was a much higher level of disagreement, with 47.2 percent of participants disagreeing with this idea. This sharp contrast in the results is a clear indication that the presence of an SO had a strong positive effect on the management of security requirements. However, although this statement may show a strong influence from the presence of an SO, it does not show how this may occur. The following statements concern receiving effective advice about managing security requirements and finding it easy to prioritise security requirements, and they are designed to further elaborate on the general idea of effectively managing security requirements. The results for these statements are presented below.
6.3.1 Advised about managing security requirements
As discussed above, the statement here is about receiving advice about managing security requirements, which is more direct and reflective of the actions of the SO. Within the agile development process, team members are engaged in the practical implementation of security requirements as well as considering security requirements both in the sprints and the sprint meetings. Therefore, it is important for team members to receive advice from a member who has more ability and focus on security than themselves. The statement was presented to see if the participants would perceive that they receive more advice in the presence of the SO. For the group with the Security Owner and UMLsec there was a much stronger level of agreement with this idea than the group without (see Tables 6.6, 6.7). Therefore, with the presence of a Security Owner, team members felt that they received more advice about security requirements management. Although the statement does not specify who the advice comes from, the very presence of the SO increases agreement with the idea that advice is received, so whether the advice comes from the SO or another team member, the overall effect of the presence of the SO is positive in this sense.
| Participants’ response | Frequency | Valid percent | Cumulative percent |
|---|---|---|---|
| Strongly disagree | 0 | 0.0 | 0.0 |
| Disagree | 6 | 10.3 | 10.3 |
| Neutral | 0 | 0.0 | 0.0 |
| Agree | 30 | 51.7 | 51.7 |
| Strongly agree | 22 | 38 | 100.0 |
| Total | 58 | 100.0 | |

Table 6.6: You received effective advice about security requirements to help with security requirements management (with SO and UMLsec)
| Participants’ response | Frequency | Valid percent | Cumulative percent |
|---|---|---|---|
| Strongly disagree | 12 | 23.1 | 23.1 |
| Disagree | 14 | 26.9 | 50.0 |
| Neutral | 8 | 15.4 | 65.4 |
| Agree | 18 | 34.6 | 100.0 |
| Strongly agree | 0 | 0.0 | 100.0 |
| Total | 52 | 100.0 | |

Table 6.7: You received effective advice about security requirements to help with security requirements management (without SO and UMLsec)
6.3.2 Prioritising security requirements
Additionally, within the overall management of security requirements is the ability to prioritise security requirements; this is required within the Scrum framework as part of planning the sprints. Moreover, considering this prioritisation further elaborates on where the SO can be effective in terms of management of security requirements. In reference to the statement about whether or not the participants found it easy to prioritise security requirements, there was a level of agreement with this idea for the group with the Security Owner and UMLsec (32.8 percent strongly agree and 46.6 percent agree), although some of the participants expressed neutrality about this idea (10.3 percent). As for the group without, there was more disagreement with this idea (see Tables 6.8, 6.9).
| Participants’ response | Frequency | Valid percent | Cumulative percent |
|---|---|---|---|
| Strongly disagree | 0 | 0.0 | 0.0 |
| Disagree | 6 | 10.3 | 10.3 |
| Neutral | 6 | 10.3 | 20.6 |
| Agree | 27 | 46.6 | 67.2 |
| Strongly agree | 19 | 32.8 | 100.0 |
| Total | 58 | 100.0 | |
| Participants’ response | Frequency | Valid percent | Cumulative percent |
|---|---|---|---|
| Strongly disagree | 6 | 11.5 | 11.5 |
| Disagree | 26 | 50.0 | 61.5 |
| Neutral | 10 | 19.2 | 80.8 |
| Agree | 10 | 19.2 | 100.0 |
| Strongly agree | 0 | 0 | 100.0 |
| Total | 52 | 100.0 | |

Table 6.9: You found it easy to prioritise security requirements (without UMLsec and SO)
The higher level of agreement with this idea shows that the inclusion of a Security Owner role and UMLsec makes it easier for the Scrum team members to prioritise security requirements. Therefore, the results show that the fourth hypothesis (H4) is supported, that the Security Owner will help the team members to prioritise security requirements. The fact that without the SO and UMLsec the participants did not find it easy to prioritise security requirements further supports the hypothesis. Again, although there is no clear evidence that the SO directly helped in prioritising security requirements, their presence has a positive effect.
You find it easy to prioritise security requirements:

| | Levene's Test: F | Levene's Test: Sig. | t | df | Sig. (2-tailed) |
|---|---|---|---|---|---|
| Equal variances assumed | 1.938 | .167 | 8.736 | 108 | .000 |
| Equal variances not assumed | | | 8.730 | 106.401 | .000 |

| | Mean Difference | Std. Error Difference | 95% Confidence Interval of the Difference: Lower | 95% Confidence Interval of the Difference: Upper |
|---|---|---|---|---|
| Equal variances assumed | 1.556 | .178 | 1.203 | 1.909 |
| Equal variances not assumed | 1.556 | .178 | 1.202 | 1.909 |

Table 6.10 Independent Samples Test - You find it easy to prioritise security requirements
For the statistical difference between the two groups in response to the statement ‘You find it easy to prioritise security requirements’, the null hypothesis would be that there is no difference between the results of the two groups, meaning that the presence of a Security Owner role and UMLsec would not make the respondents feel that they found it easy to prioritise security requirements. However, the results show that the null hypothesis is rejected because the independent samples t-test shows less than 0.001 at 0.000 (Sig. 2-tailed) (Table 6.10), which shows there is no significant relationship between the two groups. Moreover, there is a 95 percent confidence level that the mean difference in agreement with the statement that respondents found it easy to prioritise security requirements between the ‘with’ and ‘without’ groups was between 1.203 and 1.909 (Table 6.10). Therefore, attitudes to this statement do differ between the two different groups.
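The figures in Table 6.10 can be recomputed from the response counts in Tables 6.8 and 6.9. The following is an added example, not part of the original study; it assumes the responses were coded 1 (Strongly disagree) to 5 (Strongly agree) and uses an approximate two-tailed critical value of 1.982 for 108 degrees of freedom.

```python
import math

# Response counts from Tables 6.8 and 6.9, ordered
# Strongly disagree, Disagree, Neutral, Agree, Strongly agree.
WITH_SO = [0, 6, 6, 27, 19]       # n = 58 (with SO and UMLsec)
WITHOUT_SO = [6, 26, 10, 10, 0]   # n = 52 (without SO and UMLsec)
SCORES = [1, 2, 3, 4, 5]          # assumed Likert coding, not stated on the page
T_CRIT_DF108 = 1.982              # assumed two-tailed 5% critical value, df = 108


def summarise(freqs):
    """Return (n, mean, sample variance) for grouped Likert counts."""
    n = sum(freqs)
    mean = sum(s * f for s, f in zip(SCORES, freqs)) / n
    var = sum(f * (s - mean) ** 2 for s, f in zip(SCORES, freqs)) / (n - 1)
    return n, mean, var


def independent_samples_test(a, b):
    """Pooled-variance and Welch t statistics for two groups of counts."""
    n1, m1, v1 = summarise(a)
    n2, m2, v2 = summarise(b)
    diff = m1 - m2
    # "Equal variances assumed" row: pooled variance, df = n1 + n2 - 2.
    pooled = ((n1 - 1) * v1 + (n2 - 1) * v2) / (n1 + n2 - 2)
    se_pooled = math.sqrt(pooled * (1 / n1 + 1 / n2))
    # "Equal variances not assumed" row: Welch-Satterthwaite df.
    q1, q2 = v1 / n1, v2 / n2
    se_welch = math.sqrt(q1 + q2)
    df_welch = (q1 + q2) ** 2 / (q1 ** 2 / (n1 - 1) + q2 ** 2 / (n2 - 1))
    half_width = T_CRIT_DF108 * se_pooled
    return {
        "mean_diff": diff,
        "t_pooled": diff / se_pooled,
        "df_pooled": n1 + n2 - 2,
        "se_pooled": se_pooled,
        "t_welch": diff / se_welch,
        "df_welch": df_welch,
        "ci_pooled": (diff - half_width, diff + half_width),
    }


if __name__ == "__main__":
    for name, value in independent_samples_test(WITH_SO, WITHOUT_SO).items():
        print(name, value)
```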
The responses to the qualitative questions in the questionnaire for those with a Security Owner showed that participants were content with the approach that they used. Specifically, in response to question 19, which read as follows: ‘In consideration of the approach to security requirements that you engaged with in the experiment, what are your opinions about the security requirements consideration?’, participants emphasised that the consideration of security requirements was something that they did collectively, as the following statement shows:
We work together to consider security requirements as we need input from all the members (with UMLsec and SO)
Although they did not mention the Security Owner directly, they did say that security requirements consideration was a process that went smoothly.
I find it easy to consider security requirements as we discussed them collectively and helped each other (UMLsec and SO)
There was also mention of the use of UMLsec:
Modelling the security requirements using UMLsec was completely new to me but I was fine with it (UMLsec and SO)
The group that did not include the Security Owner were also positive about security requirements consideration; however, they did not mention anything about teamwork or the ease of the process, unlike the other group. Therefore, the results here show that the presence of a Security Owner had a positive effect on teamwork and the ease of the process of security requirements consideration.