As software security zealots, we sometimes forget the human aspect of software development. Why wouldn't developers and organizations do every available security activity to make their software more secure? Isn't security indispensable? Isn't security king? There are some obvious reasons why they can't. For example, a lot of software security practices can be costly to implement in purely financial or time terms. However, there are also human factors that we don't always consider, so we might need to borrow from the field of sociology to answer those questions.

Diffusion of Innovation theory was popularized by Everett Rogers, a professor of sociology who worked with farmers in rural Iowa, in his seminal work, aptly named *Diffusion of Innovations*. Rogers sought to explain why certain innovations spread at different rates amongst members of a social system. He identified a number of characteristics and factors that affect the rate of adoption. In particular, he found five attributes of innovations themselves that he believed helped explain why some innovations were adopted faster than others: relative advantage, complexity, compatibility, observability, and trialability [1].

So how can farmers in Iowa from the 1950s help us understand software security practices? A lot, actually. An organization is reluctant to adopt a security idea unless it sees tangible value in changing its current practices (relative advantage) that outweighs the potential difficulty (complexity); at the same time, the new practice has to be compatible with the organization's norms and existing practices (compatibility). The organization might not even be aware of the security practice if it's not easy to see the results amongst its peer organizations (observability), and it's more likely to adopt a security practice that can be tested on a limited basis and doesn't need to be adopted all at once (trialability).

At Security Innovation, these factors play a significant role in the approach we take when conducting Secure SDLC Assessments & Optimization services for our clients. There is an abundance of professionals who can simply waltz in and recommend a regurgitated list of best software security practices. However, unless they have the ability and insight to tailor their recommendations based on the unique impact, cultural fit, and ease of adoption, you are probably better served Googling the list yourself. This is why we immerse ourselves in your organization: to accurately capture ground truth and understand your organization's values, and then place them in the context of a secure SDLC roadmap plan.

There is a plethora of other innovation attributes that have been studied that could supplement the Diffusion of Innovation theory [2], and the theory has been used for years in the field of information systems [3]; however, I have yet to see it applied specifically to information security.

Because the software security problem can only be solved through the widespread adoption of a well-defined and repeatable approach to secure software development, I'm particularly interested in why certain security practices are more popular in software security programs than others. I'm currently working on an academic paper on this topic and actively recruiting participants with experience in secure SDLCs and deploying software security initiatives. If you're interested in participating or have comments about my research, feel free to reach out to me at zdehlawi@securityinnovation.com.

[1] Rogers, E. 2003. Diffusion of Innovations. 5th edition. New York: Free Press. http://www.amazon.com/Diffusion-Innovations-5th-Everett-Rogers/dp/0743222091.

[2] Oliveira, T., and M. F. Martins. 2011. “Literature Review of Information Technology Adoption Models at Firm Level.” Electronic Journal of Information Systems Evaluation 14 (1): 110–21. https://www.researchgate.net/publication/258821009_Literature_Review_of_Information_Technology_Adoption_Models_at_Firm_Level

[3] Tornatzky, L.G., and K.J. Klein. 1982. “Innovation Characteristics and Innovation Adoption-Implementation: A Meta-Analysis of Findings.” IEEE Transactions on Engineering Management EM-29 (1): 28–45. https://www.researchgate.net/publication/238746548_Innovation_Characteristics_and_Innovation_Adoption-Implementation_A_Meta_Analysis_of_Findings