The Importance of Security Is in the Eye of the Beholder: Cultural, Organizational, and Personal Factors Affecting the Implementation of Security by Design

Security by design is a recommended approach, addressing end-to-end security and privacy in the design of software systems. To realize this approach, proactive security behavior is required from software developers. This research follows results from previous studies that suggest that personal and organizational characteristics influence security-related behaviors during the software design process. The research is aimed at gaining an in-depth understanding of proactive security behavior and the factors affecting it. Leveraging organization climate theory from organizational psychology, we propose a theoretical model, detailing different factors and their relations with proactive security behavior and test it in empirical settings. The empirical study was conducted in collaboration with an internationally distributed information technology enterprise and included a survey questionnaire completed by 499 software developers working in seven countries. The results of the survey confirm the moderation-mediation relations in the proposed model, revealing that organizational security climate and security self-efficacy are both positively associated with proactive security behavior, organizational security climate is positively associated with security self-efficacy, and cultures promoting individualism moderate the relationship between organizational security climate and security self-efficacy, thus impeding proactive security behavior. The body of knowledge of organizational psychology points to directions that can effectively be activated for improvement.

Keywords: software; security behavior; proactive security; design; security; psychology

Journal Title: IEEE Transactions on Software Engineering
Year Published: 2022
