Understanding Challenges to Adoption of the Protection Poker Software Security Game

  • Inger Anne Tøndel
  • Martin Gilje Jaatun
  • Daniela Cruzes
  • Tosin Daniel Oyetoyan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11387)


Currently, security requirements are often neglected in agile projects. Despite many approaches to agile security requirements engineering in the literature, there is little empirical research available on why adoption of these techniques is limited. In this paper we describe a case study on challenges facing adoption of the Protection Poker game, a collaborative and lightweight software security risk estimation technique that is particularly suited for agile teams. Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits identified include good discussions on security and the development project, increased knowledge and awareness of security, and contributions to security requirements. Challenges include managing discussions and the time it takes to play, ensuring confidence in the results from playing the game, and integrating results in a way that improves security of the end-product.



This work was supported by the SoS-Agile: Science of Security in Agile Software Development project, funded by the Research Council of Norway (grant number 247678). Thanks to the course organizers (Prof. Jon Atle Gulla and Prof. John Krogstie) and the participating students at NTNU. Thanks to Prof. Pekka Abrahamsson and Prof. Laurie Williams for input on the study design.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Inger Anne Tøndel (1, 2)
  • Martin Gilje Jaatun (2)
  • Daniela Cruzes (2)
  • Tosin Daniel Oyetoyan (2)

  1. Department of Computer Science, Norwegian University of Science and Technology (NTNU), Trondheim, Norway
  2. Department of Software Engineering, Safety and Security, SINTEF Digital, Trondheim, Norway
