No Silver Bullet: Towards Demonstrating Secure Software Development for Small and Medium Enterprises in a Business-to-Business Model

Raha Asadi; Bodil Biering; Vincent van Dijk; Oksana Kulyk; Elda Paja

doi:10.48550/arXiv.2503.04293

No Silver Bullet: Towards Demonstrating Secure Software Development for Small and Medium Enterprises in a Business-to-Business Model

Raha Asadi
, Bodil Biering
, Vincent van Dijk
, Oksana Kulyk
, Elda Paja

Cyberjuice ApS
Security Scientist

Research output: Conference Article in Proceeding or Book/Report chapter › Article in proceedings › Research › peer-review

Abstract

Software developing small and medium enterprises (SMEs) play a crucial role as suppliers to larger corporations and public administration. It is therefore necessary for them to be able to demonstrate that their products meet certain security criteria, both to gain trust of their customers and to comply to standards that demand such a demonstration. In this study we have investigated ways for SMEs to demonstrate their security when operating in a business-to-business model, conducting semi-structured interviews (N=16) with practitioners from different SMEs in Denmark and validating our findings in a follow-up workshop (N=6). Our findings indicate five distinctive security demonstration approaches, namely: Certifications, Reports, Questionnaires, Interactive Sessions and Social Proof. We discuss the challenges, benefits, and recommendations related to these approaches, concluding that none of them is a one-size-fits all solution and that more research into relative advantages of these approaches and their combinations is needed.

Original language	English
Title of host publication	Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems
Number of pages	17
Publisher	Association for Computing Machinery
Publication date	2025
DOIs	https://doi.org/10.48550/arXiv.2503.04293
Publication status	Published - 2025
Event	ACM Conference on Human Factors in Computing Systems - Yokohama, Japan Duration: 26 Apr 2025 → 1 May 2025 Conference number: 25 https://dblp.org/db/conf/chi/index.html https://chi2025.acm.org/ https://sigchi.org/events/chi-2025/ https://dl.acm.org/doi/proceedings/10.1145/3706598

Conference

Conference	ACM Conference on Human Factors in Computing Systems
Number	25
Country/Territory	Japan
City	Yokohama
Period	26/04/2025 → 01/05/2025
Internet address	https://dblp.org/db/conf/chi/index.html https://chi2025.acm.org/ https://sigchi.org/events/chi-2025/ https://dl.acm.org/doi/proceedings/10.1145/3706598

Keywords

Security
Commerce/Business
Qualitative methods

Access to Document

10.48550/arXiv.2503.04293Licence: CC BY

chi25-843Accepted author manuscript, 3.99 MBLicence: CC BY

aDESSO: Towards demonstrating secure software development for small and medium enterprises in a business-to-business model
Kulyk, O. (PI), Paja, E. (PI), Asadi, R. (CoI), Oppermann, N. (Admin) & Ibsen, P. (Admin)
DigitalLead
15/09/2023 → 31/03/2024
Project: Research

Cite this

@inproceedings{3162cddb6a8247f5b6b09d29c6207244,

title = "No Silver Bullet: Towards Demonstrating Secure Software Development for Small and Medium Enterprises in a Business-to-Business Model",

abstract = "Software developing small and medium enterprises (SMEs) play a crucial role as suppliers to larger corporations and public administration. It is therefore necessary for them to be able to demonstrate that their products meet certain security criteria, both to gain trust of their customers and to comply to standards that demand such a demonstration. In this study we have investigated ways for SMEs to demonstrate their security when operating in a business-to-business model, conducting semi-structured interviews (N=16) with practitioners from different SMEs in Denmark and validating our findings in a follow-up workshop (N=6). Our findings indicate five distinctive security demonstration approaches, namely: Certifications, Reports, Questionnaires, Interactive Sessions and Social Proof. We discuss the challenges, benefits, and recommendations related to these approaches, concluding that none of them is a one-size-fits all solution and that more research into relative advantages of these approaches and their combinations is needed.",

keywords = "Security, Commerce/Business, Qualitative methods",

author = "Raha Asadi and Bodil Biering and \{van Dijk\}, Vincent and Oksana Kulyk and Elda Paja",

year = "2025",

doi = "10.48550/arXiv.2503.04293",

language = "English",

booktitle = "Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems",

publisher = "Association for Computing Machinery",

address = "United States",

note = "ACM Conference on Human Factors in Computing Systems, CHI ; Conference date: 26-04-2025 Through 01-05-2025",

url = "https://dblp.org/db/conf/chi/index.html, https://chi2025.acm.org/, https://sigchi.org/events/chi-2025/, https://dl.acm.org/doi/proceedings/10.1145/3706598",

}

Asadi, R, Biering, B, van Dijk, V, Kulyk, O & Paja, E 2025, No Silver Bullet: Towards Demonstrating Secure Software Development for Small and Medium Enterprises in a Business-to-Business Model. in Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, ACM Conference on Human Factors in Computing Systems, Yokohama, Japan, 26/04/2025. https://doi.org/10.48550/arXiv.2503.04293

No Silver Bullet: Towards Demonstrating Secure Software Development for Small and Medium Enterprises in a Business-to-Business Model. / Asadi, Raha; Biering, Bodil; van Dijk, Vincent et al.
Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, 2025.

Research output: Conference Article in Proceeding or Book/Report chapter › Article in proceedings › Research › peer-review

TY - GEN

T1 - No Silver Bullet

T2 - ACM Conference on Human Factors in Computing Systems

AU - Asadi, Raha

AU - Biering, Bodil

AU - van Dijk, Vincent

AU - Kulyk, Oksana

AU - Paja, Elda

N1 - Conference code: 25

PY - 2025

Y1 - 2025

N2 - Software developing small and medium enterprises (SMEs) play a crucial role as suppliers to larger corporations and public administration. It is therefore necessary for them to be able to demonstrate that their products meet certain security criteria, both to gain trust of their customers and to comply to standards that demand such a demonstration. In this study we have investigated ways for SMEs to demonstrate their security when operating in a business-to-business model, conducting semi-structured interviews (N=16) with practitioners from different SMEs in Denmark and validating our findings in a follow-up workshop (N=6). Our findings indicate five distinctive security demonstration approaches, namely: Certifications, Reports, Questionnaires, Interactive Sessions and Social Proof. We discuss the challenges, benefits, and recommendations related to these approaches, concluding that none of them is a one-size-fits all solution and that more research into relative advantages of these approaches and their combinations is needed.

AB - Software developing small and medium enterprises (SMEs) play a crucial role as suppliers to larger corporations and public administration. It is therefore necessary for them to be able to demonstrate that their products meet certain security criteria, both to gain trust of their customers and to comply to standards that demand such a demonstration. In this study we have investigated ways for SMEs to demonstrate their security when operating in a business-to-business model, conducting semi-structured interviews (N=16) with practitioners from different SMEs in Denmark and validating our findings in a follow-up workshop (N=6). Our findings indicate five distinctive security demonstration approaches, namely: Certifications, Reports, Questionnaires, Interactive Sessions and Social Proof. We discuss the challenges, benefits, and recommendations related to these approaches, concluding that none of them is a one-size-fits all solution and that more research into relative advantages of these approaches and their combinations is needed.

KW - Security

KW - Commerce/Business

KW - Qualitative methods

U2 - 10.48550/arXiv.2503.04293

DO - 10.48550/arXiv.2503.04293

M3 - Article in proceedings

BT - Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems

PB - Association for Computing Machinery

Y2 - 26 April 2025 through 1 May 2025

ER -

No Silver Bullet: Towards Demonstrating Secure Software Development for Small and Medium Enterprises in a Business-to-Business Model

Abstract

Conference

Keywords

Access to Document

Fingerprint

Projects

aDESSO: Towards demonstrating secure software development for small and medium enterprises in a business-to-business model

Cite this