    Getting Started with Corporate Open Source Governance: A Case Study Evaluation of Industry Best Practices

    Open source software usage in companies is on the rise, often resulting in lower development costs, higher quality, and quick availability of code. However, using open source software in products comes with legal, business, and technical risks. Experienced companies prevent and address these risks through corporate open source governance. In our previous work, we studied how top-tier companies got started with corporate open source governance. We proposed a set of industry best practices on the topic, using the practical format of interconnected context-problem-solution patterns. In this study, we put the proposed state-of-the-art practices to the test by evaluating their real-life application in a case study at a Germany-based multibillion-dollar corporation with products in four distinct industries and more than 17000 employees worldwide. In the course of two and a half years, we conducted 35 semi-structured employee interviews and workshops in five divisions of the company to assess the initial situation of open source governance, the process of getting started with governance following our recommendations, and the outcomes. In this paper, we report the results of this longitudinal case study by presenting the artifacts created while getting started with open source governance, as well as the transferability evaluation of the proposed best practices, both individually and collectively.

    The Implementation of Governance Risk and Compliance Information Systems (GRC IS): Adoption Lifecycle and Enterprise Value

    Governance, Risk and Compliance (GRC) has become an emerging field within the IS academic community. Motivated by this research direction, the study capitalizes on the theoretical background of Enterprise Systems (ES) and extends the focus to GRC systems' implementation (enterprise value and lifecycle). Building upon expert views on GRC IS implementation projects, the analysis indicates that the three value drivers of integration, optimization and information should be considered throughout the whole GRC IS implementation lifecycle.

    Inclusion criteria for third-party dependencies in enterprise software projects

    Abstract. Third-party libraries are commonly used in software development to save development time, allowing teams to focus on implementing their own business logic. Including third-party dependencies in a project is not without its risks, however. Bugs, vulnerabilities, and license incompatibilities are only some of the potential issues that can arise from third-party dependencies, yet knowing what to look for before including a dependency can be difficult. This thesis investigates the factors that should be considered when including a third-party dependency through a review of current scientific literature and models a testable set of inclusion criteria through the design science process. The factors found in the literature were validated and assigned importance levels through a developer survey. Based on the survey results, the model was finalised and tested on six different libraries. The model as well as the test results were then evaluated by developers in a small-scale workshop. The design science process resulted in a proof-of-concept model that was considered quite good by the developers evaluating it, in addition to a synthesis of existing knowledge on third-party dependencies. The model includes 14 factors divided into eight different criteria, with each factor having a clear definition, a way to measure it, and the number of points it contributes to the scoring system of the model. The final score of the model can then be used as a reference to aid in the dependency inclusion decision-making process. The developers considered the criteria to be usable enough to be implemented as part of their dependency inclusion process with some minor changes. The major limitation of these findings is that the developer data, used both in creating the importance ratings and in evaluating the model, was acquired through convenience sampling. This means that the findings cannot be generalised to a wider population. Additionally, the survey and the workshop both had low participation rates of 40% and 55% respectively, hurting the credibility of the results. Future research should consider repeating the study with sampling that can be generalised to a larger population to validate and improve upon the results in this thesis.

    Managing license compliance in free and open source software development

    License compliance in Free and Open Source Software development is a significant issue today, and organizations using free and open source software are predominantly focusing on this issue. Noncompliance with licenses in free and open source software development leads to loss of reputation and high litigation costs for organizations. Towards automated compliance management, we use the Open Digital Rights Language to implement the clauses of open source software licenses in a machine-interpretable way and propose a novel algorithm that analyzes compatibility between free and open source software licenses. We also describe a framework that inductively manages compliance with license clauses in free and open source software development. We simulate and evaluate the formalized license compliance management by analyzing a real-time open source software project, GRASS.

    Strategic Sensemaking and Software Asset Management: Linkages Between Interpretation and Organizational Action

    Software is a critical information technology (IT) asset, as it plays a key role in the creation of organizational value and ranks as the first or second most important IT budget disbursement. Organizations are expected to govern software to ensure its efficient use while protecting the copyright of software developers. Software asset management (SAM) focuses on the good governance and effective lifecycle management of software. SAM affects the flexibility to support business strategies with software, and protects organizations against the liability and security risks associated with software use. Since the 1990s, practitioners and scholars have posited that SAM is a strategic issue that should be attended to by top management. However, reports indicate that widespread SAM adoption is at an early stage, and a review of the literature reveals limited research on SAM. Studying SAM is relevant to practice and theory because it could explain the processes behind its adoption in organizations. Two different SAM actions are identified: Proactive and Reactive SAM. This study investigates the role of top managers and important antecedents of SAM actions. The investigation draws from strategic sensemaking to explain how the top management team's (TMT) interpretation of IS strategic issues (i.e., software asset issues) as an opportunity influences proactive SAM. It also draws from institutional theory to explain reactive SAM actions. Survey responses from 187 chief information officers were collected. The study used a scenario to elicit a strategic issue, tested in three stages. In the first stage, scholars and practitioners validated the scenario and survey items. In the second, a pilot was conducted to validate the survey instrument and research model. In the third, a full-scale data collection and test of the research model was completed. Findings from this study indicate that TMT interpretation of SAM as an IS strategic issue influences the adoption of Proactive SAM. Also, coercive force has a direct influence on reactive SAM. This study contributes to the IS literature by developing an instrument to measure reactive and proactive SAM, and by identifying factors that influence TMT interpretation and subsequent SAM action. For practice, the study corroborates the need to involve the TMT in SAM decision-making processes, because TMT interpretation is positively associated with the willingness to implement Proactive SAM.