Master Thesis: Information Security in Software Startups

In the summer of 2016 I wrote my master's thesis on “Information Security in Software Startups – How to implement lean security mechanisms and measures”. Based on the thesis, I created this website to make my survey results and the Lean Startup Security Guide (which I defined in the thesis) available to others.


Small companies and startups are increasingly becoming targets of hackers. Organizations that provide Internet services are targeted in particular, because their globally available offerings expose more attack vectors. Attackers also exploit the fact that young companies lack the money and the awareness to implement pervasive security mechanisms. Furthermore, many startups can’t focus on activities that do not contribute to the company’s growth or success, because there is no time or money left for such tasks. Although most young companies know the different kinds of cyber security threats very well, they seem to knowingly forgo implementing, or getting certified against, information security standards such as ISO/IEC 27001 or BSI 100-x.

Based on the hypothesis above, the following research questions arise for this master's thesis: Are startups willingly taking risks in terms of cybersecurity by lacking information security processes and mechanisms? Why do startups skimp on implementing information security processes and mechanisms? To answer these questions, the author conducted personal interviews with CEOs, CTOs and startup employees. Based on the answers, an online survey was created and conducted among startup founders and employees. The results confirm the first hypothesis and show that startups do without cyber security mechanisms because of negligence and a lack of time.

Independently of the first two research questions, this thesis also answers the following question: Which security safeguards, and which processes for managing those safeguards, can startups use to deal with threats and to improve their information security level? To answer this question, different standards, papers, laws, best practices and interviews with startups were analysed. They formed the basis for defining lean information security safeguards for software and Internet startups. The different measures were verified and improved by implementing them in the author’s own startup. The result is a “lean startup security guide” which can be implemented with an initial effort of only 2 to 4 days. The guide ensures that information security processes and safeguards are integrated into a startup’s daily business at minimal cost. This guarantees that the lean startup security guide is accepted and implemented by startups, in contrast to the existing, more heavyweight information security standards.


The results of my thesis are published on this website: