Modern Web Application Security in Practice: National-Scale Measurement and Managerial Insights from Türkiye


Erden A.

COMPUTERS & SECURITY, vol.164, pp.1-32, 2026 (SCI-Expanded, Scopus)

  • Publication Type: Article / Full Article
  • Volume: 164
  • Publication Date: 2026
  • DOI Number: 10.1016/j.cose.2026.104847
  • Journal Name: COMPUTERS & SECURITY
  • Journal Indexes: Scopus, Science Citation Index Expanded (SCI-EXPANDED), ABI/INFORM, Compendex, Criminal Justice Abstracts, INSPEC
  • Page Numbers: pp.1-32
  • Affiliated with Marmara University: Yes

Abstract

This research evaluates the gap between web application security best practices and their actual implementation within organizations in Türkiye. A sequential explanatory mixed-methods design used national quantitative mapping to inform a positive deviance case study explaining superior security performance. First, a total of 2,463 of the most visited domains in the .tr top-level domain space were evaluated via the Mozilla Observatory tool. The evaluation resulted in an average score of 27.19, with 53% of tested domains receiving a failing 'F' grade. Most often, important security-related elements such as Content Security Policy headers were either non-existent or misconfigured.
Subsequently, a qualitative case study was conducted on a leading organization that had received an 'A+' security grade. Interviews with the organization's Chief Security Officer identified that the organization views regulatory requirements as opportunities to improve its internal processes rather than as burdens. The success of the organization was directly related to having a strong security culture, active senior management engagement, and the incorporation of security into its software development processes.
The analysis draws on Institutional Theory, the Resource-Based View, and the Technology-Organization-Environment Framework to provide a conceptual model of how external influences, internal resources/capabilities, and managerial perceptions/direction combined to achieve superior security results. The results of the study identify the need for increased adoption of both technical solutions and organizational and cultural practices to enhance web application security.