Data-driven barriers to adoption proposed #19

Merged (2 commits), Aug 30, 2022
20 changes: 20 additions & 0 deletions types/README.md
@@ -0,0 +1,20 @@
We claim in our goals and purpose that there are barriers to SBOM adoption. We should be more clear about this.

Rather than just claim this is true, we should find a way to determine this with data. Are there existing studies on the topic we can reuse? Is someone willing to conduct a survey with this group?

How can we move this question forward in a scientific manner that isn't made up data.


To claim that there are barriers to adoption simply because different formats, structures, and tools exist is to reduce issues of complexity to the issues of impediments and doesn't actually paint a picture as to *how* such complexity poses challenges to SBOM adoption. In order to move this issue forward in a scientific manner, claims regarding barriers to adoption, adoption rates, and SBOM readiness and maturity need to be substantiated by data. In order to flesh out the current barriers to SBOM adoption, we need to assess quantitative or qualitative data regarding the challenges that entities or individuals face in their SBOM journey.

The Linux Foundation SBOM Report (https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_020422.pdf) is an exempler data set to begin detailing challenges to adoption. For example, the study directly queried the respondent's SBOM readiness by asking, "What is your group's current SBOM readiness?" 90% of organizations have started their SBOM journey, while 10% of organizations have not begun planning their SBOM journeys. Of the segment that have started their SBOM journeys, 14% are in a planning or development phase, 52% are addressing SBOMs in a few, some, or many areas of their business, and 23% are addressing SBOMs across all areas that include the use of SBOMs. Thus, 76% of organizations surveyed have a tangible degree of SBOM readiness. This level of "tangible readiness" indicates further analysis is warranted in order to account for the composition of "barriers" and what type of entities or individuals experience these barriers to SBOM adoption.
Suggested change
The Linux Foundation SBOM Report (https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_020422.pdf) is an exempler data set to begin detailing challenges to adoption. For example, the study directly queried the respondent's SBOM readiness by asking, "What is your group's current SBOM readiness?" 90% of organizations have started their SBOM journey, while 10% of organizations have not begun planning their SBOM journeys. Of the segment that have started their SBOM journeys, 14% are in a planning or development phase, 52% are addressing SBOMs in a few, some, or many areas of their business, and 23% are addressing SBOMs across all areas that include the use of SBOMs. Thus, 76% of organizations surveyed have a tangible degree of SBOM readiness. This level of "tangible readiness" indicates further analysis is warranted in order to account for the composition of "barriers" and what type of entities or individuals experience these barriers to SBOM adoption.
The Linux Foundation SBOM Report (https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_020422.pdf) is an exemplar data set to begin detailing challenges to adoption. For example, the study directly queried the respondent's SBOM readiness by asking, "What is your group's current SBOM readiness?" 90% of organizations have started their SBOM journey, while 10% of organizations have not begun planning their SBOM journeys. Of the segment that have started their SBOM journeys, 14% are in a planning or development phase, 52% are addressing SBOMs in a few, some, or many areas of their business, and 23% are addressing SBOMs across all areas that include the use of SBOMs. Thus, 76% of organizations surveyed have a tangible degree of SBOM readiness. This level of "tangible readiness" indicates further analysis is warranted in order to account for the composition of "barriers" and what type of entities or individuals experience these barriers to SBOM adoption.


The Linux report categorizes respondents into three readiness levels, *SBOM Procrastinators*, *SBOM Early Adopters*, and *SBOM Innovators*. Procrastinators include respondents who have not started to address SBOMs, and respondents who are planning how to address SBOMs, or beginning to address SBOMs. SBOM procrastinators account for 24% of total respondents; 41% of SBOM procrastinators (10% of the overall sample) have not started their SBOM journey, while 58% of SBOM procrastinators are planning to address or beginning to address SBOMs.

SBOM Early Adopters include respondents who have addressed producing or consuming SBOMs across some portion of their business. SBOM Early Adopters account for 53% of the total sample: 29% are addressing SBOMs in a few segments of their business, 42% across some segments, and 28% are addressing SBOMs across many segments. SBOM Innovators include organizations that are highly committed and experienced in SBOM use. Innovators account for 23% of the total sample: 62% are addressing SBOMs across almost all segments of their business while 38% have standard practices in place for using SBOMs.

Accounting for barriers to adoption along these lines is warranted. Conducting deeper analysis or user research may account for why (1) 10% of the overall study sample have not started their SBOM journey, while also providing insight into adoption barrier composition and how these barriers are (2) accounted for and overcome in the planning phase and beginning to plan phase also experienced by *SBOM Procrastinators*. To be clear, segments (1) and (2) just mentioned together comprise the *SBOM Procrastinator* readiness level as defined by the LF Report.

Comparison of (A) SBOM readiness levels to (B) plans to produce SBOMs reveals that organizations may not be as far along as "readiness" would suggest. While 14% of the sample indicated that they were in planning/beginning phase of SBOM readiness, 40% of the overall sample is in the SBOM production planning phase (i.e. will be producing SBOMs in the next 6-24 months). While 38% claimed they were addressing SBOMs in a "few or some" segments, only 20% of the overall sample indicated they are producing SBOMs in a "few or some segments".

These are just a few examples of the critical role of qualitative and quantitative data. Next steps may include (1) a adding a comprehensive executive summary of the LF SBOM report, (2) identifying and validating our problem set, (3) identifying remaining problems that are not addressed by available data, (4) drafting a research plan to address remaining questions.
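Review bot: the three percentages given for "the segment that have started their SBOM journeys" (14%, 52%, 23%) sum to 89%, which matches the 90% of the overall sample that has started, so they are shares of the whole sample rather than of the started segment as the sentence states; the conclusion that follows, "76% of organizations surveyed have a tangible degree of SBOM readiness", also cannot be reproduced from those figures (52% + 23% = 75%). Suggest naming the denominator for each figure, e.g. "Of the overall sample, 14% are in a planning or development phase, ...", and deriving the 76% explicitly from the categories it combines so a reader can check it against the report. Two smaller points in the same hunk: "How can we move this question forward in a scientific manner that isn't made up data." is a question and should end with "?", and as the entire content of types/README.md the file opens with no heading or one-line statement of what the types directory holds; a title along the lines of the PR's own "Data-driven barriers to adoption" would orient a reader landing on the file. The "exempler" spelling is already covered by the inline suggestion.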