Skip to content

SQ3: Delivery and Security Impact

Supporting research question

How does an automated Compliance-as-Code gate impact developer feedback cycles and the overall security posture of custom healthcare software?

Problem Investigation

Compliance controls can improve consistency but may also slow teams if feedback is late, unclear, or noisy.

Treatment Design

Define an impact assessment model with delivery and security indicators.

Candidate Indicators

  • Time-to-feedback for compliance violations.
  • Rework rate caused by late compliance findings.
  • Number and severity of blocked non-compliant changes.
  • Clarity and actionability of failure messages.
  • Coverage of mapped requirements.

Treatment Validation

Use controlled pipeline scenarios, historical comparison where available, and expert interpretation to evaluate trade-offs between speed and assurance.

Iteration Checkpoints

  • Baseline: current feedback and control behavior.
  • Pilot: automated gate with selected rules.
  • Follow-up: refine messages, thresholds, and fallback controls.

Evaluation Boundary

Observed impacts during thesis are context-bound and may not fully predict long-term organization-wide effects.

Evidence Map

  • Pipeline run comparisons.
  • Incident or defect proxy metrics.
  • Developer feedback records.
  • Security/compliance review notes.

Expected Contribution to Main Question

SQ3 validates practical utility and clarifies where automation adds value or needs complementary process controls.