Security by Design in Hybrid Software Development: An Empirical Framework for Aligning Organizational Climate and Developer Behavior

(1) Background: As security breaches rise, the “Security by Design” approach is imperative for software organizations. (2) Problem: A significant gap remains between declared security priorities and actual developer behavior. This gap widens in hybrid environments, where social mechanisms that reinforce security norms weaken. (3) Objective: This research investigates the organizational mechanisms translating security priorities into secure coding behavior and proposes a framework to maintain them in distributed teams. (4) Methods: We surveyed 244 software developers across international sites of a large IT enterprise. Using validated measures, we tested a mediation model linking priorities, climate, and behavior, with remote work as a moderator. (5) Results: Organizational Security Climate mediates the relationship between priorities and behavior. Crucially, remote work significantly weakens this mediation, showing that “hybrid friction” disrupts the transmission of security norms. (6) Conclusions: We created a framework for building a security climate in hybrid teams by introducing explicit mechanisms, such as traceable leadership signals and structured network hubs. This ensures clear DevSecOps integration and consistent security implementation across all locations.