Abstract
This study raised an important concern regarding the licensing of third-party software and the ownership of information security. Organisations may be led to believe that they are safe from security threats by shifting the responsibility to the third party. However, research shows that third-party breaches are growing in frequency. In addition, organisations are still held liable and accountable for such breaches, as they remain the custodians of the data. This poses the question: “What factors influence InfoSec ownership of non-bespoke third-party software?” The study used Grounded Theory (GT) to present insights from the lived experiences of experts in the field of study. A qualitative research approach was employed to address the gap identified in the extant corpus of knowledge. The study qualitatively examined the lived experiences of selected experts when licensing and managing non-bespoke third-party software. This culminated in the development of a substantive theory that explains how risks can be managed when licensing software, more specifically when making decisions around the licensing of said software. Findings show that trust impacted strategies, information security, contractual obligations and critical decision-making regarding the software solutions being licensed. This work is intended to guide organisations in establishing mutually beneficial, long-lasting relationships with third parties and ensuring that they prioritise information security whilst considering their nuanced business needs.