Prioritizing Security Practice Adoption: Empirical Insights on Software Security Outcomes in the npm Ecosystem

📅 2025-04-18
📈 Citations: 0
Influential: 0
🤖 AI Summary
Problem: npm practitioners often struggle to prioritize security practices due to resource constraints. Method: Leveraging empirical data from GitHub-hosted npm projects, this study conducts the first systematic evaluation, using regression analysis combined with causal inference (including propensity score matching), of how OpenSSF Scorecard metrics affect real-world security outcomes: vulnerability count, mean time to remediate (MTTR), and dependency update latency, while controlling for confounders such as project size. Contribution/Results: Higher Scorecard scores significantly reduce vulnerability counts and shorten dependency update latency; no significant effect on MTTR was observed. Among individual checks, Code Review, Maintained, Pinned Dependencies, and Branch Protection exhibit the strongest causal associations with improved outcomes. This work provides the first causal, evidence-based foundation for prioritizing security practices, enabling developers and policymakers to focus resources on high-impact interventions.

📝 Abstract
Practitioners often struggle with the overwhelming number of security practices outlined in cybersecurity frameworks for risk mitigation. Given the limited budget, time, and resources, practitioners want to prioritize the adoption of security practices based on empirical evidence. The goal of this study is to assist practitioners and policymakers in making informed decisions on which security practices to adopt by evaluating the relationship between software security practices and security outcome metrics. The study investigated the relationship between security practice adoption and security outcomes. We selected the OpenSSF Scorecard metrics to automatically measure the adoption of security practices in npm GitHub repositories. We also explored security outcome metrics, such as the number of open vulnerabilities (Vul_Count), mean time to remediate (MTTR) vulnerabilities in dependencies, and mean time to update (MTTU) dependencies. We conducted regression and causal analysis using 12 Scorecard metrics and their aggregated Scorecard score (computed by aggregating individual security practice scores) as predictors and Vul_Count, MTTR, and MTTU as target variables. Our findings show that higher aggregated Scorecard scores are associated with fewer Vul_Count and shorter MTTU, also supported by causal analysis. However, while the regression model suggests shorter MTTR, causal analysis indicates project characteristics likely influence MTTR direction. Segment analysis shows that larger, newer repositories with more contributors, dependencies, and downloads have shorter MTTR. Among individual security practices, Code Review, Maintained status, Pinned Dependencies, and Branch Protection show strong associations with security outcomes; the directionality of these associations varies across security outcomes.
Problem

Research questions and friction points this paper is trying to address.

Identify which security practices improve npm ecosystem outcomes
Measure impact of OpenSSF Scorecard metrics on vulnerabilities
Prioritize security practices using empirical data for decision-making
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automated OpenSSF Scorecard metrics for npm
Regression and causal analysis on security outcomes
Identified key practices like Code Review