Accepted author manuscript, 724 KB, PDF document
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Final published version
Licence: CC BY: Creative Commons Attribution 4.0 International License
Research output: Contribution to Journal/Magazine › Journal article › peer-review
TY - JOUR
T1 - The Case for Adaptive Security Interventions
AU - Rauf, Irum
AU - Petre, Marian
AU - Tun, Thein T.
AU - Lopez, Tamara
AU - Lunn, Paul
AU - van der Linden, Dirk
AU - Towse, John
AU - Sharp, Helen
AU - Levine, Mark
AU - Rashid, Awais
AU - Nuseibeh, Bashar
PY - 2022/1/31
Y1 - 2022/1/31
N2 - Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. In order to widen our understanding of developers’ behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this paper (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature which identified a catalogue of factors that influence developers’ security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests ‘adaptive security interventions’ as a solution that responds to the changing security needs of individual developers, and we present a proof-of-concept tool to substantiate our suggestion.
AB - Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. In order to widen our understanding of developers’ behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this paper (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature which identified a catalogue of factors that influence developers’ security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests ‘adaptive security interventions’ as a solution that responds to the changing security needs of individual developers, and we present a proof-of-concept tool to substantiate our suggestion.
U2 - 10.1145/3471930
DO - 10.1145/3471930
M3 - Journal article
VL - 31
SP - 1
EP - 52
JO - ACM Transactions on Software Engineering and Methodology
JF - ACM Transactions on Software Engineering and Methodology
SN - 1049-331X
IS - 1
M1 - 9
ER -