Top

Empirical Software Engineering

Published in:

01-11-2021

Understanding developers’ privacy and security mindsets via climate theory

Authors: Renana Arizon-Peretz, Irit Hadar, Gil Luria, Sofia Sherman

Published in: Empirical Software Engineering | Issue 6/2021

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Privacy and security by design are policy measures that guide software developers to engineer privacy and security solutions inherently into the software systems they develop. However, although these policy measures have been widely discussed and promoted over the years, recent studies still show a consistent underperformance of privacy and security practices in industry. This research follows previous findings that indicate the role the organizational work environments of developers play in forming their mindsets and behavior. Specifically, we aimed to explore the potential of using organizational climate theory for attaining a better understanding of developers’ perceptions and behaviors and the underlying forces affecting them, and to unveil the constructs that compose organizational privacy and security climates. To this end, we conducted interviews with 27 practitioners involved in developing software systems from 14 companies and qualitatively analyzed the collected data. Our findings indicate that software developers are faced with inconsistent and confusing cues conveyed by management and other parties in their work environment, many of which indicate that these facets are of relatively low priority, leading to perceptions and behaviors that are not in line with those expected and recommended by policy makers. Further, we show how these perceptions and behaviors can be explained by constructs of the organizational climate theory and how, based on our findings, organizational climate mechanisms can be used to go beyond understanding developers’ current privacy and security mindsets toward improving them, thereby leading to an effective implementation of privacy and security by design.

previous article Where were the repair ingredients for Defects4j bugs?

next article Single-state state machines in model-driven software engineering: an exploratory study

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Where applicable, we use in the presentation of the findings the naming of already existing climate themes matching the categories emerging from our data (see details in Section 3.4).

Here, too, we note that the presented numbers by no means provide any quantitative generalizable measures of the distribution between the sub-themes; rather, they inform us about the visibility of these sub-themes to our participants in their respective organizations.

Acuña ST, Gómez M, Juristo N (2008) Towards understanding the relationship between team climate and software quality—a quasi-experimental study. Empir Softw Eng 13(4):401–434CrossRef

Acuña ST, Gómez MN, Hannay JE, Juristo N, Pfahl D (2015) Are team personality and climate related to satisfaction and software quality? Aggregating results from a twice replicated experiment. Information and Software Technology 57:141–156. https://doi.org/10.1016/j.infsof.2014.09.002

Andres HP (1995) Coordination of Software Development Workgroups. AMCIS 1995 Proceedings, pp 59. https://aisel.aisnet.org/amcis1995/59

Arizon-Peretz R, Luria G, Kalish Y, Zohar D (2021) Safety climate strength: the negative effects of cliques and negative relationships in teams. Safety science, 138, 105224

Bartels J, Pruyn A, Jong MD, Joustra I (2007) Multiple organizational identification levels and the impact of perceived external prestige and communication climate. J Organ Behav 28(2):173–190CrossRef

Bednar K, Spiekermann S, Langheinrich M (2019) Engineering Privacy by Design: Are engineers ready to live up to the challenge? Inf Soc 35(3):122–142CrossRef

Birnhack M, Toch E, Hadar I (2014) Privacy Mindset, Technological Mindset. Jurimetrics 55:55–114

Blumer H (1969) Symbolic interactionism: Perspective and method. In The University of California Press

Bowen DE, Ostroff C (2004) Understanding HRM-firm performance linkages: The role of the “strength” of the HRM system. Acad Manag Rev 29(2):203–221

Carr JZ, Schmidt AM, Ford JK, DeShon RP (2003) Climate perceptions matter: A meta-analytic path analysis relating molar climate, cognitive and affective states, and individual level work outcomes. J Appl Psychol 88:605–619CrossRef

Cavoukian A, Dixon M (2013) Privacy and Security by Design: An Enterprise Architecture Approach. Information and Privacy Commissioner of Ontario, Canada

Christian MS, Bradley JC, Wallace JC, Burke MJ (2009) Workplace safety: A meta-analysis of the roles of person and situation factors. J Appl Psychol 94(5):1103–1127CrossRef

Clarke S (2006) The relationship between safety climate and safety performance: A meta-analytic review. J Occup Health Psychol 11(4):315–327CrossRef

Clincy VA (2003) Software development productivity and cycle time reduction. J Comput Sci Coll 19(2):278–287

Davis M, Kumiega A, Van Vliet B (2013) Ethics, finance, and automation: A preliminary survey of problems in high frequency trading. Sci Eng Ethics 19(3):851–874

Dragoni L (2005) Understanding the emergence of state goal orientation in organizational work groups: The role of leadership and multilevel climate perceptions. J Appl Psychol 90:1084–1095CrossRef

Flin R, Mearns K, O’Connor P, Bryden R (2000) Measuring safety climate: Identifying the common features. Saf Sci 34(1–3):177–192CrossRef

Ghahramani A, Khalkhali HR (2015) Development and Validation of a safety climate scale for manufacturing industry. Saf Health Work 6:97–103CrossRef

González-Romá V, Fortes-Ferreira L, Peiró JM (2009) Team climate, climate strength and team performance. A longitudinal study. J Occup Organ Psych. 82(3):511–536

González-Romá V, Peiró JM, Tordera N (2002) An examination of the antecedents and moderator influences of climate strength. J Appl Psychol 87(3):465–473CrossRef

Guba EG (1981) Criteria for assessing the trustworthiness of naturalistic inquiries. Ectj 29(2):75–91

Hadar I, Hasson T, Ayalon O, Toch E, Birnhack M, Sherman S, Balissa A (2018) Privacy by designers: software developers’ privacy mindset. Empir Softw Eng 23:259–289CrossRef

Hage J (1974) Communications and organizational control. Wiley, New York

Hofmann DA, Morgeson FP (1999) Safety-related behavior as a social exchange: The role of perceived organizational support and leader–member exchange. J Appl Psychol 84(2):286–296CrossRef

Hong Y, Liao H, Hu J, Jiang K (2013) Missing link in the service profit chain: A meta-analytic review of the antecedents, consequences, and moderators of service climate. J Appl Psychol 98(2):237–267CrossRef

James LR, Choi CC, Ko CHE, McNeil PK, Minton MK, Wright MA, Kim KI (2008) Organizational and psychological climate: A review of theory and research. Eur J Work Organ Psy 17(1):5–32CrossRef

Johnson JW (1996) Linking employee perceptions of service climate to customer satisfaction. Pers Psychol 49(4):831–851CrossRef

Johnson T, Fendrich M (2005) Modeling sources of self-report bias in a survey of drug use epidemiology. Ann Epidemiol 15(5):381–389CrossRef

Jones AP, Jamest LR (1979) Psychological climate: dimensions and relationships of individual and aggregated work environment perceptions. Organ Behav Hum Perform 23:201–250CrossRef

Joseph B, Jacob M (2011) Knowledge sharing intentions among IT professionals in India. In: Dua S., Sahni S., Goyal D.P. (eds) Information Intelligence, Systems, Technology and Management. ICISTM 2011. Communications in Computer and Information Science, vol 141. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19423-8_3

Kozlowski SWJ, Doherty ML (1989) Integration of climate and leadership: examination of a neglected issue. J Appl Psychol 74(4):546–553CrossRef

Krumay B, Oetzel MC (2011) Security and Privacy in Companies: State-of-the-art and Qualitative Analysis. In 2011 Sixth International Conference on Availability, Reliability and Security (pp. 313–320). IEEE

Luria G (2008a) Controlling for quality: climate, leadership and quality behavior. J Qual Manag 15:27–40CrossRef

Luria G (2008b) Climate strength – How leaders form consensus. Leadersh Q 19:42–53CrossRef

Luria G (2016) Safety climate and supervisory-based interventions. In S. Clarck, F. Guldenmund, & J. Passmore (Eds.), The Wiley Blackwell Handbook of the Psychology of Occupational Safety and Workplace Health (pp. 357–375). Wiley & Sons

Luria G (2019) Climate as a group level phenomenon: Theoretical assumptions and methodological considerations. J Organ Behav 40(9):1055–1066CrossRef

Luria G, Boehm A, Mazor T (2014) Conceptualizing and measuring community road-safety climate. Saf Sci 70:288–294CrossRef

Luria G, Yagil D (2010) Safety perception referents of permanent and temporary employees: Safety climate boundaries in the industrial workplace. Accid Anal Prev 42(5):1423–1430CrossRef

Luria G, Zohar D, Erev I (2008) The effect of workers’ visibility on effectiveness of intervention programs : Supervisory-based safety interventions. J Safety Res 39:273–280

Maxwell JA (1992) Understanding and validity in qualitative research. Harv Educ Rev 62:279–300

Maxwell JA (2010) Using numbers in qualitative research. Qual Inq 16(6):475–482

Miles MB, Huberman AM, Saldaña J (2014) Qualitative data analysis: A methods sourcebook. 3rd Edition. Sage publications

Myers MD (1997) Qualitative research in information systems. MIS Q 21:241–242CrossRef

Myers MD, Newman M (2007) The qualitative interview in IS research: examining the craft. Inf Organ 17:2–26CrossRef

Naumann SE, Bennett N (2000) A Case for procedural justice climate: Development and test of a multilevel model. Acad Manag J 43(5):881–889

Neal A, Griffin MA (2004) Safety climate and safety at work. In: Barling J, Frone MR (eds) The Psychology of Workplace Safety. American Psychological Association, Washington, DC, pp 15–34CrossRef

Ostroff C, Kinicki AJ, Muhammad RS (2012) Organizational culture and climate. In Handbook of Psychology, Second Edition (pp. 643–676). John Wiley & Sons, Inc

Parker SK, Bindl UK, Strauss K (2010) Making things happen: A model of proactive motivation. J Manag 36(4):827–856

Pereira CMM, Gomes JFS (2012) The strength of human resource practices and transformational leadership: impact on organisational performance. Int J Hum Resour Manag 23(20):4301–4318CrossRef

Rentsch JR (1990) climate and culture : interaction and qualitative differences in organizational meanings. J Appl Psychol 75(6):668–681

Roberson QM (2006) Justice in teams: The effects of interdependence and identification on referent choice and justice climate strength. Soc Justice Res 19(3):323–344CrossRef

Salanova M, Agut S, Peiró JM (2005) Linking organizational resources and work engagement to employee performance and customer loyalty: the mediation of service climate. J Appl Psychol 90(6):1217–1227CrossRef

Schneider B (1975) Organizational climates: An essay. Pers Psychol 28(4):447–479CrossRef

Schneider B (1990) The climate for service: An application of the climate construct. In: Schneider B (ed) Organizational Climate and Culture. Jossey-Bass, San Francisco, CA, pp 383–412

Schneider B, Brief AP, Guzzo RA (1996) Creating a climate and culture for sustainable organizational change. Organizational Dynamic 24(4):7–19CrossRef

Schneider B, Ehrhart MG, Macey W (2013) Organizational climate and culture. Annu Rev Psychol 64:361–388CrossRef

Schneider B, González-Romá V, Ostroff C, West MA (2017) Organizational climate and culture: Reflections on the history of the constructs in the Journal of Applied Psychology. J Appl Psychol 102(3):468–482CrossRef

Schneider B, Reichers AE (1983) On the etiology of climates. Pers Psychol 36(1):19–39CrossRef

Schneider B, Rentsch JR (1988) Managing climates and cultures: A futures perspective. In J. Hage (Ed.), Issues in Organization and Management Series. Futures of Organizations: Innovating to Adapt Strategy and Human Resources to Rapid Technological Change (pp. 181–203). Lexington, MA, England: Lexington Books/D. C. Heath and Com

Schneider B, Salvaggio AN, Subirats M (2002) Climate strength : a new direction for climate research. J Appl Psychol 87(2):220–229

Schneider B, Wheeler JK, Cox JF (1992) A passion for service: using content analysis to explicate service climate themes. J Appl Psychol 77(5):705–716CrossRef

Schneider B, White SS, Paul MC (1998) Linking service climate and customer perceptions of service quality: test of a causal model. J Appl Psychol 83(2):150–163CrossRef

Schulte M, Ostroff C, Kinicki AJ (2006) Organizational climate systems and psychological climate perceptions: A cross-level study of climate-satisfaction relationships. J Occup Organ Psychol 79(4):645–671CrossRef

Schulte M, Ostroff C, Shmulyian S, Kinicki A (2009) organizational climate configurations: relationships to collective attitudes, customer satisfaction, and financial performance. J Appl Psychol 94(3):618–634CrossRef

Seaman CB (1999) Qualitative methods in empirical studies of software engineering. IEEE Trans Softw Eng 25(4):557–572CrossRef

Senarath A, Arachchilage NAG (2018) Why developers cannot embed privacy into software systems? An empirical investigation. 2nd International Conference on Evaluation and Assessment in Software Engineering, 2018

Sharma A, Gupta A (2012) Impact of organisational climate and demographics on project specific risks in context to Indian software industry. Int J Project Manage 30(2):176–187CrossRef

Sheth S., Kaiser G., Maalej W .(2014) Us and them: a study of privacy requirements across North America, Asia, and Europe. Proceedings of the 36th International Conference on Software Engineering. ACM, 2014

Strauss A, Corbin J (1998) Basics of qualitative research: techniques and procedures for developing grounded theory. Sage Publications, Thousand Oaks

Spiekermann S, Cranor LF (2009) Engineering privacy. IEEE Trans Software Eng 35(1):67–82CrossRef

Spiekermann S, Korunovska J, Langheinrich M (2019) Inside the organization: why privacy and security engineering is a challenge for engineers. Proc IEEE 107(3):600–615CrossRef

Szekely I (2011) “What are the pros and cons of mass surveillance?” in Internet and Surveillance (The Challenge of Web 2.0 and Social Media), C. Fuchs, Ed. New York, NY, USA: Routledge

Tsaur SH, Lin YC (2004) Promoting service quality in tourist hotels: the role of HRM practices and service behavior. Tour Manage 25(4):471–481CrossRef

Van de Mortel TF (2008) Faking it: social desirability response bias in self-report research. Australian Journal of Advanced Nursing, the 25(4):40–48

Vroom VH (1964) Work and motivation. Wiley, New York

Walsham G (2006) Doing interpretive research. Eur J Inf Syst 15:320–330CrossRef

Weick KE, (1995). Sensemaking in organizations. Sage Publication

Weick KE, Sutcliffe KM, Obstfeld D (2005) Organizing and the Process of Sensemaking. Organ Sci 16(4):409–421CrossRef

Wohlin C, Runeson P, Höst M, Ohlsson MC, Regnell B, Wessle ́N.A. (2012) Experimentation in Software Engineering. Springer, Heidelberg GermanyMATHCrossRef

Yagil D (2014) Service quality. In B. Schneider K. M. Barbera (Eds.), The Oxford Handbook of Organizational Climate and Culture (pp. 297–317). New York.

Yagil D, Luria G (2010) Friends in need: The protective effect of social relationships under low-safety climate. Group Org Manag 35(6):727–750CrossRef

Zohar D (1980) safety climate in industrial organizations: theoretical and applied implications. J Appl Psychol 65(1):96–102CrossRef

Zohar D (2002) The effects of leadership dimensions, safety climate, and assigned priorities on minor injuries in work groups. J Organ Behav 23(1):75–92CrossRef

Zohar D (2003) The influence of leadership and climate on occupational health and safety. In D. A. Hofmann L. Tetrick (Eds.), Health and Safety in Organizations: A Multilevel Perspective (pp. 201–230). San Francisco, CA: Jossey-Bass

Zohar D (2010) Thirty years of safety climate research: reflections and future directions. Accident; Analysis and Prevention 42(5):1517–1522MathSciNetCrossRef

Zohar D (2014) Safety climate: Conceptualization, measurement, and improvement. In B. Schneider and K. M. Barbera (Eds.), The Oxford Handbook of Organizational Climate and Culture (pp. 317–334). Oxford University Press

Zohar D, Hofmann DA (2012) Organizational culture and climate. In: Kozlowski SWJ (ed) The Oxford Handbook of Organizational Psychology2. Oxford University Press, New York, pp 643–666

Zohar D, Luria G (2003) The use of supervisory practices as leverage to improve safety behavior : A cross-level intervention model. J Safety Res 34:567–577

Zohar D, Luria G (2004) Climate as a social – cognitive construction of supervisory safety practices: scripts as proxy of behavior patterns. J Appl Psychol 89(2):322–333CrossRef

Zohar D, Luria G (2005) A multilevel model of safety climate: Cross-level relationships between organization and group-level climates. J Appl Psychol 90(4):616–628CrossRef

Zohar D, Luria G (2010) Group leaders as gatekeepers : testing safety climate variations across levels of analysis. Appl Psychol 59(4):647–673

Zohar D, Polachek T (2014) Discourse-based intervention for modifying supervisory communication as leverage for safety climate and performance improvement: A randomized field study. J Appl Psychol 99(1):113–124CrossRef

Zohar D, Tenne-Gazit O (2008) Transformational leadership and group interaction as climate antecedents: a social network analysis. J Appl Psychol 93(4):744–757CrossRef

Title: Understanding developers’ privacy and security mindsets via climate theory
Authors: Renana Arizon-Peretz
Irit Hadar
Gil Luria
Sofia Sherman
Publication date: 01-11-2021
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 6/2021
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-021-09995-z

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Other articles of this Issue 6/2021

Single-state state machines in model-driven software engineering: an exploratory study

The indolent lambdification of Java

What do class comments tell us? An investigation of comment evolution and practices in Pharo Smalltalk

Applying test case prioritization to software microbenchmarks

A study into the practice of reporting software engineering experiments

How are project-specific forums utilized? A study of participation, content, and sentiment in the Eclipse ecosystem

Premium Partner