research-article
Open Access

The Case for Adaptive Security Interventions

Published: 28 September 2021

Abstract

Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. To widen our understanding of developers' behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this article (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature that identified a catalogue of factors that influence developers' security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests "adaptive security interventions" as a solution that responds to the changing security needs of individual developers, and we present a proof-of-concept tool to substantiate our suggestion.

  135. Mazeiar Salehie and Ladan Tahvildari. 2009. Self-adaptive software: Landscape and research challenges. ACM Trans. Auton. Adapt. Syst. 4, 2 (2009), 14. University of Oulu. Retrieval https://core.ac.uk/download/pdf/344910619.pdf. Google ScholarGoogle ScholarDigital LibraryDigital Library
  136. Tommi Sallinen. 2020. Secure Coding Intention via Protection Motivation Theory Based Survey. University of Oulu. Retrieval https://core.ac.uk/download/pdf/344910619.pdf.Google ScholarGoogle Scholar
  137. Jerome H. Saltzer and Michael D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (1975), 1278–1308.Google ScholarGoogle ScholarCross RefCross Ref
  138. Luciano Sampaio and Alessandro Garcia. 2016. Exploring context-sensitive data flow analysis for early vulnerability detection. J. Syst. Softw. 113 (2016), 337–361. Google ScholarGoogle ScholarDigital LibraryDigital Library
  139. M. Angela Sasse and Awais Rashid. 2019. Human Factors Knowledge Area, Software Security Knowledge Area Issue 1.0. (2019). Retrieval https://www.cybok.org/media/downloads/Human_Factors_issue_1.0.pdf.Google ScholarGoogle Scholar
  140. Johann M. Schumann. 2001. Automated Theorem Proving in Software Engineering. Springer Science & Business Media. Google ScholarGoogle ScholarDigital LibraryDigital Library
  141. Anuj K. Shah and Daniel M. Oppenheimer. 2008. Heuristics made easy: An effort-reduction framework.Psychol. Bull. 134, 2 (2008), 207.Google ScholarGoogle ScholarCross RefCross Ref
  142. Paschal Sheeran and Thomas L. Webb. 2016. The intention–behavior gap. Soc. Personal. Psychol. Compass 10, 9 (2016), 503–518.Google ScholarGoogle ScholarCross RefCross Ref
  143. Michael Siegrist and George Cvetkovich. 2000. Perception of hazards: The role of social trust and knowledge. Risk Anal. 20, 5 (2000), 713–720.Google ScholarGoogle ScholarCross RefCross Ref
  144. Alberto Sillitti, Giancarlo Succi, and Jelena Vlasenko. 2012. Understanding the impact of pair programming on developers' attention: A case study on a large industrial experimentation. In 34th International Conference on Software Engineering, Martin Glinz, Gail C. Murphy, and Mauro Pezzè (Eds.). IEEE Computer Society, 1094–1101. DOI:https://doi.org/10.1109/ICSE.2012.6227110 Google ScholarGoogle ScholarDigital LibraryDigital Library
  145. Daniel J. Simons and Christopher F. Chabris. 1999. Gorillas in our midst: Sustained inattentional blindness for dynamic events. Perception 28, 9 (1999), 1059–1074.Google ScholarGoogle ScholarCross RefCross Ref
  146. Eliot R. Smith and Gün R. Semin. 2004. Socially situated cognition: Cognition in its social context. Retrieval https://psycnet.apa.org/record/2005-01913-002.Google ScholarGoogle Scholar
  147. Justin Smith, Brittany Johnson, Emerson Murphy-Hill, Bill Chu, and Heather Richter Lipford. 2015. Questions developers ask while diagnosing potential security vulnerabilities with static analysis. In 10th Joint Meeting on Foundations of Software Engineering. ACM, 248–259. Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. Justin Smith, Brittany Johnson, Emerson Murphy-Hill, Bei-Tseng Chu, and Heather Richter. 2018. How developers diagnose potential security vulnerabilities with a static analysis tool. IEEE Trans. Softw. Eng. 45, 9 (2018), 877–897.Google ScholarGoogle ScholarDigital LibraryDigital Library
  149. Joanne R. Smith and Winnifred R. Louis. 2008. Do as we say and as we do: The interplay of descriptive and injunctive group norms in the attitude–behaviour relationship. British J. Soc. Psychol. 47, 4 (2008), 647–666.Google ScholarGoogle ScholarCross RefCross Ref
  150. Joanne R. Smith and Winnifred R. Louis. 2009. Group norms and the attitude–behaviour relationship. Soc. Personal. Psychol. Compass 3, 1 (2009), 19–35.Google ScholarGoogle ScholarCross RefCross Ref
  151. Erin Treacy Solovey, Francine Lalooses, Krysta Chauncey, Douglas Weaver, Margarita Parasi, Matthias Scheutz, Angelo Sassaroli, Sergio Fantini, Paul Schermerhorn, Audrey Girouard, et al. 2011. Sensing cognitive multitasking for a brain-based adaptive user interface. In SIGCHI Conference on Human Factors in Computing Systems. ACM, 383–392. Google ScholarGoogle ScholarDigital LibraryDigital Library
  152. Source Code Analysis Tools - OWASP. n.d. Retrieved January, 2020 from https://www.owasp.org/index.php/Source_Code_Analysis_Tools.Google ScholarGoogle Scholar
  153. Mohammad Tahaei and Kami Vaniea. 2019. A survey on developer-centred security. In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 129–138.Google ScholarGoogle ScholarCross RefCross Ref
  154. Carmen Tanner. 1999. Constraints on environmental behaviour. J. Environ. Psychol. 19, 2 (1999), 145–157.Google ScholarGoogle ScholarCross RefCross Ref
  155. Blair Taylor and Shiva Azadegan. 2008. Moving beyond security tracks: Integrating security in cs0 and cs1. In ACM SIGCSE Bulletin, Vol. 40. ACM, 320–324. Google ScholarGoogle ScholarDigital LibraryDigital Library
  156. David R. Thomas. 2006. A general inductive approach for analyzing qualitative evaluation data. Amer. J. Eval. 27, 2 (2006), 237–246.Google ScholarGoogle ScholarCross RefCross Ref
  157. Tyler W. Thomas, Madiha Tabassum, Bill Chu, and Heather Lipford. 2018. Security during application development: An application security expert perspective. In CHI Conference on Human Factors in Computing Systems. ACM, 262. Google ScholarGoogle ScholarDigital LibraryDigital Library
  158. J. N. Towse, M. Levine, M. Petre, A. Bandara, T. Lopez, A. Rashid, I. Rauf, H. Sharp, T. Tun, D. van der Linden, and B. Nuseibeh. 2020. The case for understanding secure coding as a psychological enterprise. (2020). Manuscript submitted for publication.Google ScholarGoogle Scholar
  159. Endel Tulving. 1993. What is episodic memory?Curr. Direct. Psychol. Sci. 2, 3 (1993), 67–70.Google ScholarGoogle ScholarCross RefCross Ref
  160. Thein Than Tun, Mu Yang, Arosha K. Bandara, Yijun Yu, Armstrong Nhlabatsi, Niamul Khan, Khaled M. Khan, and Bashar Nuseibeh. 2018. Requirements and specifications for adaptive security: concepts and analysis. In IEEE/ACM 13th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS). IEEE, 161–171. Google ScholarGoogle ScholarDigital LibraryDigital Library
  161. John C. Turner, Michael A. Hogg, Penelope J. Oakes, Stephen D. Reicher, and Margaret S. Wetherell. 1987. Rediscovering the Social Group: A Self-categorization Theory.Basil Blackwell.Google ScholarGoogle Scholar
  162. John C. Turner, Penelope J. Oakes, S. Alexander Haslam, and Craig McGarty. 1994. Self and collective: Cognition and social context. Personal. Soc. Psychol. Bull.etin 20, 5 (1994), 454–463.Google ScholarGoogle ScholarCross RefCross Ref
  163. Jay J. Van Bavel and Andrea Pereira. 2018. The partisan brain: An identity-based model of political belief. Trends Cogn. Sci. 22, 3 (2018), 213–224.Google ScholarGoogle ScholarCross RefCross Ref
  164. Dirk van der Linden, Pauline Anthonysamy, Bashar Nuseibeh, Thein T. Tun, Marian Petre, Mark Levine, John Towse, and Awais Rashid. 2020. Schrödinger's security: Opening the box on app developers' security rationale. In 42nd International Conference on Software Engineering (ICSE). Google ScholarGoogle ScholarDigital LibraryDigital Library
  165. Dirk van der Linden, Emma Williams, Joseph Hallett, and Awais Rashid. 2020. The impact of surface features on choice of (in) secure answers by Stackoverflow readers. IEEE Trans. Softw. Eng. 1, 1 (2020), 1–1. DOI:10.1109/TSE.2020.2981317Google ScholarGoogle ScholarCross RefCross Ref
  166. Axel Van Lamsweerde. 2004. Elaborating security requirements by construction of intentional anti-models. In 26th International Conference on Software Engineering. IEEE, 148–157. Google ScholarGoogle ScholarDigital LibraryDigital Library
  167. Axel Van Lamsweerde and Emmanuel Letier. 1998. Integrating obstacles in goal-driven requirements engineering. In 20th International Conference on Software Engineering. IEEE, 53–62. Google ScholarGoogle ScholarDigital LibraryDigital Library
  168. Dirk van Moorselaar and Heleen A. Slagter. 2020. Inhibition in selective attention. Ann. New York Acad. Sci. 1464, 1 (2020), 204.Google ScholarGoogle ScholarCross RefCross Ref
  169. Samuel M. Waldron, John Patrick, Phillip L. Morgan, and Sophia King. 2007. Influencing cognitive strategy by manipulating information access. Comput. J. 50, 6 (2007), 694–702. Google ScholarGoogle ScholarDigital LibraryDigital Library
  170. Charles Weir, Ingolf Becker, James Noble, Lynne Blair, M. Angela Sasse, and Awais Rashid. 2020. Interventions for software security: Creating a lightweight program of assurance techniques for developers. Softw.: Pract. Exper. 50, 3 (2020), 275–298.Google ScholarGoogle ScholarCross RefCross Ref
  171. Charles Weir, Lynne Blair, Ingolf Becker, James Noble, Angela Sasse, and Awais Rashid. 2019. Interventions for Software security: Creating a lightweight program of assurance techniques for developers. In 41st International Conference on Software Engineering, Helen Sharpe and Michael Whalen (Eds.). IEEE. Google ScholarGoogle ScholarDigital LibraryDigital Library
  172. Charles Weir, Awais Rashid, and James Noble. 2016. How to Improve the Security Skills of Mobile App Developers: Comparing and Contrasting Expert Views. In 2nd Workshop on Security Information Workers, WSIW@SOUPS 2016, Denver, CO, USA, June 22, 2016. https://www.usenix.org/conference/soups2016/workshop-program/wsiw16/presentation/weir.Google ScholarGoogle Scholar
  173. Charles Weir, Awais Rashid, and James Noble. 2017. I'd like to have an argument, please: Using dialectic for effective app security In EuroUSEC 2017 Internet Society. Retrieval https://research-information.bris.ac.uk/en/publications/id-like-to-have-an-argument-please-using-dialectic-for-effective.Google ScholarGoogle Scholar
  174. Rodrigo Werlinger, Kirstie Hawkey, David Botta, and Konstantin Beznosov. 2009. Security practitioners in context: Their activities and interactions with other stakeholders within organizations. Int. J. Hum.-comput. Stud. 67, 7 (2009), 584–606. Google ScholarGoogle ScholarDigital LibraryDigital Library
  175. Michael Whitney, Heather Lipford-Richter, Bill Chu, and Jun Zhu. 2015. Embedding secure coding instruction into the IDE: A field study in an advanced CS course. In 46th ACM Technical Symposium on Computer Science Education. 60–65. Google ScholarGoogle ScholarDigital LibraryDigital Library
  176. James A. Whittaker and Richard Ford. 2006. How to think about security. IEEE Secur. Priv. 4, 2 (2006), 68–71. Google ScholarGoogle ScholarDigital LibraryDigital Library
  177. Craig Williams, Helen M. Hodgetts, Candice Morey, Bill Macken, Dylan M. Jones, Qiyuan Zhang, and Phillip L. Morgan. 2020. Human error in information security: Exploring the role of interruptions and multitasking in action slips. In International Conference on Human-computer Interaction. Springer, 622–629.Google ScholarGoogle Scholar
  178. Jim Witschey, Shundan Xiao, and Emerson Murphy-Hill. 2014. Technical and personal factors influencing developers' adoption of security tools. In ACM Workshop on Security Information Workers. ACM, 23–26. Google ScholarGoogle ScholarDigital LibraryDigital Library
  179. Jim Witschey, Olga Zielinska, Allaire Welk, Emerson Murphy-Hill, Chris Mayhorn, and Thomas Zimmermann. 2015. Quantifying developers' adoption of security tools. In 10th Joint Meeting on Foundations of Software Engineering. ACM, 260–271. Google ScholarGoogle ScholarDigital LibraryDigital Library
  180. Claes Wohlin. 2014. Guidelines for snowballing in systematic literature studies and a replication in software engineering. In 18th International Conference on Evaluation and Assessment in Software Engineering. 1–10. Google ScholarGoogle ScholarDigital LibraryDigital Library
  181. Claes Wohlin and Rafael Prikladniki. 2013. Systematic literature reviews in software engineering. Inf. Softw. Technol. 55, 6 (2013), 919–920. Google ScholarGoogle ScholarDigital LibraryDigital Library
  182. Irene M. Y. Woon and Atreyi Kankanhalli. 2007. Investigation of IS professionals' intention to practise secure development of applications. Int. J. Hum.-comput. Stud. 65, 1 (2007), 29–41. Google ScholarGoogle ScholarDigital LibraryDigital Library
  183. Shundan Xiao, Jim Witschey, and Emerson Murphy-Hill. 2014. Social influences on secure development tool adoption: Why security tools spread. In 17th ACM Conference on Computer Supported Cooperative Work & Social Computing. ACM, 1095–1106. Google ScholarGoogle ScholarDigital LibraryDigital Library
  184. Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton. 2011. ASIDE: IDE support for web application security. In 27th Annual Computer Security Applications Conference. ACM, 267–276. Google ScholarGoogle ScholarDigital LibraryDigital Library
  185. Jing Xie, Heather Richter Lipford, and Bill Chu. 2011. Why do programmers make security errors? In IEEE Symposium on Visual Languages and Human-centric Computing (VL/HCC). IEEE, 161–164.Google ScholarGoogle Scholar
  186. Limin Yang, Xiangxue Li, and Yu Yu. 2017. VulDigger: A just-in-time and cost-aware tool for digging vulnerability-contributing changes. In IEEE Global Communications Conference. IEEE, 1–7.Google ScholarGoogle ScholarDigital LibraryDigital Library
  187. Xin-Li Yang, David Lo, Xin Xia, Zhi-Yuan Wan, and Jian-Ling Sun. 2016. What security questions do developers ask? A large-scale study of stack overflow posts. J. Comput. Sci. Technol. 31, 5 (2016), 910–924.Google ScholarGoogle ScholarCross RefCross Ref
  188. Thomas Zimmermann, Nachiappan Nagappan, and Laurie Williams. 2010. Searching for a needle in a haystack: Predicting security vulnerabilities for Windows Vista. In 3rd International Conference on Software Testing, Verification and Validation (ICST). IEEE, 421–428. Google ScholarGoogle ScholarDigital LibraryDigital Library
