University of Limerick
Browse
- No file added yet -

The case for adaptive security interventions

Download (1.05 MB)
journal contribution
posted on 2023-11-01, 15:43 authored by Irum RaufIrum Rauf, Marian Petre, Thein Tun, Tamara LopezTamara Lopez, Paul Lunn, Dirk Van Der LindenDirk Van Der Linden, John Towse, Helen Sharp, Mark Levine, Awais Rashid, Bashar NuseibehBashar Nuseibeh

Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. To widen our understanding of developers’ behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this article (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature that identified a catalogue of factors that influence developers’ security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests “adaptive security interventions” as a solution that responds to the changing security needs of individual developers and a present a proof-of-concept tool to substantiate our suggestion.

Funding

Lero - the Irish Software Research Centre

Science Foundation Ireland

Find out more...

Confirm Centre for Smart Manufacturing

Science Foundation Ireland

Find out more...

Why Johnny doesn't write secure software? Secure software development by the masses

Engineering and Physical Sciences Research Council

Find out more...

Why Johnny doesn't write secure software? Secure software development by the masses

Engineering and Physical Sciences Research Council

Find out more...

SAUSE: Secure, Adaptive, Usable Software Engineering

Engineering and Physical Sciences Research Council

Find out more...

Socio-technical resilience in software development (STRIDE)

Engineering and Physical Sciences Research Council

Find out more...

History

Publication

ACM Transactions on Software Engineering and Methodology, 2021 31 (1) Article No.: 9 pp 1–52

Publisher

Association for computing Machinery

Also affiliated with

  • LERO - The Irish Software Research Centre

Sustainable development goals

  • (4) Quality Education

Usage metrics

    University of Limerick

    Categories

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC