Can you hear the ROAR of software security? How Responsibility, Optimism And Risk shape developers’ security perceptions

Ivory, Matthew Richard; Sturdee, Miriam; Towse, John N.; Levine, Mark; Nuseibeh, Bashar

doi:10.31234/osf.io/pexvz

“…For cybersecurity, users have been found to underestimate their risk online, increasing their vulnerability cybersecurity attacks (West, 2008;Wiederhold, 2014). In a thematic analysis of the same data presented in this article, engineers reported negative events as being damaging to their identity as an engineer (Ivory et al, 2023), indicating that for some, they associate the potential of software vulnerabilities in one's code as being a negative event. As such, a logical assumption would be that software developers are also susceptible to optimistic outlooks toward their work, and underestimating the likelihood of negative events, such as vulnerabilities in their code (as a potential marker of low-quality work).…”

Section: Optimism Biasmentioning

confidence: 71%

“…This article is part of a larger project (Ivory, 2022) that examines both cognitive links and risk perception, alongside social identity, and responsibility within software development. The project comprises two independent, self-contained components, with the complementary package focusing on a thematic analysis of responsibility and risk acceptance (Ivory et al, 2023). The overall project information and data can be found at https://doi.org/10 .17605/OSF.IO/P6DY5.…”

Section: Motivationsmentioning

confidence: 99%

“…From this the percentage of both parties identifying a word belonging to a topic or not provided the interrater reliability. We report the raw percentage agreements in Table 3 as it provides a coarse-grade assessment of potential bias, and we provide the data and the analysis code in the online repository at https://doi.org/10.17605/ OSF.IO/SJ8BT (Ivory et al, 2022), providing full transparency of data reliability.…”

Section: Notementioning

confidence: 99%

See 1 more Smart Citation

Recognizing the known unknowns; the interaction between reflective thinking and optimism for uncertainty among software developer’s security perceptions.

Ivory,

Towse,

Sturdee

et al. 2023

Technology, Mind, and Behavior

2

0

View full text Add to dashboard Cite

Software development is a complex process requiring aspects of social, cognitive, and technical skills. Software engineers face high levels of uncertainty and risk during functional and security decision making. This preregistered study investigates behavioral measures of cognitive reflection, risk aversion, and optimism bias among professional freelance software developers and computer science students, to expose relationships between uncertainty-associated language and risk sensitivity. We employ content analysis with a mixed-effect model to understand how psychological dimensions influence risk sensitivity in secure software development.We show an interaction between cognitive reflection and optimism bias in the proportion of uncertainty-related language used. Overly optimistic outlooks combined with higher cognitive reflection drives up expressions of uncertainty, while pessimistic or realistic individuals reduce uncertainty as cognitive reflection increases. Software engineers who hold average or pessimistic views on the security of their code are more likely to speak more intuitively about security and risk. We discuss the potential of our findings in relation to understanding how to leverage language used by engineers as markers of risk aversion. Encouraging increased discourse could be used as a catalyst for increased cognitive reflection and grounding optimistic behaviors, leading to more careful decisions.

show abstract

“…Companies that can do so should employ or delegate security testing to specific teams or individuals whose primary role is security-focused. Typically, developers are seen to prioritise functionality over security when tasked with both [6], and an absence of clearly defined roles for security can lead to a diminished sense of responsibility for ensuring software is secure [32]. Identifying specific security roles can reduce the presence of conflicting tasks, allowing for enhanced security focus, which may increase reflective thinking around security.…”

Section: Discussionmentioning

confidence: 99%

“…A catalyst for engaging system 2 processing can be peer communication [69], as it allows for greater exploration of potential viewpoints and reduces potential biases. Aligning with different social identities, such as those shared by software users, can enhance feelings of responsibility [32], which can also result in decisions being taken that account for others [38]. By acknowledging these views, developers may look at software code differently, allowing them to identify security vulnerabilities that would otherwise be missed.…”

Section: Discussionmentioning

confidence: 99%

Software Vulnerabilities as Cognitive Blindspots; assessing the suitability of a dual processing theory of decision making for secure coding

Ivory,

Towse,

Sturdee

et al. 2024

Preprint

0

View full text Add to dashboard Cite

Security vulnerabilities are present in many software systems, putting those who entrust software with their data in harm’s way. Many vulnerabilities are avoidable since they are not new and are well-described. Despite this awareness, they remain widespread. One hypothesis for their persistence is that they represent software blindspots, problems that are implicit in the mental models of developers and thus escape attention (Brun et al., 2023; Oliveira et al. 2018). Our current understanding of how cognitive influences secure coding is limited, and we address this by extending the hypothesis by suggesting differences in decision making approaches alter the ability to detect vulnerabilities. Through an empirical study and power analysis, we show the potential value of dual processing theory, where individuals make decisions using one of two cognitive systems: a default system reliant on heuristics and intuitive mechanisms, and a more deliberate and computational interventionist system. This preregistered study replicates key predictions from previous blindspot research, extends the analysis towards cognition, and models effect sizes of variables that might impact software security. We complement this analysis with data simulations to expose the sampling scale of empirical studies that would be necessary for highly powered work in this domain.

show abstract

Supplemental Material for Recognizing the known unknowns; the interaction between reflective thinking and optimism for uncertainty among software developer’s security perceptions.

Ivory,

Towse,

Sturdee

et al. 2023

Technology, Mind, and Behavior

0

View full text Add to dashboard Cite

Software development is a complex process requiring aspects of social, cognitive, and technical skills. Software engineers face high levels of uncertainty and risk during functional and security decision making. This preregistered study investigates behavioral measures of cognitive reflection, risk aversion, and optimism bias among professional freelance software developers and computer science students, to expose relationships between uncertainty-associated language and risk sensitivity. We employ content analysis with a mixed-effect model to understand how psychological dimensions influence risk sensitivity in secure software development.We show an interaction between cognitive reflection and optimism bias in the proportion of uncertainty-related language used. Overly optimistic outlooks combined with higher cognitive reflection drives up expressions of uncertainty, while pessimistic or realistic individuals reduce uncertainty as cognitive reflection increases. Software engineers who hold average or pessimistic views on the security of their code are more likely to speak more intuitively about security and risk. We discuss the potential of our findings in relation to understanding how to leverage language used by engineers as markers of risk aversion. Encouraging increased discourse could be used as a catalyst for increased cognitive reflection and grounding optimistic behaviors, leading to more careful decisions.

show abstract

Can you hear the ROAR of software security? How Responsibility, Optimism And Risk shape developers’ security perceptions

Cited by 5 publications

References 54 publications

Recognizing the known unknowns; the interaction between reflective thinking and optimism for uncertainty among software developer’s security perceptions.

Recognizing the known unknowns; the interaction between reflective thinking and optimism for uncertainty among software developer’s security perceptions.

Software Vulnerabilities as Cognitive Blindspots; assessing the suitability of a dual processing theory of decision making for secure coding

Supplemental Material for Recognizing the known unknowns; the interaction between reflective thinking and optimism for uncertainty among software developer’s security perceptions.

Contact Info

Product

Resources

About