The Case for Adaptive Security Interventions

Rauf, Irum, Petre, Marian, Tun, Thein Than, Lopez, Tamara, Lunn, Paul, van der Linden, Dirk, Towse, John, Sharpe, Helen, Levine, Mark, Rashid, Awais and Nuseibeh, Bashar (2022) The Case for Adaptive Security Interventions. ACM Transactions on Software Engineering and Methodology, 31 (1). p. 9. ISSN 1049-331X

3471930.pdf - Published Version (1MB). Available under License Creative Commons Attribution 4.0.
The_Case_for_Adaptive_Security_Interventions.pdf - Accepted Version (743kB).
Official URL: https://doi.org/10.1145/3471930

Abstract

Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. To widen our understanding of developers' behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this article (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature that identified a catalogue of factors that influence developers' security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests "adaptive security interventions" as a solution that responds to the changing security needs of individual developers, and we present a proof-of-concept tool to substantiate our suggestion.

Item Type: Article
Additional Information: Funding information: This work was partially supported by UKRI/EPSRC (EP/P011799/1, EP/P011799/2, EP/R013144/1, and EP/T017465/1), NCSC, and SFI (13/RC/2094 and 16/RC/3918).
Subjects: G400 Computer Science; G500 Information Systems; G900 Others in Mathematical and Computing Sciences
Department: Faculties > Engineering and Environment > Computer and Information Sciences
Depositing User: Rachel Branson
Date Deposited: 16 Jul 2021 12:58
Last Modified: 21 Oct 2021 14:15
URI: http://nrl.northumbria.ac.uk/id/eprint/46692
