Oteng Ntsweng,Ransome Bawack,Xixian Peng,Shem Amalaya

DOI: https://doi.org/10.1109/istas57930.2023.10305976

2023-01-01

Abstract:Over the past decade, gameful systems have been widely used in training and behavior modification. However, the mechanisms by which these systems influence desired outcomes remain unclear. Consequently, the literature on their impact is riddled with contradictory findings, suggesting that researchers have overlooked crucial variables, especially those related to the science of learning. Consistent with recommendations from educational psychology, we focus on the core cognitive processes involved in cybersecurity protective tasks. Reflective thinking is at the heart of these tasks. Given that gameful systems aim to simulate real-world tasks, we study the effects of coupling cybersecurity training games with reflective practices. Drawing upon the theoretical perspectives of the reflective practitioner and the theory of flow, we hypothesize that incorporating guided reflection during interaction with a gameful system will result in superior experiential and learning outcomes compared to reflecting after the interaction or playing without reflection.

Lucas Gren,Robert Feldt

2024-06-29

Abstract:This position paper explores the intricate relationship between social psychology and secure software engineering, underscoring the vital role social psychology plays in the realm of engineering secure software systems. Beyond a mere technical endeavor, this paper contends that understanding and integrating social psychology principles into software processes are imperative for establishing robust and secure software systems. Recent studies in related fields show the importance of understanding the social psychology of other security domains. Finally, we identify critical gaps in software security research and present a set of research questions for incorporating more social psychology into software security research.

Software Engineering

Faheem Ahmed,Luiz Fernando Capretz,Salah Bouktif,Piers Campbell

DOI: https://doi.org/10.48550/arXiv.1507.06873

2015-07-24

Software Engineering

Abstract:We review the literature relating to soft skills and the software engineering and information systems domain before describing a study based on 650 job advertisements posted on well-known recruitment sites from a range of geographical locations including, North America, Europe, Asia and Australia. The study makes use of nine defined soft skills to assess the level of demand for each of these skills related to individual job roles within the software industry. This work reports some of the vital statistics from industry about the requirements of soft skills in various roles of software development phases. The work also highlights the variation in the types of skills required for each of the roles. We found that currently although the software industry is paying attention to soft skills up to some extent while hiring but there is a need to further acknowledge the role of these skills in software development. The objective of this paper is to analyze the software industry soft skills requirements for various software development positions, such as system analyst, designer, programmer, and tester. We pose two research questions, namely, (1) What soft skills are appropriate to different software development lifecycle roles, and (2) Up to what extend does the software industry consider soft skills when hiring an employee. The study suggests that there is a further need of acknowledgment of the significance of soft skills from employers in software industry.

Luiz Fernando Capretz,Fahem Ahmed,Fabio Queda Bueno da Silva

DOI: https://doi.org/10.1016/j.infsof.2017.07.011

2017-11-22

Abstract:Software is a field of rapid changes: the best technology today becomes obsolete in the near future. If we review the graduate attributes of any of the software engineering programs across the world, life-long learning is one of them. The social and psychological aspects of professional development is linked with rewards. In organizations, where people are provided with learning opportunities and there is a culture that rewards learning, people embrace changes easily. However, the software industry tends to be short-sighted and its primary focus is more on current project success; it usually ignores the capacity building of the individual or team. It is hoped that our software engineering colleagues will be motivated to conduct more research into the area of software psychology so as to understand more completely the possibilities for increased effectiveness and personal fulfillment among software engineers working alone and in teams.

Software Engineering

Michael Whitney,Heather Richter Lipford,Bill Chu,Jun Zhu

DOI: https://doi.org/10.1145/2676723.2677280

2015-01-01

Abstract:Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.

Judit Módné Takács

DOI: https://doi.org/10.3311/ope.467

2021-09-30

Opus et Educatio

Abstract:In the 21st century digitization and online presence affect all areas and stages of life. Everyone becomes a user of the virtual world, both in the professional and in everyday life. There is an increasing priority for the safe use of cyberspace, for a conscious presence. The 21st century and digital evolution expect new attitudes and skill changes in all areas of life, be it the private sector, the workplace or education. With the current methods, the education system often fails to prepare young workers for the new work environment, so it is relevant that we also find the right way to form. As the young people of Generation Z and Alpha already look at the new cyber world from a completely different perspective, we can change their way of thinking and develop their skills differently, facilitating the due process of lifelong learning and development. The expectations and needs of the labour market are forced to change. The reasons for the change are the revolutionized environmental impacts, cybersecurity threats and the transformation of the generational characteristics of employees. The current topic of my research is what industry 4.0 employers expect, what gaps they face, what methods they use to keep security awareness at the right level, and how they try to put employees and their workflows into cyberspace. The study goes beyond mapping safety awareness. In addition, it also examines soft skills that may influence or make safety awareness more effective. After all, a person’s attitude can change as their way of thinking changes.

Mohammad Tahaei,Adam Jenkins,Kami Vaniea,Maria Wolters

DOI: https://doi.org/10.48550/arXiv.2103.09905

2021-03-13

Cryptography and Security

Abstract:The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional level developers. Students have a range of hacker and attack mindsets, lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other peoples' code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers.

Asif Imran

DOI: https://doi.org/10.1007/978-3-031-36597-3

2023-10-23

Abstract:Software security requirements have been traditionally considered as a non-functional attribute of the software. However, as more software started to provide services online, existing mechanisms of using firewalls and other hardware to secure software have lost their applicability. At the same time, under the current world circumstances, the increase of cyber-attacks on software is ever increasing. As a result, it is important to consider the security requirements of software during its design. To design security in the software, it is important to obtain the views of the developers and managers of the software. Also, it is important to evaluate if their viewpoints match or differ regarding the security. Conducting this communication through a specific model will enable the developers and managers to eliminate any doubts on security design and adopt an effective strategy to build security into the software. In this paper, we analyzed the viewpoints of developers and managers regarding their views on security design. We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack. We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security. Based on their feedback, we coded their open-ended responses into 4 codes, which we recommended using for other real-life software as well.

Software Engineering,Cryptography and Security,Computers and Society

Sam Wen Ping,Jeffrey Cheok Jun Wah,Lee Wen Jie,Jeremy Bong Yong Han,Saira Muzafar

2023-11-18

Abstract:In recent years, technology has advanced considerably with the introduction of many systems including advanced robotics, big data analytics, cloud computing, machine learning and many more. The opportunities to exploit the yet to come security that comes with these systems are going toe to toe with new releases of security protocols to combat this exploitation to provide a secure system. The digitization of our lives proves to solve our human problems as well as improve quality of life but because it is digitalized, information and technology could be misused for other malicious gains. Hackers aim to steal the data of innocent people to use it for other causes such as identity fraud, scams and many more. This issue can be corrected during the software development life cycle, integrating security across the development phases, and testing of the software is done early to reduce the number of vulnerabilities that might or might not heavily impact an organisation depending on the range of the attack. The goal of a secured system software is to prevent such exploitations from ever happening by conducting a system life cycle where through planning and testing is done to maximise security while maintaining functionality of the system. In this paper, we are going to discuss the recent trends in security for system development as well as our predictions and suggestions to improve the current security practices in this industry.

Cryptography and Security,Software Engineering

Vivek Arora,Enrique Larios Vargas,Maurício Aniche,Arie van Deursen

DOI: https://doi.org/10.48550/arXiv.2104.03476

2021-04-08

Abstract:Secure software engineering is a fundamental activity in modern software development. However, while the field of security research has been advancing quite fast, in practice, there is still a vast knowledge gap between the security experts and the software development teams. After all, we cannot expect developers and other software practitioners to be security experts. Understanding how software development teams incorporate security in their processes and the challenges they face is a step towards reducing this gap. In this paper, we study how financial services companies ensure the security of their software systems. To that aim, we performed a qualitative study based on semi-structured interviews with 16 software practitioners from 11 different financial companies in three continents. Our results shed light on the security considerations that practitioners take during the different phases of their software development processes, the different security practices that software teams make use of to ensure the security of their software systems, the improvements that practitioners perceive as important in existing state-of-the-practice security tools, the different knowledge-sharing and learning practices that developers use to learn more about software security, and the challenges that software practitioners currently face when it comes to secure their systems.

Software Engineering

Ariessa Davaindran Lingham,Nelson Tang Kwong Kin,Chen Wan Jing,Chong Heng Loong,Fatima-tuz-Zahra

DOI: https://doi.org/10.48550/arXiv.2012.13108

2020-12-24

Abstract:Security holds an important role in a software. Most people are not aware of the significance of security in software system and tend to assume that they will be fine without security in their software systems. However, the lack of security features causes to expose all the vulnerabilities possible to the public. This provides opportunities for the attackers to perform dangerous activities to the vulnerable insecure systems. This is the reason why many organizations are reported for being victims of system security attacks. In order to achieve the security requirement, developers must take time to study so that they truly understand the consequences and importance of security. Hence, this paper is written to discuss how secure software development can be performed. To reach the goal of this paper, relevant researches have been reviewed. Multiple case study papers have been studied to find out the answers to how the vulnerabilities are identified, how to eliminate them, when to implement security features, why do we implement them. Finally, the paper is concluded with final remarks on implementation of security features during software development process. It is expected that this paper will be a contribution towards the aforementioned software security domain which is often ignored during practical application.

Software Engineering

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque,Anmoal Porwal

DOI: https://doi.org/10.48550/arXiv.2102.10430

2021-02-20

Software Engineering

Abstract:Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.

Filipo Sharevski,Adam Trowbridge,Jessica Westbrook

DOI: https://doi.org/10.48550/arXiv.1806.01198

2018-06-04

Computers and Society

Abstract:Training the future cybersecurity workforce to respond to emerging threats requires introduction of novel educational interventions into the cybersecurity curriculum. To be effective, these interventions have to incorporate trending knowledge from cybersecurity and other related domains while allowing for experiential learning through hands-on experimentation. To date, the traditional interdisciplinary approach for cybersecurity training has infused political science, law, economics or linguistics knowledge into the cybersecurity curriculum, allowing for limited experimentation. Cybersecurity students were left with little opportunity to acquire knowledge, skills, and abilities in domains outside of these. Also, students in outside majors had no options to get into cybersecurity. With this in mind, we developed an interdisciplinary course for experiential learning in the fields of cybersecurity and interaction design. The inaugural course teaches students from cybersecurity, user interaction design, and visual design the principles of designing for secure use - or secure design - and allows them to apply them for prototyping of Internet-of-Things (IoT) products for smart homes. This paper elaborates on the concepts of secure design and how our approach enhances the training of the future cybersecurity workforce.

Pradeep Waychal,Luiz Fernando Capretz

DOI: https://doi.org/10.5121/csit.2017.70414

2017-04-04

Abstract:It is impossible to separate the human factors from software engineering expertise during software development, because software is developed by people and for people. The intangible nature of software has made it a difficult product to successfully create, and an examination of the many reasons for major software system failures show that the reasons for failures eventually come down to human issues. Software developers, immersed as they are in the technological aspect of the product, can quickly learn lessons from technological failures and readily come up with solutions to avoid them in the future, yet they do not learn lessons from human aspects in software engineering. Dealing with human errors is much more difficult for developers and often this aspect is overlooked in the evaluation process as developers move on to issues that they are more comfortable solving. A major reason for this oversight is that software psychology (the softer side) has not developed as extensively.

Computers and Society

Wouter Groeneveld,Brett A. Becker,Joost Vennekens

DOI: https://doi.org/10.1145/3341525.3387396

2020-01-01

Abstract:Industry expectations of graduates are higher than ever. Not only are they required to be skilled in several technologies, but also need to be equipped with non-technical skills - often called soft skills or professional skills. This puts pressure on computing programs, as educators try to integrate these requirements into already full curricula. Although incorporating such skills into programs is seemingly common practice, little is known about what skills are being taught and why, outside of isolated case studies. In this work we ask: What non-technical skills are expected of undergraduate students according to computing programs? To answer this we manually curated 278 non-technical syllabi from 110 universities in 30 European countries. The most frequently identified skills are teamwork, ethics, written/oral communication, and presentation skills, while the development of one's own values, motivating others, creativity, and empathy feature least frequently. By providing a detailed analysis and an interactive website visualizing this data, we hope to aid the community in reviewing which non-technical skills are taught with an aim to teaching the right skills to the right students. This work sheds new light on what is expected of undergraduate computing students in terms of non-technical skills and identifies areas where more coverage might be needed.

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.48550/arXiv.2102.05345

2021-02-10

Abstract:Awareness of cybersecurity topics facilitates software developers to produce secure code. This awareness is especially important in industrial environments for the products and services in critical infrastructures. In this work, we address how to raise awareness of software developers on the topic of secure coding. We propose the "CyberSecurity Challenges", a serious game designed to be used in an industrial environment and address software developers' needs. Our work distils the experience gained in conducting these CyberSecurity Challenges in an industrial setting. The main contributions are the design of the CyberSecurity Challenges events, the analysis of the perceived benefits, and practical advice for practitioners who wish to design or refine these games.

Software Engineering

Larissa Braz,Alberto Bacchelli

DOI: https://doi.org/10.1145/3540250.3549135

2022-08-09

Abstract:To avoid software vulnerabilities, organizations are shifting security to earlier stages of the software development, such as at code review time. In this paper, we aim to understand the developers' perspective on assessing software security during code review, the challenges they encounter, and the support that companies and projects provide. To this end, we conduct a two-step investigation: we interview 10 professional developers and survey 182 practitioners about software security assessment during code review. The outcome is an overview of how developers perceive software security during code review and a set of identified challenges. Our study revealed that most developers do not immediately report to focus on security issues during code review. Only after being asked about software security, developers state to always consider it during review and acknowledge its importance. Most companies do not provide security training, yet expect developers to still ensure security during reviews. Accordingly, developers report the lack of training and security knowledge as the main challenges they face when checking for security issues. In addition, they have challenges with third-party libraries and to identify interactions between parts of code that could have security implications. Moreover, security may be disregarded during reviews due to developers' assumptions about the security dynamic of the application they develop. Data and materials: <a class="link-external link-https" href="https://doi.org/10.5281/zenodo.6875435" rel="external noopener nofollow">this https URL</a>

Software Engineering

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

Luca Allodi,Marco Cremonini,Fabio Massacci,Woohyun Shim

DOI: https://doi.org/10.48550/arXiv.1808.06547

2018-08-20

Computers and Society

Abstract:In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (\CVSS) v3), and designed a study to compare how accurately individuals with background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular we find that individual characteristics matter more than professional experience or formal education; apparently it is the \emph{combination} of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, to influence more the assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information.

Shao-Fang Wen,Basel Katt

DOI: https://doi.org/10.1080/19361610.2019.1585704

2019-06-04

Journal of Applied Security Research

Abstract:Learning software security is one of the most challenging tasks in the information technology sector due to the vast amount of security knowledge and the difficulties in understanding its practical applications. Conventional teaching approaches give little attention to how to improve the effectiveness of learning in the domain of software security. Context-based learning has been proven to be a sound pedagogical methodology; however, it is still unclear how to synthesize the prescription in the domain of software security. In this article, a context-based approach to software security learning is proposed for structuring and presenting security knowledge. To evaluate the proposed approach, a quasi-experiment was designed and executed in the setting of a university learning environment. The experiment results indicate that the proposed context-based learning approach not only yields significant knowledge gains compared to the conventional approach but also gains better learning satisfaction of students.