Abstract
The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are formed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional developers. Students have a range of hacker and attack mindsets, a lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other people's code as a convenient way to build software rapidly. We discuss the impact of our results on both curriculum development and support for professional developers.
Acknowledgements
Thanks to all participants for their time and everyone associated with the TULiPS Lab at the University of Edinburgh for helpful discussions and feedback. We also thank the anonymous reviewers whose comments helped improve the paper greatly. This work was sponsored in part by Microsoft Research through its PhD Scholarship Programme.
Appendix: Interview Script
1. Background
- Can you tell me about yourself? Your academic and professional background?
- Can you tell me about your dream job?

2. App scenario
Let's say you were asked to create a new group discussion app for in-class discussions.
- Free list: what features would you consider in this app?
- Here is a red pen. Can you circle the features that are security and privacy related, or where you might have to consider security and privacy when building them?
- Why these ones?
- Who is most likely to try and attack this system? What are they likely going to try and do?

3. Threats and attacks
- Can you tell me who hackers are, in your opinion?
- What are their intentions?
- What are hackers trying to get?
- What is their background?

4. Responsibility attribution
- Who is responsible for providing security and privacy to end users?

5. Prior coding experiences
- Tell me about the last piece of software you wrote.
- Did you consider security while building your project? If not this one, any other projects?
- Can you give me an example of an API/library? Can you tell me about some experiences you have had with them? Any experience with security APIs in particular?
- What was good about it? Why did you like it?
- What was confusing about it?

6. Personal security/privacy practices
Now we are going to switch to talking about how you handle security and privacy personally as an end user.
- Free list: what words and concepts do you associate with computer security?
- Can you give me an example of a good computer security practice? What about something you have done yourself?
- Have you ever experienced a security or privacy compromise, such as getting a virus on your computer, losing your password, having an email sent from your account, or loss of data about you?
- How did you find out about the issue?
- How did you correct it?
- What did you learn from the experience?
- Can you tell me about some of the experiences you have had with passwords?

7. Background and demographics
- How old are you?
- What is your degree title?
- Which year of the programme are you in?
- What programming languages do you know?
- What programming courses have you taken?
- What security courses have you taken?
- What is your nationality?
- Where did you study your undergraduate, Masters, or other degrees?
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Tahaei, M., Jenkins, A., Vaniea, K., Wolters, M. (2021). "I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students. In: Groß, T., Tryfonas, T. (eds) Socio-Technical Aspects in Security and Trust. STAST 2019. Lecture Notes in Computer Science, vol 11739. Springer, Cham. https://doi.org/10.1007/978-3-030-55958-8_2
DOI: https://doi.org/10.1007/978-3-030-55958-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-55957-1
Online ISBN: 978-3-030-55958-8
eBook Packages: Computer Science (R0)