“I Don’t Know Too Much About It”: On the Security Mindsets of Computer Science Students

  • Conference paper
  • Socio-Technical Aspects in Security and Trust (STAST 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11739))

Abstract

The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional-level developers. Students have a range of hacker and attack mindsets, a lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other people’s code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers.

Acknowledgements

Thanks to all participants for their time and everyone associated with the TULiPS Lab at the University of Edinburgh for helpful discussions and feedback. We also thank the anonymous reviewers whose comments helped improve the paper greatly. This work was sponsored in part by Microsoft Research through its PhD Scholarship Programme.

Author information

Correspondence to Mohammad Tahaei.

Appendix: Interview Script

  1. Background
    • Can you tell me about yourself? Your academic and professional background?
    • Can you tell me about your dream job?

  2. App scenario
    Let’s say you were asked to create a new group discussion app for in-class discussions.
    • Free list: what features would you consider in this app?
    • Here is a red pen. Can you circle the features that are security and privacy related? Or where you might have to consider security and privacy when building them?
    • Why these ones?
    • Who is most likely to try and attack this system? What are they likely going to try and do?

  3. Threats and attacks
    • Can you tell me who hackers are, in your opinion?
    • Their intentions?
    • What are hackers trying to get?
    • Their background?

  4. Responsibility attribution
    • Who is responsible for providing security and privacy to end users?

  5. Prior coding experiences
    • Tell me about the last piece of software you wrote.
    • Did you consider security while building your project? If not this one, any other projects?
    • Can you tell me an example of an API/library? Can you give me some experiences you have had with them? Any experience with security APIs in particular?
    • What was good about it? Why did you like it?
    • What was confusing about it?

  6. Personal security/privacy practices
    Now we are going to switch to talking about how you handle security and privacy personally as an end user.
    • Free list: What words and concepts do you associate with computer security?
    • Can you give me an example of a good computer security practice? What about something you have done yourself?
    • Have you ever experienced a security or privacy compromise such as getting a virus on your computer, losing your password, having an email sent from your account, or loss of data about you?
    • How did you find out about the issue?
    • How did you correct it?
    • What did you learn from the experience?
    • Can you tell me about some of the experiences you have had with passwords?

  7. Background and demographics
    • How old are you?
    • What is your degree title?
    • Which year of the program are you in?
    • What programming languages do you know?
    • What programming courses have you taken?
    • What security courses have you taken?
    • What is your nationality?
    • Where did you study your undergraduate, Masters, or other degrees?

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Tahaei, M., Jenkins, A., Vaniea, K., Wolters, M. (2021). “I Don’t Know Too Much About It”: On the Security Mindsets of Computer Science Students. In: Groß, T., Tryfonas, T. (eds) Socio-Technical Aspects in Security and Trust. STAST 2019. Lecture Notes in Computer Science(), vol 11739. Springer, Cham. https://doi.org/10.1007/978-3-030-55958-8_2

  • DOI: https://doi.org/10.1007/978-3-030-55958-8_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-55957-1

  • Online ISBN: 978-3-030-55958-8
