Understanding the social aspects of software security




Yousefi, Soroush




Context: Security is a critical non-functional requirement that has yet to be adequately addressed in software development. Security breaches occur with surprising regularity, and many of them stem from an inadequate understanding of development processes and tools. Researchers and practitioners have conducted studies and proposed new interventions to understand and improve security, but it can be difficult to see how this research relates and how much progress has been made. Moreover, some of the existing research has been criticized for focusing too much on technical aspects and not enough on the human and social aspects that are critical to achieving higher security.

Objective: My thesis addresses two objectives. First, I aim to develop a map of the research done to date, with a focus on how much of the literature considers the social and human aspects of security. Second, I aim to investigate how developers in industry approach security, what motivates them, and what activities they follow to improve the security of the projects they work on.

Method: To meet the first objective, I conducted a systematic mapping study, finding 36 papers that study security issues using projects hosted on GitHub. I classified these papers into nine problem areas. I also investigated how these papers address the social aspects of security by applying a socio-technical research framework to capture the beneficiary of the reported research, the type of contribution the research produced, and the research strategy used in each paper. To meet the second objective and to address the gap identified in the mapping study, I conducted an interview study with 28 practitioners to understand their behaviour towards security and what motivates them. I used a behavioural model from psychology to design the interviews and to understand developer behaviours and motivations towards security.

Results: The mapping study shows that much of the research to date has focused on advancing technical aspects, with much less attention given to how developers and practitioners might adopt and use the available security tools. My review suggests that human and social aspects are neglected in security research. I summarize gaps in the literature and suggest future areas for research. I also synthesized suggestions for how to mitigate security threats in projects hosted on GitHub. From the cross-sectional interview study, motivated by the mapping study's finding that social aspects deserve more attention, I found that practitioners need more support from their organizations, peers, and managers to achieve higher adoption of security practices. I also observed how different factors, such as industry type and organization characteristics, affect the adoption of security in software development.

Conclusion: I provide an overview of security issues and of how researchers approach improving security. I identify gaps and challenges in the literature and suggest future research areas. The gaps from the mapping study show a dearth of research on social and human aspects, which motivated an interview study with developers from industry to understand their attitudes towards security and how they can be encouraged to adopt more secure practices. I conclude with insights that could help organizations design new strategies to increase the adoption of more secure practices by software developers.