How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study

Gutfleisch, Marco; Klemmer, Jan H.; Busch, Niklas; Acar, Yasemin; Sasse, M. Angela; Fahl, Sascha

doi:10.1109/sp46214.2022.9833756

Cited by 18 publications

(9 citation statements)

References 49 publications

(48 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We saw that more mature startups did consider security and privacy, and had dedicated teams or persons for them, or outsourced them to third parties. We find that, except for considering both KVKK and GDPR, Turkish startup developers' security and privacy perceptions and processes resemble those found in published literature based on interviews with developers from various company sizes in Germany, the United States of America, the United Kingdom, Brazil, Israel, and China [22], [23], [46], [50], [59], [62].…”

Section: Discussionsupporting

confidence: 57%

"We are a startup to the core": A qualitative interview study on the security and privacy development practices in Turkish software startups

Keküllüoğlu

Acar

2023

2023 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

Security and privacy are often neglected in software development, and rarely a priority for developers. This insight is commonly based on research conducted by researchers and on developer populations living and working in the United States, Europe, and the United Kingdom. However, the production of software is global, and crucial populations in important technology hubs are not adequately studied. The software startup scene in Turkey is impactful, and comprehension, knowledge, and mitigations related to software security and privacy remain understudied. To close this research gap, we conducted a semi-structured interview study with 16 developers working in Turkish software startups. The goal of the interview study was to analyze if and how developers ensure that their software is secure and preserves user privacy. Our main finding is that developers rarely prioritize security and privacy, due to a lack of awareness, skills, and resources. We find that regulations can make a positive impact on security and privacy. Based on the study, we issue recommendations for industry, individual developers, research, educators, and regulators. Our recommendations can inform a more globalized approach to security and privacy in software development.

show abstract

Section: Discussionsupporting

confidence: 57%

"We are a startup to the core": A qualitative interview study on the security and privacy development practices in Turkish software startups

Keküllüoğlu

Acar

2023

2023 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Those involved in software design and development greatly influence the implementation of security and, consequently, whether security is implemented in a usable way. In this regard, Gutfleish et al [64], in a series of 25 interviews conducted in different development contexts, investigated how usable security is handled within the software development process: a process that involves several stages (e.g., requirements definition, code writing, and debugging) and different stakeholders (managers, designers, developers, and customers). The results of that qualitative study showed that the topic of usable security had received little attention within the developer community.…”

Section: Discussionmentioning

confidence: 99%

Usable Security: A Systematic Literature Review

Di Nocera,

Tempestini,

Orsini

2023

Information

View full text Add to dashboard Cite

Usable security involves designing security measures that accommodate users’ needs and behaviors. Balancing usability and security poses challenges: the more secure the systems, the less usable they will be. On the contrary, more usable systems will be less secure. Numerous studies have addressed this balance. These studies, spanning psychology and computer science/engineering, contribute diverse perspectives, necessitating a systematic review to understand strategies and findings in this area. This systematic literature review examined articles on usable security from 2005 to 2022. A total of 55 research studies were selected after evaluation. The studies have been broadly categorized into four main clusters, each addressing different aspects: (1) usability of authentication methods, (2) helping security developers improve usability, (3) design strategies for influencing user security behavior, and (4) formal models for usable security evaluation. Based on this review, we report that the field’s current state reveals a certain immaturity, with studies tending toward system comparisons rather than establishing robust design guidelines based on a thorough analysis of user behavior. A common theoretical and methodological background is one of the main areas for improvement in this area of research. Moreover, the absence of requirements for Usable security in almost all development contexts greatly discourages implementing good practices since the earlier stages of development.

show abstract

“…However, it is important to acknowledge that privacy and security are still often de-prioritized by individual developers and organizations [7,37,53]. In particular, prior research indicated that the deprioritization of privacy is especially pronounced in smaller organizations or teams [37]. Indeed, participants in our study who mentioned piggybacking on privacy procedure were all from largesize technology companies (with 25,000+ employees) that may already have more established privacy processes than smaller organizations in place.…”

Section: Thriving Not Just Surviving: Frommentioning

confidence: 95%

Section: Thriving Not Just Surviving: Frommentioning

confidence: 99%

Investigating Practices and Opportunities for Cross-functional Collaboration around AI Fairness in Industry Practice

Deng

Yildirim

Chang

et al. 2023

2023 ACM Conference on Fairness, Accountability, and Transparency

View full text Add to dashboard Cite

An emerging body of research indicates that ineffective cross-functional collaboration -the interdisciplinary work done by industry practitioners across roles -represents a major barrier to addressing issues of fairness in AI design and development. In this research, we sought to better understand practitioners' current practices and tactics to enact cross-functional collaboration for AI fairness, in order to identify opportunities to support more effective collaboration. We conducted a series of interviews and design workshops with 23 industry practitioners spanning various roles from 17 companies. We found that practitioners engaged in bridging work to overcome frictions in understanding, contextualization, and evaluation around AI fairness across roles. In addition, in organizational contexts with a lack of resources and incentives for fairness work, practitioners often piggybacked on existing requirements (e.g., for privacy assessments) and AI development norms (e.g., the use of quantitative evaluation metrics), although they worry that these tactics may be fundamentally compromised. Finally, we draw attention to the invisible labor that practitioners take on as part of this bridging and piggybacking work to enact interdisciplinary collaboration for fairness. We close by discussing opportunities for both FAccT researchers and AI practitioners to better support crossfunctional collaboration for fairness in the design and development of AI systems.

show abstract

How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study

Cited by 18 publications

References 49 publications

"We are a startup to the core": A qualitative interview study on the security and privacy development practices in Turkish software startups

"We are a startup to the core": A qualitative interview study on the security and privacy development practices in Turkish software startups

Usable Security: A Systematic Literature Review

Investigating Practices and Opportunities for Cross-functional Collaboration around AI Fairness in Industry Practice

Contact Info

Product

Resources

About