Science of Security Lablet
Understanding & Accounting Human Behavior
Understanding Secure Development Tool Adoption
Jim Witschey
Graduate Research Assistant
Us
• Jim Witschey (me)
• Shundan Xiao
• Dr. Emerson Murphy-Hill (PI)
Secure Development
Software security can’t be painted on
www.flickr.com/photos/crondeau/6251922757
Secure Development
Software security should be baked in
www.flickr.com/photos/crondeau/6251923537
Secure Development Tools
Help developers find and fix vulnerabilities
http://blogs.smithsonianmag.com/design/files/2012/07/sherlock-holmes-glass_550.jpg
Secure Development Tools
e.g. FindBugs, a static analyser for Java bytecode
users.ece.utexas.edu/~miryung/teaching/EE461L-Spring2012/labs/findbugs.html
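The kind of defect a tool like FindBugs surfaces, as an added example that is not from the original slides: FindBugs analyses Java bytecode and reports a query string that is built at runtime and handed to execute() under the bug pattern SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE. The block below is my own minimal Python analogue of that check (an AST walk, not FindBugs's implementation), run against a vulnerable lookup function and its fix, with a constructed in-memory users table and a constructed injection payload. Python is used so the example runs stand-alone; the function and table names are assumptions.

```python
"""Toy version of the check a secure development tool performs.

Added example, not from the original slides. FindBugs (a Java analyser)
reports a query string built at runtime and handed to execute() as the bug
pattern SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE. The AST walker below is my
own minimal Python analogue of that detector; the users table, the function
names and the injection payload are constructed for the demonstration.
"""
import ast
import inspect
import sqlite3


# --- the two code shapes the tool tells apart --------------------------------

def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user input is spliced into the SQL text."""
    sql = "SELECT id, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()   # the detector flags this call


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: constant SQL text, the input travels as a bound parameter."""
    sql = "SELECT id, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- a minimal static detector in the spirit of the FindBugs check -----------

EXECUTE_NAMES = {"execute", "executemany", "executescript",
                 "executeQuery", "executeUpdate"}


def _constant_names(scope: ast.AST) -> set:
    """Names bound to a string literal directly in `scope` and never rebound
    anywhere inside it. Everything else counts as non-constant (conservative)."""
    counts: dict = {}
    for node in ast.walk(scope):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    counts[target.id] = counts.get(target.id, 0) + 1
    constants = set()
    for stmt in scope.body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)
                and isinstance(stmt.value, ast.Constant)
                and isinstance(stmt.value.value, str)
                and counts[stmt.targets[0].id] == 1):
            constants.add(stmt.targets[0].id)
    return constants


def find_nonconstant_execute(source: str) -> list:
    """Return (line, message) for every execute-style call whose SQL argument
    is neither a string literal nor a local name bound exactly once to one."""
    tree = ast.parse(source)
    parents = {child: node for node in ast.walk(tree)
               for child in ast.iter_child_nodes(node)}

    def scope_of(node: ast.AST) -> ast.AST:
        while node in parents:
            node = parents[node]
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
                return node
        return tree

    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_NAMES and node.args):
            arg = node.args[0]
            literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            bound = isinstance(arg, ast.Name) and arg.id in _constant_names(scope_of(node))
            if not (literal or bound):
                findings.append((node.lineno,
                                 f"non-constant SQL passed to .{node.func.attr}()"))
    return findings


# --- dynamic side: what the vulnerable shape actually costs ------------------

def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


# Constructed injection input: closes the quoted literal and appends a tautology.
PAYLOAD = "nobody' OR '1'='1"


def run_queries() -> dict:
    """Rows each lookup returns for the payload: the unsafe one leaks every user."""
    conn = make_db()
    return {"unsafe": len(find_user_unsafe(conn, PAYLOAD)),
            "safe": len(find_user_safe(conn, PAYLOAD))}


def analyse_functions() -> dict:
    """Run the detector over the two functions' own source text."""
    return {fn.__name__: find_nonconstant_execute(inspect.getsource(fn))
            for fn in (find_user_unsafe, find_user_safe)}


if __name__ == "__main__":
    print("rows returned:", run_queries())        # {'unsafe': 2, 'safe': 0}
    print("detector findings:", analyse_functions())
```

The detector only trusts a name that is assigned once, to a literal, at the top level of its scope; anything reassigned, concatenated or formatted is reported. That bias toward false positives over false negatives is the same trade-off the real tool makes, and it is also the source of the noise that the adoption interviews later in this deck touch on under Complexity and Relative Advantage.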
Secure Development Tool Adoption
• Why do developers use secure development tools?
•Why don’t they?
Diffusion of Innovations
Sociological framework (Everett Rogers) for understanding the adoption patterns of new technologies
http://commons.wikimedia.org/wiki/File:Chaconne_Dance_1735.jpg
What We’ve Done
• Interviewed 43 industry developers
• Analyzed responses
• Developed Security Tool Adoption Model
Security Tool Adoption Model (figure)
Four groups of factors feed the Probability of Adoption: the Innovation (Relative Advantage, Compatibility, Complexity, Trialability, Observability), the Potential Adopter (e.g. Experience), the Social System (e.g. Structure), and the Communication Channel (e.g. Trust). The remaining factors on the diagram: Inquisitiveness, Security Concern, Training, Exposure, Standards, Culture.
Tools
• Trialability – How easy is it to try out a tool?
Social System
• Company Structure – How do people interact within the company?
Communication Channel
• Trust – How much do developers trust a communication channel?
Potential Adopters
• Experience – How long has the developer been working?
What’s Next?
• More interviews with OSS developers – generalize our model
• Surveys of hundreds of developers – quantify our model
• Case studies – help companies understand and foster security tool adoption in their organizations
How Can We Work Together?
• Connect us to your developers for surveys
• Help us conduct case studies
  – gain concrete knowledge about how your policies affect adoption in your organization