In the DFG funded fundamental research project „Hearts and Minds: Transforming Developer Attitudes and Skills“, we analyze what leads to security and usable security becoming embedded in software development practice. The project contributes improved development practices, thus leading to more secure software with security that is also usable. This project is part of the cluster of excellence „Cyber Security in the Age of Large-Scale Adversaries (CASA)“.
In CASA we study the intersection of computer security and privacy with human factors. Writing secure software that is also usable is a huge challenge for many software developers. In the past, software vulnerabilities or bad user interface design and interaction choices were often caused by single developers or small groups of them, but impacted millions of users with serious consequences for the users’ data security or privacy. Deploying more systems whose software is more secure, and more security software with better usability, will increase the effort required to attack these systems, making mass attacks harder for large-scale attackers. The project addresses Research Challenge 10 „Engineers and Usability“ of CASA, which focuses on methods that will enable us to improve the usability of security and privacy mechanisms for engineers such as cryptographers and software developers, but also system administrators.
We address four objectives that make a major contribution to the goals of CASA and future software security:
- Gain detailed insights into professional software development teams and their development practices for security measures. Based on this, identify interventions that can shift developers’ ‘hearts’ and ‘minds’ in favour of security and usability.
- Gain in-depth knowledge on how security software providers design and implement user interfaces and interactions for their software. Understand the decision-making processes and identify intervention points.
- Achieve a long-term transformation of professional habits through a commitment to continuous improvement and the habit of ‘evaluation and reflection’ cycles. Encourage software developers to identify security and usability skill gaps, and offer training and tools.
- Develop a set of usability knowledge and security application examples that can be introduced as part of the reflection cycles in the development process.