Lessons Learned from Using an Online Platform to Conduct Large-Scale, Online Controlled Security Experiments with Software Developers


Christian Stransky, CISPA, Saarland University; Yasemin Acar, Leibniz University Hannover; Duc Cuong Nguyen, CISPA, Saarland University; Dominik Wermke, Leibniz University Hannover; Doowon Kim and Elissa M. Redmiles, University of Maryland, College Park; Michael Backes, CISPA, Saarland University & MPI-SWS; Simson Garfinkel, U.S. Census Bureau & U.S. National Institute of Standards and Technology; Michelle L. Mazurek, University of Maryland, College Park; Sascha Fahl, Leibniz University Hannover


Security and privacy researchers are increasingly conducting controlled experiments focusing on IT professionals, such as software developers and system administrators. These professionals are typically more difficult to recruit than general end-users. In order to allow for distributed recruitment of IT professionals for security user studies, we designed Developer Observatory, a browser-based virtual laboratory platform that enables controlled programming experiments while retaining most of the observational power of lab studies. The Developer Observatory can be used to conduct large-scale, reliable online programming studies with reasonable external validity. We report on our experiences and lessons learned from two controlled programming experiments (n>200) conducted using Developer Observatory.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.