Security Developer Studies with GitHub Users: Exploring a Convenience Sample

Authors: 

Yasemin Acar, Leibniz University Hannover; Christian Stransky, CISPA, Saarland University; Dominik Wermke, Leibniz University Hannover; Michelle Mazurek, University of Maryland, College Park; Sascha Fahl, CISPA, Saarland University

Abstract: 

The usable security community is increasingly considering how to improve security decision-making not only for end users, but also for information technology professionals, including system administrators and software developers. Recruiting these professionals for user studies can prove challenging, as, relative to end users more generally, they are limited in numbers, geographically concentrated, and accustomed to higher compensation. One potential approach is to recruit active GitHub users, who are (in some ways) conveniently available for online studies. However, it is not well understood how GitHub users perform when working on security-related tasks. As a first step in addressing this question, we conducted an experiment in which we recruited 307 active GitHub users to each complete the same security-relevant programming tasks. We compared the results in terms of functional correctness as well as security, finding differences in performance for both security and functionality related to the participant's self-reported years of experience, but no statistically significant differences related to the participant's self-reported status as a student, status as a professional developer, or security background. These results provide initial evidence for how to think about validity when recruiting convenience samples as substitutes for professional developers in security developer studies.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {205176,
author = {Yasemin Acar and Christian Stransky and Dominik Wermke and Michelle L. Mazurek and Sascha Fahl},
title = {Security Developer Studies with GitHub Users: Exploring a Convenience Sample},
booktitle = {Thirteenth Symposium on Usable Privacy and Security ({SOUPS} 2017)},
year = {2017},
isbn = {978-1-931971-39-3},
address = {Santa Clara, CA},
pages = {81--95},
url = {https://www.usenix.org/conference/soups2017/technical-sessions/presentation/acar},
publisher = {{USENIX} Association},
month = jul,
}

Presentation Audio