"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products


Julie M. Haney and Mary F. Theofanos, National Institute of Standards and Technology; Yasemin Acar, Leibniz University Hannover; Sandra Spickard Prettyman, Culture Catalyst


Cryptography is an essential component of modern computing. Unfortunately, implementing cryptography correctly is a non-trivial undertaking. Past studies have supported this observation by revealing a multitude of errors and developer pitfalls in the cryptographic implementations of software products. However, the emphasis of these studies was on individual developers; there is an obvious gap in more thoroughly understanding cryptographic development practices of organizations. To address this gap, we conducted 21 in-depth interviews of highly experienced individuals representing organizations that include cryptography in their products. Our findings suggest a security mindset not seen in other research results, demonstrated by strong organizational security culture and the deep expertise of those performing cryptographic development. This mindset, in turn, guides the careful selection of cryptographic resources and informs formal, rigorous development and testing practices. The enhanced understanding of organizational practices encourages additional research initiatives to explore variations in those implementing cryptography, which can aid in transferring lessons learned from more security-mature organizations to the broader development community through educational opportunities, tools, and other mechanisms. The findings also support past studies that suggest that the usability of cryptographic resources may be deficient, and provide additional suggestions for making these resources more accessible and usable to developers of varying skill levels.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {219400,
author = {Julie M. Haney and Mary Theofanos and Yasemin Acar and Sandra Spickard Prettyman},
title = {"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products},
booktitle = {Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)},
year = {2018},
isbn = {978-1-939133-10-6},
address = {Baltimore, MD},
pages = {357--373},
url = {https://www.usenix.org/conference/soups2018/presentation/haney-mindsets},
publisher = {USENIX Association},
month = aug