An Analysis of the Role of Situated Learning in Starting a Security Culture in a Software Company

Authors: 

Anwesh Tuladhar, Daniel Lende, Jay Ligatti, and Xinming Ou, University of South Florida

Awarded Distinguished Paper!

Abstract: 

We conducted an ethnographic study of a software development company to explore if and how a development team adopts security practices into the development lifecycle. A PhD student in computer science with prior training in qualitative research methods was embedded in the company for eight months. The researcher joined the company as a software engineer and participated in all development activities as a new hire would, while also making observations on the development practices. During the fieldwork, we observed a positive shift in the development team's practices regarding secure development. Our analysis of data indicates that the shift can be attributed to enabling all software engineers to see how security knowledge could be applied to the specific software products they worked on. We also observed that by working with other developers to apply security knowledge under the concrete context where the software products were built, developers who possessed security expertise and wanted to push for more secure development practices (security advocates) could be effective in achieving this goal. Our data point to an interactive learning process where software engineers in a development team acquire knowledge, apply it in practice, and contribute to the team, leading to the creation of a set of preferred practices, or "culture" of the team. This learning process can be understood through the lens of the situated learning framework, where it is recognized that knowledge transfer happens within a community of practice, and applying the knowledge is the key in individuals (software engineers) acquiring it and the community (development team) embodying such knowledge in its practice. Our data show that enabling a situated learning environment for security gives rise to security-aware software engineers. We discuss the roles of management and security advocates in driving the learning process to start a security culture in a software company.

SOUPS 2021 Open Access Videos Sponsored by
Ethyca

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {274475,
author = {Anwesh Tuladhar and Daniel Lende and Jay Ligatti and Xinming Ou},
title = {An Analysis of the Role of Situated Learning in Starting a Security Culture in a Software Company},
booktitle = {Seventeenth Symposium on Usable Privacy and Security ({SOUPS} 2021)},
year = {2021},
isbn = {978-1-939133-25-0},
pages = {617--632},
url = {https://www.usenix.org/conference/soups2021/presentation/tuladhar},
publisher = {{USENIX} Association},
month = aug,
}

Presentation Video