Enrique Larios Vargas, OWASP
The Secure by Design movement has advanced security by shifting responsibility from individual developers to the systems they use. However, it assumes developers will respond uniformly to secure defaults and guardrails. They don't.
Using the COM-B behavioral model, which analyzes behavior through Capability, Opportunity, and Motivation, and synthesizing empirical research on developer security practices, I identified six developer personas reflecting fundamentally different patterns of security engagement. A developer skeptical about security's ROI requires a different intervention than one who is enthusiastic but lacks organizational support, or one who actively resists security processes.
This talk introduces the SECUR-E framework (Skeptic, Enthusiast, Compliant, Unaware, Resistant, Embedded) and explains why recognizing behavioral diversity is essential for Secure by Design to succeed. When organizations approach developer security as a behavioral design challenge rather than a compliance issue, they can tailor interventions to the actual barriers of each developer type.
Dr. Enrique Larios Vargas is a Security and Learning Specialist at Adyen in the Netherlands, where he designs and leads large-scale security enablement programs for engineering teams in a global fintech environment. His work focuses on integrating behavioral science into secure software development, helping organizations move beyond compliance-driven approaches toward sustainable security culture.
With over five years of experience across fintech, cybersecurity, and higher education, Enrique bridges research and practice. Prior to joining the industry, he served as a university lecturer and conducted research on behavioral factors in software engineering and cybersecurity. He holds a Ph.D. in Computer Science from Leiden University.
Enrique is an active OWASP contributor, co-leads the OWASP Security Culture Project, and regularly speaks on human-centric cybersecurity, developer behavior, and security culture transformation. His mission is to make secure development not just a policy requirement, but the natural and easiest choice for developers and software teams.
