It's the psychology stupid: How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots

Daniela Oliveira, Marissa Rosenthal, N. Morin, Kuo Chuan Yeh, Justin Cappos, Y. Zhuang

    Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

    Abstract

    Despite the security community's emphasis on the importance of building secure software, the number of new vulnerabilities found in our systems is increasing. In addition, vulnerabilities that have been studied for years are still commonly reported in vulnerability databases. This paper investigates a new hypothesis that software vulnerabilities are blind spots in developers' heuristic-based decision-making processes. Heuristics are simple computational models to solve problems without considering all the information available. They are an adaptive response to our short working memory because they require less cognitive effort. Our hypothesis is that as software vulnerabilities represent corner cases that exercise unusual information flows, they tend to be left out from the repertoire of heuristics used by developers during their programming tasks. To validate this hypothesis we conducted a study with 47 developers using psychological manipulation. In this study each developer worked for approximately one hour on six vulnerable programming scenarios. The sessions progressed from providing no information about the possibility of vulnerabilities, to priming developers about unexpected results, and explicitly mentioning the existence of vulnerabilities in the code. The results show that (i) security is not a priority in software development environments, (ii) security is not part of developers' mindset while coding, (iii) developers assume common cases for their code, (iv) security thinking requires cognitive effort, (v) security education helps, but developers can have difficulties correlating a particular learned vulnerability or security information with their current working task, and (vi) priming or explicitly cueing about vulnerabilities on-the-spot is a powerful mechanism to make developers aware about potential vulnerabilities.
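    The abstract does not reproduce the paper's six vulnerable scenarios. The following Python is an added illustration, not code from the paper or its authors, of the "common case" heuristic and the "unusual information flow" the abstract contrasts it with: a file-name resolver written for ordinary names beside one that spells out the corner cases, and a small on-the-spot check that plays the role of the priming cue the study describes. The storage root BASE_DIR, the function names and the list of unusual inputs are constructed for this illustration and are not taken from the paper.

```python
"""
Constructed illustration (not from the paper): a developer's mental model covers
the ordinary input, while the unusual information flow that turns the code into
a vulnerability is never brought to mind unless something cues it.
"""
import posixpath

# Assumed storage root for the illustration; the paper names no such path.
BASE_DIR = "/srv/app/uploads"


class UnsafePath(ValueError):
    """Raised when a user-supplied name would leave BASE_DIR."""


def stays_inside(path: str) -> bool:
    """True only if path is strictly inside BASE_DIR and carries no NUL byte
    (a NUL truncates the string once it reaches a C-level file API)."""
    if "\x00" in path:
        return False
    norm = posixpath.normpath(path)
    return norm != BASE_DIR and posixpath.commonpath([BASE_DIR, norm]) == BASE_DIR


def resolve_naive(name: str) -> str:
    # Common-case heuristic: "name" is a plain file name such as "report.pdf".
    # Nothing here considers "../", an absolute name, an empty name or a NUL byte.
    return posixpath.join(BASE_DIR, name)


def resolve_checked(name: str) -> str:
    # The same task with the corner cases made explicit rather than assumed away.
    if not name or "\x00" in name:
        raise UnsafePath("empty name or NUL byte")
    if posixpath.isabs(name):
        # posixpath.join discards BASE_DIR when the second part is absolute.
        raise UnsafePath("absolute path")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    if not stays_inside(candidate):
        raise UnsafePath("escapes base directory: " + name)
    return candidate


# Constructed list of the unusual inputs the abstract says developers tend not to
# think of unless cued. Running a function against them on the spot is the
# code-level analogue of priming: it surfaces the blind spot without teaching a
# new concept.
UNUSUAL_INPUTS = [
    "report.pdf",        # the common case the heuristic was built for
    "../../etc/passwd",  # relative traversal
    "/etc/passwd",       # absolute path swallowing the base directory
    "",                  # empty name resolves to the directory itself
    "a/../../b",         # traversal hidden behind a legitimate-looking prefix
    "x\x00.txt",         # NUL byte truncation at the OS boundary
]


def blind_spots(resolver) -> list:
    """Return the unusual inputs that the resolver accepts and that end up
    outside BASE_DIR: each one is a corner case the resolver's author missed."""
    escaped = []
    for name in UNUSUAL_INPUTS:
        try:
            out = resolver(name)
        except UnsafePath:
            continue
        if not stays_inside(out):
            escaped.append(name)
    return escaped


if __name__ == "__main__":
    print("naive resolver misses:", blind_spots(resolve_naive))
    print("checked resolver misses:", blind_spots(resolve_checked))
```

    Running the script lists five escaping inputs for the naive resolver and none for the checked one; the point of blind_spots is that it costs a developer nothing to re-run once the unusual inputs are written down, which is the kind of cheap, explicit cue the abstract reports as effective.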

    Original language: English (US)
    Title of host publication: Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014
    Publisher: Association for Computing Machinery
    Pages: 296-305
    Number of pages: 10
    Volume: 2014-December
    Edition: December
    DOI: https://doi.org/10.1145/2664243.2664254
    State: Published - Dec 8 2014
    Event: 30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States
    Duration: Dec 8 2014 to Dec 12 2014

    Other

    Other: 30th Annual Computer Security Applications Conference, ACSAC 2014
    Country: United States
    City: New Orleans
    Period: 12/8/14 to 12/12/14

    Fingerprint

    Software engineering
    Education
    Decision making
    Data storage equipment

    ASJC Scopus subject areas

    • Human-Computer Interaction
    • Computer Networks and Communications
    • Computer Vision and Pattern Recognition
    • Software

    Cite this

    Oliveira, D., Rosenthal, M., Morin, N., Yeh, K. C., Cappos, J., & Zhuang, Y. (2014). It's the psychology stupid: How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots. In Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014 (December ed., Vol. 2014-December, pp. 296-305). Association for Computing Machinery. https://doi.org/10.1145/2664243.2664254

    It's the psychology stupid : How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots. / Oliveira, Daniela; Rosenthal, Marissa; Morin, N.; Yeh, Kuo Chuan; Cappos, Justin; Zhuang, Y.

    Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014. Vol. 2014-December, December ed. Association for Computing Machinery, 2014. p. 296-305.


    Oliveira, D, Rosenthal, M, Morin, N, Yeh, KC, Cappos, J & Zhuang, Y 2014, It's the psychology stupid: How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots. in Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014. December edn, vol. 2014-December, Association for Computing Machinery, pp. 296-305, 30th Annual Computer Security Applications Conference, ACSAC 2014, New Orleans, United States, 12/8/14. https://doi.org/10.1145/2664243.2664254
    Oliveira D, Rosenthal M, Morin N, Yeh KC, Cappos J, Zhuang Y. It's the psychology stupid: How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots. In Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014. December ed. Vol. 2014-December. Association for Computing Machinery. 2014. p. 296-305 https://doi.org/10.1145/2664243.2664254
    Oliveira, Daniela ; Rosenthal, Marissa ; Morin, N. ; Yeh, Kuo Chuan ; Cappos, Justin ; Zhuang, Y. / It's the psychology stupid : How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots. Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014. Vol. 2014-December, December ed. Association for Computing Machinery, 2014. pp. 296-305
    @inproceedings{f9821157652e473aba020ab2d5dfea14,
    title = "It's the psychology stupid: How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots",
    author = "Daniela Oliveira and Marissa Rosenthal and N. Morin and Yeh, {Kuo Chuan} and Justin Cappos and Y. Zhuang",
    year = "2014",
    month = "12",
    day = "8",
    doi = "10.1145/2664243.2664254",
    language = "English (US)",
    volume = "2014-December",
    pages = "296--305",
    booktitle = "Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014",
    publisher = "Association for Computing Machinery",
    edition = "December",
    }

    TY - GEN

    T1 - It's the psychology stupid

    T2 - How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots

    AU - Oliveira, Daniela

    AU - Rosenthal, Marissa

    AU - Morin, N.

    AU - Yeh, Kuo Chuan

    AU - Cappos, Justin

    AU - Zhuang, Y.

    PY - 2014/12/8

    Y1 - 2014/12/8


    UR - http://www.scopus.com/inward/record.url?scp=84954508470&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84954508470&partnerID=8YFLogxK

    U2 - 10.1145/2664243.2664254

    DO - 10.1145/2664243.2664254

    M3 - Conference contribution

    AN - SCOPUS:84954508470

    VL - 2014-December

    SP - 296

    EP - 305

    BT - Proceedings - 30th Annual Computer Security Applications Conference, ACSAC 2014

    PB - Association for Computing Machinery

    ER -