| EPSRC Reference: |
EP/P011799/2 |
| Title: |
Why Johnny doesn't write secure software? Secure software development by the masses |
| Principal Investigator: |
Rashid, Professor A |
| Other Investigators: |
|
| Researcher Co-Investigators: |
|
| Project Partners: |
|
| Department: |
Computer Science |
| Organisation: |
University of Bristol |
| Scheme: |
Standard Research |
| Starts: |
01 January 2018 |
Ends: |
31 December 2021 |
Value (£): |
853,634
|
| EPSRC Research Topic Classifications: |
| Human-Computer Interactions |
Psychology |
| Software Engineering |
|
|
| EPSRC Industrial Sector Classifications: |
|
| Related Grants: |
|
| Panel History: |
| Panel Date | Panel Name | Outcome |
|
10 Nov 2016
|
Human Dimensions of Cyber Security
|
Announced
|
|
|
Summary on Grant Application Form |
Do you use mobile or web apps or have Internet of Things devices on your person, in your home or workplace? Have you thought about who developed the software that drives these apps and devices, what was their understanding of cyber security, how did they make design decisions that impact the cyber security of the resulting software, and what factors influenced their behaviour and design choices? Or perhaps you are one of the masses exploiting app development platforms and easy-to-program hardware devices such as Arduino and Raspberry Pi to develop applications and deploy them for personal use or distribute them to millions of people around the world? How do you make cyber security decisions when you write software? Do you consciously think about the security implications of your design choices, or are there other factors that are more critical? What will help you achieve your goals from the software that you are developing while ensuring that it is not vulnerable to attacks by malicious actors?
This project aims to develop a deep foundational understanding of these issues. We recognise that developing software is no longer the preserve for the select few with deep technical skills, training, and knowledge. A wide range of people from diverse backgrounds are increasingly developing software for mobile and web apps and for programmable consumer devices. This diversity of developers is at the heart of many innovations in the digital economy. The software they produce can be, and is, deployed across systems embedded in many aspects of human activity, and is used by a global user base. However, little is currently understood about the security behaviours and decision-making processes of 'the masses' engaged in software development.
We refer to these masses by the pseudonym 'Johnny' - based on a seminal work by Whitten and Tygar where they highlighted the challenges faced by Johnny, the prototypical user of encryption. In this project we aim to tackle the challenges faced by Johnny in a contemporary setting beyond encryption. We focus on the Johnnys with diverse backgrounds, know-how and cyber security expertise who can, and are, developing software used, potentially, by millions worldwide.
Drawing on a research team of experts in cyber security, software engineering, and psychology, our aim in this project is to conduct empirically-grounded research to better understand the security implications of Johnny's behaviours and practices and develop effective support for secure software development by Johnny. We propose to achieve this by uncovering and characterising the security vulnerabilities that Johnny tends to introduce, by analysing how and why these vulnerabilities are introduced, and by identifying and evaluating a range of interventions to improve Johnny's security behaviours during software development. We will do this in collaboration with eminent international research partners, drawn from leading research and practitioner organisations around the world. This project will be the first to study the inter-relationship between the cognitive and social processes that shape Johnny's cyber security decisions, their impact on the security of the resultant software and the novel interventions that may steer Johnny towards more effective cyber security decisions during software development.
|
|
Key Findings |
|
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
|
Potential use in non-academic contexts |
|
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
|
Impacts |
|
| Description |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk |
| Summary |
|
| Date Materialised |
|
|
|
|
Sectors submitted by the Researcher |
|
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
| Project URL: |
|
| Further Information: |
|
| Organisation Website: |
http://www.bris.ac.uk |