The Case for Adaptive Security Interventions

Irum Rauf*, Marian Petre, Thein Than Tun, Tamara Lopez, Paul Lunn, Dirk van der Linden, John Towse, Helen Sharpe, Mark Levine, Awais Rashid, Bashar Nuseibeh

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

93 Downloads (Pure)


Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. To widen our understanding of developers' behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this article (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature that identified a catalogue of factors that influence developers' security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests “adaptive security interventions” as a solution that responds to the changing security needs of individual developers and a present a proof-of-concept tool to substantiate our suggestion.
Original languageEnglish
Article number9
Pages (from-to)1-52
Number of pages52
JournalACM Transactions on Software Engineering and Methodology
Issue number1
Early online date28 Sept 2021
Publication statusPublished - Jan 2022


Dive into the research topics of 'The Case for Adaptive Security Interventions'. Together they form a unique fingerprint.

Cite this