Open University professor Helen Sharp‘s talk at the June 2017 RISCS meeting presented the Motivating Jenny project. She began by noting that she knows very little about security. However, she knows a lot about software and its community and culture from studying software professionals, how they collaborate, and how they work with users, as well as different development methods. There are close links between this project and the complementary Why Johnny Doesn’t Write Secure Software project, particularly in terms of the researchers involved, but the two were developed separately. Funded by NCSC as part of RISCS, Motivating Jenny will be supported by academic and practitioner collaborators in the UK, Ireland, Japan, and Brazil.
Sharp, a newcomer to RISCS, has a background in software engineering; earlier in her career she developed software for large banks and other firms in the City of London. The software engineering group based at the OU brings together expertise in security, privacy, and digital forensics, as well as human behaviour. For the Motivating Jenny project, this combination is enhanced by experience in qualitative practice-based research, in which Sharp and researcher Tamara Lopez (Open University) have expertise. A crucial element is observing subjects in the real environment they work in every day as they perform the real tasks they are required to complete.
For the last ten years, Sharp has been looking at motivation in software engineering. Sharp has conducted studies on professional developers both in offices and working remotely. Although software development is thought of as a lonely, solitary profession, particularly for those who work online, in fact it involves a lot of online collaboration. “They have a very wide community behind their screens.”
There are many ideas about motivation based on the notion that people who are happy are more motivated. Sharp cited, for example, Daniel H. Pink’s Drive, which prescribes autonomy, mastery, and purpose; J.S. Adams’ fairness-based equity theory; the work of Teresa Amibile, whose studies of professionals led her to propose the progress principle; psychologist Abraham Maslow’s hierarchy of needs; and Frederick Herzberg’s two-factor theory, which posits the interplay of positive and negative factors. But a key question is, motivation to do what? Sharp’s work for the last decade has sought to understand what motivates software engineers to be software engineers and to do a good job. What do they enjoy? Why do they stay in the job? The answers are not always obvious. One developer she met had taken a 25% pay cut in order to move to a business that was using cutting-edge technology.
Based on a systematic literature review, the researchers developed a model of motivation in software engineering – but many aspects of it are contested. Partly, this is because software development has changed substantially from the time when a lot of this research was done, as has the environment in which software is written. The researchers are in the process of developing a new model for motivation and will incorporate these elements into the background that feeds into the Motivating Jenny project.
The NCSC’s developer-centred security research call had four questions:
- What does the developer profession look like currently?
- How can we improve the tools that developers use?
- How can the security culture in the developer community be improved?
- How can we motivate developers to care more about security?
Based on their background and taking motivation as the overarching framework, the research team hopes to provide some input into all four of these questions by investigating what motivates developers to do secure coding. The project focuses on developers who are not security specialists. The project is working with two companies. One is a progressive small company that has just started to say it needs to understand security. The second does good coding but hasn’t considered security at all; it is interested in motivation. The project’s outputs will include a pack of materials to communicate to the communities of professional developers. One thing that does motivate developers a lot is talking to others, and peer recognition. Status within the profession is really important, and developers pick up new ideas such as agile development or object-oriented programming because their peers have. Why, therefore, aren’t security principles and practices used effectively? In Sharp’s experience, developers want to do a good job, so if they’re not using these principles and practices there must be a reason. Community and culture are vital influences on developer behaviour, so the question is how to seed the community and bring more people into the practice of writing secure code.
The project has three research questions and hypotheses:
- What motivates developers? Their working hypothesis includes peer comparison, communities of practice, experience of failures, and knowing the impact their work has on the lives of their end users. What doesn’t work, based on the literature: financial incentives beyond the short term, policies, and general awareness.
- How do we develop and sustain a culture of security? The project will draw on cultural transmission to understand how to ensure the culture of secure coding spreads once it’s been seeded. Other motivators include the impact on end users and problem-solving.
- How can we facilitate community building for practices and technologies? The project will use interventions using motivational and cultural factors and engage practitioners. For the latter aspect, the project is seeking someone anchored in the profession to help them get into and build the right communities of practice, local groups, and online communities.
The project’s research activities will include:
- Analysing existing data sets such as the annual study of the techniques in use by agile developers to characterise sections of the profession;
- Conducting ethnographic studies with practitioners to understand their current practices and identify security-based motivational factors that can be used to spread better practices, both offline and online;
- Refining existing motivation model(s) with security-specific findings;
- Using constrained task studies to develop recommendations regarding a variety of specific security practices and security technologies;
- Using the results of those studies to package recommendations as free practitioner-friendly resource packs;
- Promoting findings and engagement with wider developer community(ies);
- Designing and deploying a survey to refine the project’s findings according to different UK and global settings, such as Japan and Brazil.
Questions raised the issue of the context in which developers work, such as intense pressure to get products to market, which might dampen professionals’ ability to adopt secure coding practices. However, the project’s focus is on trying to seed the community because Sharp’s studies have shown that professionals are motivated by what their community is doing. The different pressures on developers in different environments are not the same as motivational factors, which may include the reasons why someone chooses to work in a highly pressured situation.
The project is in its early stages, and the researchers welcome engagement and comments. Those interested should contact the project through firstname.lastname@example.org.