Dates: August 2017 – January 2020
Lead researchers: Professor Helen Sharp, Professor Arosha Bandara, Dr Tamara Lopez and Dr Thein T Tun (The Open University); Professor Mark Levine (Lancaster University); Professor Bashar Nuseibeh (The Open University and Lero)
The initial aim of this project was to investigate the role of developer motivation in the production of secure code. The project focused on developers who are not security experts. Specifically, it set out to develop:
- An empirically-grounded model of why and how non-specialist developers can be motivated to adopt secure coding practices and to effectively integrate existing security technologies into their software development practice.
- Guidelines for creating and propagating a security culture across software teams.
Software developers, including programmers, testers, designers and product managers, typically make hundreds of decisions every day. Very few of those decisions have security implications. It is vital that developers spot security-relevant decisions as they are encountered, have a clear sense of when security is needed for different kinds of development tasks, and work in the right conditions to be able to act.
The Motivating Jenny project set out to understand how to develop more secure software. Rather than trying to motivate developers, this work found it is more important to sensitise developers to where security decisions are needed. For code to be more secure, developers need to learn how to recognise that security is needed and to apply the knowledge they have from awareness and skills training within the specific situations.
To achieve this, the research team identified four interventions and, working with practitioners, produced supporting packs that developers can adopt and adapt. There are four activity packages with clear instructions, freely downloadable from the website. The desired outcome of these activities is that teams of developers are empowered to develop more secure software.
This work identified a new way to tackle the problem of incentivising developer security: rather than focusing on motivating developers or providing incentives to improve security, it is better to focus on creating the environment and support for developers to apply the knowledge they gain through education and training. Having knowledge is not enough: developers need to know when and how to apply the knowledge they have gained. The practitioner packs produced within this project, with input from practitioners, support communities of developers to share and build on each other's experience, sensitise developers to security-relevant decisions and build the competencies needed to improve security. The project has provided both empirical evidence for this phenomenon and practical resources to achieve the change needed.
Ethnography underpinned all studies: in-situ observations, workshops, interviews, presentations at practitioner events, online forums and online questionnaires. The data were analysed using computer-mediated discourse analysis, motivation theory and situated learning.
Find out more
External collaborators: Support from NCSC and RISCS. Industrial collaborators: Workforce Software Systems; Oliver Wyman; Simply Business. International collaborators: Samsung labs, Brazil; UFSCAR, Brazil; Sapient, India.
Follow on work: The project underpinned the development of an EPSRC-funded project focusing on resilience and automation, funded until 2023: https://tinyurl.com/motivatingjenny