Open Access Open Access  Restricted Access Subscription Access

Application Security Self-Efficacy of Software Developers : A Correlational Study


Affiliations
1 Independent Researcher, Ottawa, Canada
 

Practicing the secure software development lifecycle (SSDLC) requires a team of application security experts and a proper management structure. Software developers usually lack application security expertise but are often responsible for software security when management undervalues software security, or the SSDLC is too expensive to practice. Software developers must have adequate application security self-efficacy (SE) to execute software security activities and processes effectively. To improve software developers’ SE, the factors that impact their SE must be identified. A sample of 200 software developers based in the United States was surveyed for their SE. The relationship between the factors and SE was analyzed using Spearman’s rho correlation. Application security awareness, the presence of an application security team, and education level all correlated with software developers’ SE. Security training and performing multiple application securities did not correlate with software developers’ SE. The results have practical implications for improving software security.

Keywords

Self-Efficacy, Application Security, Software Security, SSDLC, Secure Software Development.
User
Notifications
Font Size

  • E. Venson, R. Alfayez, M. M. F. Gomes, R. M. C. Figueiredo, and B. Boehm, ―The impact of software security practices on development effort: an initial survey,‖ in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Sep. 2019, pp. 1–12, doi: 10.1109/ESEM.2019.8870153.
  • U.S. Department of Homeland Security, ―Security in the softwarelifecycle: Making software development processes—and software produced by them—more secure. DRAFT Version 1.2. ,‖ 2006, Accessed: Jan. 28, 2023. [Online]. Available: http://www.cert.org/books/secureswe/SecuritySL.pdf.
  • R. Fujdiak et al., ―Managing the secure software development,‖ in 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Jun. 2019, pp. 1–4, doi: 10.1109/NTMS.2019.8763845.
  • J. Ransome and A. Misra, Core Software Security. Auerbach Publications, 2018.
  • H. Al-Matouq, S. Mahmood, M. Alshayeb, and M. Niazi, ―A maturity model for secure software design: A multivocal study,‖ IEEE Access, vol. 8, pp. 215758–215776, 2020, doi: 10.1109/ACCESS.2020.3040220.
  • W. C. Umeugo, ―Secure software development lifecycle: A case for adoption in software SMEs,‖ International Journal of Advanced Research in Computer Science, Feb. 2023.
  • H.-S. Rhee, C. Kim, and Y. U. Ryu, ―Self-efficacy in information security: Its influence on end users‘ information security practice behavior,‖ Computers & Security, vol. 28, no. 8, pp. 816–826, Nov. 2009, doi: 10.1016/j.cose.2009.05.008.
  • B.-Y. Ng, A. Kankanhalli, and Y. (Calvin) Xu, ―Studying users‘ computer security behavior: A health belief perspective,‖ Decis. Support Syst., vol. 46, no. 4, pp. 815–825, Mar. 2009, doi: 10.1016/j.dss.2008.11.010.
  • B. Y. Ng and Y. Xu, ―Studying users‘ computer security behavior using the Health Belief Model.,‖ PACIS 2007 Proceedings, 2007.
  • R. W. Rogers, ―Cognitive and psychological processes in fear appeals and attitude change: A revised theory of protection motivation.,‖ Social psychophysiology: A sourcebook, pp. 153–176, 1983.
  • T. E. Gasiba, U. Lechner, M. Pinto-Albuquerque, and D. M. Fernandez, ―Awareness of Secure Coding Guidelines in the Industry-A first data analysis.,‖ 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), p. 345, 2020.
  • Z. A. Maher, H. Shaikh, M. S. Khan, A. Arbaaeen, and A. Shah, ―Factors Affecting Secure Software Development Practices Among Developers - An Investigation,‖ in 2018 IEEE 5th International Conference on Engineering Technologies and Applied Sciences (ICETAS), Nov. 2018, pp. 1–6, doi: 10.1109/ICETAS.2018.8629168.
  • S. H. Appelbaum and A. Hare, ―Self‐ efficacy as a mediator of goal setting and performance,‖ Journal of Managerial Psych, vol. 11, no. 3, pp. 33–47, May 1996, doi: 10.1108/02683949610113584.
  • A. Bandura, ―Social cognitive theory of self-regulation,‖ Organ. Behav. Hum. Decis. Process., vol. 50, no. 2, pp. 248–287, Dec. 1991, doi: 10.1016/0749-5978(91)90022-L.
  • M. Kara and T. Aşti, ―Effect of education on self-efficacy of Turkish patients with chronic obstructive pulmonary disease.,‖ Patient Educ. Couns., vol. 55, no. 1, pp. 114–120, Oct. 2004, doi: 10.1016/j.pec.2003.08.006.
  • A. Bandura, ―Self-efficacy: Toward a unifying theory of behavioral change.,‖ Psychol. Rev., vol. 84, no. 2, pp. 191–215, 1977, doi: 10.1037/0033-295X.84.2.191.
  • M. Bong and E. M. Skaalvik, :―{unav),‖ Springer Science and Business Media LLC, 2003, doi: 10.1023/a:1021302408382.
  • R. Wood and A. Bandura, ―Social cognitive theory of organizational management,‖ Academy of Management Review, vol. 14, no. 3, pp. 361–384, Jul. 1989, doi: 10.5465/amr.1989.4279067.
  • V. Hooper and C. Blunt, ―Factors influencing the information security behaviour of IT employees,‖ Behav. Inf. Technol., pp. 1–13, May 2019, doi: 10.1080/0144929X.2019.1623322.
  • Bulgurcu, Cavusoglu, and Benbasat, ―Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness,‖ MIS Quarterly, vol. 34, no. 3, p. 523, 2010, doi: 10.2307/25750690.
  • G. White, T. Ekin, and L. Visinescu, ―Analysis of protective behavior and security incidents for home computers,‖ Journal of Computer Information Systems, vol. 57, no. 4, pp. 353–363, Oct. 2017, doi: 10.1080/08874417.2016.1232991.
  • N. A. G. Arachchilage and S. Love, ―Security awareness of computer users: A phishing threat avoidance perspective,‖ Comput. Human Behav., vol. 38, pp. 304–312, Sep. 2014, doi: 10.1016/j.chb.2014.05.046.
  • N. Humaidi, V. Balakrishnan, and M. Shahrom, ―Exploring user‘s compliance behavior towards Health Information System security policies based on extended Health Belief Model,‖ in 2014 IEEE Conference on e-Learning, e-Management and e-Services (IC3e), Dec. 2014, pp. 30–35, doi: 10.1109/IC3e.2014.7081237.
  • M. A. Albashrawi, L. Turner, and S. Balasubramanian, ―Adoption of mobile ERP in educational environment,‖ International Journal of Enterprise Information Systems, vol. 16, no. 4, pp. 184–200, Oct. 2020, doi: 10.4018/IJEIS.2020100109.
  • Md. A. Islam, M. A. Khan, T. Ramayah, and M. M. Hossain, ―The Adoption of Mobile Commerce Service among Employed Mobile Phone Users in Bangladesh: Self-efficacy as a Moderator,‖ IBR, vol. 4, no. 2, Mar. 2011, doi: 10.5539/ibr.v4n2p80.
  • M. Umarji and C. Seaman, ―Predicting acceptance of Software Process Improvement,‖ in Proceedings of the 2005 workshop on Human and social factors of software engineering - HSSE ‘05, New York, New York, USA, May 2005, pp. 1–6, doi: 10.1145/1083106.1083121.
  • M. A. Hameed and N. A. G. Arachchilage, ―The role of self-efficacy on the adoption of information systems security innovations: a meta-analysis assessment,‖ Pers. Ubiquitous Comput., vol. 25, no. 5, pp. 911–925, Oct. 2021, doi: 10.1007/s00779-021-01560-1.
  • L. Mannila, L.-Å. Nordén, and A. Pears, ―Digital Competence, Teacher Self-Efficacy and Training Needs,‖ in Proceedings of the 2018 ACM Conference on International Computing Education Research - ICER ‘18, New York, New York, USA, Aug. 2018, pp. 78–85, doi: 10.1145/3230977.3230993.
  • P. J. Ambrose, ―Metacognition and software developer competency: construct development and empirical validation.,‖ Issues in Information Systems, vol. 8, no. 2, pp. 273–9, 2007.
  • R. N. Anantharaman, Rajeswari K. S., A. Angusamy, and J. Kuppusamy, ―Role of Self-Efficacy and Collective Efficacy as Moderators of Occupational Stress Among Software Development Professionals,‖ in Social issues in the workplace: breakthroughs in research and practice, I. R. Management Association, Ed. IGI Global, 2018, pp. 854–868.
  • I. M. Y. Woon and A. Kankanhalli, ―Investigation of IS professionals‘ intention to practise secure development of applications,‖ Int. J. Hum. Comput. Stud., vol. 65, no. 1, pp. 29–41, Jan. 2007, doi: 10.1016/j.ijhcs.2006.08.003.
  • J. Witschey, O. Zielinska, A. Welk, E. Murphy-Hill, C. Mayhorn, and T. Zimmermann, ―Quantifying developers‘ adoption of security tools,‖ in Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering - ESEC/FSE 2015, New York, New York, USA, Aug. 2015, pp. 260–271, doi: 10.1145/2786805.2786816.
  • M. Deschene, ―Embracing security in all phases of the software development life cycle: A Delphi study,‖ Undergraduate thesis, 2016.
  • A. Senarath and N. A. G. Arachchilage, ―Why developers cannot embed privacy into software systems? An empirical investigation,‖ in Proceedings of the 22nd International Conference on Evaluation and Assessment in Software Engineering 2018 - EASE‘18, New York, New York, USA, Jun. 2018, pp. 211–216, doi: 10.1145/3210459.3210484.
  • D. Votipka, D. Abrokwa, and M. L. Mazurek, ―Building and Validating a Scale for Secure Software Development Self-Efficacy,‖ in Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, New York, NY, USA, Apr. 2020, pp. 1–20, doi: 10.1145/3313831.3376754.
  • J. Zhen, K. Dong, Z. Xie, and L. Chen, ―Factors influencing employees‘ information security awareness in the telework environment,‖ Electronics, vol. 11, no. 21, p. 3458, Oct. 2022, doi: 10.3390/electronics11213458.
  • K. Parsons, A. McCormac, M. Butavicius, M. Pattinson, and C. Jerram, ―Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q),‖ Computers & Security, vol. 42, pp. 165–176, May 2014, doi: 10.1016/j.cose.2013.12.003.
  • J. Ryan, ―Information security awareness: an evaluation among business students with regard to computer self-efficacy and personal innovation.,‖ AMCIS 2007 Proceedings, 2007.
  • G. Torkzadeh and T. P. Van Dyke, ―Effects of training on Internet self-efficacy and computer user attitudes,‖ Comput. Human Behav., vol. 18, no. 5, pp. 479–494, Sep. 2002, doi: 10.1016/S0747-5632(02)00010-9.
  • W. He et al., ―Improving employees‘ intellectual capacity for cybersecurity through evidence-based malware training,‖ JIC, vol. 21, no. 2, pp. 203–213, Nov. 2019, doi: 10.1108/JIC-05-2019-0112.
  • C. W. Yoo, I. Hur, and J. Goo, ―Workgroup collective efficacy to information security management: manifestation of its antecedents and empirical examination,‖ Inf. Syst. Front., Jan. 2023, doi: 10.1007/s10796-022-10367-1.
  • R. D. Hays, T. Hayashi, and A. L. Stewart, ―A Five-Item Measure of Socially Desirable Response Set,‖ Educ. Psychol. Meas., vol. 49, no. 3, pp. 629–636, Sep. 1989, doi: 10.1177/001316448904900315.
  • Y. Salem, M. Moreb, and K. S. Rabayah, ―Evaluation of Information Security Awareness among Palestinian Learners,‖ in 2021 International Conference on Information Technology (ICIT), Jul. 2021, pp. 21–26, doi: 10.1109/ICIT52682.2021.9491639.
  • C. P. Dancey and J. Reidy, ―Statistics without maths for psychology,‖ Statistics without maths for psychology, 2007.
  • H. Assal and S. Chiasson, ―Motivations and amotivations for software security.,‖ SOUPS Workshop on Security Information Workers (WSIW). USENIX Association, p. 1, 2018.

Abstract Views: 257

PDF Views: 119




  • Application Security Self-Efficacy of Software Developers : A Correlational Study

Abstract Views: 257  |  PDF Views: 119

Authors

Wisdom Umeugo
Independent Researcher, Ottawa, Canada

Abstract


Practicing the secure software development lifecycle (SSDLC) requires a team of application security experts and a proper management structure. Software developers usually lack application security expertise but are often responsible for software security when management undervalues software security, or the SSDLC is too expensive to practice. Software developers must have adequate application security self-efficacy (SE) to execute software security activities and processes effectively. To improve software developers’ SE, the factors that impact their SE must be identified. A sample of 200 software developers based in the United States was surveyed for their SE. The relationship between the factors and SE was analyzed using Spearman’s rho correlation. Application security awareness, the presence of an application security team, and education level all correlated with software developers’ SE. Security training and performing multiple application securities did not correlate with software developers’ SE. The results have practical implications for improving software security.

Keywords


Self-Efficacy, Application Security, Software Security, SSDLC, Secure Software Development.

References