Why Johnny doesn't write secure software? Secure software development by the masses

Lead Research Organisation: University of Bristol
Department Name: Computer Science


Do you use mobile or web apps or have Internet of Things devices on your person, in your home or workplace? Have you thought about who developed the software that drives these apps and devices, what was their understanding of cyber security, how did they make design decisions that impact the cyber security of the resulting software, and what factors influenced their behaviour and design choices? Or perhaps you are one of the masses exploiting app development platforms and easy-to-program hardware devices such as Arduino and Raspberry Pi to develop applications and deploy them for personal use or distribute them to millions of people around the world? How do you make cyber security decisions when you write software? Do you consciously think about the security implications of your design choices, or are there other factors that are more critical? What will help you achieve your goals from the software that you are developing while ensuring that it is not vulnerable to attacks by malicious actors?

This project aims to develop a deep foundational understanding of these issues. We recognise that developing software is no longer the preserve for the select few with deep technical skills, training, and knowledge. A wide range of people from diverse backgrounds are increasingly developing software for mobile and web apps and for programmable consumer devices. This diversity of developers is at the heart of many innovations in the digital economy. The software they produce can be, and is, deployed across systems embedded in many aspects of human activity, and is used by a global user base. However, little is currently understood about the security behaviours and decision-making processes of 'the masses' engaged in software development.

We refer to these masses by the pseudonym 'Johnny' - based on a seminal work by Whitten and Tygar where they highlighted the challenges faced by Johnny, the prototypical user of encryption. In this project we aim to tackle the challenges faced by Johnny in a contemporary setting beyond encryption. We focus on the Johnnys with diverse backgrounds, know-how and cyber security expertise who can, and are, developing software used, potentially, by millions worldwide.

Drawing on a research team of experts in cyber security, software engineering, and psychology, our aim in this project is to conduct empirically-grounded research to better understand the security implications of Johnny's behaviours and practices and develop effective support for secure software development by Johnny. We propose to achieve this by uncovering and characterising the security vulnerabilities that Johnny tends to introduce, by analysing how and why these vulnerabilities are introduced, and by identifying and evaluating a range of interventions to improve Johnny's security behaviours during software development. We will do this in collaboration with eminent international research partners, drawn from leading research and practitioner organisations around the world. This project will be the first to study the inter-relationship between the cognitive and social processes that shape Johnny's cyber security decisions, their impact on the security of the resultant software and the novel interventions that may steer Johnny towards more effective cyber security decisions during software development.

Planned Impact

The ultimate beneficiaries of the research are citizens and the digital economy at large. They will benefit from fundamental improvements in security of the software that pervades their daily lives - due to the foundational advances in security behaviours of the masses developing such software and novel interventions to support them in effective security practices.

Developers, i.e., Johnny, will benefit from fundamental insights into factors influencing their security behaviours, tools to automatically detect and flag their security assumptions and interventions to support them in effective security behaviours and design choices.

Large industry organisations and SMEs will benefit from insights into human factors and assumptions that impact software security in contemporary settings where developers have a diversity of knowledge and expertise in both software development and security. They will benefit from the insights relating behaviours, vulnerabilities and interventions to inform their own practices within their software development teams - whether in-house or out-sourced. They will also benefit from new tools and techniques as well as evolution of existing APIs and development environment to more effectively support security design choices. They will also benefit from innovative interventions to support secure software development by the masses, hence stimulating economic growth and development of a strong industry sector in this area.

Policy and government organisations will benefit from a deeper understanding of how Johnny's behaviour impacts software security and hence security of the wider environment and the kind of interventions that can lead to improved security cultures in the masses developing software.

Last, but not least, UK science will be a major beneficiary by being at the forefront of tackling fundamental security challenges that are not only critical to the UK society and economy but that of the world at large.


10 25 50
publication icon
Van Der Linden D (2019) The Effect of Software Warranties on Cybersecurity in ACM SIGSOFT Software Engineering Notes

publication icon
Van Der Linden D (2018) Safe cryptography for all

Related Projects

Project Reference Relationship Related To Start End Award Value
EP/P011799/1 01/04/2017 31/12/2017 £1,008,352
EP/P011799/2 Transfer EP/P011799/1 01/01/2018 31/03/2021 £853,634