The Soft Skills of Software Learning Development: the Psychological Dimensions of Computing and Security Behaviours

05/09/2022
by   Matthew Ivory, et al.
Lancaster

When writing software code, developers typically prioritise functionality over security, either consciously or unconsciously through biases and heuristics. This is often attributed to tangible pressures such as client requirements, but little is understood about the psychological dimensions affecting security behaviours. There is an increasing demand for understanding how psychological skills affect secure software development and to understand how these skills themselves are developed during the learning process. This doctoral research explores this research space, with aims to identify important workplace-based skills for software developers; to identify and empirically investigate the soft skills behind these workplace skills in order to understand how soft skills can influence security behaviours; and, to identify ways to introduce and teach soft skills to computer science students to prepare the future generation of software developers. The motivations behind this research are presented alongside the work plan. Three distinct phases are introduced, along with planned analyses. Phase one is currently in the data collection stage, with the second phase in planning. Prior relevant work is highlighted, and the paper concludes with a presentation of preliminary results and the planned next steps.


1. Introduction

In this research, soft skills are defined as the psychological dimensions, or traits, that underpin behaviour (Capretz and Ahmed, 2018). Commonly, soft skills are synonymous with workplace-relevant transferable skills, including skills such as "teamwork" or "time management", and have been the focus of previous human factors research (Matturro et al., 2019; Groeneveld et al., 2020; Montandon et al., 2021). This current research seeks to go beyond these surface level traits, to identify the psychological dimensions that underpin transferable skills. In this body of research, transferable skills are referred to as "shallow skills", and soft skills are the underlying psychological dimensions. Shallow skills are referred to as such, because they provide little in the way of quantifiable skills, and their definitions often change depending on research context. Shallow skills can be considered as the manifestation of soft skills, particularly in workplace situations. Soft skills are the more immutable, psychological aspects of behaviour.

Software development is the direct product of human interaction, created through the combination of cognitive abilities, social interactions and the unique culture of software development (Ahmed et al., 2015; Towse et al., 2020). In recent years, the software industry has become aware of the significance of soft skills for successful software creation (Capretz and Ahmed, 2018; Matturro et al., 2019; Montandon et al., 2021). By 2030, there is an anticipated 22% increase in employment opportunities for software developers compared to an average 8% increase across all other industries (https://www.bls.gov/ooh/computer-and-information-technology/software-developers.htm), but a rising concern that graduates entering the workforce are lacking the necessary cognitive and social skills required for successful integration into the workplace (Liebenberg et al., 2014). This issue has been evidenced in software security roles, with research indicating the most important skills required for security roles are not technical in nature, but are soft skills (Furnell and Bishop, 2020). As a consequence, it is vital to identify the psychological traits required to successfully develop secure software.

Security in software is not a new concern, but the responsibility for security has changed over time. In 1999, Adams and Sasse (Adams and Sasse, 1999) argued that software users were "not the enemy" and their fallible security behaviours were not their fault, but rather that of developers disregarding default user behaviour.

Similarly in 2008, Wurster and van Oorschot (Wurster and van Oorschot, 2008) posited that developers were "the enemy" and, as they are the ones causing security issues, security should be removed from their responsibilities. They suggested the onus should be placed with API developers as they provide functionality (and security) to other developers. More recently, this sentiment about API developers was echoed by Green and Smith (Green and Smith, 2016), who emphasised that developers typically focus on functionality and expect APIs to be secure by default. One issue with this argument is that it treats software developers as a homogeneous population with little security awareness, but expects API developers to be somehow more security conscious. API developers are as human as software developers, and are therefore susceptible to the same cognitive and social biases (Oliveira et al., 2018; Brun et al., 2021). Rather than assigning responsibility to different groups, we should identify the psychological dimensions associated with good security behaviours and seek to promote these skills in software learning development.

1.1. Motivation and Rationale

The primary motivation is to understand how soft skills relate to software development, and how people’s skills develop and exhibit in software development environments. Of particular interest are the behavioural changes exhibited by relative novices during skill development, compared to more experienced developers. What potentially incorrect, but intuitive actions are ultimately suppressed through experience? What habits are built and how do these originate? What soft skills are required for secure software development and how do these skills manifest and evolve?

In recent years, increased attention has turned towards the psychology of software developers, particularly in relation to security (Rauf et al., 2021). Security vulnerabilities typically leverage psychological processes (Taylor-Jackson et al., 2020), via cognitive processes (such as exploiting expected use cases), or through exploiting heuristic use. If adversaries exploit developers’ behaviour, it is important to identify the soft skills involved and find ways in which these behaviours can be changed through psychological interventions, which can be taught to novice and experienced developers alike.

The project is motivated to provide practical impact through developing teaching materials for Computer Science courses. Incorporating psychological interventions into pedagogy will allow for the development of soft skills and security conscious behaviours in future generations of software developers.

1.2. Contribution

The main aim of this research is to understand how the software learning development process occurs and how behaviours change and evolve. By identifying these processes, we are better placed to encourage positive behavioural changes, resulting in more efficient code development. The project also seeks to investigate key soft skills that affect secure code production. As a result, psychological interventions can be developed for promoting better security practices. To practically encourage relevant behavioural changes in early-stage software developers (e.g. Computer Science students), pedagogical materials will be developed for education, with the aim for these to be incorporated into teaching practices.

2. Research Questions

RQ1: What soft skills are considered important for computing and security practices?

RQ2: How do soft skills evolve and develop in novice software developers with time and experience?

RQ3: How do software development behaviours evolve and change with experience?

RQ4: How can relevant soft skills be incorporated into pedagogical practice to promote security behaviours?

3. Work Plan

The research incorporates a breadth of analysis methods, including qualitative and quantitative approaches. This methodological pluralism allows for a broad range of information to be drawn from the data that would otherwise not be possible with a restricted methodology. The doctoral research will look at data collected through interviews, surveys, data scraping and behavioural studies. Analysis will be varied and include statistical modelling, natural language processing modelling, and qualitative approaches, such as thematic analysis. Not only will this provide broader interpretation of findings within this space, it also allows for stronger links to other work in similar research spaces.

Figure 1. Outline of research phases within the planned work.

The research can be split into three phases, as illustrated by Figure 1. The first phase identifies shallow skills as taught in Computer Science undergraduate courses. It seeks to understand how shallow skills are perceived by current students, staff and alumni.

The second phase will build directly on the first phase. By identifying soft skills linked to shallow skills through previous research, phase two aims to build relationships between secure coding behaviours and soft skills. This will be achieved through empirical, lab-based research involving manipulation and measuring of soft skills and programming tasks.

Finally, the third phase will focus on incorporating findings on soft skills into pedagogical materials. This phase will measure the effectiveness of teaching these ideas, with the aim to raise awareness and increase the understanding of the psychological traits of software developers.

A stand-alone study is also being conducted into cognitive reflection and risk perception in software developers and computer scientists, see section 3.4. This will fit in with the phase two work.

Following open science practices, the research will include preregistrations, data sharing and reproducible analysis scripts. This will be managed through the use of the Open Science Framework (www.osf.io) and provision of Docker containers with reproducible workflows.

3.1. Phase One: Identification of Shallow Skills

The first phase is currently in the data collection stage. This phase is comprised of four research projects: an examination of core modules in computer science programmes as taken from university websites; academic staff interviews on how they view shallow skills being taught; longitudinal interviews with current students on how they develop their shallow skills over an academic year; and an alumni survey of computer science graduates and psychology graduates, collecting data on their perceived importance of shallow skills.

3.1.1. Curriculum Examination.

The online course information and core module descriptions for Computer Science and Psychology undergraduate courses were collected from eight UK universities belonging to the N8 research group (Durham, Lancaster, Leeds, Liverpool, Manchester, Newcastle, Sheffield and York).

To identify shallow skills in natural language texts, a named entity recognition (NER) model will be developed. Similar work has been created (Fareri et al., 2021), but without the granularity attempted here. In efforts to further understand covariance of shallow skills and language used around them, the NER model weights can be analysed further, including factor analysis to find highly correlated skills. A preregistration, providing details on the data collection, can be found at https://osf.io/qcw3n.

3.1.2. Alumni Survey.

Lancaster University undergraduate alumni from Computer Science and Psychology were contacted to take part in a survey. Participants were asked to rank shallow skills for their importance in current employment. A Psychology sample was used as a comparative group, particularly when considering the less vocational nature of psychology undergraduate degrees (inferred from software development roles attained with a minimum education of a bachelor's degree (https://nationalcareers.service.gov.uk/job-profiles/software-developer), compared to a minimum education of a postgraduate degree for most psychology roles (https://nationalcareers.service.gov.uk/job-profiles/psychologist)).

Data analysis will focus on loglinear models, correspondence analysis and exploratory factor analysis to identify the key shallow skills for computer science graduates compared to psychology graduates. The preregistration is found at https://osf.io/5qb6a.

3.1.3. Interviews with Staff and Students.

These two projects are planned, and interview schedules will be arranged for times when teaching volume is low for staff, and longitudinal student surveys will begin in line with the start of an academic year.

Staff interviews will look to identify soft skills considered important by teaching staff and how these are conveyed to students in teaching materials. Student interviews will be conducted over the course of the academic year, following the same students to identify the way in which they recognise and develop shallow skills. Analysis for both interview studies will use thematic and content analysis to extract relevant information.

3.1.4. Data Analysis of Phase One.

The results from the individual projects in phase one can be cross-examined to identify areas of shallow skills that are of most interest. The combined data can be used to understand the transmission of ideas from academic staff to students to what they take into the workplace (see Figure 2). Understanding the development of these skills and their importance can be used in the second phase. Analysis of data is in planning.

Goal: to identify the shallow skills considered as important within the transmission of skills in the pedagogical process. Measured through various quantitative and qualitative methods.

Figure 2. Transmission of shallow skills can be expected to develop whereby teaching staffs’ understanding of which skills are important feed into the skills students pick up on, which are reflected in alumni use of these skills.

3.2. Phase Two: Behavioural Studies

The second phase is in early design stages, but will focus on empirical behavioural research, based on the findings from phase one. The exact soft skills to be included are dependent on phase one findings, as it is important to focus on the skills that are most likely to have the biggest effect on coding behaviours.

One study will investigate API blindspots, which can be defined as a misunderstanding or misrepresentation of API function security, resulting in vulnerabilities (Oliveira et al., 2018). Using Python snippets from Brun et al (2021) (Brun et al., 2021), and measuring soft skills through cognitive tasks (e.g. the cognitive reflection test (Frederick, 2005)), relationships can be drawn between soft skills and API blindspot awareness.

Similar studies, using different programming paradigms (such as code debugging, or secure password database creation) will also be used. It is important to understand the stability of soft skills across a range of development and security-related tasks.
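As an added illustration of the API blindspot defined above (example code written for this page, not a puzzle from Oliveira et al. or Brun et al.): `os.path.join` looks as if it confines a user-supplied name to a base directory, but it does not. The function names and the constructed `uploads` directories are assumptions of the example.

```python
import os
import tempfile
from pathlib import Path


def join_naive(base_dir, user_path):
    """Blindspot version: trusts os.path.join to stay inside base_dir."""
    # os.path.join silently drops base_dir when user_path is absolute and
    # leaves ".." components in place, so the result can point anywhere.
    return os.path.join(base_dir, user_path)


def join_checked(base_dir, user_path):
    """Hardened version: resolve the path, then verify it is inside base_dir."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    # Compare whole path components. A string-prefix test would wrongly
    # accept a sibling directory such as "<base>_private".
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def escapes(base_dir, path):
    """True if path, with symlinks and '..' resolved, lies outside base_dir."""
    base = Path(base_dir).resolve()
    target = Path(path).resolve()
    return target != base and base not in target.parents


def audit(base_dir, requested):
    """Return (input, naive_result_escapes, checked_accepts) per input."""
    rows = []
    for user_path in requested:
        naive_escapes = escapes(base_dir, join_naive(base_dir, user_path))
        try:
            join_checked(base_dir, user_path)
            accepted = True
        except ValueError:
            accepted = False
        rows.append((user_path, naive_escapes, accepted))
    return rows


def demo():
    """Run the audit over constructed inputs in a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        sibling = os.path.join(root, "uploads_private")
        os.mkdir(base)
        os.mkdir(sibling)
        requested = [
            "report.txt",                       # ordinary file name
            "sub/../report.txt",                # ".." that stays inside base
            "../uploads_private/key.txt",       # ".." that leaves base
            os.path.join(sibling, "key.txt"),   # absolute path: base is dropped
        ]
        return audit(base, requested)


if __name__ == "__main__":
    for user_path, naive_escapes, accepted in demo():
        print(f"naive escapes={naive_escapes!s:5} checked accepts={accepted!s:5} {user_path}")
```

The last two inputs are the blindspot: the call that reads as "join under the base directory" returns a path outside it, and only the explicit containment check rejects them.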

3.2.1. Data Analysis of Phase Two.

Data analysis for phase two experiments will be predominantly quantitative, using mixed effects models for group comparisons. These can be used to measure relationships between soft skills and security behaviours. Preregistrations will be published in due course.

Goal: to identify and measure the effect of soft skills on security behaviours. Measured through mixed effect modelling and group comparisons.

3.3. Phase Three: Inclusion in Pedagogy

For the final phase, the focus will be on the development of pedagogical materials for introducing students to the soft skills necessary for secure programming. This phase has not yet reached planning, as it relies on the work of phase two to be near completion. This will be achieved through seminars or workshops as methods to introduce the soft skills, to encourage students to engage with the psychology behind software development. Effectiveness of sessions will likely be measured through participant feedback.

To further disseminate research findings and promote inclusion of soft skills into current pedagogical materials, engagement through publication will be pursued. By raising awareness of research through publication, conferences and posters, along with the provision of basic materials for others to work with, phase three looks to create a meaningful impact in the domain of software learning development.

Goal: to develop and deliver teaching materials in order to promote soft skills within computer science curricula. Measured through student engagement and feedback.

3.4. Risk Perception and Cognitive Reflection

In this individual differences study aligned with phase two research, groups of professional software developers and computer science students were compared regarding risk perception in software. Participants completed a cognitive reflection test, a risk-oriented decision task, and answered qualitative questions about how they understand risk in software development.

Cognitive reflection is a person's ability to inhibit intuitive responses in favour of more reflective responses, indicating their skill in reflective thinking in search of a correct answer. Cognitive reflection was measured through the Cognitive Reflection Test (CRT) (Frederick, 2005). This is a three question test, including items such as, "A paperclip and an elastic band cost £1.10 in total. The elastic band costs £1 more than the paperclip. How much does the paperclip cost?" The intuitive answer is 10 pence, but upon reflection the correct answer is 5 pence. The risk-orientation task focussed on how participants view susceptibility of themselves and the "average developer" when considering security vulnerabilities as listed by OWASP (e.g. SQL injection). Data analysis is in progress. The preregistration can be found at: https://osf.io/zbqe4.

3.4.1. Data Analysis of Risk Perception Study.

Data will be analysed through quantitative measures, such as linear modelling, along with more qualitative methods, including thematic and content analyses.

Goal: to identify potential relationships between risk-related behaviours in software development and cognitive reflection. Measured through linear modelling and group comparisons.

3.5. Validity Threats and Controls

Validity threats to the research are broadly discussed, relevant to the project overall. More granular considerations are included in preregistration documents.

One key threat is the consideration of software developers as a population. It is easy to treat developers as a homogeneous population who demonstrate similar characteristics, subsequently making approaches to promoting security behaviours intolerant to variance within the population. This can be controlled through mixed effect models, where population characteristics can be included in the analysis to identify the effect these have on behaviours.

This is a relatively new research field (Rauf et al., 2021), so much of the planned research is exploratory. This can often lead to a series of analysis methods being used, increasing type I errors. To control for this, preregistration procedures are published prior to data collection. Open data and reproducible analysis scripts will be uploaded following study completion, to allow replication and to confirm findings.

Using a range of methodologies, as highlighted in the work plan, may result in a trade-off between breadth of analysis and depth of analysis. To control for this, analysis plans and research choices will be well considered through the use of preregistration documents. By considering methodologies prior to execution, the connection between the studies within the wider research can be well justified.

Another threat to validity is the generalisation to different programming languages or work cultures. Not all languages have similar structures, and differences have been shown in security awareness between Java and Python APIs (Brun et al., 2021). This can be controlled for by acknowledging that results may only apply to a single language. By focussing on Python, which is the most popular language (https://www.tiobe.com/tiobe-index/python/), findings will have relevance to many developers. The inclusion of preregistration documents, materials and analyses will also allow for replications, either directly or conceptually.

The tasks used in the second phase are designed to provide consistency across participants, reducing task variance and improving statistical power. This comes at a cost, which is that the tasks are less industry-specific, reducing the validity. This PhD research is specifically focussed on the software learning process, and work beyond the PhD may look into more industry specific tasks, or applying similar research to different programming languages.

4. Relevant Prior Work

In this section the current literature relevant to the research is discussed. This is not an exhaustive literature review, but aims to identify key research influencing the doctoral research.

4.1. Phase One

In phase one, key research identified shallow skills in software development, such as Matturro et al. (2019) (Matturro et al., 2019), who conducted a systematic analysis and identified 23 separate skills. Similarly, Stevens and Norman (2016) looked at job adverts to identify the most important shallow skills for developers (Stevens and Norman, 2016). These research papers provided context for the important shallow skills.

Groeneveld et al. (Groeneveld et al., 2020) analysed computer science curricula for modules that taught shallow skills explicitly, but did not look into the implicitly taught skills in all modules. This motivated the investigation of the course curricula for text relevant to shallow skills.

Finding an absence of research that provided associations between shallow skills and soft skills is the motivation for phase one. The literature search for phase one has found little evidence of work associating security awareness and soft skills.

4.2. Phase Two

In the second phase, a series of work has been carried out concerning API blindspots and developers’ use of heuristics when evaluating software code. Oliveira et al. (2018) (Oliveira et al., 2018) highlighted this issue with Java puzzles, finding that security blindspots in code snippets were difficult to identify, possibly due to developers’ expectation of APIs being secure as default. Brun et al. (2021) (Brun et al., 2021) followed this work with a replication using Python code. They found that developers who exhibited better long term memory recall were more successful in solving puzzles with blindspots. They found that short term memory, memory span and episodic memory had no effect on solving the puzzles. Other works that touch on psychology in security include Hallett et al (2021) (Hallett et al., 2021), where boosting security awareness through requiring planning promoted a small effect on security, and Shreeve et al (2020) (Shreeve et al., 2020) who identified decision making processes related to cybersecurity.

4.3. Phase Three

For the third phase, Taylor-Jackson et al. (2020) (Taylor-Jackson et al., 2020) advocated including psychology in security education, particularly when considering that vulnerabilities are often psychological in nature (e.g. phishing, API blindspots). They discuss the benefits of exposing computer scientists to the different ideas and styles of thinking found within psychology. There are also wider calls for inclusion of soft skills in university education (Guerra-Báez, 2019). It is important that the findings from the first two research phases are used for positive impact, and one immediate way to achieve this is to answer the calls for increasing soft skill teachings in cybersecurity courses to benefit future software developers.

4.4. Risk Perception

For this study, key items are papers on cognitive reflection by Frederick (2005) (Frederick, 2005) and Thomson and Oppenheimer (2016) (Thomson and Oppenheimer, 2016). Combined with the understanding that developers are often not the most security conscious, as highlighted by Acar et al (2017) (Acar et al., 2017), it is clear that developers' understanding of risk in a software context is poorly understood in relation to cognitive measures.

5. Current Status

5.1. Early Results Analysis

Some of the preliminary results from the risk perception study (section 3.4) are mentioned here. The third hypothesis stated in the preregistration is examined here, "Mean scores closer to zero on the novel OWASP risk task will be found with higher scores of cognitive reflection". Data from 143 (70 students, 73 developers) participants is used.

The OWASP task is a measure devised for this study where participants were asked to respond to two sets of questions, the first asking about the percentage of web applications they believe to be created by others that suffer from one of the top five OWASP vulnerabilities (injection flaws, broken authentication, sensitive data exposure, XML External Entity and broken access control). Following a separation task, participants were then asked to rate the percentage of web applications that they had developed that suffered from the same vulnerabilities. Scores closer to 100 indicate high optimism that they do not produce flawed products, scores near 0 indicate similar levels of flaws in both their own and other people's products, and scores approaching -100 indicate beliefs that their own work is highly susceptible to these vulnerabilities.

To test the hypothesis above, a linear regression was run to see whether CRT scores significantly predicted OWASP vulnerability scores and whether this differed between the two populations. The model formula was "Vulnerability ~ CRT". The overall regression was statistically significant (R² = .05, F(3, 139) = 15.13, p = .017). Estimates, values and significance of model items can be seen in Table 1. Despite significant terms in the model summary, the variance explained by the model is negligible (5%) and further models will need to be developed to explain more variance in these scores.

Figure 3 shows the distribution of vulnerability scores for each level of CRT score as a box plot. Post-hoc Tukey tests identified no significant differences between any of the groups with all p > .05, except for those who scored zero and those who correctly scored one, adjusted p = .014. This indicates that there is little significant relationship between CRT scores and results on the novel OWASP risk task.

            Estimate   Std. Error   t value   p*
Intercept   11.00      3.13         3.52      <.001***
CRTscore1   14.08      4.59         3.07      .003**
CRTscore2   5.61       4.86         1.15      .250
CRTscore3   10.67      4.91         2.17      .031*

*Significant alpha values of <.001 indicated by ***

Table 1. Coefficients, t-values and p-values for the linear regression of CRT predicting OWASP vulnerability

What is noted with the Vulnerability scores, and can be seen in Figure 3, is that most scores on the OWASP task, regardless of CRT scores, are around or above 0. One-way t-tests on the Vulnerability scores were run for both the developer and the student samples. In the Developer sample (mean score = 17.48), the scores were significantly higher than 0, t(69) = 7.16, p < .001. Similarly for the student sample (mean score = 18.94), scores were significantly higher than 0, t(69) = 7.26, p < .001.

This finding is indicative of optimism bias (Sharot, 2011), suggesting that both professionals and student developers consider themselves to be better than average at preventing these OWASP-listed security issues. A score of zero would indicate respondents understand they were average, but higher scores suggest an over-optimistic outlook on their own abilities, which could lead to a more relaxed view on these security issues. These findings will be further developed and discussed in future publications.

Figure 3. Box plot of mean OWASP vulnerability scores by CRT score split by population.

5.2. Next Steps

In the short term, the next steps are to continue with phase one data collection, and planning of phase two. It is intended that the research will progress according to the research phases outlined above. Following the completion of the doctoral work, future work would include the investigation of psychological interventions for developing soft skills and measuring their impact on security behaviours in longitudinal research.

The steps beyond the PhD research, as outlined above, are to focus on the skills that explain the largest variance in secure coding behaviours, and seek to identify the best ways to promote continued, stable use of these behaviours as opposed to short-term changes (such as those achieved through nudging, e.g. IDE pop-ups serving as reminders to look for blindspots).

6. Conclusion

This paper provides an overview of the planned work within the PhD research titled "The Soft Skills of Software Learning Development: the Psychological Dimensions of Computing and Security Behaviours". The research is diverse in both aims and processes, ranging from thematic analysis of interviews, to modelling relationships between psychological dimensions and security issues, to incorporating the findings into pedagogy.

This project seeks to investigate the software learning development process; to better understand the behavioural changes and soft skill development of both computing and security behaviours. By identifying these changes, and when and how they develop, we can seek to promote these changes earlier in the learning cycle, allowing for more effective learning and encouraging positive behaviours for software development. In doing so, not only can we exhibit greater awareness of the psychology behind secure software development, we can develop interventions for encouraging these secure behaviours, reducing the likelihood of these security vulnerabilities. All public preregistrations, published data, analyses, and links to further research outputs will be accessible from https://osf.io//v93zt.

References

  • Y. Acar, C. Stransky, D. Wermke, C. Weir, M. L. Mazurek, and S. Fahl (2017) Developers Need Support, Too: A Survey of Security Advice for Software Developers. In 2017 IEEE Cybersecurity Development (SecDev), Cambridge, MA, USA, pp. 22–26.
  • A. Adams and M. A. Sasse (1999) Users are not the enemy. Communications of the ACM 42 (12), pp. 40–46. ISSN 0001-0782, 1557-7317.
  • F. Ahmed, L. F. Capretz, S. Bouktif, and P. Campbell (2015) Soft Skills and Software Development: A Reflection from the Software Industry. International Journal of Information Processing and Management 4 (3), pp. 171–191. arXiv:1507.06873.
  • Y. Brun, T. Lin, J. E. Somerville, E. Myers, and N. C. Ebner (2021) Blindspots in Python and Java APIs Result in Vulnerable Code. arXiv:2103.06091 [cs].
  • L. F. Capretz and F. Ahmed (2018) A Call to Promote Soft Skills in Software Engineering. Psychology and Cognitive Sciences - Open Journal 4 (1), pp. e1–e3. arXiv:1901.01819, ISSN 2380727X.
  • S. Fareri, N. Melluso, F. Chiarello, and G. Fantoni (2021) SkillNER: Mining and Mapping Soft Skills from any Text. Expert Systems with Applications 184, pp. 115544. arXiv:2101.11431, ISSN 09574174.
  • S. Frederick (2005) Cognitive reflection and decision making. Journal of Economic perspectives 19 (4), pp. 25–42. ISSN 0895-3309.
  • S. Furnell and M. Bishop (2020) Addressing cyber security skills: the spectrum, not the silo. Computer Fraud & Security 2020 (2), pp. 6–11. ISSN 1361-3723.
  • M. Green and M. Smith (2016) Developers are Not the Enemy!: The Need for Usable Security APIs. IEEE Security Privacy 14 (5), pp. 40–46. ISSN 1558-4046.
  • W. Groeneveld, B. A. Becker, and J. Vennekens (2020) Soft Skills: What do Computing Program Syllabi Reveal About Non-Technical Expectations of Undergraduate Students?. In Proceedings of the 2020 ACM Conference on Innovation and Technology in Computer Science Education, ITiCSE '20, New York, NY, USA, pp. 287–293. ISBN 978-1-4503-6874-2.
  • S. P. Guerra-Báez (2019) A panoramic review of soft skills training in university students. Psicologia Escolar e Educacional 23, pp. 1–10. ISSN 2175-3539.
  • J. Hallett, N. Patnaik, B. Shreeve, and A. Rashid (2021) "Do this! Do that!, And nothing will happen" Do specifications lead to securely stored passwords?. In Proceedings of the 43rd International Conference on Software Engineering (ICSE '21), Madrid, Spain, pp. 486–498.
  • J. Liebenberg, M. Huisman, and E. Mentz (2014) Knowledge and Skills Requirements for Software Developer Students. International Journal of Social, Behavioral, Educational, Economic, Business and Industrial Engineering 8 (8), pp. 6.
  • G. Matturro, F. Raschetti, and C. Fontán (2019) A Systematic Mapping Study on Soft Skills in Software Engineering. Journal of Universal Computer Science 25 (1), pp. 26.
  • J. E. Montandon, C. Politowski, L. L. Silva, M. T. Valente, F. Petrillo, and Y. Guéhéneuc (2021) What skills do IT companies look for in new developers? A study with Stack Overflow jobs. Information and Software Technology 129, pp. 106429. External Links: ISSN 0950-5849, Document Cited by: §1, §1.
  • D. S. Oliveira, T. Lin, M. S. Rahman, R. Akefirad, D. Ellis, E. Perez, R. Bobhate, L. A. DeLong, J. Cappos, and Y. Brun (2018) {}API{} Blindspots: Why Experienced Developers Write Vulnerable Code. In Fourteenth Symposium on Usable Privacy and Security ({}SOUPS{} 2018), Baltimore, MD, USA, pp. 315–328. External Links: ISBN 1-939133-10-6 Cited by: §1, §3.2, §4.2.
  • I. Rauf, M. Petre, T. Tun, T. Lopez, P. Lunn, D. Van Der Linden, J. Towse, H. Sharp, M. Levine, A. Rashid, and B. Nuseibeh (2021) The Case for Adaptive Security Interventions. ACM Transactions on Software Engineering and Methodology 31 (1), pp. 9:1–9:52. External Links: ISSN 1049-331X, Document Cited by: §1.1, §3.5.
  • T. Sharot (2011) The optimism bias. Current Biology 21 (23), pp. R941–R945. External Links: ISSN 0960-9822, Document Cited by: §5.1.
  • B. Shreeve, J. Hallett, M. Edwards, P. Anthonysamy, S. Frey, and A. Rashid (2020) ”So if Mr Blue Head here clicks the link..” Risk Thinking in Cyber Security Decision Making. ACM Transactions on Privacy and Security 24 (1), pp. 5:1–5:29. External Links: ISSN 2471-2566, Document Cited by: §4.2.
  • M. Stevens and R. Norman (2016) Industry expectations of soft skills in IT graduates: a regional survey. In Proceedings of the Australasian Computer Science Week Multiconference, ACSW ’16, New York, NY, USA, pp. 1–9. External Links: Document, ISBN 978-1-4503-4042-7 Cited by: §4.1.
  • J. Taylor-Jackson, J. McAlaney, J. L. Foster, A. Bello, A. Maurushat, and J. Dale (2020) Incorporating Psychology into Cyber Security Education: A Pedagogical Approach. In Financial Cryptography and Data Security, M. Bernhard, A. Bracciali, L. J. Camp, S. Matsuo, A. Maurushat, P. B. Rønne, and M. Sala (Eds.), Lecture Notes in Computer Science, Cham, pp. 207–217. External Links: Document, ISBN 978-3-030-54455-3 Cited by: §1.1, §4.3.
  • K. S. Thomson and D. M. Oppenheimer (2016) Investigating an alternate form of the cognitive reflection test. Judgment and Decision making 11 (1), pp. 99. External Links: ISSN 1930-2975 Cited by: §4.4.
  • J. Towse, M. Levine, M. Petre, A. Bandara, T. Lopez, A. Rashid, I. Rauf, H. Sharp, T. Tun, D. van der Linden, and B. Nuseibeh (2020) The Case for Understanding Secure Coding as a Psychological Enterprise. Cyberpsychology, Behavior, and Social Networking. Cited by: §1.
  • G. Wurster and P. van Oorschot (2008) The developer is the enemy. In Proceedings of the 2008 New Security Paradigms Workshop, NSPW ’08, New York, NY, USA, pp. 89–97. External Links: Document, ISBN 978-1-60558-341-9 Cited by: §1.