Motivation significantly influences productivity and code quality in software development projects. Successful developers are motivated to learn new technologies, but are rarely motivated by reading documentation or studying manuals. They engage in peer-to-peer interactions and assessments, two forms of interaction that have been found to bring about lasting cultural change within the wider software developer community. This is evident, for example, in the widespread adoption of object-oriented technologies and agile development practices.
The Motivating Jenny to Write Secure Software: Community and Culture of Coding project (2017-2020) investigated how to initiate and sustain secure software culture, building upon frameworks of personal motivation and team culture (see figure). Our specific research aims were to:
- A1. Develop an empirically-grounded model of why and how non-specialist developers can be motivated to adopt secure coding practices and technologies into their software development practice.
- A2. Develop guidelines for creating and propagating a security culture across software teams.
To address these research aims, we conducted ethnographic and constrained task studies and drew upon classic models of motivation, organisational theory, and social and cultural psyschology. Our engagement with the developer community considered online and professional settings, in communities such as those found in StackExchange and through collaboration with a range of companies including members of Agile Business Consortium (ABC) Ltd. Academic collaborators included Lero, the Irish Software Research Centre and international research groups in Brazil and Japan.
This was a joint project between The Open University and Exeter University, and a sister project of the EPSRC-funded Why Johnny doesn't write secure software? Secure Software Development by the masses.
- Invited Talk: Tamara Lopez presented "Motivating Jenny: Examining security in online and professional environments’: Views on Secure Code in Professional Practice", at Cardiff University, 14 April 2021.
- Talk: Tamara Lopez presented "Taking the Middle Path: Learning About Security Through Online Social Interaction" at ESEC/FSE 2020, 10 November, 2020.
- Talk: Helen Sharp presented "Motivating Jenny: creating a sense of security in development practice" at Impact2020, 29 September, 2020.
- Invited Talk: Tamara Lopez presented "Hopefully We Are Mostly Secure': Views on Secure Code in Professional Practice" at DCS Confer Session 3, August, 2020.
- Talk: Tamara Lopez presented "Strategies for Managing Risk in Professional Secure Software Development" at The Social and Behavioural Science for Cyber Security Conference 2019, 25th September, 2019.
- Invited Talk: Helen Sharp presented Secure code development in practice: Community and Culture at the Security Lancaster Seminar Series, 30 January, 2019.
- Invited Talk: Tamara Lopez and Helen Sharp presented Secure Code Development in Practice at the Mini-SPA 2018 in Leeds on 26th November 2018
- Workshop: Tamara Lopez, Helen Sharp and Thein Tun gave a workshop on Secure Code Development in Practice at the SPA Conference in London on 2 July 2018
- Workshop: Tamara Lopez gave a paper at the First International Workshop on Security Awareness from Design to Deployment (SEAD'18) at ICSE 2018 in Gothenburg, Sweden on 27th May 2018
- Workshop: Helen Sharp presented early findings at the International Workshop on Secure Software Engineering in DevOps and Agile Development at XP 2018 in Porto, Portugal, on 25 May 2018
- Community Meeting: Tamara Lopez gave a lightning talk and Helen Sharp participated in a panel at the RISCS Community Meeting, UCL, 8 February 2018
- XP Meetup London: Helen Sharp and Tamara Lopez gave a talk about security and motivation, 30 November 2017
- Invited Talk: Helen Sharp, Motivating Jenny to Write Secure Software: Community and Culture of Coding, RISCS Community Meeting, UCL, 22 June 2017
- Panel: Helen Sharp and Bashar Nuseibeh, Every little helps? Supporting the transition to secure software development processes, RISCS Community Meeting, UCL, 22 June 2017
- Lopez, T., Tun, T.T, Bandara, A., Levine, M., Nuseibeh, B. & Sharp, H. (2020) Taking the Middle Path: Learning about Security Through Online Social Interaction. IEEE Software, vol. 37, no. 1, pp. 25-30, Jan.-Feb. 2020.
- Lopez, T., Tun, T.T, Bandara, A., Levine, M., Nuseibeh, B. & Sharp, H. (2019) An Anatomy of Security Conversations in Stack Overflow. Software Engineering in Society, International Conference of Software Engineering, 2019. Montréal, Canada, May 25 - June 1, 2019.
- Lopez, T., Sharp, H., Tun, T.T., Bandara, A., Levine, M., and Nuseibeh, B. (2019) 'Hopefully We Are Mostly Secure': Views on Secure Code in Professional Practice', 12th International Workshop on Cooperative and Human Aspects of Software Engineering (CHASE), International Conference of Software Engineering, 2019. Montréal, Canada, May 27, 2019.
- Lopez, T., Sharp, H., Tun, T.T., Bandara, A., Levine, M., and Nuseibeh, B. (2019) Talking about security with professional developers, 7th International Workshop Series on Conducting Empirical Studies in Industry (CESSER-IP), International Conference of Software Engineering, 2019. Montréal, Canada, May 28, 2019.
- Lopez, T., Tun, T.T, Bandara, A., Nuseibeh, B., Sharp, H., & Levine, M. (2018). An Investigation of Security Conversations in Stack Overflow: Perceptions of Security and Community Involvement. 1st International Workshop on Security Awareness from Design to Deployment, International Conference of Software Engineering, 2018. Gothenburg, Sweden, 27 May, 2018.
- Weir, C., Becker, I., Noble, J., Blair, L., Sasse, M.A., Rashid, A. (2020). Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers. Software: Practice & Experience. 2020; 50: 275– 298. (See also: The Secure Development Handbook)
- Stuart, A., Bandara, A., Levine, M. (2019) The psychology of privacy in the digital age. Social and Personality Psychological Compass. 13:e12507.
- Tun, Thein and Bennaceur, Amel (2018). Agree to Disagree: Security Requirements Are Different, But Mechanisms For Security Adaptation Are Not. In: SEAMS ’18: Proceedings of the 13th International Conference on Software Engineering for Adaptive and Self-Managing Systems, ACM, New York, pp. 194–195.
- França, C., Da Silva, F. F. Q. B., & Sharp, H. (2018). Motivation and Satisfaction of Software Engineers. IEEE Transactions on Software Engineering.
- Lopez, T. (2016). Error Detection and Recovery in Software Development. PhD Thesis, the Open University.
- Lopez, T., Petre, M., & Nuseibeh, B. (2016). Examining Active Error in Software Development. In VL/HCC: IEEE Symposium on Visual Languages and Human-Centric Computing (pp. 152-156). IEEE Press.
- Sharp, H., Dittrich, Y. and deSouza, C. (2016) The Role of Ethnographic Studies in Empirical Software Engineering. IEEE Transactions on Software Engineering. IEEE Press.
- França, C. Sharp, H., & Da Silva, F. Q. (2014) Motivated software engineers are engaged and focused, while satisfied ones are happy. In ESEM: Proceedings of the 8th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (no. 32). ACM Press.
- Sach, R.J. (2013) The Impact of Feedback on the Motivation of Software Engineers. PhD Thesis, the Open University.
- Sharp, H., Baddoo, N., Beecham, S., Hall, T. and Robinson, H.M. (2009) Models of Motivation in Software Engineering. Information and Software Technology 51(1) (pp. 219-233).
- Tun, T. T., Jackson, M., Laney, R., Nuseibeh, B., & Yu, Y. (2009). Are Your Lights Off? Using Problem Frames to Diagnose System Failures. In RE'09: 17th IEEE International Requirements Engineering Conference (pp. 343-348). IEEE Press.