
settings arises from the fact that the human dimension in information security is always considered the weakest link [289, 396, 451]. The results of numerous surveys suggest that people's attitudes and lack of awareness of security issues are among the most significant contributors to security incidents [154]. If an appropriate security culture is neglected, individuals will not develop habitually secure behavior or take the initiative to make better decisions when problems arise. Therefore, the creation of a security culture is necessary for the effective management of information security.

8.3 Research Framework

In this section, we elaborate the characteristics of a security culture that can be adopted in the context of OSS development. Based on a systematic review and synthesis of relevant publications on security culture, together with information gathered from numerous pilot studies, we identified six dimensions of security culture: attitude, behavior, competency, subjective norms, governance, and communication.

8.3.1 Attitude

Attitude is an important factor that influences humans' emotions (how you feel or what you believe) and behavior [64]. Specifically, attitude can also refer to the degree to which a person has favorable or unfavorable feelings about an object [499]. The object can be an event, person, thing, place, idea, or activity. Other commonly used descriptions include behavior that is liked or disliked, desirable or undesirable, good or bad, or behavior that is viewed positively or negatively [6]. Chia [80] asserted that in a good security culture, individuals in the organization not only feel responsible for security but also have a sense of ownership of it. Unless they believe that security is important, people are unlikely to work securely, irrespective of how much they know about security requirements. Attitudes give a strong indication of individuals' disposition to act. For this study, attitude can be seen as OSS participants' feelings and emotions about the various activities that pertain to software security. Aspects include participants' beliefs (values) about security, their sense of responsibility for software security in the community, and positive thinking about and perception of security requirements.

8.3.2 Behavior

The notion of behavior is based on what individuals do and relates to actual or intended activities [254]. According to Cox, Connolly, and Currall [93], human behavior is crucial in ensuring an effective environment for information security.

Essentially, security behavior is performed by individuals who are governed by instructions and requirements when using computer resources, but the way people think, what they believe, and consequently how they appreciate the organization's security arrangements all affect how they behave [191]. Thus, security behavior can be seen as a function that frames the way organizational actors collectively construct the meaning of their different experiences of security tasks. The importance of participants' behavior in software security management cannot be ignored. In the context of software development, security behavior includes the use of security technologies, the adoption of secure coding practices, and compliance with organizations' security policies. Risk-taking is another important component of security behavior: it occurs when the people involved in the design and/or operation of a system fail to perceive some set of conditions that might arise and cause the security of the system to be compromised [119]. People adjust their risk-taking behavior toward their "comfortable" level of risk (i.e., the level of risk they regard as "secure").

8.3.3 Competency

Competency is defined as the underlying human characteristic that distinctly affects superior job performance in real-life and context-specific situations [28]. This characteristic is the collection of underlying knowledge and skills, which potentially enables some individuals to meet demands more effectively than others [69].

Competency, therefore, provides the potential capability to be skilled in relation to a specific goal or job task. To improve job performance and satisfaction, competency has been widely used to match employees to jobs by matching the competencies of a person to the job requirements [244], which gives individuals confidence that their behavior will not have negative consequences. In the domain of software security, competency can be defined as software engineers' level of knowledge and skill in protecting their software from a wide range of threats, together with the ability to apply that knowledge and skill productively (effectiveness). Having adequate competency regarding software security is a prerequisite to performing any software development task securely. Therefore, security competency may be regarded as an important factor to cultivate in a security culture, and as the first line of defense in information security effectiveness.

8.3.4 Subjective Norms

A subjective norm is a person's belief about what the people who matter to him or her think he or she should do [135]. We recognize the term subjective norms as describing "directed normative relationships between participants in the context of an organization" [415]. Norms are a powerful means of regulating interactions among autonomous agents [26]. What is perceived as normal behavior in social settings has a strong influence on what is considered acceptable behavior in an organization, and what is not [456], independent of what the rules or formal policies dictate. Individuals are influenced both by messages about expectations and by the observed behavior of others [409]. For security culture, subjective norms represent a combination of the perceived expectations of relevant individuals or groups and the intention to comply with security-related tasks. They concern what is considered right and wrong regarding information security, involvement in organizational communication processes, and awareness of security policies. If the group considers information security an important and serious problem, then it is more likely that the individuals within that group will value and follow the security policies. Conversely, if risk-taking is accepted within the group, then it is likely that greater risks will be taken. Failing to meet the group's expectations may incur a sanction against the offender. For example, members of OSS projects are often expected to follow a coding convention; failure to adhere to this obligation may result in the code being rejected by the community. The intention to perform a secure action is stronger if the person has both a positive attitude toward the behavior and a subjective norm supporting it [135].

8.3.5 Governance

Governance refers to the processes involved in developing and enforcing policies and norms for a given community or organization with the aim of structuring some set of activities [246]. Security governance is the means by which one controls and directs an organization’s approach to security [246]. Security governance provides a framework in which the decisions made about security actions are aligned with the organization’s overall business strategy and culture [107]. Thus, security governance is about decision making per se, which is concerned with setting directions, establishing standards and policies, and prioritizing investment and implementation.

Effective security governance must provide mechanisms that enable managers to allocate expertise and responsibilities accordingly [480]. It requires defined roles and responsibilities for security tasks, defined policies, their implementation, and oversight mechanisms. In growing and maintaining an OSS project, people such as the core contributors/maintainers, leaders, and community managers must develop guidelines for writing and documenting code, implement rules about licensing and distribution, determine methods for evaluating contributions to the project, and provide venues for like-minded users to communicate and build working, trust-based relationships (e.g., Slack channels and discussion forums) [410].

8.3.6 Communication

Communication, in simple terms, can be considered an interactive process of sending and receiving messages among individuals, groups, and organizations, including some form of feedback [248]. DeVito [116] defined communication as an act: "Communication refers to the act, by one or more persons, of sending and receiving messages that are distorted by noise, occur within a context, have some effect, and provide some opportunity for feedback." Clear, open, effective communication can create a sense of transparency in the organization, which builds trust between levels of employees. As Adams and Sasse [20] pointed out, insufficient communication with individuals in the organization "causes them to construct their own model of possible security threats and the importance of security and these are often wildly inaccurate."

It is imperative that security has an internal voice in the form of broadcasting channels, ensuring that policies, procedures, and relevant breaking news items are universally and regularly communicated. In the present study, communication refers to the methods OSS participants use to communicate security information within a community, the facilities used to transfer information, and the codification and personalization of that information. Developers and users of an OSS project do not all necessarily work on the project in physical proximity; they require electronic means of communication. Internet resources have the advantage of providing the community with an information infrastructure for sharing codified software development materials in the form of hypertext, video, and indexes or directories of software artifacts.

Personalization communication has the inherent flexibility of transmitting tacit knowledge, and allowing for discussions and sharing interpretations that may lead to the development of new knowledge [51].

8.4 Research Methodology

This research adopted a quantitative approach to investigate the security culture in OSS communities. Quantitative research methods, such as conducting surveys and validating research frameworks and questionnaires, have been widely applied in the information security discipline [398, 417]. Organizations can use survey instruments to study information security behavior in general [40]. The use of an OSS participant survey was deemed appropriate in this study, as a survey elicits clear, direct, and objective answers to the questions presented to the respondents. For the purpose of this study, a self-administered web-based survey was used to collect individual-level perception data from participants in OSS projects.

8.4.1 Instruments

The survey instrument used in this study was the outcome of an iterative process of checking and refinement. We developed a questionnaire based on the six dimensions defined in section 8.3. The primary measurement items and the corresponding questions are summarized in Table 8.1. Some survey questions were inspired by existing studies, while others were created specifically to suit the research context of this study. Each item in the questionnaire was measured on a five-point Likert scale ranging from strongly disagree (1) to strongly agree (5).

8.4.2 Data Collection

Samples for the empirical study were randomly collected from participants in OSS development projects available on GitHub. GitHub is an online database of OSS projects. Users and potential contributors can access information about projects and download current versions of the software being developed. As of June 2018, GitHub reported more than 30 million users [164] and 57 million repositories [163], making it the largest host of source code in the world.
