Interactive and Trustworthy Technologies Group

Principal Investigator

Prof Lynne Baillie 

Co-Investigators

Dr Manuel Maarek, Dr S Louchart (Glasgow School of Art), Dr A Reed (St Andrews), Dr Rob Stewart (HWU), Dr Hans Loidl (HWU) & Daisy Abbott (GSA)

Date

Start: 01 June 2020

End: 31 May 2023

Value(£)

998,239 

EPSRC Reference

EP/T017511/1 

Abstract

  

The security of software systems is a complex problem impacted by organisation, technology and people. An example of the impact of weak security is shown by the 2019 Cost of a Data Breach report, in which the Ponemon Institute for IBM Security estimated that across the United Kingdom, the average cost of a data breach increased from $3.68 million in 2018 to $3.88 million in 2019 (6th highest cost globally when compared to other regions). Software developers are at the forefront of the issue, as confirmed by GitLab's 2019 Global Developer Report released on 15th July 2019 (https://about.gitlab.com/developer-survey/2019/), which surveyed over 4k software professionals and found that while 69% of developers indicate they are expected to write secure code, nearly half said they struggle to get developers to make remediation of vulnerabilities a priority, and 68% of security professionals feel that fewer than half of developers are able to spot security vulnerabilities later in the lifecycle. These dramatic figures are for professionals, while the democratisation of software development and deployment enabled by the enormous markets of mobile and Web apps means that many of these apps are not built by professionals.

With the democratisation of software development and deployment comes the widening of the issues of code security and safety. At the heart of this democratisation are the new code-citizens, who are code-literate and able to build and run their own software code. However, they may have had no formal software engineering training and are often outside of the software industry, which normally inculcates good practice via house standards. As new citizens, they need to discover, understand, and exercise their rights and duties among a society living with software systems. Their understanding of the security implications of their coding is of fundamental importance to the security of software systems. Recent research (Fischer et al., 2017) revealed that of the 1.3 million Android applications that contained security-related code snippets from Stack Overflow, 97.9% contained at least one insecure code snippet.

To assist these code-citizens to become secure code-citizens, we believe that we can use serious games, which will bring practice and play together to enhance and guide our participants' focus. Games are an immersive medium which the project will use to engage code-citizens and deliver an intervention on security matters. Additionally, the process of designing serious games itself elicits the nature of the practice and engages participants in defining how to intervene and act effectively. We propose in this project to put code-citizens at the heart of secure code development by engaging them in the co-design of serious games for code-citizens. The project will apply an enhanced serious game design for three software security themes that have been informed by industrial practice.
