research-article

Using Situational and Narrative Analysis for Investigating the Messiness of Software Security

Authors:

Inger Anne Tøndel,

Daniela Soares Cruzes,

Martin Gilje JaatunAuthors Info & Claims

ESEM '20: Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

Article No.: 27, Pages 1 - 6

https://doi.org/10.1145/3382494.3422162

Published: 23 October 2020 Publication History

Abstract

Background: Software engineering work and its context often has characteristics of what in social science is termed 'messy'; it has ephemeral and irregular qualities. This puts high demands on researchers doing inquiry and analysis. Aims: This paper aims to show what a combination of situational analysis (SA) and narrative analysis (NA) can bring to qualitative software engineering research, and in particular for situations characterised by mess. Method: SA and NA were applied to a case study on software security. Results: We found that these analysis methods helped us gain new insights and understandings and a broader perspective of the situation we are studying. Additionally, the methods helped collaboration in the analysis. Conclusion: We recommend applying and studying these and similar combinations of analysis approaches further.

References

[1]

Deepika Badampudi, Claes Wohlin, and Tony Gorschek. 2019. Contextualizing research evidence through knowledge translation in software engineering. In Proceedings of the Evaluation and Assessment on Software Engineering. 306--311.

Digital Library

[2]

Adele E Clarke. 2016. From Grounded Theory to Situational Analysis: What's New? Why? How? In Situational analysis in practice: Mapping research with grounded theory, Adele E Clarke, Carrie Friese, and Rachel Washburn (Eds.). Routledge, 84--118.

[3]

Adele E Clarke, Carrie Friese, and Rachel Washburn. 2016. Situational analysis in practice: Mapping research with grounded theory. Routledge.

[4]

Tore Dybå, Dag IK Sjøberg, and Daniela S Cruzes. 2012. What works for whom, where, when, and why? On the role of context in empirical software engineering. In Proceedings of the ACM-IEEE international symposium on Empirical software engineering and measurement. 19--28.

Digital Library

[5]

Steve Easterbrook, Janice Singer, Margaret-Anne Storey, and Daniela Damian. 2008. Selecting empirical methods for software engineering research. In Guide to advanced empirical software engineering. Springer, 285--311.

[6]

Jennifer R Fosket. 2016. Situating knowledge. In Situational analysis in practice. Mapping research with grounded theory, Adele E Clarke, Carrie Friese, and Rachel Washburn (Eds.). Routledge, 195--215.

[7]

Marilou Gagnon, Jean Daniel Jacob, and Dave Holmes. 2016. Governing through (in) security: a critical analysis of a fear-based public health campaign. In Situational analysis in practice: Mapping research with grounded theory, Adele E Clarke, Carrie Friese, and Rachel Washburn (Eds.). Routledge, 270--284.

[8]

Laura Kocksch, Matthias Korn, Andreas Poller, and Susann Wagenknecht. 2018. Caring for IT Security: Accountabilities, Moralities, and Oscillations in IT Security Practices. Proceedings of the ACM on Human-Computer Interaction 2, CSCW (2018), 1--20.

Digital Library

[9]

Ann Langley. 1999. Strategies for theorizing from process data. Academy of Management review 24, 4 (1999), 691--710.

[10]

John Law. 2004. After method: Mess in social science research. Routledge.

[11]

Wayne G Lutters and Carolyn B Seaman. 2007. Revealing actual documentation usage in software maintenance through war stories. Information and Software Technology 49, 6 (2007), 576--587.

Digital Library

[12]

Joseph A Maxwell. 2012. Qualitative research design: An interactive approach. Vol. 41. Sage publications.

[13]

Jefferson Seide Molléri, Kai Petersen, and Emilia Mendes. 2019. CERSE - Catalog for empirical research in software engineering: A systematic mapping study. Information and Software Technology 105 (2019), 117--149.

[14]

Kai Petersen and Claes Wohlin. 2009. Context in industrial software engineering research. In 2009 3rd International Symposium on Empirical Software Engineering and Measurement. IEEE, 401--404.

Digital Library

[15]

Catherine Kohler Riessman. 2008. Narrative methods for the human sciences. Sage.

[16]

Evenynke Terpstra, Maya Daneva, and Chong Wang. 2017. Agile Practitioners' Understanding of Security Requirements: Insights from a Grounded Theory Analysis. In 2017 IEEE 25th International Requirements Engineering Conference Workshops (REW). IEEE, 439--442.

[17]

Inger Anne Tøndel, Daniela Soares Cruzes, and Martin Gilje Jaatun. 2020. Achieving" Good Enough" Software Security: The Role of Objectivity. In Proceedings of the Evaluation and Assessment in Software Engineering. 360--365.

Digital Library

[18]

Inger Anne Tøndel and Martin Gilje Jaatun. 2020. Towards a Conceptual Framework for Security Requirements Work in Agile Software Development. International Journal of Systems and Software Security and Protection (IJSSSP) 11, 1 (2020), 33--62.

Digital Library

Cited By

Van Staden SBidwell N(2023)Localised Trust in a Globalised Knot: Designing Information Privacy for Digital-IDACM Journal on Computing and Sustainable Societies10.1145/3616024Online publication date: 16-Aug-2023
https://dl.acm.org/doi/10.1145/3616024
Lopez TSharp HBandara ATun TLevine MNuseibeh B(2023)Security Responses in Software DevelopmentACM Transactions on Software Engineering and Methodology10.1145/356321132:3(1-29)Online publication date: 26-Apr-2023
https://dl.acm.org/doi/10.1145/3563211
Goyes D(2023)The importance of stories in wildlife managementEcological Management & Restoration10.1111/emr.1256723:3(237-243)Online publication date: 9-Jan-2023
https://doi.org/10.1111/emr.12567
Show More Cited By

Index Terms

Using Situational and Narrative Analysis for Investigating the Messiness of Software Security
1. General and reference
  1. Cross-computing tools and techniques
    1. Empirical studies
2. Security and privacy
  1. Software and application security
    1. Software security engineering

Recommendations

Achieving "Good Enough" Software Security: The Role of Objectivity
EASE '20: Proceedings of the 24th International Conference on Evaluation and Assessment in Software Engineering

Today's software development projects need to consider security as one of the qualities the software should possess. However, overspending on security will imply that the software will become more expensive and often also delayed. This paper discusses ...
Security Engineering Approach to Support Software Security
SERVICES '10: Proceedings of the 2010 6th World Congress on Services

As information security and privacy become increasingly important to organizations, the demand grows for software development processes that assure information integrity, availability, and confidentiality. Unfortunately, despite the investments made in ...
Software security in agile software development: a literature review of challenges and solutions
XP '18: Proceedings of the 19th International Conference on Agile Software Development: Companion

There has been a surge in number of software security threats and vulnerabilities in recent times. At the same time, expectations towards software and data security are growing. Thus there is a need to ensure that security-related tasks are effectively ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEM '20: Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

October 2020

412 pages

ISBN:9781450375801

DOI:10.1145/3382494

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Norges Forskningsråd

Conference

ESEM '20

Sponsor:

SIGSOFT

ESEM '20: ACM / IEEE International Symposium on Empirical Software Engineering and Measurement

October 5 - 9, 2020

Bari, Italy

Acceptance Rates

ESEM '20 Paper Acceptance Rate 26 of 123 submissions, 21%;

Overall Acceptance Rate 130 of 594 submissions, 22%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
172
Total Downloads

Downloads (Last 12 months)18
Downloads (Last 6 weeks)1

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Van Staden SBidwell N(2023)Localised Trust in a Globalised Knot: Designing Information Privacy for Digital-IDACM Journal on Computing and Sustainable Societies10.1145/3616024Online publication date: 16-Aug-2023
https://dl.acm.org/doi/10.1145/3616024
Lopez TSharp HBandara ATun TLevine MNuseibeh B(2023)Security Responses in Software DevelopmentACM Transactions on Software Engineering and Methodology10.1145/356321132:3(1-29)Online publication date: 26-Apr-2023
https://dl.acm.org/doi/10.1145/3563211
Goyes D(2023)The importance of stories in wildlife managementEcological Management & Restoration10.1111/emr.1256723:3(237-243)Online publication date: 9-Jan-2023
https://doi.org/10.1111/emr.12567
Tøndel ICruzes DJaatun MSindre G(2022)Influencing the security prioritisation of an agile software development projectComputers and Security10.1016/j.cose.2022.102744118:COnline publication date: 1-Jul-2022
https://dl.acm.org/doi/10.1016/j.cose.2022.102744

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents