Abstract
Software systems are everywhere, and therefore software security breaches affect every enterprise system. Although software engineers and system developers are provided with various secure software development guidelines and processes, attacks exploiting software vulnerabilities are on the rise. The prevalence of software vulnerabilities and the increasing number of compromised enterprise systems underline the need for guidance in the design and implementation of secure software. If software engineers and system developers applied the Secure Design Principles (SDPs), enterprise systems would be protected against many types of attacks. In this research, we conducted a survey study among participants with experience in designing and/or developing software (native, browser, or mobile applications) to test their familiarity and working knowledge of SDPs. We also explored whether demographic variables (age, gender, experience, education) are associated with their knowledge of SDPs, identified misconceptions about secure design principles, and gathered participants’ opinions on ways to implement SDPs.
1 Introduction
Nowadays, IT systems and software are predominantly used to conduct many types of critical and important business and operational tasks. In many industries, such as healthcare, banking, finance, government, and e-commerce, the information stored and communicated using IT systems is of confidential nature [8]. The confidential nature of such information requires adoption of well-designed security mechanisms in systems and software tools to keep the private and confidential data of individuals and organizations protected from malicious attacks, and unauthorized access.
In the software and system development field, security refers to the process of implementing special purpose mechanisms that ensure confidentiality, availability, and integrity of the system and information objects. Information security is a continuous process in a system that aims to maintain availability, confidentiality, and integrity of the data stored or communicated by the system. With security mechanisms, system developers target three key components of security:
- Integrity: Ensuring that information is protected from being modified by unauthorized users.
- Confidentiality: Concealment of the system’s resources, information, and processes from unauthorized access. It mainly refers to access control mechanisms, which depend on policies for allowing or refusing system access requests.
- Availability: The system must remain accessible to authorized users.
In the field of software development, standardization of security mechanism exists in different forms such as certification, encryption strength, authentication metrics, etc. Together with the security standards, the software engineers and system developers are expected to follow some secure design principles that recommend best practices in implementation of security measures in a system.
In this research, we conducted a survey to examine the familiarity and understanding of secure design principles among participants who have experience in designing and/or developing software.
Our contribution in this paper is to determine whether software engineers and developers are aware of, and have working knowledge of, the Secure Design Principles. Our study also investigates whether demographic variables (age, gender, experience, education) are associated with gaps in knowledge of the Secure Design Principles.
This paper is organized as follows. Section 2 provides background information on secure design principles. Section 3 contains a discussion of related work, and in Sect. 4, we discuss our approach on the study. In Sect. 5 we present our results, and lastly, Sect. 6 concludes with a recommendation for future work.
2 Background Information
In the field of information systems, principles of secure design (secure design principles) are fundamental concepts that define how security mechanisms should be designed and implemented. Their scope is not limited to technological aspects; they also account for the human factors of a system, and several of the commonly adopted principles, such as least privilege, concern how people and processes are granted authority rather than any particular technology. Each principle either restricts how privileges are allocated, on the basis of specific criteria, or seeks to minimize the complexity of a security mechanism so as to reduce the probability of its failure [10]. According to [11], the secure design principles (SDPs) are as follows:
- Principle of Least Privilege: every user, and every program or process acting on a user’s behalf, should be granted only the access rights that are strictly necessary to complete the assigned task. Applying least privilege to access controls is the first line of defense; rights should follow the task, not the rank or role of the user.
- Principle of Fail-Safe Defaults: by default the system denies access; a user gains access to an object only when access has been explicitly granted. The same rule governs error handling: when a check cannot be completed or a transaction fails part-way, the mechanism must fall back to the denying state, for example by rolling the transaction back, rather than leaving a partial result in place.
- Principle of Economy of Mechanism: the design of a security mechanism should be kept as small and simple as possible, so that it can be inspected and tested. Adding more mechanisms does not by itself make a system more secure.
- Principle of Complete Mediation: every access to every object must be checked against the current authority at the time of the request. A decision made for an earlier request must not simply be reused; if the results of a check are cached for performance, they must be invalidated when permissions change.
- Principle of Open Design (the opposite of security by obscurity): the level of security achieved by a mechanism should not depend on the secrecy of its design or deployment. Protection should rest on keys or passwords that can be changed, while the mechanism itself can be openly reviewed.
- Principle of Separation of Privilege: access to an object should not be granted because a single condition is satisfied; a protection mechanism that requires two or more independent criteria (two keys, two approvers) is more robust than one that relies on a single criterion.
- Principle of Least Common Mechanism: the amount of mechanism shared between users and depended on by all users should be minimized, since every shared mechanism is a potential path for information to leak between users or for one user’s misuse to affect the others.
- Principle of Psychological Acceptability: the human interface must be designed for ease of use so that users routinely and correctly apply the protection mechanisms.
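As an added illustration, not code from the paper, the following Python sketch puts four of these principles side by side in a toy reference monitor: fail-safe defaults (no explicit grant means deny), least privilege (grants are per task, not per rank), separation of privilege (a destructive action needs a second, independent approver) and complete mediation (every request is re-checked against the current grants). It also shows the two opposite patterns that the survey in Sect. 4 asks participants about: a rank-based rule in which a higher role simply confers more rights, and a monitor that remembers a user as “verified once” and never re-checks. Every name, the `ledger` object and the sample grants are constructed for the example.

```python
"""Toy reference monitor illustrating four of the Saltzer-Schroeder principles.
Added example, not code from the paper. Every name here (Principal, Monitor,
CachingMonitor, rank_based, the 'ledger' object, the grants) is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Perm = Tuple[str, str]  # (action, object), e.g. ("read", "ledger")


@dataclass
class Principal:
    name: str
    # Least privilege: grants name the exact (action, object) pairs a task
    # needs; nothing is derived from a rank or "higher role".
    grants: Set[Perm] = field(default_factory=set)


class Monitor:
    """Checks every request against the current grants (complete mediation)."""

    # Separation of privilege: these actions need two independent parties.
    TWO_PARTY = {"delete"}

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, who: Principal, action: str, obj: str,
              approver: Optional[Principal] = None) -> bool:
        # Fail-safe default: no explicit grant means deny.
        allowed = (action, obj) in who.grants
        if allowed and action in self.TWO_PARTY:
            # A second, different principal who independently holds the
            # same grant must approve.
            allowed = (approver is not None and approver is not who
                       and (action, obj) in approver.grants)
        self.audit.append((who.name, action, obj, allowed))
        return allowed


class CachingMonitor(Monitor):
    """Anti-pattern for the survey item "verified once, valid thereafter":
    the first decision per (principal, action, object) is cached and never
    re-evaluated, so a grant revoked later keeps working."""

    def __init__(self) -> None:
        super().__init__()
        self._cache: Dict[Tuple[str, str, str], bool] = {}

    def check(self, who, action, obj, approver=None):
        key = (who.name, action, obj)
        if key not in self._cache:
            self._cache[key] = super().check(who, action, obj, approver)
        return self._cache[key]


def rank_based(who_rank: int, needed_rank: int) -> bool:
    """Anti-pattern for the most-missed survey item, "higher role, more
    access rights": seniority alone confers the right."""
    return who_rank >= needed_rank


def demo() -> Dict[str, bool]:
    """Run the scenarios and return each decision so it can be inspected."""
    ledger = "ledger"
    clerk = Principal("clerk", {("read", ledger), ("write", ledger)})
    auditor = Principal("auditor", {("read", ledger), ("delete", ledger)})
    manager = Principal("manager", {("read", ledger), ("delete", ledger)})

    m = Monitor()
    out = {
        # No grant, so denied, however senior the "manager" is.
        "manager_write": m.check(manager, "write", ledger),
        # The clerk holds exactly the right the task needs.
        "clerk_write": m.check(clerk, "write", ledger),
        # One satisfied criterion is not enough for a two-party action.
        "manager_delete_alone": m.check(manager, "delete", ledger),
        # Self-approval is refused: the approver must be someone else.
        "manager_delete_self": m.check(manager, "delete", ledger, approver=manager),
        # Two independent grant holders: allowed.
        "manager_delete_with_auditor": m.check(manager, "delete", ledger, approver=auditor),
        # The rank model hands out delete to anyone senior enough.
        "rank_model_gives_delete": rank_based(who_rank=3, needed_rank=2),
    }

    # Revoke the clerk's write grant, then re-check with both monitors.
    strict, cached = Monitor(), CachingMonitor()
    strict.check(clerk, "write", ledger)
    cached.check(clerk, "write", ledger)
    clerk.grants.discard(("write", ledger))
    out["strict_after_revoke"] = strict.check(clerk, "write", ledger)
    out["cached_after_revoke"] = cached.check(clerk, "write", ledger)  # stale
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} {'ALLOW' if decision else 'DENY'}")
```

Running the module prints one line per scenario. The two decisions worth comparing are the last ones: after the clerk’s write grant is revoked, the strict monitor denies the next request while the caching monitor still allows it, which is exactly the “verified once, trusted thereafter” behaviour that complete mediation forbids. The `audit` list on `Monitor` records every decision, including denials, so that the mediation itself is observable.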
The prevalence of software vulnerabilities and the increasing number of compromised systems show the pressing need to improve the development of secure software. If software engineers and system developers applied these SDPs, their systems would be protected against many types of attacks.
3 Related Work
Secure Design Principles provide a general guideline to the system developers in designing of security mechanisms, which are applicable for a wide variety of software, web-tool, system, and application development processes [2]. The Secure Design Principles exist as an abstract concept rather than a specific requirement, allowing flexible and convenient adoption of the principles of secure design.
The secure design principles also apply to networking and communication protocols. Their versatility is useful for deploying security mechanisms in the interconnected world of the Internet of Things (IoT) [7]. Following the principles allows networking protocols to achieve security while remaining lightweight and placing little burden on resources.
The secure design principles also emphasize the practicality of secure systems; their underlying theme is simplicity and thoroughness in security mechanisms [1]. In this sense, the principles require security mechanisms not to compromise the usability or performance of a system.
The US Department of Defense (DoD) widely uses secure design principles for computer security. Some authors, such as [11], list the secure design principles as a set of precisely worded statements; others refer to them as a collection of fundamental concepts. Since the principles were first published, further principles have been added, such as easiest penetration, weakest link, effectiveness, and adequate protection, reflecting a wider scope of security thinking. However, Smith (2012) [13] argues that in modern information security some of these principles, namely economy of mechanism, complete mediation, and psychological acceptability, no longer play the central role they once did: economy of mechanism has been left far behind in both the profit-oriented and the free software communities; the distributed nature of modern network security has made complete mediation impractical; and psychological acceptability, which has gained importance, tends to come at a higher cost when security measures are chosen.
Understanding the secure design principles is a substantial challenge. Reference [6] observes that access control, which is closely related to the principle of complete mediation, is a major challenge in organizations: developing a shared understanding of policy between different stakeholders is daunting because those who make policies are not those who implement them. In [6], 12 semi-structured interviews with security practitioners were conducted around a new interface named AuthzMap to learn how people make sense of and review users’ access, and to identify the challenges in reviewing implemented access policies. Another challenge is expressing policies in role-based access control (RBAC) for resource owners; the authors of [5] discuss this issue and use natural language to address it. To help users understand the effective access policy when access rules conflict, [9] proposed a new UI named the “expandable grid”, which helps end users of commodity operating systems understand the access policy and addresses the conflicting access rules that occur in the Windows file system.
Wood [15, 16] describes principles for secure information systems design, with an emphasis on groupware examples, and attributes part of the problem to a lack of design principles that can be used when selecting or creating control measures. Most security experts agree that security through secrecy is a flawed tactic, since threats may go undetected [4]. Sistla et al. (2008) [12] designed a verification technique that checks the complete mediation property directly on the code of the Java standard libraries.
Lack of knowledge of, or attention to, the principles leads to security violations. For example, [3] studied design flaws in SmartApps and found that, although the platform implements a separation of privileges, the principle of least privilege is not observed, which causes design flaws; their results estimate that over 55% of SmartApps in the store are over-privileged.
Syverson (1996) [14] discusses the limitations of design principles for cryptographic protocols, illustrating them with principles concerning the encryption of signed data and the signing of encrypted data. The paper concludes that design principles are best used at the beginning, to guide the preliminary design; in the middle, by examining the motivation behind a principle to see whether following it actually serves that motivation; and at the end, to check that the finished protocol does not violate the principles.
4 Study Design
The number of flaws and security vulnerabilities found in software and systems has increased significantly, and software developers spend years releasing patches and updates to fix design flaws on an ongoing basis.
One reason for the high number of flaws and security issues in software is the extensive complexity of software structure. Another is a lack of information or awareness of best practices such as the secure design principles, which contributes significantly to the flaws and security issues in systems.
Our study assesses whether software developers and designers lack awareness and knowledge of the secure design principles. To test this, a questionnaire-based survey was used to identify the level of familiarity with the principles among software engineering students and software developers. Analysis of the participants’ answers indicates whether or not secure design principles are understood and applied by software developers.
4.1 Survey Design
To achieve the goal of this study, we recruited only people with experience in software engineering and development. The survey began with an informed-consent page on which participants could agree or decline to take part. The first set of questions collected demographic information (age, gender, experience, and education). The main part of the survey consisted of 30 questions designed to gain insight into participants’ knowledge, familiarity, and use of the secure design principles. To elicit the most accurate information, questions were asked in different forms, including open-ended questions and rating-scale questions (5-point Likert items: strongly agree, agree, undecided, disagree, strongly disagree). Some sample Likert items from the survey are:
- By default, the user should have full access rights (e.g., Read-Write-Delete).
- Applying more security mechanisms will help your system to be more secure.
- The simplicity in design and implementation of software is helpful for decreasing the possibilities of system errors.
- A security mechanism depends on secrecy of its design or implementation.
- Unless a user has explicitly been given access to an object, it should be denied access to that object.
- If a user has been verified in the system once, the user should be treated as a valid user for subsequent requests without the need for further verification.
- A secure design principle restricts a user from reassigning or sharing privilege with another user.
- A secure software system should have a minimum number of mechanisms.
4.2 Survey Sample
To reduce bias in data collection, participants of different ages and education levels were recruited, and random selection was used to reduce skewness. Because the objective of the survey is to gain insight into knowledge of secure design principles among software engineers with software design experience, only participants over the age of 19 were accepted. All participants were located in the USA; they comprised 18 computer science graduate students and 33 software developers and engineers working in industry. The students were recruited through flyers distributed among the computer science graduate students at North Carolina A&T State University, with the inclusion criterion that they have experience in software engineering and development; such experience, and knowledge of design principles, may come from courses taken at the undergraduate and graduate levels. The flyer was also posted on the Amazon Mechanical Turk (MTurk) website.
Avoiding selection bias is important if a sample is to yield accurate results. With this in mind, the 33 industry participants were recruited through Amazon Mechanical Turk, which assigns the task to its workers automatically; the platform has millions of users available to take a survey. We set premium qualifications for the MTurk workers, so only workers holding the chosen qualifications could access the survey link.
4.3 Survey Distribution
The survey was distributed to all volunteers who met the inclusion criteria (software engineers or developers, or graduate-level software engineering students) and the language criterion (English-speaking participants only). For the participants’ convenience we used the popular online survey platform SurveyMonkey. We collected 51 responses. All participants, students and MTurk workers alike, received a $5.00 gift card after completing the survey.
5 Results
The 51 participants in this research survey covered a wide range of demographics. The most popular age category was 25 to 34 (42%), but 18 to 24 and 35 to 44 were also strongly represented at 18% and 28% respectively (as shown in Fig. 1 below). The remaining 12% was split evenly between 45–54 and 55–64. Both females and males were represented at 30% and 70%, respectively.
Education was predominantly at a bachelor’s degree level (59%); 22% were at master’s degree Level and 12% at PhD degree level. Those below a bachelor’s degree reported being at an associate degree level (8%) (as shown in Fig. 2 below).
The self-described level of experience in developing software was mostly Intermediate (57%), with a skew toward Advanced (27%) over Low (16%). Reported years of experience in software design and development showed a similar distribution: the largest category was 1–3 years (35%), every higher category was well represented, with 10% of respondents reporting 10+ years, and only 15% had less than one year of experience.
The results from this survey highlighted many areas where there is currently a misunderstanding of secure design principles. For the 28 multiple-choice questions, only 23% of respondents were both correct and confident. Another 31% were correct but not quite confident (e.g. “Agree” instead of “Strongly Agree”). Consequently, the remaining 46% of responses were either uncertain or incorrect. The “easiest” question in the set still only had 51% of respondents answering correctly; the “most difficult” question saw no respondent answering correctly. Figure 3 below demonstrates the participant’s performance in a box-whisker plot.
It can be tested whether respondent performance depends upon education level. First, to investigate if there is any performance difference between respondents with Associate and bachelor’s degrees, we conducted a t-test where the null hypothesis is that there is no significant performance difference between these two groups; the alternative hypothesis is that there is significant performance differences between the respondents of two education levels. Using the mean performances of Associate (56%) and Bachelor’s (53%) degrees, we computed a t-value magnitude of 0.36. Since the critical magnitude for a two-sided test with 95% confidence is 2.04, the null hypothesis cannot be rejected; the performance of Associate and Bachelor’s degrees are not discernibly different.
A similar analysis can be conducted to test if Master/PhD degrees perform better than that of Bachelor’s degrees. The null hypothesis is that average performances are equal; the alternative hypothesis is that master/PhD degrees outperform Bachelor degrees. Comparing the mean performances of Bachelor’s (53%) and Master/PhD (55%), the associated t-value is 0.80. The critical magnitude for a one-sided test with 95% confidence is 1.68. Therefore, the null hypothesis cannot be rejected; the data does not suggest Master/PhD degrees perform better than Bachelor’s degrees.
An ANOVA was used to test if any of the levels of experience influences performance. The null hypothesis is that all levels of experience perform equally well; the alternative hypothesis is that at least one of the categories performs differently than the rest. Starting with the less than 1 year experience category and progressing to 10+ years, the mean performances are 52%, 54%, 55%, 56%, and 51%. The computed F-value is 0.17, less than the F-critical of 2.57. Therefore, the null hypothesis cannot be rejected; no level of experience is discernibly different in terms of the knowledge of secure design principles than the rest.
On the matching question on the definition of some secure design principles, there was only 50% correctness on three of the five assignments, though, the most popular answer for each assignment was correct. This is again only marginally better than random selection.
The most troubling multiple-choice item on the least privilege principle was “Access rights of users should be assigned based on their roles (higher role, more access rights)”. Here 53% of respondents agreed and a further 35% strongly agreed, while no respondent (0%) gave the correct answer of strongly disagree: access rights should be assigned only as required by the assigned tasks, not by seniority. This suggests an overemphasis on user roles in the granting of access rights.
Three other questions were also widely mistaken and showed a common theme of knowledge gap:
- A complex security model ensures a secure software;
- More security mechanisms will always help a system to be more secure;
- A secure software system should have a minimum number of mechanisms.
For these questions only 6% (age group: 25–34), 2% (age group: 25–34), and 6% (age group: 25–34) of responses were fully correct, significantly outweighed by the 78–88% undecided or incorrect. It appears there is an enormous gap in understanding the primary design components of a secure mechanism and how that is best carried out in practice.
The question most correctly answered by respondents (51%) was a disagreement to the following statement: by default, the user should have full access rights (e.g., Read-Write-Delete); still, 27% of respondents were either uncertain or incorrect.
No other question received more than 50% correctness, but the following pattern emerged when looking at the next best-answered questions:
- It’s better to grant a user a range of access rights (e.g., Read-Write-Delete), even if the user does not need all;
- Unless a user has explicitly been given access to an object, it should be denied access to that object;
- A secure design principle restricts a user from reassigning or sharing privilege with another user.
Respondents were best able to recognize that permissions should be granted carefully and only for a specific reason.
Grouping the questions by principle and analyzing performance, the Principles of Psychological Acceptability and Separation of Privilege were the two most frequently correct answers at 60.8%. The most incorrectly answered questions covered the Principles of Least Common Mechanism and Economy of Mechanism, with only 46.8% and 44.1% correct responses. The other four principles fell in the middle, between 54% and 60% (as shown in Fig. 4).
Of the five questions in which a design principle had to be matched with its description, economy of mechanism was matched correctly most often (73%). In decreasing order of recognition followed least privilege (60%), complete mediation (59%), separation of privilege (35%), and fail-safe defaults (32%).
Statistically, these results are better than random chance, but they seem to reflect how distinctive and recognizable the names of the principles are rather than prior knowledge of the principles themselves. In the multiple-choice questions, a prevalent and erroneous view was that secure systems have more, and more complex, mechanisms in place than non-secure systems. In other words, respondents matched the name “economy of mechanism” to its definition more often than any other principle, yet could not apply the principle when it was stated without its name.
One possible metric of respondents’ interests in the secure design principles perhaps is the length of responses to the essay question. The question asked was, “what should be done to ensure that secure design principles are applied in developing software?” We received a response from 46 of the 51 participants. Of those who responded, only 19 provided a substantial answer with more than 100 characters; 15 were between 30 and 100 characters, and 12 were fewer than 30 characters (as shown in Fig. 5).
The quality of the answers was consistent with the results of the previous sections: mostly short, generic statements that did not mention the underlying principles, again pointing to limited knowledge of the topic. Some of the more concrete suggestions from participants were:
- A balance of usability and security is needed since programmers lean on usability too much, thus throwing security out of the window.
- Software development companies need security experts that are available to do testing, and make sure that resources are being used accurately and safely to prevent risks to users’ data.
- Companies with software developers should have a training program held every 1 to 2 years for their employees.
- Use of the agile software development model helps the developers to design, test, implement, and review to achieve better security.
- Computer security is a continuous process dealing with confidentiality, integrity, and availability on multiple layers of a system.
- Financial penalties for those who don’t follow the secure design principles will force them to follow all the principles carefully.
6 Conclusion and Future Work
In conclusion, the security of software systems has a huge impact on our lives, which is why it is important for software developers and engineers to understand the secure design principles and to apply best practices such as these principles. In this paper we conducted a survey study to gauge whether software developers are aware of, and have working knowledge of, the important secure design principles. The study matters because many attacks exploit software vulnerabilities that stem from gaps in developers’ knowledge. We gathered participants of different ages, genders, education levels, and levels of experience in developing software: 18 computer science graduate students and 33 software engineers recruited through MTurk.
Various questions were asked to measure the participants’ knowledge. Analyzing the results, we conclude that there is a knowledge gap in secure design principles: software developers are either not familiar with the concept of secure design principles or do not know how to apply and follow them in the system design phase. More work is needed on how to improve software engineers’ knowledge so as to prevent security violations in systems, and knowing the principles is not enough on its own; adequate training in applying them is also needed. This study is a first step toward understanding the level of awareness of these principles; further studies are needed to understand the gap more fully and to find ways to close it.
In the future, we plan to conduct a large-scale study and re-evaluate the current survey instrument as well as test different hypotheses on the contributing factors to the observed knowledge gaps. We will also consider the experience levels of the participants in terms of different types of software development environments as well as the types of software developed.
References
Benzel, T.V., Irvine, C.E., Levin, T.E., Bhaskara, G., Nguyen, T.D., Clark, P.C.: Design principles for security. Technical report, Naval Postgraduate School Monterey CA Department Of Computer Science (2005)
Bishop, M.: Computer Security: Art and Science. Addison Wesley Professional, Westford (2003)
Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 636–654. IEEE (2016)
Hole, K.J., Moen, V., Tjostheim, T.: Case study: online banking security. IEEE Secur. Priv. 4(2), 14–20 (2006)
Inglesant, P., Sasse, M.A., Chadwick, D., Shi, L.L.: Expressions of expertness: the virtuous circle of natural language for access control policy specification. In: Proceedings of the 4th symposium on Usable privacy and security, pp. 77–88 (2008)
Jaferian, P., Rashtian, H., Beznosov, K.: To authorize or not authorize: helping users review access policies in organizations. In: 10th Symposium on Usable Privacy and Security (SOUPS 2014), pp. 301–320 (2014)
McGraw, G.: Software Security: Building Security In, 1st edn. Addison-Wesley Professional, Westford (2006)
Medvidovic, N., Taylor, R.N.: Software architecture: foundations, theory, and practice. In: 2010 ACM/IEEE 32nd International Conference on Software Engineering, vol. 2, pp. 471–472. IEEE (2010)
Reeder, R.W., et al.: Expandable grids for visualizing and authoring computer security policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1473–1482 (2008)
Saltzer, J., et al.: On the naming and binding of network destinations. In: Local Computer Networks, pp. 311–317 (1993)
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
Sistla, A.P., Venkatakrishnan, V., Zhou, M., Branske, H.: CMV: automatic verification of complete mediation for java virtual machines. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, pp. 100–111 (2008)
Smith, R.E.: A contemporary look at Saltzer and Schroeder’s 1975 design principles. IEEE Secur. Priv. 10(6), 20–25 (2012)
Syverson, P.: Limitations on design principles for public key protocols. In: Proceedings 1996 IEEE Symposium on Security and Privacy, pp. 62–72. IEEE (1996)
Wood, C.C.: Principles of secure information systems design. Comput. Secur. 9(1), 13–24 (1990)
Wood, C.C.: Principles of secure information systems design with groupware examples. Comput. Secur. 12(7), 663–678 (1993)
© 2020 Springer Nature Switzerland AG
Almousa, M., Keshavarz, M., Anwar, M. (2020). Awareness and Working Knowledge of Secure Design Principles: A User Study. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science, vol 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_1
Print ISBN: 978-3-030-50308-6. Online ISBN: 978-3-030-50309-3