
Training and Security Awareness Under the Lens of Practitioners: A DevSecOps Perspective Towards Risk Management

Conference paper, in: HCI for Cybersecurity, Privacy and Trust (HCII 2024)

Abstract

Critical infrastructures (CI) extend across various sectors of the economy and rely on a combination of software and hardware technologies to manage the operation of their systems, services, and assets. Risk management plays a pivotal role in the long-term viability of organizations by identifying potential threats and vulnerabilities. The realm of DevSecOps in CI undergoes continuous evolution, requiring organizations to continually adapt their strategies to address emerging risks. The goal of this exploratory study is to understand how training and security awareness influence the adoption of DevSecOps practices and, consequently, their role in enhancing risk management processes in the context of CI. The study examines the perspectives of DevOps professionals, developers, security experts, and other experts working in CI by means of a survey. The results reveal a gap in regular training and awareness sessions, which has prompted practitioners to acquire knowledge and skills proactively and independently. The findings also highlight that a positive security culture is fostered by risk-averse behavior, which in turn reduces the occurrence of incidents and promotes adherence to policies. The study offers insights into the role of DevSecOps in risk management, potentially encouraging the adoption of DevSecOps and guiding practitioners interested in harnessing its benefits within the context of CI. Furthermore, our findings pave the way for future research on assessing the impact of training and awareness programs in shaping and improving the security culture within CIs.



Acknowledgments

This paper is partially funded by the Research Council of Norway (RCN) in the INTPART program, under the project “Reinforcing Competence in Cybersecurity of Critical Infrastructures: A Norway-US Partnership (RECYCIN)”, with the project number #309911.

Corresponding author

Correspondence to Xhesika Ramaj.


Ethics declarations

The authors have no competing interests to declare that are relevant to the content of this article.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Ramaj, X., Sánchez-Gordón, M., Colomo-Palacios, R., Gkioulos, V. (2024). Training and Security Awareness Under the Lens of Practitioners: A DevSecOps Perspective Towards Risk Management. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2024. Lecture Notes in Computer Science, vol 14729. Springer, Cham. https://doi.org/10.1007/978-3-031-61382-1_6

  • DOI: https://doi.org/10.1007/978-3-031-61382-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-61381-4

  • Online ISBN: 978-3-031-61382-1

  • eBook Packages: Computer Science (R0)