An Empirical Study of Security Culture in Open Source Software Communities

Open source software (OSS) is a core part of virtually all software applications today. Because the impact of OSS on society and the economy is growing rapidly, its security has attracted researchers' attention as a distinctive phenomenon worth investigating. Traditionally, research on OSS security has focused on the technical aspects of software development. We argue that while these aspects are important, technical security practice that also takes the social aspects of OSS development into account is what assures the effective and efficient implementation of security tools. To address this research gap, in this empirical study we explore the current security culture in OSS development using a survey instrument with six evaluation dimensions: attitude, behavior, competency, subjective norms, governance, and communication. By exploring the current security culture in OSS communities, we can start to understand how that culture influences participants' security behaviors and decision-making, so that we can make realistic and practical suggestions. In this paper, we present the measurements of security culture adopted in the study and discuss the corresponding security issues that need to be addressed in OSS communities.
