For 20 years, the human-centered security community has investigated how to improve the usability and utility of security tools and interfaces aimed at end users. End users, however, are not the only people who make critical security decisions -- we must also consider how to make security easier for information-technology professionals such as software developers, software testers, and sysadmins. In this talk, I will introduce a research agenda for applying the methods and findings of human-centered security research to this constituency. I will report on findings from several studies exploring the human reasons why secure development and operation often fails and possible approaches for improvement. These include the effects of information resources (such as Stack Overflow), API design, and choice of programming tools on developers' likelihood of writing secure code; how white-hat hackers and software testers approach the vulnerability discovery process; and the efficacy of educational tools such as capture-the-flag contests and threat modeling frameworks for improving software development and security operations.
Michelle Mazurek is an Assistant Professor of Computer Science and UMIACS, and an affiliate assistant professor of the iSchool and the Electrical and Computer Engineering Department at the University of Maryland. Her research focuses on human-centered computer security. She is interested in understanding and influencing security and privacy behaviors and preferences by collecting real data from real users. Her topics include making security easier for professionals such as sysadmins and software developers, and understanding how and why end users learn and apply security behaviors. She also investigates the adoption of end-to-end encrypted messaging, and she directs the Security, Privacy, People lab (SP2) within the Maryland Cybersecurity Center.