The soft skills of software learning development : the psychological dimensions of computing and security behaviours

Ivory, Matthew and Towse, John and Levine, Mark and Sturdee, Miriam and Nuseibeh, Bashar (2025) The soft skills of software learning development : the psychological dimensions of computing and security behaviours. PhD thesis, Lancaster University.

Text (2025ivoryphd)
2025ivoryphd.pdf - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Abstract

Security is critical to high-quality software, yet vulnerabilities are routinely identified. Are cognitive and social psychology constructs relevant to software engineers' security behaviours? Empirical data to adjudicate this question is currently sparse. I argue that developers' psychology is a keystone which bridges technical knowledge and successful code. Through a multi-phase, mixed-methods approach and five empirical work packages, I answer questions about which soft skills are valued in software engineering and how latent psychological theories influence security behaviours. Phase one investigates the value of psychologically rooted soft skills through explorations of graduate and educator perceptions. Success is supported by communication, teamwork, problem solving, and critical thinking. These are translated into latent psychological dimensions: Social Identity Theory and Dual Processing Theory of Decision Making. Phase two investigates risk perception around secure coding in line with dual processing, establishing a complex but important relationship between cognitive reflection and unrealistic optimism for risk awareness. Security perceptions are explored through social identities, which modulate how developers represent security, resulting in complex constructions of software and personal responsibility. Identifying with others enhances developers' responsibility, but an absence of shared identities can lead to responsibility being rejected. A final study utilises dual processing theory to explain why security vulnerabilities are 'invisible' to developers, using a groundwork study and power analysis to emphasise the theory's potential to explain insecure behaviours. Phase one implications and identification of latent psychological dimensions reduce soft skill ephemerality and speak to improving software learning development processes. 
Phase two implications speak to enhanced theoretical understandings of how social and cognitive psychology can explain secure coding behaviours, practical applications of raising awareness of dangers of intuitive mindsets and improving responsibility through freelance platform gamification, and research implications such as power analyses. This thesis advances our current understanding of the human element in secure coding.

Item Type: Thesis (PhD)
Uncontrolled Keywords: Research Output Funding/yes_externally_funded
Subjects: yes - externally funded
ID Code: 232037
Deposited By:
Deposited On: 09 Sep 2025 11:10
Refereed?: No
Published?: Published
Last Modified: 17 Sep 2025 09:55