Ivory, Matthew and Towse, John and Sturdee, Miriam and Levine, Mark and Nuseibeh, Bashar (2026) Software Vulnerabilities as Cognitive Blindspots : assessing the suitability of a dual processing theory of decision making for secure coding. ACM Transactions on Software Engineering and Methodology. ISSN 1049-331X
Blindspots_TOSEM_1_.pdf - Accepted Version
Available under License Creative Commons Attribution.
Abstract
Software vulnerabilities are present in many software systems, putting people who entrust software with their data in harm's way. Many vulnerabilities are avoidable since they are well documented, yet they remain widespread. One explanation for their persistence is that they represent software blindspots: problems that are implicit in the mental models of developers and which escape attention (Brun et al., 2023). Our current understanding of how attention and decision making influence specific secure coding behaviours is limited, and so we present a preregistered study to evaluate whether differences in decision making style impact blindspots and the identification of code vulnerabilities. Programmers were given code puzzles to complete, including some that contained vulnerabilities. Participants also completed the cognitive reflection test and measures of rational decision making. We replicate several key predictions from previous blindspot research, map the analysis onto dual-systems research, and describe effect sizes of psychological constructs. We then model data simulations to demonstrate the sampling required for highly powered empirical studies in this domain. We support previous findings that technical or cybersecurity expertise has little impact on the ability to detect vulnerabilities. We argue that dual processing theory helps to interpret security behaviours and the presence of software blindspots.