Table C1. Motivations and amotivations of software security.

| Code | Description | Example Quote |
|---|---|---|
| Amotivation - Felt lack of competence | | |
| Lack of resources | The shortage of resources, e.g. budget and staff, needed to perform security tasks | “We don’t have that much manpower to explicitly test security vulnerabilities, [..] we don’t have those kind of resources. But ideally if we did have [a big] company size, I would have a team dedicated to find exploits, um, that sorta thing. But unfortunately we don’t.” |
| Lack of support | Inadequate security tools and processes, or the lack thereof | “We don’t have any formal process of like a code review, sitting down and talking about security risks.” |
| Amotivation - Lack of interest, relevance, value | | |
| Not my responsibility | Security is not part of my duties | “Developers are similar to me, they don’t care that much about security or it’s not part of their day to day job, therefore they don’t pay much attention to the security aspect of the code.” |
| Security is handled elsewhere | Security is another entity’s responsibility | “I usually don’t as a developer go to the extreme of testing vulnerability in my feature, that’s someone else’s to do.” |
| Induced passiveness | The surrounding environment causes passiveness toward security | “I don’t really trust them [my team members] to run any kind of like source code scanners or anything like that. I know I’m certainly not going to.” |
| No perceived loss | The lack of competition, expected repercussions, and loss | “I can introduce a big security issue and I definitely won’t be blamed that much for it.” |
| No perceived risk | The company or application type is perceived as not a valuable target for attacks | “For a small company, nobody will usually attack or compromise the vulnerabilities in your system. If something really bad happens, usually, you don’t really get enough [bad] reputation as well.” |
| Competing priorities | Other tasks compete for resources and are prioritized over security | “I have security issues that are frustrating, but I haven’t been able to deal with them yet. [...] It’s not something that we’ve been able to deal with yet, just cause of priorities with everything else.” |
| Amotivation - Defiance/Resistance to influence | | |
| Inflexibility | Resistance to new technology and being set in one’s ways | “[My team is] using a framework and these guys, they used the framework incorrectly, they didn’t like how certain part of this coding framework works and has been designed, so they decided to do things completely different than it [...] And I am sure it’s gonna result in a security risk down the line.” |
| Extrinsic Motivation - External | | |
| Audit fear | The presence of an overseeing and supervising entity | “One of the main reasons that they did [address security] was audits. I think they had to comply with certain security regulation standard, basically every quarter or so they’re being checked for compliance, therefore they had to make sure the auditors can’t find any issue during the penetration test.” |
| Business loss | Losses that a business can incur, e.g. losing customers, due to security issues | “We ended up ignoring security until we got a decent customer base where we were actually concerned that if our product was compromised, we will lose these customers.” |
| Pressure | Continuous pressure by superiors | “If they find a security issue, then you will be in trouble. Everybody will be at your back, and you have to fix it as soon as possible.” |
| Career advancement | Software security efforts and knowledge move employees up in the hierarchy | “When it comes time to do promotions or move throughout the scales and employment bands, the people with the higher knowledge on everything move up and the people who don’t necessarily, like, didn’t take those security training seriously, [...] they sort of stay in the same range.” |
| Extrinsic Motivation - Introjected | | |
| Prestige | Acknowledgement and preserving self-image | “Whenever somebody wants to find about you, then they go and check you in the employee website. Then, when they click your name and check, it shows a badge that you’re security certified, which gives you a good feeling.” |
| Extrinsic Motivation - Identified | | |
| Understanding the implications | Recognizing and understanding the potential implications of ignoring security | “Just understanding the implications, I guess, of what could happen [would motivate developers to be more security-oriented]. I know for me personally when I realized just how catastrophic something could be, just by making a simple mistake, or not even a simple mistake, just overlooking something simple, uhh, it changes your focus.” |
| Company reputation | The company and its employees care about their reputation and how customers perceive the company | “We need to know safe secure coding techniques, we need to know what paths the attackers might take, and have you fixed everything on your code and your code doesn’t have any vulnerabilities. [...] because finally, it is going to go under your logo.” |
| Shared responsibility | The responsibility for software security is shared among the different teams within the project | “[If we find a vulnerability,] we try not to say, ‘you personally are responsible for causing this vulnerability’. I mean, it’s a team effort, people looked at that code and they passed on it too, then it’s shared, really.” |
| Induced initiative | Opportunities may exist that lead developers to take the software security initiative | “When you see your colleagues actually spending time on something, you might think that ‘well, it’s something that’s worth spending time on’, but if you worked in a company that nobody just touches security then you might not be motivated that much.” |
| Extrinsic Motivation - Integrated | | |
| Professional responsibility | Feeling responsible as a professional | “I would hesitate to release anything that’s not functional and I also hesitate to release anything that had security concerns.” |
| Concern for users | Caring about users’ privacy and security | “I would not feel comfortable with basically having something used by end users that I didn’t feel was secure, or I didn’t feel respective of privacy, umm, so I would try very hard to not compromise on that.” |
| Intrinsic Motivation | | |
| Self-improvement | The interest in, and self-satisfaction from, improving one’s implementation | “And sometimes I will challenge [myself], that ‘okay, this time I’m going to submit [my code] for a review where nobody will give me a comment’, though that never happened, but still...” |