Increasing software security by using mental models

Abstract

Cybercrime is a global problem and the economic damages are enormous (Center for Strategic and International Studies. http://csis.org/ [1]). Identifying reasons for software vulnerabilities is an important issue with some researchers assuming software developers to be part of the problem. As most developers aren’t security experts they create insecure and thus vulnerable software. To avoid this, a tool that supports software developers in dealing with security issues should be developed. This work uses the structure formation technique (Scheele et al. in Dialog-Konsens-Methoden zur Rekonstruktion Subjektiver Theorien: die Heidelberger Struktur-Lege-Technik (SLT) (1988) [2]) as a first step to develop the mental models of software developers when dealing with security measures. A core definition of mental models is compiled and the results of a pilot study deliver valuable information for the supporting tool. In further research the developed mental models of novices’ (software developers) should be compared with the mental models of security experts. On this basis the reliability of the novices’ mental models can be reviewed and occurring problems identified.