Abstract
With increasing concerns over privacy in software systems, there is growing enthusiasm for developing methods that support the development of privacy-aware software systems. Inadequate privacy in software system designs could result in users losing their sensitive data, such as health information and financial information, which may cause financial and reputational loss. Privacy Engineering Methodologies (PEMs) are introduced into software development processes with the goal of guiding software developers to embed privacy into the systems they design. However, for PEMs to be successful, it is imperative that software developers have a positive intention to use them. Otherwise, developers may attempt to bypass the privacy methodologies or use them only partially, and hence develop software systems that may not protect user privacy appropriately. To investigate the factors that affect software developers’ behavioural intention to follow PEMs, in this article we conducted a study with 149 software developers. The findings show that the usefulness of the PEM to the developers’ existing work is the strongest determinant of software developers’ intention to follow PEMs. Moreover, the compatibility of the PEM with their way of work and how the PEM demonstrates its results when used were also found to be significant. These findings provide important insights into the behaviour of software developers and how they perceive PEMs. The findings could be used to assist organisations and researchers in deploying PEMs and designing PEMs that are positively accepted by software developers.
Will They Use It or Not? Investigating Software Developers’ Intention to Follow Privacy Engineering Methodologies