Will They Use It or Not? Investigating Software Developers’ Intention to Follow Privacy Engineering Methodologies

Published: 03 November 2019

Abstract

With increasing concerns over privacy in software systems, there is growing enthusiasm for methods that support the development of privacy-aware software systems. Inadequate privacy in software system designs could result in users losing their sensitive data, such as health information and financial information, which may cause financial and reputational loss. Privacy Engineering Methodologies (PEMs) are introduced into software development processes with the goal of guiding software developers to embed privacy into the systems they design. However, for PEMs to be successful, it is imperative that software developers have a positive intention to use PEMs. Otherwise, developers may attempt to bypass the privacy methodologies or use them partially and hence develop software systems that may not protect user privacy appropriately. To investigate the factors that affect software developers’ behavioural intention to follow PEMs, in this article, we conducted a study with 149 software developers. Findings of the study show that the usefulness of the PEM to the developers’ existing work is the strongest determinant of software developers’ intention to follow PEMs. Moreover, the compatibility of the PEM with their way of work and how the PEM demonstrates its results when used were also found to be significant. These findings provide important insights into the behaviour of software developers and how they perceive PEMs. The findings could be used to assist organisations and researchers to deploy PEMs and to design PEMs that are positively accepted by software developers.

Published in

ACM Transactions on Privacy and Security, Volume 22, Issue 4
November 2019
170 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3364835

Copyright © 2019 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 3 November 2019
• Accepted: 1 September 2019
• Revised: 1 August 2019
• Received: 1 March 2019

Qualifiers

• research-article
• Research
• Refereed