Abstract: Human-centred Software Engineering and Cybersecurity are being impacted heavily, just like most other areas, by the emergence of generative AI technologies. How will generative AI help us achieve the key themes in HCSE&CS? How might generative AI get in the way / mean we DON’T achieve them? What are the key HCSE&CS issues with generative AI technologies? What are the key generative AI issues with HCSE&CS? What key future research and practice directions should we take to best synergize HCSE&CS and generative AI?
Bio: John Grundy is Australian Laureate Fellow and Professor of Software Engineering at Monash University where he leads the Human-centric Software Engineering (‘HumaniSE’) lab. He has published in the Automated Software Engineering conference and journal for the past 25 years. His key interests include human-centred software engineering theories, techniques and tools, and the use of various approaches to automation in software engineering. He is particularly interested in human-centric automated software engineering.
Software security continues to be a matter of concern for both end-users and developers, with the cost of potential lapses expected to become larger as software plays a larger role in society. Despite investments in secure coding training programmes, organisations are not achieving the expected success rate. An often overlooked reason for this among many others is that current training programmes are not tailored to consider the diversity among software developers as it relates to human aspects. In this research, data was gathered from software developers of various backgrounds on their perceptions of secure coding training, their expectations from and challenges with such a training program. The findings suggest that developers with personality traits of agreeableness tend to ignore secure coding standards. Additionally, developers with higher work experience tend to demand storage management, responsible use of privileges, security and privacy laws and testing topics to be included in the secure coding training. Furthermore, in terms of training structure, developers with higher openness tend to demand hands-on training to be included. The study’s findings seek to inform future researchers and organisations on factors to consider when designing adaptive secure coding programs that would address the needs of developers from different backgrounds.
The unique characteristics of IIoT, including heterogeneity, existence of legacy infrastructure, and critical operational requirements, demand tailored approaches to better comprehend and address security threats. A comprehensive investigation into the modelling and analysis of DoS attacks in IIoT is presented. Our research focuses on developing a DoS attack model for IIoT networks, facilitating effective analysis and response strategies. Additionally, we explore the mapping of these attacks to the MITRE ATT&CK framework, conduct simulations for attack scenarios, and collect data for analysis. By addressing the existing research gaps in DoS attack modelling for IIoT networks, such as limited research on Modbus TCP communications, lack of artifact extraction models, and mapping attacks to MITRE, we present a standardization of attack modeling. Our simulation platform encompasses physical processes, controllers, and devices interacting with each other, provides multidimensional data for artifact extraction, and fosters forensic investigations and analysis of attack impact. Overall, this research provides a deeper understanding of DoS attack vectors and vulnerabilities specific to IIoT networks, standardizes attack categorization and analysis through the MITRE framework, and facilitates deeper exploration of attack characteristics and behavior for digital forensic readiness.
Software applications play an increasingly critical role in various aspects of our lives, from communication and entertainment to business and healthcare. As these applications become more pervasive, the importance of considering human values in software development has gained significant attention. In this preliminary study, we investigate developers’ perceptions and experiences related to human values, with a focus on the human value of transparency. We interviewed five experienced developers and conducted thematic analysis to explore how developers perceive transparency, violations of transparency, and the process of fixing reported violations of transparency. Our findings reveal the significance of transparency as a fundamental value in software development, with developers recognising its importance for building trust, promoting accountability, and fostering ethical practices. Developers recognise the negative consequences of the violation of the human value of transparency and follow a systematic process to fix reported violations. This includes investigation, root cause analysis, corrective action planning, collaborative problem-solving, and testing and verification. These preliminary findings contribute to the understanding of transparency in software development and provide insights for promoting ethical practices.
Using digital devices and online products and services requires users to regularly authenticate themselves. Given that the vast majority of websites use passwords to authenticate users, this study focuses on the accessibility and inclusivity of this mechanism, using Universal Design Principles as a lens. Collecting and analysing autobiographical narrative data from 50 respondents, we use a qualitative approach to explore the views and experiences of senior citizens across various phases of website authentication. Our analysis uncovers barriers and challenges, leading to several undesirable consequences, when authentication is not accessible and inclusive. Our findings also show how users, many of whom have cognitive and other age-related infirmities which are seldom accommodated in authentication design, try to cope with these issues. We conclude by summarising how authentication may fail to align with the principles of universal design, arguing that this needs to be addressed to enhance authentication accessibility and inclusivity for all users.
Analysts in cybersecurity are responsible for monitoring and responding to security incidents in computer systems. They constantly need to acquire sophisticated skills to detect and mitigate sophisticated attacks such as multi-stage and multi-step network attacks (MSNA) that can last hours, days and even months. Unfortunately, there is a lack of MSNA datasets on which cybersecurity analysts can train themselves in this matter. Moreover, their inherent complexity makes it very difficult for cybersecurity analysts to detect them just by reading logs. This work presents a human-centric approach to create MSNA scenarios for training cybersecurity analysts on detecting concurrent MSNAs. To do this, we have designed NetWars to simulate a training scenario for cybersecurity analysts based on the attacks perpetrated by highly skilled teams during Capture The Flag events. During the training, cybersecurity analysts receive multiple concurrent MSNAs from 19 different attackers, where the trainee must decide which attack to prioritize for mitigation given that she has limited resources. We hypothesize that using a human-centric cybersecurity approach for cybersecurity analysts to learn about detecting and evaluating MSNA priorities would be better than using a traditional approach based on the outputs of intrusion detection systems. Results are encouraging: the tool’s adoption also yielded a remarkable 95% success rate in generating accurate answers. The usability of the NetWars prototype was highlighted by the users.