{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,23]],"date-time":"2026-03-23T22:49:35Z","timestamp":1774306175355,"version":"3.50.1"},"reference-count":109,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T00:00:00Z","timestamp":1741737600000},"content-version":"vor","delay-in-days":70,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000038","name":"NSERC","doi-asserted-by":"publisher","award":["RGPIN-2021-03808"],"award-info":[{"award-number":["RGPIN-2021-03808"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000038","name":"NSERC","doi-asserted-by":"publisher","award":["SMFSA-566403-2022"],"award-info":[{"award-number":["SMFSA-566403-2022"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000038","name":"NSERC","doi-asserted-by":"publisher","award":["RGPIN-2023-04653"],"award-info":[{"award-number":["RGPIN-2023-04653"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Developing secure software remains a challenge for developers despite the availability of security resources and secure development tools. Common factors affecting software security include the developer\u2019s security awareness and the rationales behind their development decisions with respect to security. In this work, we conducted interviews with software developers to examine how developers in organizations acquire security knowledge, and what factors motivate or prevent developers from adopting software security practices. Our analysis reveals that developers\u2019 security knowledge and motivations are intertwined aspects that are both important for promoting security in development teams. We identified a variety of learning opportunities used by developers and employers for increasing security awareness, including in-context learning activities preferred by developers. Based on our application of the self-determination theory, better security outcomes are expected when developers are internally driven toward security, rather than motivated by external factors; this aligns with our interpretation of participants\u2019 descriptions relating to security outcomes within their teams. Based on our analysis, we provide ideas on how to motivate developers to internalize security and improve their security practices.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf005","type":"journal-article","created":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T15:34:22Z","timestamp":1741793662000},"source":"Crossref","is-referenced-by-count":1,"title":["Software security in practice: knowledge and motivation"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3306-0558","authenticated-orcid":false,"given":"Hala","family":"Assal","sequence":"first","affiliation":[{"name":"Department of Systems and Computer Engineering , 1125 Colonel By Drive, Ottawa, ON, K1S 5B6 ,","place":["Canada"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-2218-1935","authenticated-orcid":false,"given":"Srivathsan G","family":"Morkonda","sequence":"additional","affiliation":[{"name":"School of Computer Science, Carleton University , 1125 Colonel By Drive, Ottawa, ON, K1S 5B6 ,","place":["Canada"]}]},{"given":"Muhammad Zaid","family":"Arif","sequence":"additional","affiliation":[{"name":"School of Computer Science, Carleton University , 1125 Colonel By Drive, Ottawa, ON, K1S 5B6 ,","place":["Canada"]}]},{"given":"Sonia","family":"Chiasson","sequence":"additional","affiliation":[{"name":"School of Computer Science, Carleton University , 1125 Colonel By Drive, Ottawa, ON, K1S 5B6 ,","place":["Canada"]}]}],"member":"286","published-online":{"date-parts":[[2025,3,12]]},"reference":[{"key":"2025062507145873400_bib1","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/VIZSEC.2016.7739576","article-title":"Cesar: visual representation of source code vulnerabilities","volume-title":"2016 Symposium on Visualization for Cyber Security (VizSec)","author":"Assal","year":"2016"},{"key":"2025062507145873400_bib2","doi-asserted-by":"crossref","first-page":"334","DOI":"10.1109\/EuroSP.2017.14","article-title":"Efficient and flexible discovery of PHP application vulnerabilities","volume-title":"2017 European Symposium on Security and Privacy (EuroS&P)","author":"Backes","year":"2017"},{"key":"2025062507145873400_bib3","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1109\/MSP.2004.111","article-title":"Static analysis for security","volume":"2","author":"Chess","year":"2004","journal-title":"IEEE Secur Priv"},{"key":"2025062507145873400_bib4","doi-asserted-by":"crossref","first-page":"248","DOI":"10.1145\/2786805.2786812","article-title":"Questions developers ask while diagnosing potential security vulnerabilities with static analysis","volume-title":"Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering. ESEC\/FSE 2015","author":"Smith","year":"2015"},{"key":"2025062507145873400_bib5","first-page":"241","article-title":"Is secure coding education in the industry needed? An investigation through a large scale survey","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET)","author":"Espinha Gasiba","year":"2021"},{"key":"2025062507145873400_bib6","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1002\/spe.2774","article-title":"Interventions for long-term software security: creating a lightweight program of assurance techniques for developers","volume":"50","author":"Weir","year":"2020","journal-title":"Software Pract Exp"},{"key":"2025062507145873400_bib7","article-title":"Microsoft Security Development Lifecycle","author":"Microsoft Corp"},{"key":"2025062507145873400_bib8","article-title":"Mandiant Unveils M-Trends 2023 Report, Delivering Critical Threat Intelligence Directly from the Frontlines","author":"Mandiant","year":"2023"},{"key":"2025062507145873400_bib9","article-title":"CVSS Severity Distribution Over Time","author":"NIST"},{"key":"2025062507145873400_bib10","article-title":"Hackers Remotely Kill a Jeep on the Highway\u2014With Me in It","author":"Greenberg","year":"2015"},{"key":"2025062507145873400_bib11","article-title":"Hackers discover that vulnerabilities are rife in the auto industry","author":"Gitlin","year":"2023"},{"key":"2025062507145873400_bib12","article-title":"Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System","author":"Radcliffe","year":"2011"},{"key":"2025062507145873400_bib13","article-title":"Hackers Turn Smart Fridges into Cryptocurrency Miners, Causing Global Kitchen Meltdown","author":"Pance","year":"2024"},{"key":"2025062507145873400_bib14","article-title":"NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments","author":"Blank","year":"2012"},{"key":"2025062507145873400_bib15","article-title":"Why Johnny Can\u2019t Encrypt: A Usability Evaluation of PGP 5.0","volume-title":"USENIX Security Symposium","author":"Whitten","year":"1999"},{"key":"2025062507145873400_bib16","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1109\/SecDev.2016.013","article-title":"You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users","volume-title":"2016 Cybersecurity Development (SecDev)","author":"Acar","year":"2016"},{"key":"2025062507145873400_bib17","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1109\/MSP.2016.111","article-title":"Developers are Not the Enemy!: The Need for Usable Security APIs","volume":"14","author":"Green","year":"2016","journal-title":"IEEE Secur Priv"},{"key":"2025062507145873400_bib18","doi-asserted-by":"crossref","DOI":"10.1109\/EuroSPW.2019.00021","article-title":"A Survey on Developer-Centred Security","volume-title":"2019 European Symposium on Security and Privacy Workshops (EuroS&PW)","author":"Tahaei","year":"2019, 129-38"},{"key":"2025062507145873400_bib19","first-page":"59","article-title":"SoK: Human, Organizational, and Technological Dimensions of Developers\u2019 Challenges in Engineering Secure Software","volume-title":"Proceedings of the 2021 European Symposium on Usable Security","author":"Mokhberi"},{"key":"2025062507145873400_bib20","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1145\/2663887.2663898","article-title":"Technical and Personal Factors Influencing Developers\u2019 Adoption of Security Tools","volume-title":"Proceedings of the 2014 ACM Workshop on Security Information Workers, SIW \u201914","author":"Witschey","year":"2014"},{"key":"2025062507145873400_bib21","first-page":"1095","article-title":"Social Influences on Secure Development Tool Adoption: Why Security Tools Spread","volume-title":"Proceedings of the 17th ACM Conference on Computer Supported Cooperative Work and Social Computing, CSCW \u201914","author":"Xiao","year":"2014"},{"key":"2025062507145873400_bib22","first-page":"161","article-title":"Why do programmers make security errors?","volume-title":"2011 Symposium on Visual Languages and Human-Centric Computing (VL\/HCC)","author":"Xie","year":"2011"},{"key":"2025062507145873400_bib23","article-title":"Passwords Found in the Wild for January 2013","author":"Marshall"},{"key":"2025062507145873400_bib24","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1145\/1595676.1595691","article-title":"The Developer is the Enemy","volume-title":"Proceedings of the 2008 New Security Paradigms Workshop, NSPW \u201908","author":"Wurster","year":"2008"},{"key":"2025062507145873400_bib25","first-page":"109","article-title":"Understanding Security Mistakes Developers Make: Qualitative Analysis from Build It, Break It, Fix It","volume-title":"Proceedings of the 29th USENIX Conference on Security Symposium","author":"Votipka","year":"2020"},{"key":"2025062507145873400_bib26","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1145\/2664243.2664254","article-title":"It\u2019s the Psychology Stupid: How Heuristics Explain Software Vulnerabilities and How Priming Can Illuminate Developer\u2019s Blind Spots","volume-title":"Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC \u201914","author":"Oliveira","year":"2014"},{"key":"2025062507145873400_bib27","doi-asserted-by":"crossref","first-page":"804","DOI":"10.1109\/ARES.2009.163","article-title":"Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?","volume-title":"2009 International Conference on Availability, Reliability and Security","author":"Baca","year":"2009"},{"key":"2025062507145873400_bib28","article-title":"Security in the Software Development Lifecycle","volume-title":"Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)","author":"Assal","year":"2018"},{"key":"2025062507145873400_bib29","article-title":"Motivations and Amotivations for Software Security","volume-title":"SOUPS Workshop on Security Information Workers (WSIW)","author":"Assal","year":"2018"},{"key":"2025062507145873400_bib30","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1109\/MS.2019.2945300","article-title":"Taking the Middle Path: Learning About Security Through Online Social Interaction","volume":"37","author":"Lopez","year":"2020","journal-title":"IEEE Software"},{"key":"2025062507145873400_bib31","first-page":"810","article-title":"Software Security during Modern Code Review: The Developer\u2019s Perspective","volume-title":"Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/FSE 2022","author":"Braz","year":"2022"},{"key":"2025062507145873400_bib32","article-title":"Learning by expanding","author":"Engestr\u00f6m","year":"1987","journal-title":"Center for Activity Theory and Developmental Work Research"},{"key":"2025062507145873400_bib33","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511812774","volume-title":"Perspectives on Activity Theory","author":"Engestr\u00f6m","year":"1999"},{"key":"2025062507145873400_bib34","first-page":"17","article-title":"Activity theory as a potential framework for human-computer interaction research","author":"Kuutti","year":"1996","journal-title":"Context and Consciousness: Activity Theory and Human-Computer Interaction"},{"key":"2025062507145873400_bib35","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1080\/13639080020028747","article-title":"Expansive Learning at Work: Toward an activity theoretical reconceptualization","volume":"14","author":"Engestr\u00f6m","year":"2001","journal-title":"Journal Educ Work"},{"key":"2025062507145873400_bib36","volume-title":"Activity Theory","author":"O\u2019Connor","year":"2015"},{"key":"2025062507145873400_bib37","doi-asserted-by":"crossref","DOI":"10.1007\/978-1-4899-2271-7","volume-title":"Intrinsic Motivation and Self-Determination in Human Behavior","author":"Deci","year":"1985"},{"key":"2025062507145873400_bib38","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1037\/0003-066X.55.1.68","article-title":"Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being","volume":"55","author":"Ryan","year":"2000","journal-title":"Am Psychol"},{"key":"2025062507145873400_bib39","doi-asserted-by":"crossref","DOI":"10.1521\/978.14625\/28806","volume-title":"Self-determination theory: Basic psychological needs in motivation, development, and wellness","author":"Ryan","year":"2017"},{"key":"2025062507145873400_bib40","doi-asserted-by":"publisher","first-page":"599","DOI":"10.1111\/j.1467-6494.1992.tb00922.x","article-title":"Intrinsic, Extrinsic, and Amotivational Styles as Predictors of Behavior: A Prospective Study","volume":"60","author":"Vallerand","year":"1992","journal-title":"J Pers"},{"key":"2025062507145873400_bib41","doi-asserted-by":"crossref","DOI":"10.1145\/3548606.3560569","article-title":"Understanding the How and the Why: Exploring Secure Development Practices through a Course Competition","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Fulton","year":"2022"},{"key":"2025062507145873400_bib42","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1109\/CSAC.2004.41","article-title":"The Trustworthy Computing Security Development Lifecycle","volume-title":"20th Annual Computer Security Applications Conference.","author":"Lipner","year":"2004"},{"key":"2025062507145873400_bib43","article-title":"Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study","volume-title":"Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, SOUPS\u201921","author":"Fulton","year":"2021"},{"key":"2025062507145873400_bib44","first-page":"1317","article-title":"Less is More: Supporting Developers in Vulnerability Detection during Code Review","volume-title":"Proceedings of the 44th International Conference on Software Engineering, ICSE \u201922","author":"Braz","year":"2022"},{"key":"2025062507145873400_bib45","article-title":"Code Reviewing as Methodology for Online Security Studies with Developers: A Case Study with Freelancers on Password Storage","volume-title":"Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, SOUPS\u201921","author":"Danilova","year":"2021"},{"key":"2025062507145873400_bib46","first-page":"1","article-title":"\u201cIf you want, I can store the encrypted password\u201d: A Password-Storage Field Study with Freelance Developers","volume-title":"Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, CHI \u201919","author":"Naiakshina","year":"2019"},{"key":"2025062507145873400_bib47","doi-asserted-by":"crossref","DOI":"10.1145\/3377811.3380394","article-title":"Schr\u00f6dinger\u2019s Security: Opening the Box on App Developers\u2019 Security Rationale","volume-title":"2020 IEEE\/ACM 42nd International Conference on Software Engineering (ICSE)","author":"van der Linden","year":"2020"},{"key":"2025062507145873400_bib48","article-title":"Skills and Characteristics of Successful Cybersecurity Advocates","volume-title":"Workshop on Security Information Workers, Symposium on Usable Privacy and Security (SOUPS)","author":"Haney","year":"2017"},{"key":"2025062507145873400_bib49","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3589951","article-title":"A Narrative Review of Factors Affecting the Implementation of Privacy and Security Practices in Software Development","volume":"55","author":"Nurgalieva","year":"2023","journal-title":"ACM Comput Surv"},{"key":"2025062507145873400_bib50","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1080\/01972243.2019.1583296","article-title":"Engineering Privacy by Design: Are engineers ready to live up to the challenge?","volume":"35","author":"Kathrin Bednar","year":"2019","journal-title":"Inform Soc"},{"key":"2025062507145873400_bib51","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1109\/EnCyCriS52570.2021.00013","article-title":"Understanding Developer Security Archetypes","volume-title":"2021 IEEE\/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","author":"Ryan","year":"2021"},{"key":"2025062507145873400_bib52","doi-asserted-by":"publisher","first-page":"600","DOI":"10.1109\/JPROC.2018.2866769","article-title":"Inside the Organization: Why Privacy and Security Engineering Is a Challenge for Engineers","volume":"107","author":"Spiekermann","year":"2019","journal-title":"Proc IEEE"},{"key":"2025062507145873400_bib53","first-page":"136","article-title":"One Size Does Not Fit All: A Grounded Theory and Online Survey Study of Developer Preferences for Security Warning Types","volume-title":"Proceedings of the ACM\/IEEE 42nd International Conference on Software Engineering, ICSE \u201920","author":"Danilova","year":"2020"},{"key":"2025062507145873400_bib54","doi-asserted-by":"crossref","DOI":"10.1145\/3411764.3445616","article-title":"Security Notifications in Static Analysis Tools: Developers\u2019 Attitudes, Comprehension, and Ability to Act on Them","volume-title":"Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, CHI \u201921","author":"Tahaei","year":"2021"},{"key":"2025062507145873400_bib55","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1109\/SP.2017.52","article-title":"Comparing the Usability of Cryptographic APIs","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Acar","year":"2017"},{"key":"2025062507145873400_bib56","doi-asserted-by":"crossref","DOI":"10.1109\/ARES.2016.103","article-title":"An Empirical Study on the Relationship between Software Security Skills, Usage and Training Needs in Agile Settings","volume-title":"2016 11th International Conference on Availability, Reliability and Security (ARES)","author":"Oyetoyan","year":"2016"},{"key":"2025062507145873400_bib57","article-title":"An Analysis of the Role of Situated Learning in Starting a Security Culture in a Software Company","volume-title":"Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, SOUPS\u201921","author":"Tuladhar","year":"2021"},{"key":"2025062507145873400_bib58","author":"Stack Overflow - Where Developers Learn, Share, and Build Careers"},{"key":"2025062507145873400_bib59","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1109\/SP.2017.31","article-title":"Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Fischer","year":"2017"},{"key":"2025062507145873400_bib60","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1109\/SP.2016.25","article-title":"You Get Where You\u2019re Looking for: The Impact of Information Sources on Code Security","volume-title":"2016 IEEE Symposium on Security and Privacy (SP)","author":"Acar","year":"2016"},{"key":"2025062507145873400_bib61","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1007\/s13278-023-01171-z","article-title":"Cybersecurity Discussions in Stack Overflow: A Developer-Centred Analysis of Engagement and Self-Disclosure Behaviour","volume":"14","author":"D\u00edaz Ferreyra","year":"2024","journal-title":"Soc Netw Anal Mining"},{"key":"2025062507145873400_bib62","doi-asserted-by":"crossref","DOI":"10.1145\/3491102.3502095","article-title":"Understanding How Programmers Can Use Annotations on Documentation","volume-title":"Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, CHI \u201922","author":"Horvath","year":"2022"},{"key":"2025062507145873400_bib63","article-title":"An Exploratory Study of Sharing Strategic Programming Knowledge","author":"Arab","year":"2022","journal-title":"Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, CHI \u201922"},{"key":"2025062507145873400_bib64","doi-asserted-by":"crossref","first-page":"46","DOI":"10.1145\/3171533.3171539","article-title":"Developer-centered Security and the Symmetry of Ignorance","volume-title":"Proceedings of the 2017 New Security Paradigms Workshop, NSPW 2017","author":"Pieczul","year":"2017"},{"key":"2025062507145873400_bib65","first-page":"2489","article-title":"Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group","volume-title":"Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing, CSCW \u201917","author":"Poller","year":"2017"},{"key":"2025062507145873400_bib66","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1016\/j.ijhcs.2006.08.003","article-title":"Investigation of IS professionals\u2019 intention to practise secure development of applications","volume":"65","author":"Woon","year":"2007","journal-title":"Int J Hum-Comput Stud"},{"key":"2025062507145873400_bib67","article-title":"From Needs to Actions to Secure Apps? The Effect of Requirements and Developer Practices on App Security","volume-title":"Proceedings of the 29th USENIX Conference on Security Symposium","author":"Weir","year":"2020"},{"key":"2025062507145873400_bib68","first-page":"262:1","article-title":"Security During Application Development: An Application Security Expert Perspective","volume-title":"Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, CHI \u201918","author":"Thomas","year":"2018"},{"key":"2025062507145873400_bib69","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1109\/CESSER-IP.2019.00014","article-title":"Talking About Security with Professional Developers","volume-title":"2019 IEEE\/ACM Joint 7th International Workshop on Conducting Empirical Studies in Industry (CESI) and 6th International Workshop on Software Engineering Research and Industrial Practice (SER&IP)","author":"Lopez","year":"2019"},{"key":"2025062507145873400_bib70","doi-asserted-by":"crossref","first-page":"370","DOI":"10.1007\/978-3-030-86797-3_25","article-title":"CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments","volume-title":"Innovation Through Information Systems","author":"Gasiba","year":"2021"},{"key":"2025062507145873400_bib71","first-page":"1","article-title":"Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs","volume-title":"Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, CHI \u201920","author":"Gorski","year":"2020"},{"key":"2025062507145873400_bib72","first-page":"394","article-title":"Characterizing Software Engineering Work with Personas Based on Knowledge Worker Actions","volume-title":"2017 ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)","author":"Ford","year":"2017"},{"key":"2025062507145873400_bib73","article-title":"The discovery of grounded theory: strategies for qualitative research","author":"Glaser","year":"1967"},{"key":"2025062507145873400_bib74","first-page":"179","article-title":"A Taxonomy of Software Types to Facilitate Search and Evidence-based Software Engineering","volume-title":"Proceedings of the 2008 Conference of the Center for Advanced Studies on Collaborative Research: Meeting of Minds, CASCON \u201908","author":"Forward","year":"2008"},{"key":"2025062507145873400_bib75","article-title":"Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory","author":"Strauss","year":"1998"},{"key":"2025062507145873400_bib76","article-title":"Recognition of Non-formal and Informal Learning - Home","author":"Organisation for Economic Co-operation and Development (OECD)"},{"key":"2025062507145873400_bib77","doi-asserted-by":"publisher","first-page":"300","DOI":"10.1063\/1.37526","article-title":"Formal, non-formal and informal education: concepts\/applicability","volume":"173","author":"Dib","year":"1988","journal-title":"AIP Conf Proc"},{"key":"2025062507145873400_bib78","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1348\/000709900158001","article-title":"Non-formal learning and tacit knowledge in professional work","volume":"70","author":"Eraut","year":"2000","journal-title":"Brit J Educ Psychol"},{"key":"2025062507145873400_bib79","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1007\/s10956-006-9027-1","article-title":"Bridging In-school and Out-of-school Learning: Formal, Non-Formal, and Informal Education","volume":"16","author":"Eshach","year":"2007","journal-title":"J Sci Educ Technol"},{"key":"2025062507145873400_bib80","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/s11412-015-9220-4","article-title":"Conceptualizing the Intersubjective Group","volume":"10","author":"Stahl","year":"2015","journal-title":"Int J Comput Supp Collab Learn"},{"key":"2025062507145873400_bib81","article-title":"National Vulnerability Database","author":"NIST"},{"key":"2025062507145873400_bib82","author":"CVE - Common Vulnerability Exposures"},{"key":"2025062507145873400_bib83","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1016\/j.cose.2011.12.001","article-title":"Unrealistic optimism on information security management","volume":"31","author":"Rhee","year":"2012","journal-title":"Comput Secur"},{"key":"2025062507145873400_bib84","article-title":"Cross Site Scripting (XSS)","author":"OWASP"},{"key":"2025062507145873400_bib85","article-title":"The security development lifecycle: SDL, a process for developing demonstrably more secure software","author":"Howard","year":"2006"},{"key":"2025062507145873400_bib86","article-title":"43 Percent of Cyber Attacks Target Small Business","author":"Sophy","year":"2016"},{"key":"2025062507145873400_bib87","article-title":"Vulnerability Anti-Patterns: A Timeless Way to Capture Poor Software Practices (Vulnerabilities)","volume-title":"Pattern Languages of Programs Conference","author":"Nafees","year":"2017"},{"key":"2025062507145873400_bib88","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1007\/978-3-319-62105-0_9","article-title":"Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities","volume-title":"Engineering Secure Software and Systems","author":"Nafees","year":"2017"},{"key":"2025062507145873400_bib89","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1109\/SP.2017.31","article-title":"Stack Overflow Considered Harmful? The Impact of Copy Paste on Android Application Security","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Fischer","year":"2017"},{"key":"2025062507145873400_bib90","article-title":"Cybersecurity Has a Serious Talent Shortage. Here\u2019s How to Fix It","author":"van Zadelhoff"},{"key":"2025062507145873400_bib91","article-title":"OWASP CTF Project","author":"OWASP"},{"key":"2025062507145873400_bib92","article-title":"Cyber Security Capture The Flag (CTF): What Is It?","author":"Harmon"},{"key":"2025062507145873400_bib93","article-title":"CTF? WTF?","author":"CTFtime"},{"key":"2025062507145873400_bib94","doi-asserted-by":"publisher","first-page":"331","DOI":"10.1002\/job.322","article-title":"Self-determination theory and work motivation","volume":"26","author":"Gagn\u00e9","year":"2005","journal-title":"J Organ Behav"},{"key":"2025062507145873400_bib95","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1016\/j.tate.2017.03.001","article-title":"Rewards, praise, and punitive consequences: Relations with intrinsic and extrinsic motivation","volume":"65","author":"Bear","year":"2017","journal-title":"Teach Teach Educ"},{"key":"2025062507145873400_bib96","doi-asserted-by":"publisher","first-page":"439","DOI":"10.1080\/00313830802346314","article-title":"Effects of Reward on Self-regulation, Intrinsic Motivation and Creativity","volume":"52","author":"Selart","year":"2008","journal-title":"Scand J Educ Res"},{"key":"2025062507145873400_bib97","article-title":"Survey reveals AI\u2019s impact on the developer experience","author":"Shani","year":"2023"},{"key":"2025062507145873400_bib98","article-title":"2024 Developer Survey","author":"Overflow"},{"key":"2025062507145873400_bib99","doi-asserted-by":"publisher","first-page":"e22039","DOI":"10.14742\/apubs.2022.39","article-title":"Developing feedback literacy capabilities through an ai automated feedback tool","author":"Tubino","year":"2022","journal-title":"Ascilite Publ"},{"key":"2025062507145873400_bib100","doi-asserted-by":"crossref","DOI":"10.24251\/HICSS.2023.201","article-title":"What\u2019s to Automate? A Task Analysis of AI-enabled Start-ups","author":"Schulte-Althoff","year":"2023","journal-title":"Proc 56th Hawaii Int Conf System Sci"},{"key":"2025062507145873400_bib101","first-page":"2785","article-title":"Do Users Write More Insecure Code with AI Assistants?","volume-title":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201923","author":"Perry","year":"2023"},{"key":"2025062507145873400_bib102","article-title":"How Secure is Code Generated by ChatGPT?","author":"Raphael Khoury and Anderson R. Avila and Jacob Brunelle and Baba Mamadou Camara","year":"2023"},{"key":"2025062507145873400_bib103","doi-asserted-by":"crossref","first-page":"754","DOI":"10.1109\/SP46214.2022.9833571","article-title":"Asleep at the Keyboard? Assessing the Security of GitHub Copilot\u2019s Code Contributions","volume-title":"2022 IEEE Symposium on Security and Privacy (SP)","author":"Pearce","year":"2022"},{"key":"2025062507145873400_bib104","doi-asserted-by":"crossref","DOI":"10.3389\/fdata.2024.1386720","article-title":"A systematic literature review on the impact of AI models on the security of code generation","volume":"7","author":"Negri-Ribalta","year":"2024","journal-title":"Front Big Data"},{"key":"2025062507145873400_bib105","article-title":"LLM Top 10 for LLMs v1.1","author":"OWASP","year":"2024"},{"key":"2025062507145873400_bib106","doi-asserted-by":"crossref","DOI":"10.1145\/3658644.3690283","article-title":"Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns","volume-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","author":"Klemmer","year":"2024"},{"key":"2025062507145873400_bib107","first-page":"2149","article-title":"On the Robustness of Code Generation Techniques: An Empirical Study on GitHub Copilot","volume-title":"Proceedings of the 45th International Conference on Software Engineering, ICSE \u201923","author":"Mastropaolo","year":"2023"},{"key":"2025062507145873400_bib108","article-title":"Survey Surfaces Widespread Reliance on Generative AI Among Developers","author":"Vizard","year":"2024"},{"key":"2025062507145873400_bib109","first-page":"1","article-title":"ChatGPT: Challenges and Benefits in Software Programming for Higher Education","volume":"16","author":"Silva","year":"2024","journal-title":"Sustainability"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf005\/62386596\/tyaf005.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf005\/62386596\/tyaf005.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,25]],"date-time":"2025-06-25T11:15:22Z","timestamp":1750850122000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf005\/8071721"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":109,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf005","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf005"}}