{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,21]],"date-time":"2026-05-21T16:54:33Z","timestamp":1779382473921,"version":"3.53.1"},"reference-count":71,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833756","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"893-910","source":"Crossref","is-referenced-by-count":38,"title":["How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study"],"prefix":"10.1109","author":[{"given":"Marco","family":"Gutfleisch","sequence":"first","affiliation":[{"name":"Ruhr University Bochum,Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jan H.","family":"Klemmer","sequence":"additional","affiliation":[{"name":"Leibniz University Hannover,Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Niklas","family":"Busch","sequence":"additional","affiliation":[{"name":"Leibniz University Hannover,Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yasemin","family":"Acar","sequence":"additional","affiliation":[{"name":"Max Planck Institute for Security and Privacy,Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"M. Angela","family":"Sasse","sequence":"additional","affiliation":[{"name":"Ruhr University Bochum,Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sascha","family":"Fahl","sequence":"additional","affiliation":[{"name":"Leibniz University Hannover,Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134059"},{"key":"ref57","article-title":"The best laid plans or lack thereof: Security decision-making of different stakeholder groups","author":"shreeve","year":"2020","journal-title":"IEEE Transactions on Software Engineering"},{"key":"ref12","article-title":"Replication: On the Ecological Validity of Online Security Developer Studies: Exploring Deception in a Password-Storage Study with Freelancers","author":"danilova","year":"2020","journal-title":"Proc 16th Symposium on Usable Privacy and Security (SOUPS’20)"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3386908"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382205"},{"key":"ref59","article-title":"The Battle for New York: A Case Study of Applied Digital Threat Modeling at the Enterprise Level","author":"stevens","year":"2018","journal-title":"Proc 27th Usenix Security Symposium (SEC’18)"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/1357054.1357219"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3419101"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.102"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2015.65"},{"key":"ref11","author":"corbin","year":"2014","journal-title":"Basics of Qualitative Research Techniques and Procedures for Developing Grounded Theory"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.101"},{"key":"ref10","author":"cooper","year":"2014","journal-title":"About Face 2 0 The essentials of interaction design"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.110"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2335356.2335360"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702442"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.111"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243767"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978382"},{"key":"ref50","author":"pressman","year":"2015","journal-title":"Software Engineering A Practitioner’s Approach"},{"key":"ref46","article-title":"Usability Smells: An Analysis of Developers’ Struggle With Crypto Libraries","author":"patnaik","year":"2019","journal-title":"Proc 15th Symposium on Usable Privacy and Security (SOUPS’19)"},{"key":"ref45","article-title":"Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications","author":"oltrogge","year":"2021","journal-title":"Proc 30th Usenix Security Symposium (SEC’21)"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3171533.3171539"},{"key":"ref47","article-title":"Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat","author":"pearman","year":"2017","journal-title":"Proc 24th ACM Conference on Computer and Communication Security (CCS’17)"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/191666.191729"},{"key":"ref41","article-title":"A Stitch in Time: Supporting Android Developers in Writing Secure Code","author":"nguyen","year":"2017","journal-title":"Proc 24th ACM Conference on Computer and Communication Security (CCS’17)"},{"key":"ref44","article-title":"To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections","author":"oltrogge","year":"2015","journal-title":"Proc 24th Usenix Security Symposium (SEC’15)"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-08-052029-2.50007-3"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/2998181.2998191"},{"key":"ref8","article-title":"Security in the Software Development Lifecycle","author":"assal","year":"2018","journal-title":"Proc 14th Symposium on Usable Privacy and Security (SOUPS’18)"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300519"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.95"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/322796.322806"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev.2016.013"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.5430\/elr.v3n1p39"},{"key":"ref5","article-title":"Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness","author":"akhawe","year":"2013","journal-title":"Proc 22nd Usenix Security Symposium (SEC’13)"},{"key":"ref40","article-title":"Deception Task Design in Developer Password Studies: Exploring a Student Sample","author":"naiakshina","year":"2018","journal-title":"Proc 14th Symposium on Usable Privacy and Security (SOUPS’18)"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/CHASE.2019.00023"},{"key":"ref34","article-title":"Keepers of the Machines: Examining How System Administrators Manage Software Updates For Multiple Machines","author":"li","year":"2019","journal-title":"Proc 15th Symposium on Usable Privacy and Security (SOUPS’19)"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376791"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884790"},{"key":"ref31","article-title":"I Have No Idea What I’m Doing” - On the Usability of Deploying HTTPS","author":"krombholz","year":"2017","journal-title":"Proc 26th Usenix Security Symposium (SEC’17)"},{"key":"ref30","article-title":"If HTTPS Were Secure, I Wouldn’t Need 2FA” - End User and Administrator Mental Models of HTTPS","author":"krombholz","year":"2019","journal-title":"Proc 40th IEEE Symposium on Security and Privacy (SP’19)"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3368826.3377905"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115707"},{"key":"ref2","article-title":"You Get Where You’re Looking For: The Impact of Information Sources on Code Security","author":"acar","year":"2016","journal-title":"Proc 37th IEEE Symposium on Security and Privacy (SP’16)"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.52"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134082"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300370"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/304851.304859"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.18"},{"key":"ref24","article-title":"We make it a big deal in the company”: Security Mindsets in Organizations that Develop Cryptographic Products","author":"haney","year":"2018","journal-title":"Proc 14th Symposium on Usable Privacy and Security (SOUPS’18)"},{"key":"ref68","article-title":"From Needs to Actions to Secure Apps? The Effect of Requirements and Developer Practices on App Security","author":"weir","year":"2020","journal-title":"Proc 29th Usenix Security Symposium (SEC’20)"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00053"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP.2019.00013"},{"key":"ref26","article-title":"A Large-Scale Interview Study on Information Security in and Attacks against Small and Medium-sized Enterprises","author":"huaman","year":"2021","journal-title":"Proc 30th Usenix Security Symposium (SEC’21)"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00094"},{"key":"ref69","article-title":"Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0","author":"whitten","year":"1999","journal-title":"Proc 8th Usenix Security Symposium (SEC’99)"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1080\/01449290310001624329"},{"key":"ref64","article-title":"Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It","author":"votipka","year":"2020","journal-title":"Proc 29th Usenix Security Symposium (SEC’20)"},{"key":"ref63","article-title":"Schrödinger’s Security: Opening the Box on App Developers’ Security Rationale","author":"van der linden","year":"2020","journal-title":"Proc 42nd IEEE\/ACM International Conference on Software Engineering (ICSE’20)"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3481357.3481512"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1002\/spe.2774"},{"key":"ref21","article-title":"Replication Package: “How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study","author":"gutfleisch","year":"2021"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00003"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3274361"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1515\/icom-2016-0026"},{"key":"ref29","author":"kotter","year":"2012","journal-title":"Leading Change"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833755"},{"key":"ref62","article-title":"Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System Administrators","author":"tiefenau","year":"2020","journal-title":"Proc 16th Symposium on Usable Privacy and Security (SOUPS’20)"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3173836"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833756.pdf?arnumber=9833756","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:28:54Z","timestamp":1699486134000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833756\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":71,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833756","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}