"I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students
This research addresses the problem of understanding how security mindsets form in future developers, which is incremental as it builds on prior observations of professionals.
The study investigated the security and privacy perceptions, experiences, and practices of Computer Science students, finding that their attitudes already align with those of professional developers, including hacker mindsets and trust in others' code.
The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional level developers. Students have a range of hacker and attack mindsets, lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other peoples' code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers.