{"id":"https://openalex.org/W4288057734","doi":"https://doi.org/10.1109/sp46214.2022.9833756","title":"How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study","display_name":"How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study","publication_year":2022,"publication_date":"2022-05-01","ids":{"openalex":"https://openalex.org/W4288057734","doi":"https://doi.org/10.1109/sp46214.2022.9833756"},"language":"en","primary_location":{"id":"doi:10.1109/sp46214.2022.9833756","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833756","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://discovery.ucl.ac.uk/10155845/1/2020_casa_usec_devs_cr.pdf","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5070432440","display_name":"Marco Gutfleisch","orcid":"https://orcid.org/0000-0003-1400-5825"},"institutions":[{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Marco Gutfleisch","raw_affiliation_strings":["Ruhr University Bochum,Germany","Ruhr University Bochum, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Ruhr University Bochum,Germany","institution_ids":["https://openalex.org/I904495901"]},{"raw_affiliation_string":"Ruhr University Bochum, Germany","institution_ids":["https://openalex.org/I904495901"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037107748","display_name":"Jan H. Klemmer","orcid":"https://orcid.org/0000-0002-6994-7206"},"institutions":[{"id":"https://openalex.org/I114112103","display_name":"Leibniz University Hannover","ror":"https://ror.org/0304hq317","country_code":"DE","type":"education","lineage":["https://openalex.org/I114112103"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Jan H. Klemmer","raw_affiliation_strings":["Leibniz University Hannover,Germany","Leibniz University Hannover, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Leibniz University Hannover,Germany","institution_ids":["https://openalex.org/I114112103"]},{"raw_affiliation_string":"Leibniz University Hannover, Germany","institution_ids":["https://openalex.org/I114112103"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5045109598","display_name":"Niklas Busch","orcid":"https://orcid.org/0000-0001-5621-8461"},"institutions":[{"id":"https://openalex.org/I114112103","display_name":"Leibniz University Hannover","ror":"https://ror.org/0304hq317","country_code":"DE","type":"education","lineage":["https://openalex.org/I114112103"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Niklas Busch","raw_affiliation_strings":["Leibniz University Hannover,Germany","Leibniz University Hannover, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Leibniz University Hannover,Germany","institution_ids":["https://openalex.org/I114112103"]},{"raw_affiliation_string":"Leibniz University Hannover, Germany","institution_ids":["https://openalex.org/I114112103"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074668699","display_name":"Yasemin Acar","orcid":"https://orcid.org/0000-0001-7167-7383"},"institutions":[{"id":"https://openalex.org/I4210096592","display_name":"Max Planck Institute for Security and Privacy","ror":"https://ror.org/00bj0r217","country_code":"DE","type":"facility","lineage":["https://openalex.org/I149899117","https://openalex.org/I4210096592"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Yasemin Acar","raw_affiliation_strings":["Max Planck Institute for Security and Privacy,Germany","Max Planck Institute for Security and Privacy, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Max Planck Institute for Security and Privacy,Germany","institution_ids":["https://openalex.org/I4210096592"]},{"raw_affiliation_string":"Max Planck Institute for Security and Privacy, Germany","institution_ids":["https://openalex.org/I4210096592"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5108226584","display_name":"M. Angela Sasse","orcid":"https://orcid.org/0000-0003-1823-5505"},"institutions":[{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"M. Angela Sasse","raw_affiliation_strings":["Ruhr University Bochum,Germany","Ruhr University Bochum, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Ruhr University Bochum,Germany","institution_ids":["https://openalex.org/I904495901"]},{"raw_affiliation_string":"Ruhr University Bochum, Germany","institution_ids":["https://openalex.org/I904495901"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087356408","display_name":"Sascha Fahl","orcid":"https://orcid.org/0000-0002-5644-3316"},"institutions":[{"id":"https://openalex.org/I114112103","display_name":"Leibniz University Hannover","ror":"https://ror.org/0304hq317","country_code":"DE","type":"education","lineage":["https://openalex.org/I114112103"]},{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sascha Fahl","raw_affiliation_strings":["Leibniz University Hannover,Germany","Leibniz University Hannover, Germany","CISPA Helmholtz Center for Information Security, Germany"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Leibniz University Hannover,Germany","institution_ids":["https://openalex.org/I114112103"]},{"raw_affiliation_string":"Leibniz University Hannover, Germany","institution_ids":["https://openalex.org/I114112103"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":4.4784,"has_fulltext":true,"cited_by_count":41,"citation_normalized_percentile":{"value":0.96128423,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"893","last_page":"910"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9976999759674072,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9929999709129333,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/usability","display_name":"Usability","score":0.7017847299575806},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6310213804244995},{"id":"https://openalex.org/keywords/usable","display_name":"USable","score":0.5973854064941406},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.5836552977561951},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.4872664213180542},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.46917015314102173},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.45889756083488464},{"id":"https://openalex.org/keywords/software-development-process","display_name":"Software development process","score":0.4534651041030884},{"id":"https://openalex.org/keywords/software-peer-review","display_name":"Software peer review","score":0.44329822063446045},{"id":"https://openalex.org/keywords/stakeholder","display_name":"Stakeholder","score":0.4429454505443573},{"id":"https://openalex.org/keywords/personal-software-process","display_name":"Personal software process","score":0.4414592385292053},{"id":"https://openalex.org/keywords/knowledge-management","display_name":"Knowledge management","score":0.43858349323272705},{"id":"https://openalex.org/keywords/process-management","display_name":"Process management","score":0.3458262085914612},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.34198564291000366},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3026440143585205},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.2482432723045349},{"id":"https://openalex.org/keywords/software-construction","display_name":"Software construction","score":0.23726391792297363},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.21415534615516663},{"id":"https://openalex.org/keywords/human\u2013computer-interaction","display_name":"Human\u2013computer interaction","score":0.20506387948989868},{"id":"https://openalex.org/keywords/public-relations","display_name":"Public relations","score":0.10400158166885376},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.08845019340515137},{"id":"https://openalex.org/keywords/political-science","display_name":"Political science","score":0.07394826412200928}],"concepts":[{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.7017847299575806},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6310213804244995},{"id":"https://openalex.org/C2780615836","wikidata":"https://www.wikidata.org/wiki/Q2471869","display_name":"USable","level":2,"score":0.5973854064941406},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.5836552977561951},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.4872664213180542},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.46917015314102173},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.45889756083488464},{"id":"https://openalex.org/C180152950","wikidata":"https://www.wikidata.org/wiki/Q2904257","display_name":"Software development process","level":4,"score":0.4534651041030884},{"id":"https://openalex.org/C74579156","wikidata":"https://www.wikidata.org/wiki/Q7554342","display_name":"Software peer review","level":5,"score":0.44329822063446045},{"id":"https://openalex.org/C201305675","wikidata":"https://www.wikidata.org/wiki/Q852998","display_name":"Stakeholder","level":2,"score":0.4429454505443573},{"id":"https://openalex.org/C39890963","wikidata":"https://www.wikidata.org/wiki/Q1702721","display_name":"Personal software process","level":5,"score":0.4414592385292053},{"id":"https://openalex.org/C56739046","wikidata":"https://www.wikidata.org/wiki/Q192060","display_name":"Knowledge management","level":1,"score":0.43858349323272705},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.3458262085914612},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.34198564291000366},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3026440143585205},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.2482432723045349},{"id":"https://openalex.org/C186846655","wikidata":"https://www.wikidata.org/wiki/Q3398377","display_name":"Software construction","level":4,"score":0.23726391792297363},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.21415534615516663},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.20506387948989868},{"id":"https://openalex.org/C39549134","wikidata":"https://www.wikidata.org/wiki/Q133080","display_name":"Public relations","level":1,"score":0.10400158166885376},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.08845019340515137},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.07394826412200928},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/sp46214.2022.9833756","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833756","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},{"id":"pmh:oai:eprints.ucl.ac.uk.OAI2:10155845","is_oa":true,"landing_page_url":"https://discovery.ucl.ac.uk/id/eprint/10155845/","pdf_url":"https://discovery.ucl.ac.uk/10155845/1/2020_casa_usec_devs_cr.pdf","source":{"id":"https://openalex.org/S4306400024","display_name":"UCL Discovery (University College London)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I45129253","host_organization_name":"University College London","host_organization_lineage":["https://openalex.org/I45129253"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"     In:  Proceedings of the 2022 IEEE Symposium on Security and Privacy (SP).  (pp. pp. 893-910).  IEEE (2022)     ","raw_type":"Proceedings paper"}],"best_oa_location":{"id":"pmh:oai:eprints.ucl.ac.uk.OAI2:10155845","is_oa":true,"landing_page_url":"https://discovery.ucl.ac.uk/id/eprint/10155845/","pdf_url":"https://discovery.ucl.ac.uk/10155845/1/2020_casa_usec_devs_cr.pdf","source":{"id":"https://openalex.org/S4306400024","display_name":"UCL Discovery (University College London)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I45129253","host_organization_name":"University College London","host_organization_lineage":["https://openalex.org/I45129253"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"     In:  Proceedings of the 2022 IEEE Symposium on Security and Privacy (SP).  (pp. pp. 893-910).  IEEE (2022)     ","raw_type":"Proceedings paper"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4288057734.pdf","grobid_xml":"https://content.openalex.org/works/W4288057734.grobid-xml"},"referenced_works_count":71,"referenced_works":["https://openalex.org/W1615506555","https://openalex.org/W1753385428","https://openalex.org/W1800552373","https://openalex.org/W1982451263","https://openalex.org/W2028171449","https://openalex.org/W2033811191","https://openalex.org/W2037202491","https://openalex.org/W2099889974","https://openalex.org/W2103370348","https://openalex.org/W2104859803","https://openalex.org/W2108353880","https://openalex.org/W2128551894","https://openalex.org/W2139179587","https://openalex.org/W2357927175","https://openalex.org/W2509067210","https://openalex.org/W2519682670","https://openalex.org/W2539276346","https://openalex.org/W2540735130","https://openalex.org/W2541261609","https://openalex.org/W2541640915","https://openalex.org/W2546061331","https://openalex.org/W2585818648","https://openalex.org/W2588952840","https://openalex.org/W2698406033","https://openalex.org/W2765843494","https://openalex.org/W2767943400","https://openalex.org/W2792247140","https://openalex.org/W2794659749","https://openalex.org/W2796056969","https://openalex.org/W2888915331","https://openalex.org/W2889126501","https://openalex.org/W2889482448","https://openalex.org/W2891114826","https://openalex.org/W2899061406","https://openalex.org/W2940466285","https://openalex.org/W2941123418","https://openalex.org/W2945001297","https://openalex.org/W2954460228","https://openalex.org/W2969602319","https://openalex.org/W2972780856","https://openalex.org/W2996275070","https://openalex.org/W3011354786","https://openalex.org/W3021192591","https://openalex.org/W3023580939","https://openalex.org/W3031020798","https://openalex.org/W3048561961","https://openalex.org/W3085848379","https://openalex.org/W3088431595","https://openalex.org/W3090212251","https://openalex.org/W3091507678","https://openalex.org/W3127779827","https://openalex.org/W3154021468","https://openalex.org/W3158201466","https://openalex.org/W3160726922","https://openalex.org/W3208153782","https://openalex.org/W4200290853","https://openalex.org/W4299818415","https://openalex.org/W4300948847","https://openalex.org/W6679151981","https://openalex.org/W6754257759","https://openalex.org/W6754285855","https://openalex.org/W6754369729","https://openalex.org/W6767406509","https://openalex.org/W6775681617","https://openalex.org/W6780313290","https://openalex.org/W6781832789","https://openalex.org/W6782847358","https://openalex.org/W6783752706","https://openalex.org/W6790477851","https://openalex.org/W6794922378","https://openalex.org/W7006072696"],"related_works":["https://openalex.org/W1559518392","https://openalex.org/W2186532739","https://openalex.org/W2018449243","https://openalex.org/W2134109003","https://openalex.org/W2951182348","https://openalex.org/W4211055703","https://openalex.org/W2905177625","https://openalex.org/W2468705748","https://openalex.org/W3182563779","https://openalex.org/W1987870723"],"abstract_inverted_index":{"For":[0],"software":[1,25,29,55,80,102,168],"to":[2,9,14,37,63,128,187],"be":[3,10,35],"secure":[4,54],"in":[5,49,52,105,124,167],"practice,":[6],"users":[7],"need":[8],"willing":[11],"and":[12,65,90,94,98,118,131,154,157,181,190],"able":[13],"appropriately":[15],"use":[16],"security":[17,68,97,166,189],"features.":[18],"These":[19],"features":[20,69],"are":[21,70],"usually":[22],"implemented":[23],"by":[24,174],"professionals":[26,81],"during":[27,100],"the":[28,39,101,136,158,162,195],"development":[30,103,122],"process":[31,104],"(SDP),":[32],"who":[33],"may":[34],"unable":[36],"consider":[38],"usability":[40,99],"of":[41,112,144,152,161,194],"these":[42,67],"mechanisms.":[43],"While":[44],"research":[45],"has":[46,60],"made":[47,71],"progress":[48],"supporting":[50],"developers":[51],"creating":[53],"products,":[56],"very":[57],"little":[58],"attention":[59],"been":[61],"paid":[62],"whether":[64],"how":[66,88],"usable.":[72],"In":[73,126],"a":[74,141],"semi-structured":[75],"interview":[76,113],"study":[77],"with":[78,96],"25":[79],"(software":[82],"developers,":[83],"designers,":[84],"architects),":[85],"we":[86,115,139],"explored":[87],"they":[89],"other":[91],"decision-makers":[92],"encounter":[93],"deal":[95],"their":[106],"companies.":[107],"Based":[108],"on":[109,164],"37":[110],"hours":[111],"recordings,":[114],"qualitatively":[116],"analyzed":[117],"investigated":[119],"23":[120],"distinct":[121],"contexts":[123],"detail.":[125],"addition":[127],"individual":[129],"awareness":[130],"factors":[132,184],"that":[133,185],"directly":[134],"influence":[135],"implementation":[137,160],"phase,":[138],"identify":[140],"high":[142],"impact":[143],"contextual":[145,183],"factors,":[146],"such":[147,178],"as":[148,179],"stakeholder":[149],"pressure,":[150],"presence":[151],"expertise,":[153],"collaboration":[155],"culture,":[156],"specific":[159],"SDP":[163],"usable":[165,188],"products.":[169],"We":[170],"conclude":[171],"our":[172],"work":[173],"highlighting":[175],"important":[176],"gaps,":[177],"studying":[180],"improving":[182],"contribute":[186],"discussing":[191],"potential":[192],"improvements":[193],"status":[196],"quo.":[197]},"counts_by_year":[{"year":2026,"cited_by_count":4},{"year":2025,"cited_by_count":10},{"year":2024,"cited_by_count":9},{"year":2023,"cited_by_count":15},{"year":2022,"cited_by_count":3}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}