Distributing expertise between users and developers - SDP Breakout Padlet Summary - 09/11/2020


Key Themes

Self-efficacy, making the implicit explicit in relationships, open interdisciplinary discourse, accountability and trust.

Summary

The main problems stem from the difficulty of communication between disciplines. This opens up several further research questions.

One proposed solution is a dictionary of common terms. It would allow the different perspectives on security to be voiced and catered for, helping to ensure that people believe what they are building is secure by facilitating cross-disciplinary conversations. As touched on in the 'Threat modelling to bridge design and development' padlet, a shared lexicon makes it possible to talk openly and collaboratively across teams in an organisation and to bring more individual perspectives into the mix, so that more robust security can be built in. It would be worthwhile to test whether this also holds between users and developers, rather than only within the context of an organisation.

To grasp the perspectives of all stakeholders, identifying what is important to each of them is essential. This can be done through shared documentation, which gives visibility of every stakeholder's perspective. Where possible this allows common goals to be elicited and emphasised.

Barriers

  • Different groups and people have different vocabulary, perspectives and opinions on what is important
  • Stakeholders may lack the language to describe their requirements
  • Actual security vs perceived security: the two can diverge in either direction, and only one of them is visible to most users
  • Distributing expertise between all stakeholders, not just software developers and users

Opportunities

What could be, or is being, done to help distribute expertise between users and developers:

  • Training managers to support users
  • Involve users early in the process (this is in line with Agile practice)
  • Identify what is important - collate all stakeholders' perspectives and wants, then identify the priorities and the common goals
  • Peer networks - communication between organisations (Risk Ledger is a good example of this being used effectively, albeit for a slightly different use case)
  • Encourage communication and engagement between different groups instead of making assumptions about each other

Contact Information

If you have any questions or thoughts about this post, feel free to let me know at liam@netpaladin.co.uk and thanks for reading.