Published October 6, 2025 | Version v1

Characterizing the Security Culture of the Research Software Engineering Community

  • 1. University of Alabama
  • 2. Sandia National Laboratories

Description


The growing importance of research software heightens concerns about research software security, and those concerns will only intensify if they are not proactively addressed. Before any specific measures or interventions can be suggested, it is essential to understand the research software engineering (RSE) community’s security behaviors, competencies, and values, collectively referred to as its ‘security culture’ [1]. While studying the climate and culture of a group of people is not a new concept or research topic [2], to our knowledge no security culture research has been conducted within the RSE community.

In this study, we aim to characterize the security culture of the RSE community by replicating a prior survey conducted in the open-source software (OSS) community [3]. To broaden our sample, we distributed this survey to RSE community members in both the US and Germany. By replicating an existing survey, we can compare the RSE community’s responses with those of the open-source community, which shares some characteristics with RSE [4-5]. In addition to the original survey, we added a series of vignettes to gauge the RSE community’s knowledge and perception of threat modeling, a standard “shift-left” approach to security. In doing so, we gauge RSE interest in participating in security efforts and motivate future security research in the research software domain.

Ultimately, we surveyed 104 members of the RSE community in both the US and Germany. To characterize RSE security culture, we ask the following research questions:

RQ1: What is the security culture of the RSE community?

RQ2: How does the RSE community’s security culture compare with the Open-Source Community’s security culture?

RQ3: What is the perception among RSE community members on adopting threat modeling during development?

The primary contributions of this study are: 1) a novel characterization of the RSE community’s security culture, 2) an empirical comparison of the security culture of RSEs and OSS developers, and 3) recommendations for internal and external stakeholders to improve RSE security culture. This study is a first step toward tailoring “shift-left” security principles to address the unique challenges that RSEs face.

Files

US-RSE25.pdf (330.5 kB, md5:0b714b3b9d201bf08d6a3546df22cf3d)

Additional details

References

  • [1] Schlienger, Thomas, and Stephanie Teufel. "Information Security Culture: The Socio-Cultural Dimension in Information Security Management." 2002, pp. 191-202.
  • [2] Schneider, Benjamin, Mark G. Ehrhart, and William H. Macey. "Organizational Climate and Culture." Annual Review of Psychology, vol. 64, no. 1, 2013, pp. 361-388.
  • [3] Wen, Shao-Fang, Mazaher Kianpour, and Stewart Kowalski. "An Empirical Study of Security Culture in Open Source Software Communities." Proceedings of the 2019 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), 2019.
  • [4] Milewicz, Reed, Jeffrey Carver, Samuel Grayson, and Travis Atkison. "A Secure Future for Open-Source Computational Science and Engineering." Computing in Science & Engineering, vol. 24, no. 4, July-Aug. 2022, pp. 65-69, doi: 10.1109/MCSE.2022.3221877.
  • [5] Hasselbring, Wilhelm, et al. "Open Source Research Software." Computer, vol. 53, no. 8, 2020, pp. 84-88.