Software Vulnerabilities as Cognitive Blindspots; assessing the suitability of a dual processing theory of decision making for secure coding


Abstract

Security vulnerabilities are present in many software systems, putting those who entrust software with their data in harm's way. Many vulnerabilities are avoidable, since they are not new and are well described. Despite this awareness, they remain widespread. One hypothesis for their persistence is that they represent software blindspots: problems that are implicit in the mental models of developers and thus escape attention (Brun et al., 2023; Oliveira et al., 2018). Our current understanding of how cognition influences secure coding is limited, and we address this by extending the hypothesis, suggesting that differences in decision-making approaches alter the ability to detect vulnerabilities. Through an empirical study and power analysis, we show the potential value of dual processing theory, in which individuals make decisions using one of two cognitive systems: a default system reliant on heuristics and intuitive mechanisms, and a more deliberate and computational interventionist system. This preregistered study replicates key predictions from previous blindspot research, extends the analysis towards cognition, and models effect sizes of variables that might impact software security. We complement this analysis with data simulations to expose the sample sizes that empirical studies would need in order to be highly powered in this domain.
