Understanding developers’ privacy and security mindsets via climate theory

EMPIRICAL SOFTWARE ENGINEERING (2021)

Abstract
Privacy and security by design are policy measures that guide software developers to engineer privacy and security solutions inherently into the software systems they develop. However, although these policy measures have been widely discussed and promoted over the years, recent studies still show a consistent underperformance of privacy and security practices in industry. This research follows previous findings that indicate the role the organizational work environments of developers play in forming their mindsets and behavior. Specifically, we aimed to explore the potential of using organizational climate theory for attaining a better understanding of developers’ perceptions and behaviors and the underlying forces affecting them, and to unveil the constructs that compose organizational privacy and security climates. To this end, we conducted interviews with 27 practitioners involved in developing software systems from 14 companies and qualitatively analyzed the collected data. Our findings indicate that software developers are faced with inconsistent and confusing cues conveyed by management and other parties in their work environment, many of which indicate that these facets are of relatively low priority, leading to perceptions and behaviors that are not in line with those expected and recommended by policy makers. Further, we show how these perceptions and behaviors can be explained by constructs of the organizational climate theory and how, based on our findings, organizational climate mechanisms can be used to go beyond understanding developers’ current privacy and security mindsets toward improving them, thereby leading to an effective implementation of privacy and security by design.
Keywords
Data protection, Privacy, Security, Privacy by design, Security by design, Organizational climate, Qualitative research