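% Usability studies on teaching undergraduate CS students to secure web
% applications against cross-site request forgery (CSRF): effect of example
% code, a testing tool, and pair work on security outcomes.
% The abstract is kept in the export's non-standard abstractNote field,
% which standard styles do not read.
@article{Sharman_Acemyan_Kortum_Wallach_2021,
  author       = {Sharman, Jonathan and Acemyan, Claudia and Kortum, Philip and Wallach, Dan},
  title        = {Bad Tools Hurt: Lessons for teaching computer security skills to undergraduates},
  journal      = {International Journal of Computer Science Education in Schools},
  volume       = {5},
  number       = {2},
  pages        = {74--92},
  year         = {2021},
  month        = dec,
  doi          = {10.21585/ijcses.v5i2.131},
  url          = {https://ijcses.org/index.php/ijcses/article/view/131},
  abstractNote = {Understanding why developers continue to misuse security tools is critical to designing safer software, yet the underlying reasons developers fail to write secure code are not well understood. In order to better understand how to teach these skills, we conducted two comparatively large-scale usability studies with undergraduate CS students to assess factors that affect success rates in securing web applications against cross-site request forgery (CSRF) attacks. First, we examined the impact of providing students with example code and/or a testing tool. Next, we examined the impact of working in pairs. We found that access to relevant secure code samples gave significant benefit to security outcomes. However, access to the tool alone had no significant effect on security outcomes, and surprisingly, the same held true for the tool and example code combined. These results confirm the importance of quality example code and demonstrate the potential danger of using security tools in the classroom that have not been validated for usability. No individual differences predicted one's ability to complete the task. We also found that working in pairs had a significant positive effect on security outcomes. These results provide useful directions for teaching computer security programming skills to undergraduate students.},
}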