City Research Online

Software Vulnerabilities as Cognitive Blindspots; Assessing the Suitability of a Dual Processing Theory of Decision Making for Secure Coding

Ivory, M., Towse, J., Sturdee, M., Levine, M. & Nuseibeh, B. ORCID: 0000-0002-3476-053X (2026). Software Vulnerabilities as Cognitive Blindspots; Assessing the Suitability of a Dual Processing Theory of Decision Making for Secure Coding. ACM Transactions on Software Engineering and Methodology, doi: 10.1145/3806388

Abstract

Software vulnerabilities are present in many software systems, putting people who entrust software with their data in harm's way. Many vulnerabilities are avoidable since they are well documented, yet they remain widespread. One explanation for their persistence is that they represent software blindspots: problems that are implicit in the mental models of developers and which escape attention (Brun et al., 2023). Our current understanding of how attention and decision making influence specific secure coding behaviours is limited, and so we present a preregistered study to evaluate whether differences in decision making style affect blindspots and the identification of code vulnerabilities. Programmers were given code puzzles to complete, including some that contained vulnerabilities. Participants also completed the cognitive reflection test and measures of rational decision making. We replicate several key predictions from previous blindspot research, map the analysis onto dual-systems research, and describe effect sizes of psychological constructs. We then use data simulations to demonstrate the sampling required for highly powered empirical studies in this domain. We support previous findings that technical or cybersecurity expertise has little impact on the ability to detect vulnerabilities. We argue that dual processing theory helps to interpret security behaviours and the presence of software blindspots.

Publication Type: Article
Additional Information: Copyright © 2026 Copyright held by the owner/author(s). Publication rights licensed to ACM.
Publisher Keywords: security, cognitive psychology, dual processing theory, code comprehension, blindspots
Subjects: B Philosophy. Psychology. Religion > BF Psychology; Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Science & Technology
Full Text: Accepted Version (PDF)
