Graduation Year


Document Type




Degree Name

Doctor of Philosophy (Ph.D.)

Degree Granting Department

Computer Science and Engineering

Major Professor

Xinming Ou, Ph.D.

Committee Member

Adriana Iamnitchi, Ph.D.

Committee Member

Jarred Ligatti, Ph.D.

Committee Member

Yu Zhang, Ph.D.

Committee Member

Daniel Lende, Ph.D.


Ethnography, Secure Development, Situated Learning, Transportation Security


Cybersecurity is a pressing issue. Researchers have proposed numerous security solutions over the years in order to combat security issues but it is still common to find known, well understood security issues in production environments. In this thesis, I seek to find the underlying reasons to why existing security solutions and best practices are not consistently applied and how to improve the utilization of secure best practices. To this end, I adopt the anthropological research method of long term participant observation and embed myself in real-world settings in order to understand the existence of security issues and the perception of security from a “native’s point of view”.

First, I conducted an in-depth, six-month embedding in a traffic management center (TMC) of a mid-size city in the U.S. to gain first-hand knowledge of the cyber-security issues in vehicular transportation systems, which is a multi-disciplinary field with combined contributions from civil & transportation engineering, traffic engineering, electrical engineering, communications engineering, and computer science. We identify the existence of silos of different disciplines, making it difficult to understand and communicate the security impact one can have in the context of the whole transportation ecosystem. Based on our observations, we present a systematization framework which identifies key components, technologies, and stakeholders in the whole ecosystem which forms the basis for understanding attack scenarios, their impacts and mitigations. This methodology helps to put security analysis into the context of the transportation ecosystem and provides a common platform for communication to help break down the silos existing both in research and in practice.

Next, I conducted an eight-month long ethnographic study of a software development company to explore if and how a development team adopts security practices into the development lifecycle. This effort involved working as a software engineer and participating in all development activities as a new hire would. During the fieldwork, I observed a positive shift in the development team’s practice regarding secure development. Our analysis of data indicates that the shift can be attributed to enabling all software engineers to see how security knowledge could be applied to the specific software products they worked on. I also observed that by working with other developers to apply security knowledge under the concrete context where the software products were built, developers who possessed security expertise and wanted to push for more secure development practices (security advocates) were more effective in achieving this goal. Our data analysis point to an interactive learning process where software engineers acquire knowledge, apply it in practice, and contribute to the team, leading to the creation of a set of preferred practices which is often collectively referred to as “company culture.” This learning process can be understood through the lens of the situated learning framework, where it is recognized that knowledge transfer happens within a community of practice, and applying the knowledge is the key in individuals (software engineers) acquiring it and the community (the company) embodying such knowledge in its practice. Our data show that enabling a situated learning environment for security gives rise to security-aware software engineers. I discuss the roles of management and security advocates in driving the learning process to start a security culture in a software company.