… released by the FBI and the Computer Security Institute (CSI), over 70% of all attacks on sensitive data and resources reported by organizations occurred from within the organization itself. Implementing an internal security policy appears to be just as important as an external strategy. The objective of this report is to highlight the necessity of internal processes and policy alongside technology when managing and mitigating risk. The author narrates the problems of security from the unseen forces in an individual that influence thought, behavior and personality. Once organizations truly understand the psychology behind the motivations of software engineers and developers, risk analysis and risk management strategies will become more efficient. The research contained in this report establishes that there is some connection between nurture/nature and the development and engineering of software. With this information, organizations of all sizes can better prepare for the threats that they face in the realm of information technology. Computers do not yet have the intelligence to question human reasoning, understand the human psyche and then take action based upon logical deduction. The subject matter for this dissertation is based on the author's own personal working experiences, modules taught in the Master of Software Engineering and course materials used.
Table of Contents
Chapter I. Introduction
Introduction
Background Information
Purpose of the Study
Research Questions
Limitations and Assumptions
Definition of Key Terms
Chapter II Literature Review
Introduction
Practical Software Engineering
People and Security
Major Threats
Malware and Botnets
Thieves
Employees
Social Networks
Outsource partners
Phishing
Cell Phones
Spamming
Hackers
Who becomes a Hacker
Why do people hack into computer systems
Security Risk Analysis and Management
Risk Analysis
Risk Management
Security Principles
Summary
Chapter III Research Design and Methodology
Design and Methodology
Problem and Purpose Overview
Research Questions
Data Analysis
Organization of Data Analysis
Chapter IV Analysis of Data
Nature vs. Nurture
Nature vs. nurture in Software engineering
Linguistic Relativity
Neuroplasticity
Major Software Engineering Failures
Summary
Chapter V Findings, Conclusions and Implications
Findings
Conclusions
Implications
Chapter I. Introduction
Introduction
Throughout the history of mankind there has been a perpetual movement towards the development of tools that make life easier to maneuver. Since the industrial age there has been a rapid increase in the development and use of technologically advanced tools including calculators, remote controls and computers. Although inventions in the aforementioned areas have expanded rapidly and with little hesitation, securing these systems has proven to be more problematic. That is, technology has developed at a faster pace than have the mechanisms needed to ensure that technology is properly controlled.
Indeed, information technology has changed the manner in which the world operates and the way that business is conducted. These changes have led to expansive global implications in the spheres of business and society. The increased dependency on technology has also increased the need for security. In turn, the need for security has transformed the field of software engineering. Organizations that are now extremely dependent upon information technology also have the need to protect the information that is transferred via this technology. For this reason an increased emphasis has been placed on risk analysis and risk management within the realm of IT security.
Additionally, as it pertains to protecting computer systems and networks, there must also be an emphasis placed on software engineering. This emphasis is necessary because a greater understanding of why people create certain types of software is needed to determine how to deal with the risks associated with the distribution of malicious software. That understanding is gained by viewing human behavior through the prism of the nature vs. nurture dichotomy. Once organizations understand how human behavior influences the interaction that people have with computers, they can formulate a holistic risk management system that will allow for the better mitigation of risks.
Background
Many of the firms that I worked for invest significant sums of money per annum into technology, with the newfound belief that software creates the competitive advantage and brings business value to the marketplace. These assets, some of which are tangible, require many forms of security to protect them from vandals, hackers, thieves and yes, even competitors. It is the traditional techniques of using hardware and software to manage this risk that the author believes to be the underlying problem of safekeeping their information commodities.
There is not yet a computer with the artificial intelligence to understand that one person accessing a system with another person's credentials may be cause for suspicion. It cannot discuss this with another peer computer or explain the extrasensory feelings it has to its human superior. It does not have the ability to correlate the company's compliance rule regarding computer access against the activity a person is performing on a machine it knows does not belong to that person. Just as computers need rules and boundaries in order to operate, so do people; as a society we remain sure of this. We cannot, however, assume that the person knows the consequences of their actions and understands that what they are doing may be wrong based upon the rules which have been put in place by the company. We have to educate and teach first, discipline and enforce last.
Statement of the Problem
Within organizations a significant amount of the IT budget is spent on securing computer systems and networks. There are a plethora of threats that organizations face from within and from without. In today's economic environment organizations are faced with having to secure computer systems with smaller budgets. As such the type of security that is offered must be evaluated more carefully through the use of risk analysis and risk management. These tools assist organizations in gathering information that will allow them to make better decisions concerning the securing of computer systems.
In addition, while there has been a great deal of research related to the issue of nature vs. nurture strictly within the realm of human development, little research has been dedicated to the role of nature and nurture within the discipline of software engineering. Understanding the factors that cause individuals to create certain types of software can assist in helping organizations to better evaluate risks and mitigate those risks. At the current time approaches associated with risk analysis, risk management and IT security fail to incorporate the role that the human mind plays in the development of software. Moreover, they fail to take into consideration why people commit crimes against computer systems. The answer as to why these crimes are committed is key to mitigating the risks posed by such crimes.
Purpose of the Study
The purpose of the study is to investigate the role of nurture vs. nature in software engineering. The research will focus on whether or not the software that individuals create is an extension of their assumptions and values. The research will also focus on the ways in which organizations can secure their computer systems once they understand the types of threats that their security systems need to address. Overall, the research will provide organizations with a more holistic way of conducting risk analysis and risk management procedures. Such a holistic approach will give the organizations an opportunity to better secure their systems and to avert financial disaster.
Research Questions
The research questions for this investigation are as follows:
1. What leads hackers to commit computer crimes?
2. How are risk management and risk analysis impacted by security threats?
3. Does an individual's genetic makeup and social upbringing (nature and nurture) have a definitive role to play in software engineering?
4. Do traits and imperfections act as extensions of ourselves, thus becoming a part of the things we create?
5. How can the impact of genetic makeup and social upbringing on software engineering be analyzed so that the risk involved can be mitigated and managed?
Limitations and Assumptions
The research to be presented assumes that the securing of computer systems is an important factor to consider within the context of risk analysis and risk management. The research also assumes that software development and engineering is influenced by human behavior shaped by nature or nurture. That is, the research assumes that the software that is created may be closely tied to the mind of the developer or engineer.
Definition of Key Terms
Computer Network - computers linked together through cables or a wireless connection for the purpose of communicating with one another ("PC Basics").
Computer System - An operational unit, composed of computers and related software. These computers utilize the same storage for all or some part of a program or data needed to operate the program. The system also "executes user-written or user-designated programs, and (c) performs user-designated data manipulation, including arithmetic and logic operations. A computer system may be a stand-alone system or may consist of several interconnected systems ("computer system")."
Hacking - Gaining illegal access to computers ("Hack").
Human Behavior - an assortment of behaviors seen in human beings that are influenced by attitudes, culture, emotions, ethics, authority, values, rapport, persuasion, coercion and heredity. The behavior of human beings falls within a specific range and some behaviors are "common, some unusual, some acceptable, and some outside acceptable limits ("Human Behavior")."
Human Development - behavioral shifts in human beings that take place during the course of an entire lifespan ("Human Behavior").
Risk Analysis - the activity of determining and analyzing the dangerous natural and human-caused negative events. This analysis takes into consideration the risks these events pose to businesses, individuals and governments. Within the domain of information technology, risk analysis reports are utilized to tailor technology-related objectives with an organization's business objectives. Such reports are either quantitative or qualitative ("What is Risk analysis").
Risk Management - includes policies, procedures, and practices needed to identify, analyze, assess, control, and avoid, minimize, or eliminate intolerable risks. An organization may use risk retention, risk assumption, risk avoidance, risk transfer, or any other strategy to efficiently manage events that might occur in the future ("Risk Management").
Summary
The correlation between software development, risk analysis, risk management and human behavior is a complex association. This multidimensional approach to addressing the issue of IT security requires the explanation of several complicated concepts. This chapter has established what the following research endeavors to uncover. Now that the premise of the research has been established let us review some of the literature devoted to the aforementioned topics.
Chapter II Literature Review
Introduction
Software engineering, risk analysis and management, and security threats are all issues that affect organizations. The purpose of this literature review is to explore these issues in greater detail. The literature review will provide some insight into the factors that affect IT security. Let us begin by discussing practical software engineering.
Practical Software Engineering
Petkovic, Thompson & Todtenhoefer (2006) explain that changes associated with the globalization of software development necessitate newer ways of teaching software engineering. SE is defined as "The application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software (Petkovic, Thompson & Todtenhoefer, 2006, 294)." In addition, according to a report entitled "Software Engineering 2004: Curriculum Guidelines for Undergraduate Degree Programs in Software Engineering," software engineering education should merge computer science elements with engineering, coordination, teamwork, communication and project management matters (Petkovic, Thompson & Todtenhoefer, 2006, 294; "Software Engineering…," 2004).
Additionally, standards associated with the delivery of curriculum claim that there is a need for practical project and team-oriented exercises to be incorporated into a significant capstone project. The authors insist further that many studies have found that the majority of failures associated with delivering software "to specs, on time and budget, and to a user "satisfaction" were in misunderstanding user needs, poor design, planning and organization (Petkovic, Thompson & Todtenhoefer, 2006, 294)."
In addition to having the proper capabilities for businesses, software must also be engineered in a manner that ensures the security of the computer system/network on which it operates. In this way software engineering must be viewed in quite broad terms. Moreover, the training of software engineers must reflect the needs and security concerns that organizations face within the context of globalization and the widespread use of information technology. Now that practical software engineering has been discussed, let us focus on the issue of people and security.
People and Security
Attacks on Computer Systems
The increase in the use of computer systems and networks in recent years has resulted in an increase in attacks. These attacks are both internal and external. According to the National Institute of Standards and Technology, organizations of all sizes are vulnerable to security threats ("Small business Corner"). The institute even notes that the threat to small and medium sized businesses can be particularly problematic as they are the foundation of the nation's economy. The NIST reports that:
"In the special arena of information security, vulnerable SMBs also run the risk of being compromised for use in crimes against governmental or large industrial systems upon which everyone relies. SMBs frequently cannot justify an extensive security program or a full-time expert. Nonetheless, they confront serious security challenges and must address security requirements based on identified needs ("Small business Corner")."
Indeed, no organizations are immune to attack; in fact, even the organizations that are responsible for investigating computer crimes have experienced computer attacks. Currently, the FBI and the U.S. Marshals are dealing with a computer virus that has attacked the organizations' systems. According to Barrett (2009) "Law enforcement computers were struck by a mystery computer virus Thursday, forcing the FBI and the U.S. Marshals to shut down part of their networks as a precaution (Barrett, 2009)." The article explains that only the external networks of these organizations have been affected by this virus. These external networks do not contain sensitive data and the internal networks are still running smoothly. Although this security issue is still a serious problem, it is not as harmful as it could have been.
Major threats to Computer Systems
If an organization is to guard itself against attacks it must first understand the types of attacks that might be levied against it. According to Young (2008) there are several major threats to computer security. These threats are as follows:
Malware and Botnets. Botnets involve a number of computers that are connected to the internet and have been infiltrated to spread viruses and/or spam ("Botnet"). The owner of the computer is unaware that their system is being used to spread these harmful transmissions ("Botnet"). Botnets are also known as zombie armies because of the manner in which they are used by the creator of the spam or virus. The author explains that most botnet computers are home systems.
"According to a report from Russian-based Kaspersky Labs, botnets -- not spam, viruses, or worms -- currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion. Computers that are coopted to serve in a zombie army are often those whose owners fail to provide effective firewalls and other safeguards. An increasing number of home users have high speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army "controller" can unleash the effects of the army by sending a single command, possibly from an Internet Relay Channel (IRC) site ("Botnet")."
Although most of the computers used as botnets are home computers, the presence of botnets can be particularly devastating to companies, particularly those involved in ecommerce ("Botnet"). According to the article, the computers contained within the botnet can be programmed to redirect transmission to specific computers. This means that websites can actually be shut down as a result of having too much traffic caused by the redirected transmissions ("Botnet"). This is known as a distributed denial-of-service attack ("Botnet"). Such attacks are designed to disable a competitor's ability to make money ("Botnet"). At the same time such attacks may result in more money for the originator of the attack ("Botnet"). These types of attack are quite common amongst companies that operate solely on the internet.
In fact, according to the Georgia Tech Information Security Center, nearly 15% of online computers worldwide are part of botnets (Young, 2009). This percentage is actually 10% higher when compared to 2008 (Young, 2009). This type of malware is so detrimental and destructive because it is updated faster than the antivirus software that is designed to protect systems from such infiltration (Young, 2009). The article explains that "The bad guys can repack and rerelease their malicious code faster than the good guys can build and distribute antivirus signatures to identify and block it (Young, 2009)." The abundance of botnets and other forms of malware is indeed a major security issue that must be addressed in risk analysis and risk management (Young, 2009).
Thieves. Theft is another major concern for computer systems. Young (2009) explains that there has been a marked increase in the number of thefts involving computers containing sensitive data over the last five years. This type of theft has affected every type of organization from colleges to government agencies. In fact, in 2008 nearly thirty colleges reported the loss or theft of various computers containing sensitive data. The author explains that thefts are likely to increase as laptops and flash drives continue to decrease in size. For this reason it is recommended that organizations encrypt sensitive information so that thieves cannot access the data even if the flash drive or laptop is stolen.
Employees. Employees can also pose a major security risk to computer systems. In some cases employees have used their ability to access computer networks legitimately to get customer information such as credit card numbers (Young, 2009). This information has been sold and aided others in identity theft. In other instances employees have been responsible for stealing or losing laptops containing sensitive information. This information has included everything from social security numbers to top secret government files. In fact several reports have found that security breaches are more likely to come from inside of an organization than from hackers (Young, 2009).
Social Networks. Another major concern is social networking sites. These sites have become more popular in recent years and the risks that they pose have also become more evident. According to Young (2009) social networking sites are vulnerable to security problems related to phishing. In fact a study conducted by Indiana University found that phishing schemes were more likely to occur through social networking sites than through email. For this reason organizations must be aware of the types of sites that employees and other end users are accessing so that the appropriate security can be implemented.
Outsource partners. Outsourcing can also present a security risk for businesses and other organizations. This risk is present because organizations are now outsourcing more than ever before. With this outsourcing comes the placement of responsibility in the hands of a third party. In most cases these vendors do not pose a threat, but some vendors are not looking out for the best interests of their clients. For this reason, when using outsourcing, organizations must also keep security in mind and ensure that the vendor has the proper security mechanisms in place.
Phishing. Phishing is also a major security concern. According to the author:
"Phishing scams are getting more sophisticated. Some early e-mail messages that attempted to trick users into revealing passwords were littered with spelling errors or poor grammar, tipping people off that they were fakes. But today the bait is more lifelike. In a scheme that has emerged in the past year, scammers pretend to be college network officials asking recipients for their network ID's and passwords. Colleges are struggling to educate students and professors that they should never, ever give out their passwords via e-mail (Young, 2009)."
Cell Phones. Mobile phones are another major security concern. Cell phone usage has increased dramatically over the last decade. Newer cell phones are equipped with wireless internet capabilities (Young 2009). This means that anytime a user is in a wireless hotspot such as a university, airport or near a business with a wireless network, that network can be accessed (Young 2009). This makes organizations more vulnerable to attack, particularly if the protection that has been implemented to protect the network is inadequate. In addition hackers can create viruses specifically designed for use on cell phones (Young 2009). As cell phones increase in popularity and capabilities an increased amount of data will be stored on these phones. The author explains that these newer smart-phones are much more difficult to secure, because the software needed can run down a cell phone battery. With this understood they can cause a real problem with security (Young 2009).
Spamming. Spamming has also been a security concern for many years. According to Young (2009) spamming involves the sending out of unwanted or unsolicited emails in large numbers. Spamming is problematic because it can dramatically slow down the performance of a network. In addition employees or others using the computer systems have to deal with large amounts of unwanted emails.
The article also explains that spamming causes other network problems. These problems are most evident on college campuses when "some attackers aim at college networks to help them send more spam, by hijacking student computers and turning them into spam servers. So if spammers could be stopped, that would help reduce other kinds of network threats (Young 2009)."
Hackers. Although the aforementioned threats to computer security are serious and can be costly, one of the most imminent threats to computer systems is hackers. Hackers are people who use system vulnerabilities and conspicuously designed programs to hack into computer systems and networks throughout the world. Hackers cause a great deal of damage and cost organizations millions each year.
Computer security is needed and necessary because of the prevalence of those that seek to gain access to information through hacking. When hackers gain access to these computer systems not only is the personal information of the organization compromised, but the personal information of customers is also compromised.
- Why does a person hack computer systems? What makes them do this? Is there a median hacker age? What stats can prove this? If there is an age pattern would that be part of a process companies would implement to help prevent internal hacking based on age, gender, chemical makeup? What are the moral implications of such a thing?
In fact Pontell and Rosoff (2008) report that even though hacking was once thought to be a harmless prank, it has now become a serious economic crime with far reaching consequences. The authors explain that hacking has even become an act of terrorism. Hacking can lead to "viruses causing worldwide damage, security breaches, large-scale financial crimes, and the illegal copying, buying and selling software, movies, music cds, electronic games, and other forms of copyrighted material or intellectual property (Pontell & Rosoff 2008)."
Who becomes a Hacker
Although hackers are inclusive of a wide range of individuals, there is a definite pattern as it pertains to who becomes a hacker. Hackers tend to be overwhelmingly male. These men tend to be in their teens and twenties. The authors explain that because juveniles tend to commit hacking crimes that are not forms of terrorism, their antics are often overlooked. The authors assert that "serious computer crimes by juveniles have fallen between the theoretical cracks; criminologists have failed to account adequately for these new forms of deviance although the societal losses from such crimes are likely to far outweigh those of conventional delinquency (Pontell & Rosoff 2008)."
There are several cases of hacking that have revealed that the culprits were very young hackers. For instance, in February of 2000, the busiest ecommerce sites in the world were attacked during a two-day coordinated cyber attack. It was estimated that the damage done was well over $1 billion. The authors explain that this was a denial of service attack in which:
"The attacker hits a site so frequently that legitimate surfers can't get in. In distributed attacks the hackers take over a large number of computers connected to the Internet and force those computers to pound the site simultaneously. The subverted computers, called 'zombies,' respond to a single command from the attacker, who conveniently hides in anonymity while the zombies do the dirty work (Pontell & Rosoff 2008)."
Following the attack, the FBI launched an investigation to find out the origin of the attack. After a week of investigating, a 15-year-old boy was identified as the hacker known as Mafiaboy. The hacker was a ninth grader who was able to hack into computer systems but he also left an electronic trail. According to the authorities this particular hacker was known to authorities, but they did not believe that he had the know-how to hack into such important systems. According to the article Mafiaboy was arrested for mischief related to the hacking crime (Pontell & Rosoff 2008).
The article also reports that one of the reasons that Mafiaboy was caught had to do with his proclivity to brag about what he had done all over the internet. The article explains that "He left a trail of electronic bread crumbs, using Internet chat rooms to discuss his plans for attacking Web sites and then boast about having carried out the attacks (Johnson, 2000). He bragged that he had hacked big computers at major American universities, including Harvard and Yale ("Hacker 'Mafiaboy' pleads guilty," 2001), and utilized them to bombard the Web sites. Some of the hackers who read these postings called the FBI (Pontell & Rosoff 2008)."
It is evident that many hackers are young men in their teens and early twenties. For the most part young men that have been caught seem not to be fazed by what they have done and the trouble that they have caused. So then just what causes people to hack into computer systems? This question will be explored in the following section of this literature review.
Why do people hack into computer systems
One of the primary reasons for hacking into computers seems to be bragging rights. Research seems to suggest that hacking is nothing more than a sport in which those that are able to hack into the largest computer systems receive the greatest accolades. These accolades most often come from inside of the underground hacker community. Receiving such accolades occurred in the aforementioned case involving Mafiaboy. Although his hacking caused a great deal of harm and cost businesses a substantial amount of money, many hailed him as a "smarter-than-average computer geek with 1 foot in the doghouse and the other foot in the computer hall of fame (Pontell & Rosoff 2008)." Friends of the teenage boy claimed that he had their respect because he was able to shut down so many computers (Pontell & Rosoff 2008).
Although the accolades often occur amongst fellow hackers, in some instances hackers have actually been offered and received jobs in network security. Organizations such as banks pay these hackers to get access to their systems so that the organization knows the vulnerabilities of the system. Understanding these vulnerabilities allows companies to develop and implement software and hardware that eliminate the problems.
Security Risk Analysis and Management
Risk Analysis
The aforementioned security threats are one of the reasons why risk analysis and risk management are necessary. In addition, the nature of technology is such that constant changes necessitate that special attention be paid to Security Risk Analysis and Management.
"The structure and type of information technologies have changed enormously over last decade. The simple stand-alone batch applications evolved into distributed computing environments, including realtime control, multitasking and distributed processing. The process of information security risk analysis has also been affected by these enormous changes (Karabacak & Sogukpinar, 2004)."
According to the authors there are two kinds of risk analysis methods: quantitative and qualitative. A quantitative risk analysis method involves the use of statistics and mathematics to reflect the type of risks that will be taken. On the other hand, the qualitative risk analysis involves describing and explaining risks through adjectives as opposed to mathematics. The authors explain that risk analysis methods that use intensive quantitative measures are not efficient when analyzing information security risks.
At the current time the complex structure and abundant use of information technology has made it more difficult to secure. As such the "intensive mathematical measures used to model risk for complex environments make the process more difficult. Calculations performed during the risk analysis process are also very complex. Quantitative methods may not be able to model today's complex risk scenarios (Karabacak & Sogukpinar, 2004, 149)."
In addition risks analysis while methods that embrace a qualitative approach are more efficient as it pertains to addressing the risks associated with the current use of information systems such methods are still problematic. The author explains that qualitative methods tend to produce results that are inconsistent. Unlike the quantitative methods which utilize math and statistics tools, the qualitative method is largely subjective, based on the opinions of people. Therefore, results are not always accurate because they have opinion as a foundation instead of fact.
There are various examples of qualitative and quantitative risk analysis methods. For instance, Tuar is a quantitative tool, that utilizes fault trees and fuzzy logic to determine the risk that companies face (Bilbao, 1992; Karabacak & Sogukpinar, 2004). On the other hand RaMEX is a qualitative tool, that does not depend on mathematics or statistics (Kailey and Jarratt, 1995; Karabacak & Sogukpinar, 2004). The authors also explains that software can be used with both qualitative and quantitative risk analysis methods.
Risk analysis methods that are not supported by software are referred to as paper-based methods (Gordon, 1992; Karabacak & Sogukpinar, 2004). However, there are plenty of risk analysis methods that are implemented and managed through the use of software (Spinellis et al., 1999; Karabacak & Sogukpinar, 2004). The authors assert that software-based risk analysis methods do have some drawbacks, mainly costs. The implementation and management of a software-based approach to system analysis is more costly than a paper-based approach. The paper-based method usually consists of worksheets, discussions and meetings. The disadvantage associated with the paper-based method is the amount of time that it requires. The authors explain that the nature of the meetings often leads to the inability to get quick risk results (Karabacak & Sogukpinar, 2004).
In an effort to confront the complexities of information security, newer models of risk analysis have been developed. One such model is the Information Security Risk Analysis Method (ISRAM). This particular model is designed to take into consideration the ever-changing landscape of information technology. More specifically, ISRAM is designed to analyze the risks of complicated computer systems by permitting managers and staff to participate in assessing risks (Karabacak & Sogukpinar, 2004).
The authors explain that the ISRAM information risk analysis method is important because it takes into consideration the changing environment that is present as it pertains to information technology. The article further asserts that, in the technological environments of the time, risk analysis methods are composed of complex mathematical and statistical tools (Karabacak & Sogukpinar, 2004). In addition, such analysis might necessitate expert participation that may have to occur over a long period of time (Karabacak & Sogukpinar, 2004). The authors also explain that an efficient risk analysis process cannot consist only of qualitative measures, because the results may be biased (Karabacak & Sogukpinar, 2004). Additionally, risk analysis methods that do not have these characteristics may not meet the needs of organizations desiring to protect their computer systems (Karabacak & Sogukpinar, 2004). ISRAM is a quantitative, paper-based method that has the aforementioned characteristics. The underlying risk model of ISRAM is based on the fundamental risk formula that follows:
Risk = Probability of occurrence of security breach × Consequence of occurrence of security breach (NIST, 2001; McEvoy and Whitcombe, 2002; USGAO, 1999).
The authors further explain that
"ISRAM is basically a survey preparation and conduction process to assess the security risk in an organization. Two separate and independent survey processes are being conducted for two risk parameters in formula (2). The preparation and conduction of survey, so as the analysis of its results are defined according to the well-defined steps to yield the risk. Formula (2) represents these steps mathematically (Karabacak & Sogukpinar, 2004)."
In addition to ISRAM there are other risk analysis tools that can be used. The type of risk analysis tools or methods that are chosen by an organization should be a direct reflection of the needs of the organization.
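The survey-based process described above for ISRAM, with one survey per risk parameter and the two results multiplied, can be sketched as follows. This is an added example, not code from this report or from Karabacak & Sogukpinar; the questions, weights, the 0-to-4 answer range, the equal-width conversion to a 1-to-5 scale and the sample responses are all constructed assumptions.

```python
"""Survey-based risk scoring in the style described for ISRAM.
Added example: every question, weight and response below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    text: str
    weight: int          # importance of the question (assumed scale 1-3)
    max_answer: int = 4  # answers are scored 0..max_answer (assumed)


def participant_score(questions, answers):
    """Weighted sum of one participant's answers to one survey."""
    if len(questions) != len(answers):
        raise ValueError("one answer per question is required")
    total = 0
    for question, answer in zip(questions, answers):
        if not 0 <= answer <= question.max_answer:
            raise ValueError(f"answer {answer} out of range: {question.text!r}")
        total += question.weight * answer
    return total


def to_scale(score, questions, levels=5):
    """Map a weighted sum onto 1..levels with equal-width bands (assumption)."""
    max_score = sum(q.weight * q.max_answer for q in questions)
    if max_score == 0:
        raise ValueError("survey has no scorable questions")
    # The top score would land one band too high; clamp it into the last band.
    return min(levels - 1, score * levels // max_score) + 1


def survey_result(questions, responses):
    """Return (mean scale value, spread) over all participants of one survey."""
    if not responses:
        raise ValueError("at least one participant is required")
    scales = [to_scale(participant_score(questions, r), questions)
              for r in responses]
    return sum(scales) / len(scales), max(scales) - min(scales)


def assess(prob_questions, prob_responses, cons_questions, cons_responses):
    """Risk = probability x consequence, each from its own independent survey."""
    probability, prob_spread = survey_result(prob_questions, prob_responses)
    consequence, cons_spread = survey_result(cons_questions, cons_responses)
    return {
        "probability": probability,
        "consequence": consequence,
        "risk": probability * consequence,  # ranges from 1 to 25
        # A wide spread means participants disagree: the opinion-based
        # inputs are inconsistent and the result deserves a second look.
        "max_spread": max(prob_spread, cons_spread),
    }


# Constructed sample surveys (hypothetical questions and answers).
PROB_QUESTIONS = [
    Question("How often are security patches applied late?", 3),
    Question("How often are passwords shared between staff?", 2),
    Question("How often is removable media used on servers?", 1),
]
PROB_RESPONSES = [[4, 3, 2], [2, 2, 1], [1, 0, 4], [3, 2, 0]]

CONS_QUESTIONS = [
    Question("How much customer data would a breach expose?", 3),
    Question("How long would core services be unavailable?", 3),
    Question("How much outside help would recovery need?", 1),
]
CONS_RESPONSES = [[4, 4, 2], [3, 2, 1]]

if __name__ == "__main__":
    for key, value in assess(PROB_QUESTIONS, PROB_RESPONSES,
                             CONS_QUESTIONS, CONS_RESPONSES).items():
        print(f"{key}: {value}")
```

The spread value makes the subjectivity problem discussed earlier visible: staff and managers answering the same questions can land several scale steps apart.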
Risk Management
Once a risk analysis has taken place, the process of risk management must ensue. According to Stoneburner et al. (2002) all organizations have established a mission related to what the organization endeavors to achieve. At the current time organizations use technology as a tool to assist in the realization of a stated mission. With this understood, the capacity of an organization to manage risk in the realm of information technology is critical. The authors explain
"An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization (Stoneburner et al. 2002, 7)."
The authors also explain that there are three primary objectives associated with the risk management process. These objectives include:
1. More efficient securing of IT systems that store, process, or transmit the information of the organization (Stoneburner et al. 2002).
2. Enabling those in leadership positions to make knowledgeable risk management decisions that rationalize the amount of resources needed from the IT budget (Stoneburner et al. 2002).
3. Aiding managers in authorizing IT systems on the basis of the supporting documentation resulting from the process of risk management (Stoneburner et al. 2002).
The authors point out further that risk mitigation is an essential component of risk management. According to the authors
"Risk mitigation…involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission (Stoneburner et al. 2002, 27)."
There are several tactics that can be utilized to mitigate risks. These tactics include Risk Assumption, Risk Avoidance, Risk Limitation, Risk Planning, Research and Acknowledgment, and Risk Transference. The tactic that an organization uses is dependent upon the nature of the threat and the overall mission of the organization.
Security Principles
Security principles are essential to understanding the types of issues that firms are confronted with as it pertains to the use of information technology. Understanding these principles can assist companies in developing a risk management plan that is efficient and effective.
1. The system should be undecipherable;
2. The system should not require confidentiality and may be stolen by those that seek to do harm without resulting in negative consequences.
3. The employed security measure should be simple to communicate and shouldn't necessitate written notes, it should also be simple to adjust the keys with different participants.
4. The system should be well-suited for telegraph communication.
5. Portability should be possible, and should not require more than one individual;
6. The implementation of the system should be easy to use and must neither require stress of mind nor the knowledge of a long series of rules (Josang et al., 2007).
The primary goal of information security systems is to protect against unfavorable outcomes. The authors explain that
"Generally, the strength of a security system is determined by the weakest link. In many cases it is the human operator who represents the weakest link [16]. Social engineering attacks precisely target the human link, and represent a very effective attack vector. For example, reformed computer hacker Kevin Mitnick found that he never had to crack passwords by technical means, because he could always get them from people [12] (Josang et al., 2007)."
The authors further insist that security systems should be seen as socio-technical in their purpose. That is, security systems rely upon a social context to operate properly (Josang et al., 2007). With this understood, IT security systems can only supply the proper amount of protection when users understand the systems and utilize them in the proper manner (Josang et al., 2007).
The authors also posit that there is a very thin line between systems being considered theoretically secure and actually secure (Josang et al., 2007). The former assumes that the systems are functioning properly and the latter assumes that the system will not function properly (Josang et al., 2007).
In addition, there is usually a compromise that takes place between usability and theoretical security. For instance, the act of decreasing the amount of theoretical security to increase the amount of available actual security can be a significant gesture. The authors explain that
"the strongest passwords, from a theoretical perspective, are randomly generated. However, since it is very difficult to remember such passwords, people will write them down, and thereby undermine the system's security. Thus, it may be meaningful to allow people to choose passwords that are easier to remember. Although this reduces the theoretical strength of the passwords, it increases the security of the system as a whole (Josang et al., 2007)."
It is important to note that in most cases the compromise between theoretical security and usability is not normally viewed as a primary principle of security design (Josang et al., 2007).
In fact many researchers have asserted that such compromises in theoretical security are unnecessary when usability factors are considered during the design phase of the security system (Josang et al., 2007). There are some particular methods and processes of development that can be utilized so that the aforementioned compromises are not necessary. These methods can improve usability outcomes. These methods are known as the sustaining approach. The purpose of this approach is to develop user-friendly security because it does not challenge the foundation of the security building blocks, only how they are executed (Josang et al., 2007). The authors further explain that even with a development process that is devoted to usability design, some security building blocks are fundamentally inappropriate as it pertains to creating security solutions that are easy to use (Josang et al., 2007). Additionally, some authors have pointed out that when security building blocks have limited potential for being implemented as user friendly, it can be necessary to invent radically new security building blocks in order to create security systems that are user friendly (Josang et al., 2007).
Summary
A review of the literature began by describing software engineering and the need for the proper type of education. The literature asserts that instruction in software engineering should be consistent with the types of issues that organizations are addressing in a time of rapid technological change. If systems can be developed properly at the engineering level, security concerns would be less of a problem.
Overall the literature review also demonstrates that there are some definitive threats that organizations face and will continue to face well into the future. These threats are from without and from within. However, threats from inside an organization are usually more likely to occur. Threats from outside of the organization are likely to occur in the form of botnets and hackers. The research found that many hackers are young men in their teens and early twenties. Hackers who have managed to shut down many computers or cause a great deal of mayhem are given a great deal of attention. The attention comes from the hacker community and others. In fact companies have been known to hire hackers in an effort to improve their security systems.
The literature review reveals that risk analysis is a useful tool that can be utilized to determine what the specific risks are. Risk analysis can take on qualitative or quantitative methods. The research also asserts that the rapid changes in technology have birthed new types of risk analysis methods. These methods are more efficient at meeting the complex analysis needs that many businesses face. Once the type of risks that an organization faces is understood, the management of risks can be undertaken. Existing literature suggests that the risk management tactics that an organization uses are dependent upon the needs of the organization. The literature also suggests that risk mitigation is a key component of risk management.
Chapter III Research Design and Methodology
Design and Methodology
This research will utilize a secondary research methodology. That is, the information contained in the dissertation will be derived from existing sources. These sources include scholarly journals, books and internet sites. This particular method was chosen because it provides the most thorough and succinct information across a broad range of issues including software development, computer security and theories of human behavior. In addition, this method was chosen because it allows the researcher to compare and contrast the various opinions that have been formulated involving the aforementioned subject matter over time.
Although there are the aforementioned advantages associated with the methodology there are also some disadvantages. Chief among the disadvantages is the potential for misinterpreting the data. Since the researcher did not actually conduct the studies presented there is the possibility that outcomes will be misinterpreted.
Problem and Purposes Overview
Given the current economic environment organizations are faced with having to secure computer systems with smaller budgets. As such the type of security that is offered must be evaluated more carefully through the use of risk analysis and risk management. These tools assist organizations in gathering information that will allow them to make better decisions concerning the securing of computer systems. Additionally, even though there has been a great deal of research related to the issue of nature vs. nurture strictly within the realm of human development, little research has been dedicated to the role of nature and nurture within the discipline of software engineering. Understanding the factors that cause individuals to create certain types of software can assist in helping organizations to better evaluate risks and mitigate those risks.
The purpose of the study is to investigate the role of nurture vs. nature in software engineering. The research will focus on whether or not the software that individuals create is an extension of their assumptions and values. The research will also focus on the ways in which organizations can secure their computer systems once they understand the types of threats that their security systems need to address. Overall, the research will provide organizations with a more holistic way of conducting risk analysis and risk management procedures. Such a holistic approach will give the organizations an opportunity to better secure their systems and to avert financial disaster.
Research Questions
The research questions to follow remain identical to those written in chapter 1. These questions are as follows.
1. What leads hackers to commit computer crimes?
2. How is risk management and risk analysis impacted by security threats?
3. Does an individual's genetic makeup and social upbringing (nature and nurture) have a definitive role to play in software engineering?
4. Are traits and imperfections carried over to become part of the things we create?
5. How can the impact of genetic makeup and social upbringing on software engineering be analyzed so that the risk involved can be mitigated and managed?
Data Collection and Instrumentation
Data was collected over several weeks. The data was gathered via the library, the internet and internet databases. The data was collected from books, journals and internet sites. The majority of the internet sites that were accessed are federal government sites that provide specific information and statistics relevant to the topic being explored.
Chapter IV Data Analysis
Organization of Data Analysis
The data is divided into five sections. These sections are Nature vs. Nurture Debate, Nature vs. Nurture in Software Engineering, Linguistic Relativity, Neuroplasticity, and Major Software Engineering Failures. Each of these topics will be explored in great detail.
Analysis of Data
Over the next few paragraphs the data will be thoroughly examined and provide insight into how theories developed by social scientists can play a key role in the development of an appropriate risk management strategy. More specifically, the research will focus on the social science theories of Nature vs. Nurture and Linguistic Relativity. In addition, the analysis will focus on Neuroplasticity. Major Software Engineering Failures will also be explored in terms of why they happened and what could have been handled differently.
Nature vs. Nurture Debate
The theory of nature vs. nurture usually belongs to the sphere of social science. It is a debate that is thousands of years old. According to Gander (2003) this debate can be traced back to ancient Greece when it was presented as a conflict between phusis (nature) and nomos (law, culture and customs) (2).
The foundation of the debate involves three theories concerning human behavior. These theories include humans as spirits who have been endowed by their creator, humans as social beings influenced by their environment and humans as animals with instincts driven by nature. The first theory is difficult if not impossible to test because it is beyond the realm of science (Sherry, 2004). However the last two theories involve nurture vs. nature (Sherry, 2004). These are theories that have been thoroughly tested, but yet the debate rages on.
During the 19th century this debate became more intense with Darwin's publication entitled On the Origin of Species (Sherry, 2004). In this particular publication Darwin argues that human beings have an evolutionary nature. That is, Darwin
"theorized that human development is the result of a long chain of natural adaptation to the demands of the environment. In times of competitive scarcity, humans who possess adaptive characteristics survive and breed; those who do not die out (e.g., from lack of nourishment) without passing their genetic information to the next generation. The result is "survival of the fittest" in which the most adaptive characteristics are carried in the gene pool and maladaptive characteristics are eliminated (Sherry, 2004)."
Darwin also insisted that over substantial periods of time humans were better able to cope with their environment. Darwin believed that the adaptations of human beings involved not just physiological changes but also psychological changes involving emotions, behavior and memory (Sherry, 2004).
Darwin's argument about nature controlling evolution and human behavior became the source of argument for many intellectuals (Sherry, 2004). There were those that believed that his argument was valid. On the other hand, some opposed this idea of human evolution. Eventually Darwin's ideas became an integral part of psychological study. Some psychologists came to the conclusion that human development took place through a series of events that are determined by biology or nature (Sherry, 2004). That is, they believed that human development had as a foundation a biological explanation (Sherry, 2004). More specifically, G. Stanley Hall, who served as the first president of the American Psychological Association (APA), developed a theory of recapitulation which asserted that "physiological mechanisms move human development through a series of universal, predetermined stages mirroring humankind's evolutionary path from 'animal-like primitivism, through a period of savagery, to the more recent civilized ways of life that characterize maturity'" (Muuss, 1988, p. 21).
Initially researchers were mostly concerned with describing human development as opposed to creating a causal model for said development. As a result stage theory was developed (Sherry, 2004). The author explains that while stage theorists believed in the natural sequence of development, they did not abandon the idea that environment also plays a role in human development. In this way stage theory combines the theories of nature and nurture in explaining human development and behavior (Sherry, 2004). From the stage theory emerged many other theories including stages of cognitive development, stages of moral development, and stages of identity development (Sherry, 2004).
However, some psychologists who were proponents of Darwin's theory began to adhere to this theory of nature guiding human development in a more succinct and profound way than did stage theorists. For instance, William James believed that the mind of human beings was active and always adapting to the social environment (Dixon & Lerner, 1988). William James was different from stage theorists in that he believed that human beings were genetically different and possessed instincts. William James believed these instincts to be "natural impulses that could be used to respond to sensory demands of the environment and believed that they varied within the species (Sherry, 2004)."
The instincts identified by James include sucking, crying, imitation, vocalization, hunting, anger, sympathy, constructiveness, play, fears, jealousy, love, modesty and a whole host of other types of instincts. James asserted that these instincts were malleable according to two constructs (Sherry, 2004). As it pertains to the first construct, these instincts interact with the environment and as such they become long-term behaviors that are exhibited by human beings.
Additionally, instincts create impulses to engage in specific behaviors such as the playing of an instrument (Sherry, 2004). If the environment supports or encourages such behavior, the impulse or instinct becomes a habit and the person becomes a musician. However, if the environment fails to encourage the impulse it will dissolve. The second construct is that instincts are transitory (Sherry, 2004). This means that instincts are present and absent during the various stages of life. In addition, the instincts change in degree during the course of a lifespan (Sherry, 2004). For instance, instincts such as self-preservation and the need to eat last for a lifetime. However, instincts associated with marrying and raising children occur at a certain time in life and wane at other times. These ideas concerning instincts are harmonious with Darwin's assertions that "instincts that are most highly adaptive for human society become dominant across humankind (Sherry, 2004)."
In addition to the aforementioned view there are also the assertions made by behaviorists. This view involves the theory of environmental determinism. This theory is based on claims made by John Locke, who believed that people begin life as a blank slate (Sherry, 2004). He also asserted that human development involves the process of filling the slate. Locke asserted that environmental interactions are responsible for assisting individuals in receiving the information necessary for filling the slate (Sherry, 2004). This idea of environmental influence asserts that societal influence instead of biology is responsible for human development (Sherry, 2004). That is, this theory contends that nurture is responsible for human development instead of nature. In addition, this theory purports that the mother in particular can shape the development of children (Sherry, 2004).
The author further explains that many theories have evolved from the concept of nurture being essential to human development. This includes learning theories, social learning theories and environmental determinism (Sherry, 2004). In fact Watson, an environmental determinist, wrote
"Give me a dozen healthy infants, well-formed, and my own specified world to bring them up in, and I'll guarantee to take any one at random and train him to become any type of specialist I might select -- doctor, lawyer, artist, merchant-chief, and yes, even beggar man and thief, regardless of his talents, penchants, abilities, vocations, and the race of his ancestors. (Watson 1925, p. 82)"
The author explains that the foundation of Watson's argument was the desire to merge psychology with the natural sciences through placing emphasis on verifiable, objective and reproducible information based on observations (Sherry, 2004). Watson asserted that behavior that was not observable did not belong to the sphere of psychology that was reflective of natural science. In addition, Watson asserted that the theory of instincts purported by James was problematic because it could not be substantiated through observation.
Instead of simply listing characteristics of human behavior Watson wanted to offer a causal explanation for human behavior (Sherry, 2004). Watson asserted that the stages of human development happened as a result of sequential learning within the context of society. Watson believed that a child had the capacity to learn certain skills at an age younger than had been proposed by stage theorists (Sherry, 2004).
As it pertained to the aforementioned instincts, Watson asserted that
"there is no such thing as an inheritance of capacity, talent, temperament, mental constitution and characteristics (Watson 1925 pp. 74 -- 75)." Watson argued that these are simply learned responses. In fact he asserted that there were very few responses that were unlearned. He explains that unlearned responses include such things as crying, sneezing, erections, urination, smiling, and movement of extremities (Sherry, 2004).
Watson also argues that the instincts James lists are all developed as a result of training as opposed to some compelling instinct. The author also notes that although Watson was interested in human biology and physiology he differed in his beliefs concerning the influence of biology on human development. In short he believed that
"environment affected/changed biology, not the opposite, and therefore did not allow for an impact of biology on the behavior of the individual or on the environment/culture (Watson 1925; Sherry, 2004)."
The debate of nurture vs. nature has led to some extremely interesting theories about human beings. For instance, some eugenicists used the nature argument to assert that some races were inferior to others and therefore they should be destroyed.
However, Watson and many others argued that when children are raised in the same type of positive environment they will thrive regardless of race (Sherry, 2004). He argued that it is society and not biology that creates paradigms in which certain groups of people have difficulty succeeding (Sherry, 2004).
So then the nature vs. nurture debate expresses two separate opinions about human development. The nature argument asserts that the development of human beings is dependent upon biological factors. That is, people are shaped by instincts and by biological factors which come in the form of various stages that occur throughout one's lifespan. However, the nurture argument asserts that the environment or societal influence is the determinant of human development. In other words, people are shaped by the environment in which they live and not biological factors. Now that we have garnered an understanding of this particular argument, let us investigate the manner in which this debate has an influence upon software engineering.
Nature vs. nurture in Software engineering
Although this idea of nature vs. nurture developed from a context of human development, it has evolved to include questions about other spheres in which these ideas can be applied. One such sphere is software engineering. That is, an idea has emerged which purports that an individual's genetic makeup and social upbringing (both nature and nurture) have a definitive role to play in software engineering. This theory suggests that traits and imperfections are carried over to become part of the things we create. If so, how do we analyze this and what do we do to mitigate and manage the risk involved?
Indeed the concept of nurture vs. nature can be applied to other disciplines. For the purposes of this discussion we will seek to explain the application of the nurture vs. nature theory to software engineering. Although there is not a great deal of research that has been conducted in this area, there is some available research on this topic. For instance, Douglas () explains that various forms of technology are viewed as being discovered instead of being created. In addition, technology is not usually thought of as being something that is pliable and able to be fashioned into a technology through the vacillation of competing social interests.
"According to this view, technologies don't evolve; they more or less unfurl like a rolled carpet, bowling happily along the pathway already earmarked out for them workings of their own fundamental properties. It's an interesting and ultimately seductive argument, providing its proponents with something approximating an Olympian perspective on the technology working through time: once you get its inherent qualities down straight, you can safely predict exactly how it's going to function, regardless of the culture or context in which it is used (Douglas)."
The author explains that the nature argument for software development would assert that if technology is misused or customized to fit the interest of the creator it will withdraw. The nurture argument asserts that when technology is injected with the values and assumptions of the one creating the technology "it can become the instrument of those values, embodying them so effectively, you'll probably end up convincing yourself that they were present in its fundamental nature from the outset (Douglas)."
These two arguments are fundamental to understanding that software engineering is related to the theories of nature and nurture. On the one hand it can be assumed that software is born and any attempt to change its nature will end in failure of the technology. On the other hand the nurture argument asserts that the technology is created and can be given the values of the people who create the technology. In addition, when such values and assumptions are injected into a technological device they are so reflective of the individual(s) who created it that they appear to be an aspect of the fundamental nature of the technology.
So then on one end of the spectrum there is a belief that there is a natural state of technology that is simply born and there should be no attempts to alter it. On the other end of the spectrum is a belief that technology should be and is engineered in a way that is reflective of the values inherent in the person that engineered the technology. Which of these assertions is correct?
According to Douglas the nature argument is not without merit. He argues that the nature argument is definitive as it pertains to explaining processes over an expanse of time. That is, the nature argument is timeless and can explain the development of technology through many different time periods. In addition, the author explains that the nature assertions are global as opposed to local. On the other hand the nurture argument's assertion is that
"technologies emerge out of a snarl of social, political, and economic conditions, out of opportunistic gestures by certain groups and rear-guard action by others. Technical capacity is inevitably underdetermined by nature, meaning that what seems like a physical given to one group doesn't even become apparent to another. You can never claim to be able to clearly distinguish a cause from an effect (although you're allowed to engage in some finger-pointing or name-calling when you catch somebody else doing it), and you have to content yourself with talking about a technology strictly in local, time-bound terms (Douglas 2)."
As it pertains more specifically to software engineering, Douglas uses hypertext software in explaining the nurture vs. nature theory in software engineering. The primary question that Douglas asks is whether or not hypertext is born or made. Douglas explains that hypertext is a computer language that is still evolving and has different forms. The language is fashioned by groups of software engineers, researchers and end users. These individuals design the software in a manner that is designed to meet various needs. In addition the author asserts that the main "capacity of hypertext, first discovered by Vannevar Bush, exists in unchanged form in all "true" examples of the technology in certain fundamental qualities that distinguish the technology and transcend the interests or uses of individual creators (Douglas)."
There exist some conflicting beliefs concerning the programming language known as hypertext. The author explains that much of the confusion exists because there are differing opinions about the language. These opinions tend to reflect the differences in beliefs about hypertext between software engineers and media theorists. The author explains that such disagreements don't "necessarily mean that software engineers, specialists in computer-human interaction (CHI), designers, media theorists, and other researchers writing about the technology from the perspective of a single discipline can even agree on a single set of defining characteristics that distinguish the genuine article from its close imitators. In fact, there is practically no agreement on what "true" or "real" hypertext should look like or how it should work (Douglas; 1)."
However, there does seem to be some agreement as it pertains to an underlying idea that the hypertext language possesses parameters that are inherent to the nature of technology. In addition, Douglas asserts that those who have developed hypertext applications get the nature of technology right or they get it wrong. Some researchers have asserted that "many hypermedia systems have been designed to support a specific task. . . [so that] the features and capabilities emphasized in the system often reflect the requirements of this target (841)."
At the other end of the spectrum, some researchers define hypertext via lengthy laundry lists of specifications that hypertexts "should" include or its users "need" to consider. Only a few seem to have the ability to admit that there are many different definitions which can result in the obstruction of the true meaning of the word. According to the author, the word hypertext has a unitary meaning. This unitary meaning has a capacity to change because there are several different implementations that are being used such as Apple's HyperCard. This implementation has the ability to permit the construction of a range of different applications.
The author further explains that there may also be a unitary concept that is present underneath the differences in belief concerning the features and tools of the application. Certainly in its most basic form hypertext can be described as "a way of using the computer to "liberate" its users from the linear order of the printed page."
In fact, according to Smith & Weiss (1998), the purpose of the language is to create tools for the purposes of reading and writing that are consistent with the structure of the human memory (Smith & Weiss 816). Other researchers have come to similar conclusions concerning the correlation between hypertext and brain function. For instance, Jones & Spiro asserted that hypertext was designed to support the cognitive processes of human beings. The author further explains that
"following the concept of the Memex, first described by Vannevar Bush in 1945, later realized in the form of Douglas Englebart's Augment system. Both Bush and Englebart sketched out systems for storing and retrieving texts that would enable readers and writers to order information in a way or ways that better reflected the workings of the mind than print, at the same time these systems took account of the wide variety of demands that could be satisfied by structuring and restructuring a single body of information."
So then these researchers have established a definite correlation between software development and the natural workings of the human brain. The researchers insist that the hypertext program is nothing more than an extension of the human cognitive processes of reading and writing.
Not only are these researchers asserting that this correlation exists, but Douglas asserts that there are very few that disagree with this idea. However, there does seem to be some dispute concerning the validity of this claim. According to the author, "the longer you linger over the notion that hypertext more closely approximates the workings of the human mind, the more problematic the whole concept becomes (Douglas)."
The article further explains that "In one of the most frequently cited sections of his influential article, "As We May Think," Bush argues the human mind. . . operates by association. With one item in its grasp, it snaps instantly to the next that is suggested by the association of thought, in accordance with some intricate web of trails carried by the cells of the brain (103)."
The author explains that although many have embraced the assertions made by Bush, these assertions are difficult to prove. This difficulty is present because cognition theories that are often championed by both humanists and computer scientists serve as models for thought, a group of standards for addressing what still remains, and these theories tend to be stagnant. The author asks "Can we record what a thought looks like in its elemental state, or trace its trajectory from "input" to "output"? There is no more evidence that the mind "actually" operates by association, than that it "really" operates through machinations resembling the linear logic of a printed text (Douglas)."
The article written by Bush also combines the words mind and brain so that thinking becomes an exercise that is hardwired into physical cells. However, Bush's argument seems to become illogical when this amalgamation occurs. This occurs because the manner in which the brain operates is not fully understood and as such any theory that proposes to understand such a complex relationship becomes illogical. The author also adds that there is also very little known about the relationship between the brain and the mind.
The author also posits that if hypertext is not a computer language that encompasses the idea that "something essential to human cognition, shaping the Word into a medium more congenial to the process of human thought than the printed book or article -- then what is it?" If we have to abandon the human mind as something that exists Out There, as a singular, unvarying, monolithic slab of nature we can use as the basis of a unified concept of hypertext, then we have likewise to abandon the idea of hypertext as a concept to which certain applications will have essentially "true" or "false" relationships (Douglas)."
Indeed, during the actual development of interfaces and software tools, designers of applications cannot really know how the mind operates while reading and writing. This is difficult to understand because it is difficult to produce evidence as it pertains to such an issue. That is, there is no way to determine just how the mind functions while reading and writing is occurring. There is also no way to determine how the brain would function more efficiently if it was in a more agreeable environment. With these things understood, hypertext simply serves as a conduit through which people can manipulate, create, store and retrieve information.
Douglas relates the words of Bruno Latour, who once said that technology is society made durable. If this is the case, then technology represents an extension of not only the mind that created it but the values and assumptions of an entire society. In addition, if this is the case, Douglas posits that hypertext can be defined as the mechanism that is used by a society to inject a certain set of values that the society believes to be essential to communication (Douglas).
The author also explains that a great deal of the literature related to software engineering and interface design asserts that the number of different types of hypertext systems is equivalent to the number of obvious uses for the technology. The literature also suggests that the design of the software usually mirrors the type of activities it was created to support. The author explains that activities such as reading, writing, and learning are processes that change from one social setting to another. These processes also change as it pertains to tasks, genres, and texts. The author contends that the "rhetoric about the concept of hypertext stresses shedding the constraints of print linearity, studies of, for example, how users read documentation -- in both print and hypertext form -- tend to exist mostly as exercises devised for small populations or in the largely anecdotal form educators refer to, somewhat pejoratively, as "lore." Ironically, … although much of the talk in CHI and software engineering concentrates on user "empowerment," the users are not merely mute: they are almost wholly convenient fictions, fabrications enabling the producers of software applications to support the assumptions and practices they and their peers deem as "important" to, for example, the acts of creating, handling and digesting information (Douglas)."
The author argues that even if software engineers and developers are not consciously aware of the nature argument when developing software, the correlation between the argument and the products that are being produced is clearly present. In addition, developers are also making unconscious decisions about the aspects of their software that should be nurtured. In this way the nurture vs. nature debate continues within the context of software engineering.
The author also posits that the properties of software that seem to be inherent or fundamental are not one-dimensional properties that throw themselves on the culture in which they reside. Likewise, the social influence of computer languages like hypertext is only demonstrable if the technology is accepted within the society or at organizations within the society. This acceptance is currently present as it pertains to hypertext. It is being utilized at various types of institutions, from schools to businesses to government agencies. The author explains that all of these groups will probably create "applications and definitions of hypertext that support the values and aims essential to the maintenance or propagation of their own interests. As these values and assumptions are ossified in the design of the software tools and interface itself, moreover, even the designers (as we saw with Halasz's dismissal of certain packages for not being "real" forms of hypertext) who have created the stuff may end up believing that the interface and tools they build are somehow intrinsic to the idea of the technology itself -- and not something they created to support supreme court justices or teachers of English as a second language (Douglas)."
In any case it is apparent that the hypertext language serves as an extension of biology and society. That is, it appears from the research that both nature and nurture play a role in shaping software engineering. In fact, languages such as hypertext serve as conduits through which the values of an entire society can be communicated through software. Software merely serves as an extension of a society. The research seems to indicate that the correlation between society and the products that it creates cannot be unraveled. It is a symbiotic relationship that continues from one generation to the next. Now that we have garnered a greater understanding of the nurture vs. nature debate within the context of software engineering, let us explore the issue of linguistic relativity.
Linguistic Relativity
Linguistic relativity must also be explored as it pertains to the nurture vs. nature debate. Linguistic relativity, also referred to as the Sapir-Whorf Hypothesis, asserts that the language that one speaks has an influence upon the way that an individual thinks (Lucy, 1997; Kay & Kempton 1984). That is, language influences the manner in which human beings think. This particular hypothesis is connected to the nature vs. nurture argument because it insists that the language one learns and speaks influences thought. Eventually thought influences behavior. Out of the hypothesis established by Sapir-Whorf
"a new school of linguistic relativity scholars, rooted in the advances within cognitive and social linguistics have examined the effects of differences in linguistic categorization on cognition finding broad support for the hypothesis in experimental contexts. Effects of linguistic relativity have been shown particularly in the domain of spatial cognition and in the social use of language, but also in the field of color perception. Recent studies have shown that color perception is particularly prone to linguistic relativity effects when processed in the left brain hemisphere, suggesting that this brain half relies more on language than the right one. Currently a balanced view of linguistic relativity is espoused by most linguists holding that language influences certain kinds of cognitive processes in non-trivial ways but that other processes are better seen as subject to universal factors ("Linguistic Relativity")."
As it pertains specifically to software engineering, Kaplan-Moss (2009) asserts that the aforementioned hypothesis can be wholly applied to software development because "different languages make it easier or harder to conceive of certain types and classes of algorithms ("Syntactic Sugar")." This syntactic sugar increases efficiency because one language might intuitively lend itself to writing something similar to the theoretically optimal case. On the other hand, another language might gravitate towards another solution that may not be as proficient. The author explains that the most significant issue is that computer languages can intersect with our own thought process. This premise is often articulated by software developers who may make references to certain languages stating that their favorite languages parallel the manner in which they think ("Syntactic Sugar"). The author also explains that as a group of analytical thinkers, developers tend to abandon "these types of assertions in favor of more quantitative measurements of performance or memory consumption. But that's a huge mistake: we'll always be more productive in a language that promotes a type of thought with which we're already familiar ("Syntactic Sugar")."
Linguistic relativity seems to explain the relationship between natural thought processes and the types of programming languages that evolve as an extension of that thought process. This theory is consistent with the idea that nature shapes human behavior even as it relates to the technology that is produced.
Neuroplasticity
Neuroplasticity involves the capacity of the brain to reorganize itself through the development of new neural connections throughout life. Neuroplasticity permits the nerve cells in the brain to compensate when injury or disease affects the brain. Neuroplasticity also allows nerve cells to modify their activities as a response to changes in their environment.
According to the medical dictionary, brain reorganization happens via a mechanism known as "axonal sprouting." During axonal sprouting, axons that have not been damaged produce new nerve endings to rewire neurons whose connections were harmed or severed. In addition, undamaged axons have the capacity to sprout nerve endings and attach to other undamaged nerve cells. They then form new neural corridors to meet the needs associated with various brain functions. The article further explains that
"if one hemisphere of the brain is damaged, the intact hemisphere may take over some of its functions. The brain compensates for damage in effect by reorganizing and forming new connections between intact neurons. In order to reconnect, the neurons need to be stimulated through activity. Neuroplasticity sometimes may also contribute to impairment. For example, people who are deaf may suffer from a continual ringing in their ears (tinnitus), the result of the rewiring of brain cells starved for sound. For neurons to form beneficial connections, they must be correctly stimulated. Neuroplasticity is also called brain plasticity or brain malleability ("Neuroplasticity")."
As it relates specifically to software engineering, there are certain parallels between neuroplasticity and software engineering. One such parallel can be seen in the fact that software often needs to run within the context of a changing environment. That is consistent with the changes that occur within the brain through neuroplasticity. Software development is also similar to neuroplasticity because it requires that the software that is created has the capacity to communicate with the other software on the computer.
Psychology of Hackers
The literature review provided some insight as to why people choose to hack into computer systems, though there is not a great deal of research as it pertains to understanding the mind of hackers. Voiskounsky & Smyslova (2003) explain that hackers are a difficult group to evaluate because they are secretive and operate in an anonymous fashion. The authors further explain that the professionals that best understand the minds of hackers are their counterparts, who are usually computer security experts (Voiskounsky & Smyslova, 2003). However, these security experts do not necessarily have to know the psychological makeup of hackers to protect systems from being attacked. In actuality, many security professionals are former hackers, so they understand full well what hackers are thinking. According to the authors, the intentions and tactics of hackers have changed over the years (Voiskounsky & Smyslova, 2003). The authors explain:
"Hackers were presented in 1960s as smart and competent enthusiasts, interested exclusively in computers and software. Their dominant motivation was reportedly cognition, they were fully engaged both in productive and non-productive projects. The latter include for example some ambitious Artificial Intelligence projects. Many people believe that the best software products ever created were composed by hackers. For hackers, the use of computers often replaced universal qualities of life. As Sterling wrote, "hacking could involve the heartfelt conviction that beauty can be found in computers, that the fine aesthetic in a perfect program can liberate the mind and spirit." At early stages of computerization, many competent programmers outside the hackers' community shared these views. Knuth expressed the idea that "it is possible to write grand programs, noble programs, truly magnificent ones! (Voiskounsky & Smyslova, 2003)"
The authors explain that since the time of the first computers many things have changed, and there are now some distinctions that should be made between four generations of technology users. The authors assert that the first generation concerned itself with developing the earliest software products. The first generation also developed various programming techniques (Voiskounsky & Smyslova, 2003). The second generation is composed of people who were responsible for the engineering and mass distribution of personal computers. The third generation is composed of gamers who developed computer games and sold them to the public (Voiskounsky & Smyslova, 2003). The fourth and final generation is composed of hackers who are responsible for illicitly hacking into other people's computers (Voiskounsky & Smyslova, 2003).
The research thus far indicates that not all people who are interested in computers become hackers. The first, second and third generations of computer users tended to use their expertise to develop meaningful software programs. However, the fourth generation turned to hacking as a way to express themselves and their desires to work with computers. Why are these fourth generation computer users turning to hacking?
According to Voiskounsky & Smyslova (2003), hackers tend to find value in their activities. The authors further explain that the popular media often portrays hackers as modern pirates who take information and money from innocent people. They are also portrayed as those that develop computer viruses. In addition to the media, analysts also share a similar view. In addition, hackers also share the same view. Hackers believe that "illegal intentions and actions are attributed to crackers -- "bad guys" who stay outside (though most people believe within) the hackers' community. Hackers' community is not uniform indeed: there are various sub-groups under the hacker umbrella. Since hackers obviously differ, a number of classifications were suggested. The subgroups are classified dependent on their expertise, areas of interests (e.g., software, hardware, cell phones, the Internet) and behavior patterns. Subgroups vary from novices to professionals (Sterling, 1992; Denning 1990; Hafner, K., & Markoff, J. 1995)."
In fact, Rodgers (1999) identifies seven different types of hackers. These seven types are as follows:
1. Tool kit / newbies - These are individuals that are new to hacking. Typically they do not possess the skills to develop their own software. Instead they rely on tool kits or ready to use software to engage in hacking activities (Rodgers, 1999).
2. Cyber-punks - These individuals have the capacity to create their own software. However, they still have very little knowledge (Rodgers, 1999). Cyber-punks also tend to engage in malicious acts, including the defacing of websites, spam and stealing credit card numbers (Rodgers, 1999).
3. Internals - These are hackers that were once employed at organizations as computer security professionals. After gaining knowledge about various computer security systems they engage in hacking.
4. Coders - These individuals are highly skilled programmers. They write programs for the benefit of all the other hackers in this list.
5. Old guard hackers - These are the most experienced hackers who still attempt to view hacking as an intellectual cognitive exercise.