Understanding and Improving Secure Coding Behavior with Eye Tracking Methodologies

Cited by: 2
Authors
Davis, Daniel [1]
Zhu, Feng [1]
Affiliation
[1] Univ Alabama Huntsville, Comp Sci Dept, Huntsville, AL 35899 USA
Source
ACMSE 2020: PROCEEDINGS OF THE 2020 ACM SOUTHEAST CONFERENCE | 2020
Keywords
Cybersecurity; Cyber Threats; Education; Coding Behavior; Eye Tracking; Software Vulnerabilities; Cyber-Attacks; Secure Coding;
DOI
10.1145/3374135.3385293
Chinese Library Classification number
TP301 [Theory, Methods];
Discipline classification code
081202;
Abstract
Secure coding is a mission that cannot be neglected as computing devices continue increasing. Every year, thousands of new software vulnerabilities are identified. Education is a crucial factor and a significant challenge to counter cyber threats. But gaining insight into how people learn has always been challenging. There is a considerable need for improved methodologies with active hands-on educational techniques for programmers to learn practical strategies to mitigate software vulnerabilities; to protect private data; and ultimately to write secure code in the first place. To the best of our knowledge, this is the first usage of eye tracking technologies to understand secure coding practices and to improve education. We focused on exploring the ways that students comprehended and learned to develop secure software. We recorded their eye gaze movements while they studied our hands-on learning module and mitigated the weaknesses within the source code. Our study involved 29 students mitigating software vulnerabilities via manual analysis of the source code. The eye tracking data allows us to objectively study and gain insight in order to understand and improve students' learning behavior. Our analysis indicates that there is a distinction in the learning phase for students that answered correctly compared to students that did not provide the correct mitigation strategy. Specifically, our research indicates the most effective and efficient way to learn secure coding is to fully understand coding errors before working on the source code. Our findings also suggest that we can use reading patterns to understand student behaviors in order to be capable of developing improved hands-on learning material.
Pages: 107-114
Page count: 8