"It's not my responsibility to write them": An Empirical Study of Software Product Managers and Security Requirements
2025 Conference / Journal
Authors
Alena Naiakshina, M. Angela Sasse, Tobias Bruns, Felix Reichmann, Houda Naji
Research Hub
Research Hub D: Usability
Research Challenges
RC 10: Engineers and Usability
Abstract
Product managers play a key role in defining and prioritizing requirements overall, yet little is known about how they approach security requirements (SRs). To address this gap, we conducted a study with 50 participants in product management roles. Our 60-minute online study consisted of a requirement-writing task, followed by a questionnaire. Our analysis shows that, while security is not the top priority for our participants, only 10% did not include any SRs, and only 4% did not identify any security risks in their tasks. Most participants viewed SRs as a shared responsibility that should be discharged in collaboration with other roles (security experts, architects, and development teams), but without a clear assignment or process. There is an assumption that security will be taken care of, somehow, in the process, with 54% believing that security will be addressed even when it is not explicitly stated in the requirements. To mitigate the concern of "diffusion of responsibility" for security, we identified a number of recommendations for involving stakeholders in addressing security throughout the development process.