An Empirical Study on Security Knowledge Sharing and Learning in Open Source Software Communities

: Open source software (OSS) security has been the focus of the security community and practitioners over the past decades. However, the number of new vulnerabilities keeps increasing in today’s OSS systems. With today’s increasingly important and complex OSS, lacking software security knowledge to handle security vulnerabilities in OSS development will result in more breaches that are serious in the future. Learning software security is a difﬁcult and challenging task since the domain is quite context speciﬁc and the real project situation is necessary to apply the security concepts within the speciﬁc system. Many OSS proponents believe that the OSS community offers signiﬁcant learning opportunities from its best practices. However, studies that speciﬁcally explore security knowledge sharing and learning in OSS communities are scarce. This research is intended to ﬁll this gap by empirically investigating factors that affect knowledge sharing and learning about software security and the relationship among them. A conceptual model is proposed that helps to conceptualize the linkage between socio-technical practices and software security learning processes in OSS communities. A questionnaire and statistical analytical techniques were employed to test hypothesized relationships in the model to gain a better understanding of this research topic.


Introduction
Open source software (OSS) is based on the principle that computer programs should be shared freely among users, giving them the possibility of introducing improvements and modifications.OSS is at the core of today's information technology (IT) infrastructure and information systems; about 80% of companies run their operations on OSS [1] and 96% of applications utilize OSS as the software components [2].OSS is developed collectively by an online community of practices (CoPs) with a strong relationship between the social and technical interactions in a decentralized and knowledge-intensive process [3,4].Groups of volunteers participate in the communities that are essential for OSS project development.They collaborate and integrate expertise to solve particular programming problems, as well as to deliver and maintain the software that is produced by the OSS community [5][6][7].
OSS security has been the focus of the security community and practitioners over recent decades.Many studies have been conducted by both researchers and practitioners on the mechanisms of building security in OSS development [8].However, the number of new vulnerabilities keeps increasing in today's OSS systems.The Blackduck 2017 Open Source Security and Risk Analysis report announced that 3623 new OSS vulnerabilities occurred in 2016-almost 10 per day on average and a 10% increase from 2015 [2].These vulnerabilities open some of the most critical OSS projects to potential exploitation such as Heartbleed and Logjam (in OpenSSL); Quadrooter (in Android); Glibc Vulnerability (in Linux servers and web frameworks); NetUSB (in Linux kernel), and many others [9,10].With today's increasingly important and complex OSS, lacking software security knowledge to handle security vulnerabilities in OSS development will result in breaches that are more serious in the future.
Building secure applications is a complex and demanding task that developers often face.Knowledge of software security is more than simply having a checklist or reminders of things [11].
It is about understanding the potential security risks that are induced by the software, and how to manage them [12].Comparing with proprietary software development in enterprises, which usually involves formal training and practices about secure software development, OSS development relies mainly on the ability of participants themselves to acquire, refine, and use new aspects of security knowledge to fulfill the needs of their work in the community.Much of an OSS community's security knowledge lies within its documents, discussions, decisions, processes, and the awareness by members of other members' expertise.Both finding and learning the security requirements and practices of the project become key challenges that are highly dependent on the knowledge resources the community provides.Many OSS proponents believe that the OSS community offers significant learning opportunities from its best-practices [13,14], which are different from the education of traditional models [15,16].However, studies that specifically explore security knowledge sharing and learning in OSS communities are scarce.
As there is still a dearth of empirical research into security knowledge learning in the context of OSS development, this study intends to fill this gap by empirically investigating factors that affect knowledge sharing and learning about software security and the relationships among them.The purpose is twofold.Firstly, we are interested in obtaining a deeper understanding of how factors complement each other in shaping security knowledge sharing and learning behavior.Secondly, we suggest a conceptual framework that includes both social (security culture) and technical (security expertise coordination) constructs to investigate how OSS communities can shape this behavior.We attempt to fulfill this purpose by utilizing a questionnaire survey and statistical analytical techniques on OSS project participants.The data analysis result is the main contribution of the paper.This is presented as a preliminary research model, which includes a set of socio-technical constructs that could potentially describe security knowledge sharing mechanisms and learning processes in OSS communities.
The rest of this paper is structured as follows.Section 2 describes the theoretical background of the research.The conceptual framework defining the constructs and hypothesized relationships are depicted in Section 3. The research method is explained in Section 4. In Section 5, we present the result of data analysis.Section 6 provides a discussion based on the result.We describe the conclusion and limitation of this study in Sections 7 and 8 respectively.

Knowledge Sharing
Christensen [17] defines knowledge sharing as a process that exploits existing knowledge by identifying, transferring, and applying it to solve tasks better, faster, and cheaper.It is 'the process of transferring knowledge from a person to another in an organization' [18].Knowledge sharing is a deliberate act that makes knowledge reusable by other people through knowledge transfer [19].It is about "how people share and use what they know" [20] and requires the active engagement of individuals in a process of interaction and learning [21].As Nonaka [22] points out, the knowledge is created and expanded through social interaction between people and their creative activities [22].Through knowledge sharing individuals could exchange tacit or explicit knowledge, hence, together create new knowledge [23].
Terminologies such as 'knowledge distribution' and 'knowledge transfer' are also used for referring to knowledge sharing and bring paronomasia; e.g., Haas and Hansen [24], Christensen [17], Cabrera et al. [25], Wasko and Faraj [26], and Inkpen and Tsang [27].Although these definitions and discussions of knowledge sharing vary in different perspectives, they do deliver a similar core concept, which is using existing knowledge within the organization to solve problems, generating new learning, and empowering the organization for innovation.

Knowledge Sharing and Learning in OSS Communities
The purpose of the OSS community is essentially knowledge sharing and collaboration [28,29].An OSS community has been considered as a social leaning CoP [30][31][32], which aims to establish a structure where tacit and explicit knowledge is shared and exchanged among various members within a given domain to create a collective value useful to everyone [33,34].Developers build the software by relying on extensive peer production and through the skillful use of the software and communication tools available on the Internet [35].They share and acquire knowledge associated with their profession.Furthermore, OSS communities have been a source of learning for participants since their creation [36], which offer 24 h, 7 days a week, 365 days support with up to date content and learning materials, and all of this provided by volunteers at no charge.Therefore, an open source community is more than about software development, but also provides a rich field to explore the process of software knowledge creation, accumulation, and dissemination [30].
Knowledge sharing and learning in open source communities have been broadly studied in the literature.Sowe et al. have introduced a knowledge-sharing model to develop an understanding of the dynamics of collaboration and how knowledge sharing is distributed over OSS development teams [37,38].Chen, Xiaogang et al. adopted the perspective of the transactive memory system (TMS) to empirically examine the possible team cognitive mechanisms that facilitate knowledge sharing in OSS communities [39].Their study showed that communication quality positively influences knowledge sharing and technical performance of the team.Iskoujina and Roberts investigated the factors that motivate participants to share their knowledge in OSS communities and concluded that the quality of management influences the extent to which the motivations of members actually result in knowledge sharing [40].Chen, Xiaohong analyzed key factors affecting knowledge sharing in OSS projects, which include participative motivation, social network, and organizational culture [41,42].Au et al. explored open-source debugging as a form of organizational learning [43], which heavily relies on adaptive learning [44] to overcome the complexity of software.Singh and Holt provided insights on how the OSS community uses the forums for learning and solving problems.They explored the motivations for joining OSS communities [36], the learning that occurs in the communities, and the challenges to learning.Hardi had a case study using Google Chrome project [45] to affirm that situated learning [46] is present among open source developers at an earlier time of a project.Hemetsberger and Reinhardt examined how knowledge sharing and learning processes develop at the interface of technology and communal structures of an OSS community [4,32].They suggested that knowledge is shared and learned in OSS communities through the establishment of processes and technologies that enable virtual re-experience for the learners at various levels.They viewed learning in OSS communities as experiential learning whereas learning is a process whereby learning is created through the transformation of experiences as developed by Kolb [47].

Conceptual Framework
The conceptual framework is developed based on the author's prior ethnographic study on three OSS communities [48].The study applied a socio-technical systems perspective [49], which systematically and holistically took into account the social context as well as technological aspects.The observation result was analyzed and categorized with social (culture and organization structure) and technical (method and machine) aspects.Figure 1 depicts the conceptual and theoretical structure that includes four constructs, namely: security culture, expertise coordination, security knowledge sharing, and software security learning.The background of the conceptual framework is described below.

Security Culture and Security Knowledge Sharing
Security culture is recognized in the security community and scientific literature as one of the most important foundations of organizational security.In short, security culture is the way our minds are programmed to create different patterns of thinking, feeling, and actions for providing the security process [50].Security culture is based on the interaction of people with information assets and the security behavior they exhibit within the context of the organizational culture in the organization [51].Security culture involves identifying security-related ideas, beliefs, and values of the group, which shape and guide security-related behaviors [52].Martins and Eloff define information security culture as the perceptions, attitudes, and assumptions that are accepted and encouraged by employees in an organization in relation to information security [53].Ngo et al. suggest that security culture is the accepted behavior and actions of employees and the organization as a whole, as well as how things are done in relation to information security [54].Therefore, the four main aspects of security culture formed in this study are: Belief: An acceptance or a firmly held opinion that security is of value to the community.Attitude: A feeling or emotion toward various activities that pertain to the security of the software product produced by the community.Behavior: Actual or intended activities and risk-taking actions in secure software developments.Subjective norms: A combination of perceived expectations from relevant individuals or groups along with intentions to comply with security-related expectations.
Organizational culture has been shown to influence the success of knowledge management practices [55][56][57][58].Culture shapes what a group defines as relevant knowledge, and this directly affects the knowledge a unit focuses on [57].In the context of information security, security culture decides how much security knowledge is disseminated within the community and what knowledge learners can learn.The security culture backgrounds either at organizational or individual levels impact on the amount of security knowledge transferred within the community, further affecting the participants' learning processes.Thus, the research hypothesis is as follows: Hypothesis H1.Security culture is positively associated with security knowledge sharing.

Expertise Coordination and Security Knowledge Sharing
Expertise coordination is the process of knowledge integration and the outcome of exchanging and combining knowledge through interactions among team members [59,60].Expertise coordination is believed to serve as an important component of software development.According to

Security Culture and Security Knowledge Sharing
Security culture is recognized in the security community and scientific literature as one of the most important foundations of organizational security.In short, security culture is the way our minds are programmed to create different patterns of thinking, feeling, and actions for providing the security process [50].Security culture is based on the interaction of people with information assets and the security behavior they exhibit within the context of the organizational culture in the organization [51].Security culture involves identifying security-related ideas, beliefs, and values of the group, which shape and guide security-related behaviors [52].Martins and Eloff define information security culture as the perceptions, attitudes, and assumptions that are accepted and encouraged by employees in an organization in relation to information security [53].Ngo et al. suggest that security culture is the accepted behavior and actions of employees and the organization as a whole, as well as how things are done in relation to information security [54].Therefore, the four main aspects of security culture formed in this study are: Belief : An acceptance or a firmly held opinion that security is of value to the community.Attitude: A feeling or emotion toward various activities that pertain to the security of the software product produced by the community.Behavior: Actual or intended activities and risk-taking actions in secure software developments.Subjective norms: A combination of perceived expectations from relevant individuals or groups along with intentions to comply with security-related expectations.
Organizational culture has been shown to influence the success of knowledge management practices [55][56][57][58].Culture shapes what a group defines as relevant knowledge, and this directly affects the knowledge a unit focuses on [57].In the context of information security, security culture decides how much security knowledge is disseminated within the community and what knowledge learners can learn.The security culture backgrounds either at organizational or individual levels impact on the amount of security knowledge transferred within the community, further affecting the participants' learning processes.Thus, the research hypothesis is as follows: Hypothesis 1. Security culture is positively associated with security knowledge sharing.

Expertise Coordination and Security Knowledge Sharing
Expertise coordination is the process of knowledge integration and the outcome of exchanging and combining knowledge through interactions among team members [59,60].Expertise coordination is believed to serve as an important component of software development.According to the findings of empirical studies in the literature, expertise coordination strongly influences project performance, team effectiveness, and team efficiency in software development projects [61][62][63][64].This has a bearing on both physical and virtual development teams [65][66][67].For complex non-routine intellectual tasks, expertise coordination (the management of knowledge and skill of dependencies) is necessary so that the software team can recognize where expertise is located, needed, and accessed [61].A great challenge of security expertise coordination is to combine explicit and tacit knowledge in all management and security expert decisions, and to get knowledge moved from individuals within the whole organization between different actors, and from tacit domain to explicit domain and also vice versa [68].In this study, expertise coordination is manifested through the two following strategies: coordinating organizational structure and security infostructure.

Coordinating Organizational Structure
The organizational structure supports the assignment of both technical and human resources to the tasks that must be done and provide mechanisms for their coordination [69].It also establishes and enables strategic-and operational decision-making, monitoring of performance, and operating mechanisms that transfer directives on what is expected of organizational members and how the directives should be followed [69].The organizational challenges faced by OSS projects are significant because the project must deal not only with problems faced by any software development process, but also with the complexity of coordinating efforts of a geographically distributed base of volunteers working on the software [70].OSS projects usually utilize security experts to define security requirements and best practices, help perform code reviews, and provides the necessary education for the software development staff [71].The coordinating organizational structure serves as a subject matter expert to ensure that security-related issues receive necessary attention in the community.Through this structural mechanism, the security knowledge is able to gain valuable insights from the organization to facilitate strategic decision making [72].

Security Infostructure
The term infostructure is commonly used to describe the infrastructure of information that is used in multiple disciplines.As indicated by Tilton, an infostructure is the layout of information in a manner such that it can be navigated-it is what is created any time an amount of information is organized in a useful fashion [73].In the knowledge sharing process, infostructure serves as a role to provide rules, which govern the exchange between the actors on the network providing a set of cognitive resources (metaphors, common language) whereby people make sense of events on the network [74].In the context of OSS development, developers contribute from around the world, meet face-to-face infrequently if at all, and coordinate their activity primarily by means of digital channels on the internet [75,76].A proper infostructure can help learners identify the location of the security information, knowing where an answer to a problem is located, and acquiring as much knowledge as possible [77].
Based on the above discussion, the research hypotheses are given as follows: Hypothesis 2. Expertise coordination is positively associated with security knowledge sharing.

Hypothesis 2a.
Coordinating organizational structure has a positive effect on security knowledge sharing.

Hypothesis 2b.
Infostructure has a positive effect on security knowledge sharing.

Security Knowledge Sharing and Software Security Learning
Learning may be the most strategically valuable dynamic capability [78].Learning is the process by which knowledge comes into being and is enhanced over time, and is therefore intimately associated with knowledge sharing process [79].Learning experts argue that online knowledge sharing can be regarded as an important form of collective learning [80].In OSS projects, the fundamental functionality for security knowledge sharing is to capture security experts' knowledge in the project repository that other project participants can access and learn about software security.Knowledge sharing can be facilitated by the project-based organization by using codification or personalization mechanisms [81,82].

Codification Security Knowledge Sharing
The codification knowledge sharing mechanism captures individual or group-held knowledge and makes it the wider property of the organization [81], which facilitates a setting for participants to exercise self-directed learning.The basic functionality for this knowledge sharing mechanism is to capture security experts' knowledge in the project repository that other project participants can access and learn about software security, which provides a setting for participants to exercise self-directed learning.Moreover, the internet resources have the advantage to provide the community with an information infrastructure for sharing codification materials of software development in the form of hypertext, video, and a software artifact content indexes or directories.These codification materials (documentation, wiki, release notices, security advisories, source code, etc.) provides the participants with a shortcut for obtaining an overview of the system or for understanding the code that provides a particular feature.At the very least, it includes instructions on how to get started and details of where to find more information.

Personalization Security Knowledge Sharing
Personalization knowledge sharing provides communications in another form, as it is concerned with the use of people as a mechanism for sharing knowledge [83].Personalization as a knowledge sharing mechanism has the inherent flexibility of transmitting tacit knowledge, and allowing for discussions and sharing interpretations that may lead to the development of new knowledge [81].OSS communities adopt various forms of technologies, such as mailing list, forum, and Internet Relay Chat (IRC) to support knowledge sharing via personalization mechanisms.These technologies provide useful means of storage and acquisition for the communities' experiential knowledge, given that individuals have a general preference for obtaining information from other people, rather than from documents [84].Although in OSS development, a programmer may write a complete program independently from other programmers, the software code will be still examined by other software engineers.Coding review also represents a form of personalization knowledge sharing mechanism in which knowledge is created collectively in a distributed work process.Peer review process emphasizes the importance of collecting learning and shared dialogue [30].During code review, questions, answers, and discussion about the coding issues are communicated back and forth between the community and the members.Developers have the opportunities to reflect their code, to take corrective actions and build concrete experiences in the code review process.
Based on the above discussion, the following hypotheses were made: Hypothesis 3. Security knowledge sharing is positively associated with software security learning.

Hypothesis 3a.
Codification knowledge sharing has a positive effect on software security learning.

Hypothesis 3b.
Personalization knowledge sharing has a positive effect on software security learning.

Methodology
This research adopted a quantitative approach to a survey research method to investigate the relationships among security culture, expertise coordination, security knowledge sharing, and software security learning.A self-administered Web-based survey was used to collect individual-level perception data from participants in OSS projects.The use of an OSS participant survey was deemed appropriate to test the hypotheses outlined in the previous section.

Instruments
The survey instrument used in this study was the outcome of an iterative process of checking and refinement.The constructs and items used to operationalize the research were developed following the generally accepted guidelines of reliability and validity or multiple-item measures [85].After synthesizing the results of the literature review, a questionnaire was developed based on the structure of the research framework.Some survey questions were inspired by existing studies, while others were created specifically to suit the research context of our study.For the measurement instrument of key variables, each item was measured on a five-point Likert scale (Cf.Appendix A).The primary references for the constructs and items used in this study are summarized in Table 1.

Data Collection
Samples for the empirical study were randomly collected from participants in OSS development projects, available on GitHub.GitHub is an online database of open source software projects.Users and potential contributors can access information about the projects and download current versions of the software being developed.As of April 2017, GitHub reports having almost 20 million users and 57 million repositories [93], making it the largest host of source code in the world [94].The anonymous questionnaires were sent via e-mail to a list of OSS participants at the beginning of August 2017.Data collection period lasted 3 months and 402 questionnaires were completed.Among them, 324 were valid; and another 78 respondents were discarded due to the reason that they did not participate in any open source community.Table 2 shows demographic information about the sample, which includes gender, age, and the seniority in the community and product categories of the projects.

Reliability and Validity Analysis
Validating constructs is important before any further analysis is conducted.To this end, reliability and validity tests were carried out following the sequence and approach that was taken by Straub [95].Table 3 outlines the results of the reliability and validity tests performed on the survey items.Convergent validity, the degree to which multiple attempts to measure the same concept are in agreement, was evaluated by examining the factor loading within each construct, composite reliability, and variance extracted [96,97].We used confirmatory factor analysis (CFA) with AMOS to examine the convergent validity of each construct.The factor loadings range from 0.493 to 0.872, and these are greater than the recommended level of 0.35, which is based on 250 samples and a 0.05 significance level [97].All composite reliabilities and variance-extracted measures of constructs exceed the recommended level of 0.8 and 0.5 each.Reliability of a scale (factor or construct) is to examine its internal consistency by calculating Cronbach's alpha.This method indicates the extent to which items within a scale are homogenous or correlated [98,99].It is also reflective of the consistency between different items on a scale, in measuring the same attribute.The resulting alpha values ranged from 0.827 to 0.907, which were above the acceptable threshold (0.70) suggested by Nunnally [85].From the analyses mentioned above, it was found that the survey items on each construct met the requirements for reliability and validity.

Analysis and Result
Statistic software SPSS 24.0 for Windows was used to analyze the data.Pearson's correlation analysis and multiple regression analysis were to analyze security culture, expertise coordination, security knowledge sharing, and software security learning.

Relationship between Security Culture and Security Knowledge Sharing
This study adopted Pearson's correlation analysis to determine the correlation between security culture and security knowledge sharing.Table 4 shows that the correlation coefficient between security culture and security knowledge sharing is 0.671, a highly positive correlation.The correlation coefficients of each of the security culture factors-belief, attitude, behavior, and subjective norms are 0.591, 0.628, 0.427, and 0.584 respectively.Regarding correlation among all security culture factors, the results show a strong correlation among them that reaches a significant level (p < 0.01).Thus, security culture has a significant positive correlation with security knowledge sharing.Hence, Hypothesis 1 is proven.

Relationship between Expertise Coordination and Security Knowledge Sharing
Table 5 indicates that expertise coordination has a significant positive correlation with security knowledge sharing in which Pearson correlation is 0.400 and p < 0.01.The correlation coefficients of expertise coordination factors-coordinating organizational structure and infostructure are 0.628 and 0.584 respectively.The results showed a strong correlation among all expertise coordination factors that reached a significant level (p < 0.01).Consequently, the research result favored Hypothesis 2, the stronger coordinating organizational structure and security infostructure, the higher the security knowledge sharing degree.Hence, H2a and H2b are also proven valid.Since expertise coordination has a significant correlation with security knowledge sharing, this study used multiple-regression analysis to understand the linear relationship between a group of forecast variable and a valid variable.The multiple-regression analysis used in this research is shown in Table 6.As indicated in the table, B value, Beta, and t-value have positive values.The prediction equation is based on the unstandardized coefficients, as follows: y 1 = 2.418 + 0.151x 3 + 0.217x 4 (where x 3 is coordinating organizational structure and x 4 is security infostructure).All variables show a positive relationship.Looking at the p-value for each variable, the predictor variables of coordinating organizational structure and security infostructure not statistically significant because of both of their p-value greater than 0.05.In this model, the two factors do not provide a significant impact on security knowledge sharing.Thus, given the above relationship, Hypotheses 2a and 2b are partially supported.

Relationship between Security Knowledge Sharing and Software Security Learning
Table 7 indicates that security knowledge sharing has a significant positive correlation with software security learning in which the Pearson correlation is 0.578 and p < 0.01.The correlation coefficients of security knowledge sharing factors-codification knowledge sharing and personalization

Hypothesis Result
H1. Security culture is positively associated with security knowledge sharing.Supported H2.Expertise coordination is positively associated with security knowledge sharing.Supported H2a.Coordinating organizational structure has a positive effect on security knowledge sharing.Partially supported H2b.Infostructure has a positive effect on security knowledge sharing.
Partially supported H3.Security knowledge sharing is positively associated with software security learning.Supported H3a.Codification knowledge sharing has a positive effect on software security learning.Supported H3b.Personalization knowledge sharing has a positive effect on software security learning.Supported According to the result of the Pearson's correlation analysis (Table 4), there is a significant positive relation between security culture and security knowledge sharing.This means that if an OSS project truly holds the value that software security is important, then particular security knowledge sharing behaviors and actions can be expected.The more perceived normative support for security culture in their community means that participants are more likely to perform exemplary secure behaviors and avoid risk.As the security culture would certainly influence the operation activities of security knowledge sharing and further impact on the effectiveness of software security learning, the community should regard security culture as an important factor for supporting and guiding security practices.
Regarding the relation between expertise coordination and security knowledge sharing, this study finds that security expertise coordination is associated with the degree of security knowledge sharing.According to the Pearson's correlation analysis (Table 5), there is a significant positive relation between security expertise coordination and security knowledge sharing.Moreover, when the factors of expertise coordination are more significant, they meaningfully affect security knowledge sharing, as evidenced by the significant variance explained by the regression analysis (Table 6).This implies that if the factors of expertise coordination-coordinating organizational structure and security infostructure are more efficient and effective-they can significantly enhance security knowledge sharing.Although the two factors do not have a significant correlation with security knowledge sharing in the regression model, they still have positive coefficients.Achieving a successful software system requires tight coordination among the various efforts involved in the software development cycle [64].If OSS communities can provide an internal security consulting organization with dedicated responsible people for security activities, and place the security information in a structured and collected manner, it will lead to a knowledge sharing arrangement actually being established.
On the other hand, our regression model also provides strong support for a significant contribution of security knowledge sharing to the software security learning process.The result of the Pearson's correlation analysis (Table 7) shows a significant positive relation between security knowledge sharing and software security learning.Moreover, as evidenced by the significant variance explained by the regression analysis (Table 8), while codification and personalization knowledge sharing are more significant, software security learning is significantly and positively affected.In the context of OSS communities, codification can be a good mechanism to store large amounts of security knowledge on the project website and to create an organizational memory for all participants.The method of personalization knowledge sharing reflects security experts' experience (via the forum, mailing list, code review etc.) which collectively produces knowledge that can be spread further to the individuals or the whole team.The two knowledge-sharing mechanisms create a digital pipeline or an intelligent link for knowledge building that appears to support the software security learning process.As the community provides opportunities for its members to share security knowledge or experiences with others, which increases the amount of knowledge sharing, it should stimulate the software security learning.

Conclusions
This empirical study focuses on investigating the organizational practices and behaviors that affect knowledge sharing and learning about software security in OSS communities, and the relationships among them.OSS has become a critical component and a key competency of information and communication technology (ICT) ecosystems.While the number of found vulnerabilities in OSS is increasing, it is noteworthy that effective learning about security knowledge in the context of OSS development has not gained much attention.Thus, it is necessary to examine how the security knowledge is transferred and acquired by OSS participants.
As Scacchi points out, the meaning of open source in the socio-technical context is broader than its technical definition and includes communities of programming practice, organizational culture and structure, and technical practices [100].This can be viewed as a necessary condition within a learning framework as both social and technical aspects are of equal importance.This research proposes a model that helps conceptualize the linkage between such socio-technical practices and software security learning process in OSS communities.We gathered empirical evidence from 324 questionnaires and quantitatively analyzed data to test the hypothesized relationships in the model.
The statistical analysis shows that both security culture and the coordination of expertise can positively influence and contribute to security knowledge sharing at a certain level in OSS communities.Security culture provides a strong indication of a participant's disposition to act.It is important because unless the community believes that security is valuable to the software product, participants are unlikely to work securely and exchange their experiences in the field of software security.Indeed, every member involves in OSS development should be concerned with software security, but it is inefficient to demand each participant taking care of all security aspects.Hence, in order to enhance security knowledge sharing, a community should cultivate a culture that engages dialogue and interest among participants in order to promote the value of software security to their products and raise awareness.If OSS communities can nurture a security culture, it will be easy for them to create an environment where developers and users are willing to share and talk about software security, providing the opportunity to draw lessons from each other's experiences.
On the other hand, as OSS and its communities continue to grow in size and complexity, security expertise coordination within the community plays a larger role in security governance.While security information is provided with an adequate coordinating structure and infostructure support in the community, the implementation of security knowledge sharing throughout the community can be instilled in its culture.This study also concludes that the learning process (self-directed and collective learning) of software security and learning satisfaction are definitely influenced by security knowledge sharing.It indicates that the successful sharing of security knowledge in the OSS community, either through codification or personalization mechanisms, will enable software security learning to flow through an entire community.
People join the OSS community at different ages and have different backgrounds, capacities, and resources, as well as different objectives.They come from many disciplines which might lack formal, college-level software security training, and therefore do not see any economic incentive for squeezing security thinking into their work to produce secure codes.On the other hand, learning software security is a difficult and challenging task as the domain is rather context-specific, and the real project situation is necessary to apply the security concepts within the specific system.It is suggested that OSS communities must establish beliefs and norms, as well as roles and knowledge facilities for secure software developments; i.e., to offer environments and opportunities for security knowledge sharing and the development of software security knowledge for participants as well on the horizontal level between the experienced (but ever-learning) community members.
Ultimately, the contributions of this research supply researchers with a conceptual framework for software security knowledge sharing and learning in the OSS community in a thorough manner, providing a context in which to operate.The study also provides other researchers a firm basis to develop new security learning approaches for OSS communities, addressing many of the identified limitations.

Limitations
Several limitations of this research should be noted.Despite a rigorous examination of the trustworthiness of the collected data, this study might have some method bias.First, the samples were chosen opportunistically from GitHub projects, and the number of responses obtained from the survey was rather small compared with today' enormous OSS projects and field workers.Second, even though there are other known human factors that facilitate security knowledge sharing behaviors in organizations as Safa and Von Solms suggested, this study did not consider factors such as motivation or intention in OSS communities [101].Thus, there is a need for further research efforts focused on accumulating more evidence that is empirical and data to break through the limitations.These efforts should improve the generalizability of this study to the entire OSS development phenomenon by considering a larger number of responses covering a range of diverse OSS projects.In addition, special attention should be geared toward finding the human factors, which affect independent variables such as reputation, self-efficacy, and promotion.

Multimedia
The community transfers security knowledge through words, pictures, or video.

Experience
Members are willing to share their experience and knowledge about software security.

Collaboration
Members help each other solve security problems.
Exploration I learn software security by exploring the project repository (source code, documentation, wiki, etc.) Search I browse mailing list, forum, blog or other information channels of the community to learn about software security.
Feedback I learn coding errors or security vulnerabilities by receiving comments from code reviews (pull request).
Problem solving I learn software security through discussions in the community.
Enjoyment I enjoy learning software security in the community.

Simplicity
It is easy for me to find the security information in the community.

Table 1 .
Measurement instrument for key variables in the questionnaire.

Table 3 .
The convergent validity and reliability test results.
1Factor loadings are from confirmatory factor analysis.

Table 4 .
The correlation analysis for security culture and security knowledge sharing.

Table 5 .
The correlation analysis for expertise coordination and security knowledge sharing.

Table 6 .
The multiple-regression analysis for expertise coordination on security knowledge sharing.

Table 9 .
Testing results of research hypotheses.