A just culture is fundamental: extending security ergonomics by design

Human error when developing and using smart cyber physical systems is inevitable. Earlier work has set out Security Ergonomics by Design---principles by which developers of systems can ensure that the active user error cannot occur when latent system failures introduced in development are in play. This paper underpins these principles by showing there is a fundamental need to adopt a Just Culture within which i) user error is captured for improvement in the development cycle, and ii) to provide software engineers assurance that their own mistakes are not automatically punished but rather treated as learnings that can be fed back into building safer and more secure practice.