05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security

Fall 2009: NSH 3002, Tuesdays and thursdays 3-4:20 pm
Class web site: http://cups.cs.cmu.edu/courses/ups-fa09/
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/ups

Students in this course may also be interested in joining the CUPS mailing list.

This course does not use Blackboard.

Professor: Lorrie Cranor

Email: lorrie AT cs DOT cmu DOT edu
Web: http://lorrie.cranor.org/
Phone: 412-268-7534
Office: CIC 2207
Office hours: Tuesdays 9-10:30 am and by appointment

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an important role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user interface problems related to privacy and security and to give them experience in designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do a weekly reading assignment and each week different students will prepare a presentation for the class. Students will also work on a group project throughout the semester.

Readings

Readings will be assigned from the following text (available in the CMU bookstore and from all the usual online stores). Additional readings will be assigned from papers available online or handed out in class.

Security and Usability: Designing Secure Systems that People Can Use, edited by Lorrie Cranor and Simson Garfinkel

Additional readings will be assigned from the course reading list. Most of these readings are in papers available online. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU VPN).

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Date	Topics	Assignment To be done before coming to class
Tuesday, August 25	Course overview and introductions
Thursday, August 27	A Framework for Reasoning About the Human in the Loop [slides] Approaches to making security usable Human-in-the-loop framework Human threat identification and mitigation process	Required reading: L. Cranor. A Framework for Reasoning About the Human in the Loop. Usability, Psychology and Security 2008. W. K. Edwards, E. Shehan and J. Stoll, Security Automation Considered Harmful? Proceedings of the IEEE New Security Paradigms Workshop (NSPW 2007). Optional reading: Motivation, models, and approaches
Tuesday, September 1	Introduction to HCI methods and UI design [slides] Usability and user interfaces Design Prototyping Evaluation	Required reading: Chapter 1 Psychological Acceptability Revisited (M. Bishop) Chapter 2 The Case for Usable Security (M. A. Sasse and I. Flechais) Chapter 3 Design for Usability (B. Tognazzini) Optional reading: Motivation, models, and approaches
Thursday, September 3	Designing experiments [slides] Types of experiments Experimental design process Case studies	Required reading: Chapter 4 Usability Design and Evaluation for Privacy and Security Solutions (C.M. Karat, C. Brodie, and J. Karat) Optional reading: HCI methods and experimental design Homework 1 due - Reading summaries from 8/27, 9/1, 9/3; complete human subjects training and submit certificate [+ summary of 1 optional reading]
Tuesday, September 8	Introduction to security Guest speaker: David Brumley [slides]	Required reading: Chapter 13 Goals and Strategies for Secure Interaction Design (K. Yee) Chapter 34 Why Johnny Can't Encrypt (A. Whitten and J. D. Tygar) K. Thompson, Reflections on Trusting Trust, CACM 27(8), August 1984. Optional reading: Security and threat modeling
Thursday, September 10	Threat modeling Introduction to threat modeling Threat modeling game	Required reading: A. Shostack. Experiences Threat Modeling at Microsoft. Modeling Security Workshop, 2008. S. Herman, S. Lambert, T. Ostwald, and A. Shostack. Uncover Security Design Flaws Using the STRIDE Approach. MSDN Magazine, November 2006. Optional reading: Security and threat modeling Homework 2 due - Reading summaries from 9/8, 9/10 [+ summary of 1 optional reading]
Tuesday, September 15	Surveys, interviews, and focus groups [slides]	Required reading: S. Gaw, E. W. Felten, and P. Fernandez-Kelly. Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted E-Mail. Proceedings of CHI 2006 Conference on Human Factors in Computing Systems, 2006. L. Little, E. Sillence and P. Briggs. Ubiquitous Systems and the Family: Thoughts about the Networked Home. SOUPS 2009. [see also the videos used in the study] Optional reading: HCI methods and experimental design
Thursday, September 17	Observing users in the field [slides]	Required reading: P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009. Optional reading: HCI methods and experimental design Homework 3 due - Reading summaries from 9/15, 9/17 [+ summary of 1 optional reading]
Tuesday, September 22	Privacy by design [slides] (note this was originally scheduled for Sept 29)	Required reading: S. L. Garfinkel and R. C. Miller. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express. SOUPS 2005. The Johnny 2 Construction Kit for Testing Email Security from the SOUPS 2006 Security User Studies Workshop User Studies Construction Kits collection S. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies. 2007 IEEE Symposium on Security and Privacy, May 20-27, 2007, Oakland California. - Also read and comment on Andrew Patrick's Commentary on Research on New Security Indicators Optional reading: HCI methods and experimental design
Thursday, September 24	Project group formation	If you have an idea for a project, come to class prepared to pitch it to your classmates. Homework 4 due - Reading summaries from 9/22, observations report [+ summary of 1 optional reading]
Tuesday, September 29	Laboratory studies (Note this was originally scheduled for Sept 22)	Required reading: Chapter 19 Privacy Issues and Human-Computer Interaction (M. Ackerman and S. Mainwaring) Chapter 21 Five Pitfalls in the Design for Privacy (S. Lederer, J. Hong, A. Dey, and J. Landay) Chapter 24 Informed Consent by Design (B. Friedman, P. Lin, and J. Miller) Optional reading: Privacy
Thursday, October 1	Privacy and mobile and ubiquitous computing [student presentations - T. Christian] [slides]	Required reading: G. Iachello, I. Smith, S. Consolvo, M. Chen, and G. Abowd. Developing Privacy Guidelines for Social Location Disclosure Applications and Services. In Proceedings of the Symposium On Usable Privacy and Security 2005, Pittsburgh, PA, July 6-8, 2005. Optional reading: Privacy in mobile and ubiquitous computing Homework 5 due - Reading summaries from 9/29, 10/1 [+ summary of 1 optional reading]
Tuesday, October 6	Privacy policies [student presentations - P. Kelley] [slides]	Required reading: Chapter 22 Privacy Policies and Privacy Preferences (L. Cranor) Chapter 33 Usability and Privacy: A Study of Kazaa P2P File Sharing (N. Good and A. Krekelberg) P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009. Optional reading: Privacy policies One-page project proposal due
Thursday, October 8	Privacy software [student presentations - I. Adjerid]	Required reading: Chapter 20 A User-Centric Privacy Space Framework (B. Brunk) Chapter 23 Privacy Analysis for the Casual User Through Bugnosis (D. Martin) Chapter 26 Anonymity Loves Company: Usability and the Network Effect (R. Dingledine and N. Mathewson) Optional reading: Privacy Homework 6 due - Reading summaries from 10/6, 10/8 [+ summary of 1 optional reading]
Tuesday, October 13	Web browser privacy and security [student presentations - N. Li, G. Norcie, J. Salk] [Li slides] [Salk slides] [Norcie slides]	Required reading: Chapter 25 Social Approaches to End-User Security and Privacy Management (J. Goecks and E. Mynatt) Chapter 28 Firefox and the Worry-free Web Optional reading: Web browser privacy and security
Thursday, October 15	Security warnings [student presentations - C. Bravo-Lillo] [slides]	Required reading: S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. USENIX Security 2009. Optional reading: Warnings Homework 7 due - Reading summaries from 10/13, 10/15 [+ summary of 1 optional reading]
Tuesday, October 20	Trust and semantic attacks [student presentations - H. Takabi, Y. Liao] [Takabi slides] [Liao slides]	Required reading: Chapter 5 Designing Secure Systems that People will Trust (A. Patrick, P. Briggs, and S. Marsh) Chapter 14 Fighting Phishing at the User Interface (R. Miller and M. Wu) Chapter 29 Usability and Security at Microsoft (C. Nodder) Optional reading: Trust and semantic attacks
Thursday, October 22	User education [student presentations - M. Koushik]	Optional reading: User education, Teaching Johnny Not to Fall for Phish Homework 8 due - Reading summaries from 10/20, 10/22 [+ summary of 1 optional reading]
Tuesday, October 27	Authentication, access control, and policy configuration [slides]	Required reading: Chapter 6 Evaluating Authentication Mechanisms (K. Renaud) Chapter 8 Designing Authentication Systems with Challenge Questions (M. Just) Optional reading: Authentication
Thursday, October 29	Access control and policy configuration [student presentations - M. Mazurek] [slides]	Required reading: R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008. Optional reading: Access control and policy management Homework 9 due - Reading summaries from 10/27, 10/29 [+ summary of 1 optional reading]
Tuesday, November 3 [election day]	Policy management Guest lecture: Lujo Bauer [slides]	Required reading: L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system. SOUPS 2007. L. Bauer, L. Cranor, R. W. Reeder, M. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. CHI 2008. Optional reading: Access control and policy management
Thursday, November 5	Text passwords [student presentations - R. Shay] [slides]	Required reading: Chapter 7 The Memorability and Security of Passwords (J. Yan, A. Blackwell, R. Anderson, and A. Grant) Chapter 32 Users are not the Enemy (A. Adams and M.A. Sasse) Optional reading: Authentication Homework 10 due - Reading summaries from 11/3, 11/5 [+ summary of 1 optional reading]
Tuesday, November 10	Progress report presentations	Progress reports due
Thursday, November 12	Progress report presentations	Required reading: S. Schechter Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them, 2009.
Tuesday, November 17	Graphical passwords [student presentations - S. Komanduri] [slides]	Required reading: Chapter 9 Graphical Password Schemes (F. Monrose and M. K. Reiter) Chiasson, S., Biddle, R., and van Oorschot, P. C. 2007. A second look at the usability of click-based graphical passwords. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07. Optional reading: Authentication
Thursday, November 19	Biometrics [student presentations - J. Debner, B. Kennedy, C. Hartman] [Kennedy slides][Debner slides][Hartman slides]	Required reading: Chapter 10 Biometric Authentication (L. Coventry) Chapter 11 Identifying Users from Their Typing Patterns (A. Peacock, X. Ke, and M. Wilkerson) Optional reading: Authentication Homework 11 due - Reading summaries from 11/12, 11/17, 11/19 [+ summary of 1 optional reading]
Tuesday, November 24	Tools for security administration [student presentations - P. Klemperer]	Required reading: Chapter 18 Security Administration Tools and Practices (E. Kandogan and E. Haber) G. Conti, M. Ahamad, and J. Stasko. Attacking Information Visualization System Usability Overloading and Deceiving the Human. In Proceedings of the Symposium On Usable Privacy and Security 2005, Pittsburgh, PA, July 6-8, 2005. Optional reading: Tools for security administration
Thursday, November 26	Thanksgiving break, no class
Tuesday, December 1	PKIs and secure communication [student presentations - B. Pendleton]	Required reading: Chapter 16 Making the Impossible Easy: Usable PKI (D. Balfanz, G. Durfee, and D.K. Smetters) Chapter 30 Embedding Security in Collaborative Applications: A Lotus/Domino Perspective (M.E. Zurko) A. Studer, C. Johns, J. Kase, K. O'Meara, L. Cranor. A Survey to Guide Group Key Protocol Development. Annual Computer Security Applications Conference (ACSAC) 2008. Optional reading: PKIs and secure communication Homework 12 due - Reading summaries from 11/24, 12/1 [+ summary of 1 optional reading]
Thursday, December 3	no class

This class will have no final exam, however, the final exam period December 15, 8:30-11:30 am in GHC5222, will be used for final project presentations. Since we don't actually need a full 3 hours, we'll start at 9 am. Breakfast will be provided. Final project papers will be due at the exam period.

Course Requirements and Grading

You are responsible for being familiar with the university standard for academic honesty and plagiarism. Please see the CMU Student Handbook for information. In order to deter and detect plagiarism, online tools and other resources are used in this class. Students caught cheating or plagiarizing will receive no credit for the assignment on which the cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructor.

Your final grade in this course will be based on:

35% Homework
15% Presentation
50% Project

Homework

Homework assignments for this class will include reading summaries as well as written assignments. All homework is due in printed form in class at 3:00 pm each Thursday (unless otherwise specified). Homework submitted after 3:15 pm will be considered late. Homework will be graded as check-plus (100%), check (80%), check-minus (60%) or 0. If you turn in a complete assignment but provide no interesting insights you will get a check. To earn a check-plus requires that you complete the assignment and demonstrate you have put some thought into your homework. Late homework will receive one grade lower than it would have otherwise received if it is submitted no later than at the beginning of the next class meeting (after that it will not be accepted). Your two lowest homework grades will be dropped from your homework average.

Students are expected to do reading assignments prior to class so that they can participate fully in class discussions. Students must submit a short summary (3-8 sentences) and a "highlight" for each chapter or article in the reading assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Students in 08-734 and 05-836 are expected to include a summary and highlight for one optional reading of their choice each week. All other students are encouraged to review some of the optional readings that they find interesting, but they need not submit summaries or highlights of the optional readings.

Presentation

Each student will be assigned a class lecture to prepare and present. The lecture should be based on the topics covered in that week's reading assignment, but it should go beyond the materials in the required reading. Do not present a lecture that simply summarizes the assigned reading. For example, you might read and present some of the related work mentioned in the reading or that you find on your own (the HCISec Bibliography is a good starting point for finding papers), you might present some of the relevant optional reading materials (feel free to use relevant materials from other weeks), you might demonstrate software mentioned in the reading, you might critique a design discussed in the reading, or you might design a class exercise for your classmates. If the material you present describes a user study, include a detailed description and critique of the study design. As part of your lecture you should prepare several discussion questions and lead a class discussion. You should also introduce your fellow students to terminology and concepts they might not be familiar with that are necessary to understand the material you are presenting. You should email to the instructor a set of PowerPoint slides including lecture notes and discussion questions. These slides will be posted on the class web site. In addition, the instructor may include all or part of your presentation slides and notes in an instructor's guide for future usable privacy and security courses.

Students in 08-734 and 05-836 will be assigned a time slot of 40-80 minutes for their lecture presentation. Students in 08-534 and 05-436 will be assigned a time slot of no more than 30 minutes.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. Each project group will propose a project. It is expected that most projects will involve the design of a user study to evaluate the design of an existing or proposed privacy- or security-related system or gain insight into users' attitudes or mental models related to some aspect of security or privacy. Groups with ideas for other types of projects should discuss them with the instructor before submitting their project proposals. As part of the project students will:

Submit a one-page project proposal by October 6. The proposal should describe the system you propose to design or evaluate, discuss what you hope to learn from your user study and/or the hypotheses you plan to test, and provide and overview of your preliminary user study plan (what types of tasks will you have participants do? what types of people will you recruit? will you use a finished software product, prototype, paper prototype, etc. in your user study? will this be a between-subjects or within-subjects study?)
Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible.
Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
Develop any prototypes necessary to carry out the user study.
Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
Give a 10-15 minute progress report presentation on November 10 or 12.
Submit a written progress report by November 10. Your written progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. In addition, the written report should include a revised user study plan and the details of your initial pilot user study, including the study design and scripts (and results if you have already completed the initial study)
Conduct a study using the revised protocol with at least 6 subjects. (Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study, and should be positioned as such in your paper.)
Give a 15-minute final project presentation during the final exam period.
Write a paper giving an overview of the proposed study, what you hope to learn from it, what you learned from the pilot study, etc. and submit it by December 15 at 9 am in both electronic and printed form. Your IRB forms, survey forms, etc. should be included as appendices.

Students are encouraged to submit their project to the Symposium On Usable Privacy and Security as either a paper or poster. A paper submission will likely require some additional work after the end of the semester. To submit a poster will require only submitting a 2-page abstract. The instructor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

Students signed up for 05-836 and 08-734 are expected to play a leadership role in a project group and write a project paper suitable for publication. Unless your group has only 08-534 and 05-436 students in it, that means your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the optional readings provide some good examples of what a conference paper looks like and the style in which they are written. In addition to describing what you did in your study, your paper should include a related work section and properly-formatted references. Papers should follow the SOUPS 2009 technical papers formatting instructions, but you may include appendixes that exceed the 12 page limit and do not follow the SOUPS formatting guidelines (indeed, your required appendixes should exceed this limit). If you have identified an alternative relevant conference and would prefer to use that conference's submission format for your paper, please discuss it with the instructor.