05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security
Course readings
The following selected readings are organized by topic
area. Students in this course are expected to do the required readings
listed in the course syllabus. In addition, the following readings may
be used to fulfill optional reading requirements and to find related
work when preparing course presentations and projects. Additional
readings will be added throughout the semester. [This list also
includes the required course readings.]
Topics
- Security and Usability. Chapter 1 Psychological Acceptability Revisited (M. Bishop)
- Security and Usability. Chapter 2 The Case for Usable Security (M. A. Sasse and I. Flechais)
- Security and Usability. Chapter 3 Design for Usability (B. Tognazzini)
- L. Cranor. A Framework for Reasoning About the Human in the Loop. Usability, Psychology and Security 2008.
- W. K. Edwards, E. Shehan and J. Stoll. Security Automation Considered Harmful? Proceedings of the New Security Paradigms Workshop (NSPW 2007).
- S. Furnell. Making security usable: Are things improving? Computers & Security
Volume 26, Issue 6, September 2007, Pages 434-443
- J. Johnston, J. H. P. Eloff and L. Labuschagne. Security and human computer interfaces. Computers & Security
Volume 22, Issue 8, December 2003, Pages 675-684.
- M.E. Kabay, Using
Social Psychology to Implement Security Policies, Chapter 35 in
Computer Security Handbook, 4th edition, 2002.
- B. Lampson, Usable
Security: How to Get It, CACM Vol 52, No. 11, November 2009,
pp. 25-27.
- Security and Usability. Chapter 4 Usability Design and Evaluation for Privacy and
Security Solutions (C.M. Karat, C. Brodie, and J. Karat)
- Designing for Usability: Key Principles and What Designers Think, by John D. Gould and Clayton Lewis, in Communications of the ACM 28, 3 (Mar. 1985), pp. 300-311.
- J. Nielsen. Guerrilla
HCI: Using Discount Usability Engineering to Penetrate the
Intimidation Barrier, 1994.
- J. Nielsen. How
to Conduct a Heuristic Evaluation, 1994.
- Lo-Fidelity Prototyping: Prototyping for Tiny Fingers, by Marc Rettig, in Communications of the ACM, Vol. 37, No. 4, pp. 21-27, April 1994.
- Task
Analysis and the Design of Functionality, by David Kieras, in
The Computer Science and Engineering Handbook, CRC Press,
pp. 1401-1423, 1997.
- James Hom, The Usability Methods Toolbox.
- Nielsen, J. and Molich, R. 1990. Heuristic evaluation of user interfaces. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems: Empowering People (Seattle, Washington, United States, April 01 - 05, 1990). J. C. Chew and J. Whiteside, Eds. CHI '90. ACM, New York, NY, 249-256. DOI= http://doi.acm.org/10.1145/97243.97281
- Brad A. Myers. Challenges
of HCI Design and Implementation, ACM Interactions. vol. 1,
no. 1. January, 1994. pp. 73-83.
- M. Jakobsson. Experimenting
on Mechanical Turk: 5 How Tos. IT World, Sept 3, 2009.
- G. Silverman, Focus Group Information
Center, Market Navigation, Inc.
- Mental
Models Training Workshop materials from the CMU Center for Risk Perception
and Communication
Research papers that describe interview and focus group studies
- Dourish, P., Grinter, E., Delgado de la Flor, J., and Joseph,
M. 2004. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal Ubiquitous Comput. 8, 6 (Nov. 2004), 391-401. DOI= http://dx.doi.org/10.1007/s00779-004-0308-5
- S. Gaw, E. W. Felten, and P. Fernandez-Kelly. Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted E-Mail. Proceedings of CHI 2006 Conference on Human Factors in Computing Systems, 2006.
- L. Little, E. Sillence and P. Briggs. Ubiquitous Systems and
the Family: Thoughts about the Networked Home. SOUPS
2009. [see also the videos
used in the study]
- L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system.
SOUPS 2007.
- L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. In CHI 2009: Conference on Human Factors in Computing Systems, pages 899–908, April 2009.
- M.N. Razavi and L. Iverson. A grounded theory of information sharing behavior in a personal learning space. CSCW 2006.
- Gross, J. B. and Rosson, M. B. 2007. Looking for trouble: understanding end-user security management. In Proceedings of the 2007 Symposium on Computer Human interaction For the Management of information Technology (Cambridge, Massachusetts, March 30 - 31, 2007). CHIMIT '07. ACM, New York, NY, 10.
Research papers that describe field studies
- J.Tsai, P. Kelley, P. Drielsma, L. Cranor, J. Hong,
and N. Sadeh. Who's Viewed You? The Impact of Feedback in a Mobile-location
System. CHI 2009
- P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong,
M. A. Blair and T. Pham. School
of Phish: A Real-World Evaluation of Anti-Phishing
Training. SOUPS 2009.
- Iachello, G., Truong, K. N., Abowd, G. D., Hayes, G. R., and Stevens, M. 2006. Prototyping and sampling experience to evaluate ubiquitous computing privacy in the real world. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montreal, Quebec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM, New York, NY, 1009-1018
Research papers that describe laboratory studies
Many of the other papers on this page also describe lab
studies. These are just a few that do a particularly good job
explaining their study methodology or have something particularly
interesting about their study methodology.
- S. L. Garfinkel and R. C. Miller. Johnny
2: A User Test of Key Continuity Management with S/MIME and
Outlook Express. SOUPS 2005.
- The Johnny 2 Construction Kit for Testing Email Security, from the SOUPS 2006 Security User Studies Workshop User Studies Construction Kits collection.
- S. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies. 2007 IEEE Symposium on Security and Privacy, May 20-27, 2007, Oakland, California. - Also read and comment on Andrew Patrick's Commentary on Research on New Security Indicators.
- Security and Usability. Chapter 17: Simple Desktop
Security with Chameleon
- A. DeWitt and J. Kuljis. Aligning Usability and Security: A usability study of Polaris. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.
- SOUPS 2006 Security User Studies Workshop User Studies Construction Kits.
- S. Schechter and R. Reeder. 1 +
1 = You: Measuring the comprehensibility of metaphors for
configuring backup authentication. SOUPS 2009.
- R. Chow, I. Oberst, and J. Staddon. Sanitization's
Slippery Slope: The Design and Study of a Text Revision
Assistant. SOUPS 2009.
- Security and Usability. Chapter 13 Goals and Strategies for Secure Interaction Design
(K. Yee)
- Security and Usability. Chapter 27 Creating Usable Security Products for Consumers (J. Berson)
- Security and Usability. Chapter 34 Why Johnny Can't
Encrypt (A. Whitten and J. D. Tygar)
- A. Shostack. Experiences
Threat Modeling at Microsoft. Modeling Security Workshop, 2008.
- S. Herman, S. Lambert, T. Ostwald, and A. Shostack. Uncover
Security Design Flaws Using the STRIDE Approach. MSDN
Magazine, November 2006.
- Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook.
- A. Avizienis, J.-C. Laprie, B. Randell, and C. Landwehr. Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, January-March 2004.
- What is Security Engineering? Chapter 1 of Security Engineering by Ross Anderson.
- D. Ferraiolo, D. Gilbert and N. Lynch. Assessing Federal and Commercial Information Security Needs. NIST Technical Report, November 1992.
- R. Halprin and M. Naor. Games
for Extracting Randomness. SOUPS 2009.
- Security and Usability. Chapter 19 Privacy Issues and Human-Computer Interaction
(M. Ackerman and S. Mainwaring)
- Security and Usability. Chapter 20 A User-Centric Privacy Space Framework (B. Brunk)
- Security and Usability. Chapter 21 Five Pitfalls in the Design for Privacy (S. Lederer,
J. Hong, A. Dey, and J. Landay)
- Security and Usability. Chapter 23 Privacy Analysis for the Casual User Through
Bugnosis (D. Martin)
- Security and Usability. Chapter 24 Informed Consent by Design (B. Friedman, P. Lin, and
J. Miller)
- Security and Usability. Chapter 33 Usability and Privacy: A Study of Kazaa P2P File
Sharing (N. Good and A. Krekelberg)
- Lorrie Faith Cranor. 'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. In Clare-Marie Karat, Jan O. Blom, and John Karat, eds. Designing Personalized User Experiences in eCommerce. Kluwer Academic Publishers, 2004.
- Lorrie Faith Cranor. The
Role of Privacy Enhancing
Technologies. In Considering
Consumer Privacy: A Resource for
Policymakers and Practitioners. Center
for Democracy and Technology, edited by
Paula J. Bruening, March 2003.
- Simson Garfinkel. Database
Nation. O'Reilly, 2000.
- Samuel Warren and Louis D. Brandeis, The
Right to Privacy, Harvard Law Review, 1890.
- B. Kowitz and L. Cranor. Peripheral
Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, pp. 90-96.
- Iachello, G. and Abowd, G. D. 2005. Privacy and
proportionality: adapting legal evaluation techniques to inform
design in ubiquitous computing. In Proceedings of the
SIGCHI Conference on Human Factors in Computing Systems
(Portland, Oregon, USA, April 02 - 07, 2005). CHI '05. ACM
Press, New York, NY, 91-100.
- Giovanni Iachello and Jason Hong (2007). End-User Privacy in Human-Computer Interaction. Foundations and Trends in Human-Computer Interaction: Vol. 1: No. 1, pp. 1-137. http://dx.doi.org/10.1561/1100000004
- Christena Nippert-Eng, Privacy
in the United States: Some Implications for Design,
International Journal of Design, 1(2), 1-10.
- Khalil, A. and Connelly, K. 2006. Context-aware
telephony: privacy preferences and sharing patterns. In
Proceedings of the 2006 20th Anniversary Conference on Computer
Supported Cooperative Work (Banff, Alberta, Canada, November 04
- 08, 2006). CSCW '06. ACM, New York, NY, 469-478.
- C. Jensen, C. Potts, and C. Jensen. Privacy practices of Internet users: Self-reports versus
observed behavior. International Journal of Human-Computer Studies
Volume 63, Issues 1-2, July 2005, p. 203-227.
- Microsoft, Privacy
Guidelines for Developing Software Products and Services, 2007.
Anonymity
Privacy in mobile and ubiquitous computing
- Consolvo, S., Smith, I. E., Matthews, T., LaMarca, A., Tabert, J.,
and Powledge, P. 2005. Location disclosure to
social relations: why, when, & what people want to share. In
Proceedings of the SIGCHI Conference on Human Factors in Computing
Systems (Portland, Oregon, USA, April 02 - 07, 2005). CHI '05. ACM,
New York, NY, 81-90.
- Hong, J.I., J. Ng, and J.A. Landay. Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems. In Proceedings of Designing Interactive Systems (DIS2004). Boston, MA. pp. 91-100 2004.
- Iachello, G., Truong, K. N., Abowd, G. D., Hayes, G. R., and Stevens, M. 2006. Prototyping and sampling experience to evaluate ubiquitous computing privacy in the real world. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montreal, Quebec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM, New York, NY, 1009-1018
- Tang, K. P., Keyani, P., Fogarty, J., and Hong, J. I. 2006. Putting people in
their place: an anonymous and privacy-sensitive approach to collecting
sensed data in location-based applications. In Proceedings of the
SIGCHI Conference on Human Factors in Computing Systems (Montreal,
Quebec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki,
E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM, New York,
NY, 93-102.
- G. Iachello, I. Smith, S. Consolvo, M. Chen, and G. Abowd. Developing Privacy Guidelines for Social Location Disclosure
Applications and Services. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- Marc Langheinrich. Privacy by Design - Principles of Privacy-Aware Ubiquitous Systems.
In: Gregory D. Abowd, Barry Brumitt, Steven A. Shafer (Eds.):
Proceedings of the Third International Conference on
Ubiquitous Computing (UbiComp 2001). LNCS No. 2201,
Springer-Verlag, pp. 273--291, Atlanta, USA, 2001.
Privacy policies
- Security and Usability. Chapter 22 Privacy Policies and Privacy Preferences (L. Cranor)
- L. Cranor, P. Guduru, and M. Arjula. User
Interfaces for Privacy Agents. ACM Transactions on
Computer-Human Interaction, June 2006.
- Lorrie Faith Cranor. Introduction
to P3P. Chapter 1 of Web Privacy
with P3P. O'Reilly, 2002.
- Evolution
of a Prototype Financial Privacy Notice - Report by Kleimann
Communication Group for the FTC, 28 February, 2006.
- P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A
"Nutrition Label" for Privacy. SOUPS 2009.
- N. Good, R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz,
D. Mulligan, and J. Konstan. Stopping
Spyware at the Gate: A User Study of Privacy, Notice and
Spyware. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- C. Brodie, C. Karat, and J. Karat. An Empirical Study
of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE
Policy Workbench. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Paper presented at the Workshop on the Economics of Information Security, June 7-8, 2007, Pittsburgh, PA.
- Security and Usability. Chapter 25 Social Approaches to End-User Security and Privacy
Management (J. Goecks and E. Mynatt)
- Security and Usability. Chapter 28 Firefox and the
Worry-free Web
- Clark, J., van Oorschot, P. C., and Adams, C. 2007. Usability of anonymous web browsing: an examination of Tor interfaces and deployability. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07, vol. 229. ACM, New York, NY, 41-51. DOI= http://doi.acm.org/10.1145/1280680.1280687
- S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the
Effectiveness of Web Browser Phishing Warnings. CHI 2008.
- J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and
L. Cranor. Crying Wolf: An Empirical Study of SSL Warning
Effectiveness. USENIX Security 2009.
- H. Xia and J. Brustoloni. Hardening Web browsers against man-in-the-middle and eavesdropping attacks. In Proceedings of the 14th International Conference on World Wide Web (WWW 2005), Chiba, Japan, 2005.
- Brustoloni, J. C. and Villamarin-Salomon, R. 2007. Improving
security decisions with polymorphic and audited dialogs. In
Proceedings of the 3rd Symposium on Usable Privacy and Security
(Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07,
vol. 229. ACM, New York, NY, 76-85. DOI=
http://doi.acm.org/10.1145/1280680.1280691
- N. Good, R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz,
D. Mulligan, and J. Konstan. Stopping
Spyware at the Gate: A User Study of Privacy, Notice and
Spyware. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- Tec-Ed Whitepaper. Extended Validation and
the VeriSign Brand. See also SSL
and VeriSign Secured Seal Success Stories
- Biddle, R., van Oorschot, P. C., Patrick, A. S., Sobey, J., and
Whalen, T. 2009. Browser interfaces and extended validation SSL certificates: an empirical study. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security (Chicago, Illinois, USA, November 13 - 13, 2009). CCSW '09. ACM, New York, NY, 19-30. DOI= http://doi.acm.org/10.1145/1655008.1655012
- Security and Usability. Chapter 5 Designing Secure Systems that People will Trust
(A. Patrick, P. Briggs, and S. Marsh)
- Security and Usability. Chapter 14 Fighting Phishing at the User Interface (R. Miller and
M. Wu)
- Security and Usability. Chapter 29 Usability and Security
at Microsoft (C. Nodder)
- R. Dhamija and J.D. Tygar. The
Battle Against Phishing: Dynamic Security Skins. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- M. Wu, R. Miller, and S. Garfinkel. Do Security Toolbars Actually Prevent Phishing Attacks? In Proceedings of CHI 2006, Montreal, Quebec, Canada, April 22-28, 2006.
- R. Dhamija, J.D. Tygar, and M. Hearst. Why Phishing Works. In Proceedings of CHI 2006, Montreal, Quebec, Canada, April 22-28, 2006.
- J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.
- A. Fu, X. Deng, W. Liu, and G. Little. The Methodology and an Application to Fight Against Unicode Attacks. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.
- M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh and John C. Mitchell. Stronger Password Authentication Using Browser Extensions. Proceedings of the 14th USENIX Security Symposium, 2005.
- Jagatic, T., Johnson, N., Jakobsson, M., and Menczer, F. Social Phishing. Commun. ACM 50, 10 (Oct. 2007), 94-100.
- M. Wu. 2006. Fighting Phishing at the User Interface. Thesis submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science and Engineering at the Massachusetts Institute of Technology.
- Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. 2007. Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07, vol. 229. ACM, New York, NY, 88-99. DOI= http://doi.acm.org/10.1145/1280680.1280692
- P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor
and J. Hong. Getting
Users to Pay Attention to Anti-Phishing Education: Evaluation of
Retention and Transfer. Proceedings of the 2nd Annual eCrime
Researchers Summit, October 4-5, 2007, Pittsburgh, PA,
p. 70-81.
- P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
- Cormac Herley, So Long, And
No Thanks for the Externalities: The Rational Rejection of Security
Advice by Users. New Security Paradigms Workshop 2009.
- Security and Usability. Chapter 6 Evaluating
Authentication Mechanisms (K. Renaud)
- Luis von Ahn, Manuel Blum, Nicholas Hopper and John
Langford. CAPTCHA: Using
Hard AI Problems for Security. In Advances in Cryptology,
Eurocrypt 2003.
- A. De Luca, M. Denzel, and H. Hussmann. Look into my Eyes! Can you guess my Password? SOUPS 2009.
- E. Hayashi, N. Christin, R. Dhamija, and A. Perrig. Use
Your Illusion: Secure Authentication Usable Anywhere. SOUPS
2008.
- J. Yan and A. El Ahmad. Usability
of CAPTCHAs Or "usability issues in CAPTCHA design." SOUPS
2008.
- Garfinkel, S. L. Email-Based Identification and Authentication: An
Alternative to PKI? IEEE Security and Privacy, IEEE Computer Society,
2003, 1, 20-26.
Text Passwords
- Security and Usability. Chapter 7 The Memorability and Security of Passwords (J. Yan,
A. Blackwell, R. Anderson, and A. Grant)
- Security and Usability. Chapter 32 Users are not the
Enemy (A. Adams and M.A. Sasse)
- K. Yee and K. Sitaker. Passpet:
Convenient password management and
phishing protection. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- S. Gaw and E. Felten. Password
Management Strategies for Online
Accounts. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- C. Kuo, S. Romanosky, and L. Cranor. Human
Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Niklas Frykholm and Ari Juels, Error-Tolerant
Password Recovery. In P. Samarati, ed., Eighth ACM Conference
on Computer and Communications Security, pp. 1-8. ACM
Press. 2001.
- Passwords Chapter 3 of Security
Engineering by Ross Anderson
- Kumar, M., Garfinkel, T., Boneh, D., and Winograd,
T. 2007. Reducing
shoulder-surfing by using gaze-based password entry. In
Proceedings of the 3rd Symposium on Usable Privacy and Security
(Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07,
vol. 229. ACM, New York, NY, 13-19. DOI=
http://doi.acm.org/10.1145/1280680.1280683
- Bruce Schneier. Real-World
Passwords. Crypto-Gram Newsletter, December 15, 2006.
- A. Forget, S. Chiasson, P.C. van Oorschot, and R. Biddle. Improving
Text Passwords Through Persuasion. SOUPS 2008.
- C. Herley, P.C. van Oorschot, and A.S. Patrick. Passwords: If We're So
Smart, Why Are We Still Using Them? Financial Cryptography and Data Security (FC 2009), 13th International Conference, Rockley, Christ Church, Barbados, Feb. 2009.
- Campbell, J., Kleeman, D., and Ma, W. 2007. The
Good and Not So Good of Enforcing Password Composition Rules.
Inf. Sys. Sec. 16, 1 (Jan. 2007), 2-8.
- Shay, R., Bhargav-Spantzel, A., and Bertino, E. 2007. Password policy
simulation and analysis. In Proceedings of the 2007 ACM
Workshop on Digital Identity Management (Fairfax, Virginia, USA,
November 02 - 02, 2007). DIM '07. ACM, New York, NY, 1-10. DOI=
http://doi.acm.org/10.1145/1314403.1314405
- Allan, A. Passwords Are Near the Breaking Point:
Gartner Research Note (2004)
- Zviran, M. & Haga, W. J. Password Security: An
Empirical Study. Journal of Management Information
Systems 15, 4 (1999), 161-185
Authentication Questions
- Security and Usability. Chapter 8 Designing Authentication Systems with Challenge
Questions (M. Just)
- A. Rabkin. Personal
knowledge questions for fallback authentication. SOUPS 2008.
- M. Just and D. Aspinall. Personal
Choice and Challenge Questions: A Security and Usability
Assessment. SOUPS 2009.
- Schechter, S., Egelman, S., and Reeder, R.W. It's Not What You Know, but Who You Know: A Social Approach to Last-Resort Authentication. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '09). 2009.
- S. Schechter and R. Reeder. 1 +
1 = You: Measuring the comprehensibility of metaphors for
configuring backup authentication. SOUPS 2009.
- S. Schechter, A.J. Brush, and S. Egelman. It's no secret
Measuring the security and reliability of authentication via `secret'
questions. IEEE Symposium on Security and Privacy 2009.
- M. Jakobsson, L. Yang, and S. Wetzel. Quantifying the
Security of Preference-Based Authentication. DIM '08.
- M. Jakobsson, E. Stolterman, S. Wetzel, and L. Yang. Love and
Authentication. In Proceedings of ACM Human/Computer Interaction
Conference (CHI), 2008.
- D. Ferguson, Best
Practices for Your "Forgot Password" Feature, FishNet Security
White Paper, March 2009.
Graphical Passwords
- Security and Usability. Chapter 9 Graphical Password Schemes (F. Monrose and
M. K. Reiter)
- S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and
N. Memon. Authentication
Using Graphical Passwords: Effects of Tolerance and Image
Choice. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- A. De Angeli, L. Coventry, G. Johnson, and K. Renaud. Is
a picture really worth a thousand words? Exploring the feasibility
of graphical authentication systems. International Journal of Human-Computer Studies
Volume 63, Issues 1-2, July 2005, Pages 128-152.
- X. Suo and Y. Zhu. Graphical
Passwords: A Survey. In Proceedings of the 21st Annual Computer Security Applications Conference
December 5-9, 2005,
Tucson, Arizona.
- F. Tari, A. Ozok, and S. Holden. A Comparison of Perceived and
Real Shoulder-surfing Risks Between Alphanumeric and Graphical
Passwords. In Proceedings of the Symposium On Usable Privacy and
Security 2006, Pittsburgh, PA, July 12-14, 2006.
- Rachna Dhamija and Adrian Perrig, Deja Vu: A User Study Using Images for Authentication. In Proceedings of the 9th
USENIX Security Symposium, August 2000, Denver, Colorado.
- Chiasson, S., Biddle, R., and van Oorschot, P. C. 2007. A second look at the usability of click-based graphical passwords. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07, vol. 229. ACM, New York, NY, 1-12. DOI= http://doi.acm.org/10.1145/1280680.1280682
- Dirik, A. E., Memon, N., and Birget, J. 2007. Modeling user choice in the PassPoints graphical password scheme. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07, vol. 229. ACM, New York, NY, 20-28. DOI= http://doi.acm.org/10.1145/1280680.1280684
- Moncur, W. and Leplatre, G. 2007. Pictures at the ATM: exploring the usability of multiple graphical passwords. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (San Jose, California, USA, April 28 - May 03, 2007). CHI '07. ACM, New York, NY, 887-894. DOI= http://doi.acm.org/10.1145/1240624.1240758.
- Dunphy, P. and Yan, J. 2007. Do background images
improve "draw a secret" graphical passwords?. In Proceedings of
the 14th ACM Conference on Computer and Communications Security
(Alexandria, Virginia, USA, October 28 - 31, 2007). CCS '07. ACM,
New York, NY, 36-47. DOI=
http://doi.acm.org/10.1145/1315245.1315252
- P. Dunphy, J. Nicholson, and P. Olivier. Securing
Passfaces for Description. SOUPS 2008.
- van Oorschot, P. C. and Thorpe, J. 2008. On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Syst. Secur. 10, 4 (Jan. 2008), 1-33.
- Everitt, K. M., Bragin, T., Fogarty, J., and Kohno, T. 2009. A comprehensive study of frequency, interference, and training of multiple graphical passwords. In Proceedings of the 27th international Conference on Human Factors in Computing Systems (Boston, MA, USA, April 04 - 09, 2009). CHI '09. ACM, New York, NY, 889-898.
Biometrics
- Security and Usability. Chapter 10 Biometric Authentication (L. Coventry)
- Security and Usability. Chapter 11 Identifying Users from Their Typing Patterns
(A. Peacock, X. Ke, and M. Wilkerson)
- Biometrics Chapter 13 of Security
Engineering by Ross Anderson
- Papers from the NIST Biometrics and usability web
site
- Killourhy, Kevin S. and Maxion, Roy A. Comparing
Anomaly-Detection Algorithms for Keystroke Dynamics. In
International Conference on Dependable Systems & Networks (DSN-09),
pp. 125-134, Estoril, Lisbon, Portugal, 29 June to 02 July
2009. IEEE Computer Society Press, Los Alamitos, California,
2009.
- Killourhy, Kevin S. and Maxion, Roy A. The Effect of Clock Resolution on Keystroke Dynamics. In 11th International Symposium on Recent Advances in Intrusion Detection (RAID-08), 15-17 September 2008, Cambridge, Massachusetts, R. Lippmann, E. Kirda and A. Trachtenberg (Eds.), Lecture Notes in Computer Science (LNCS), Vol. 5230, pp. 331-350, Springer-Verlag, Berlin, Heidelberg.
- R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon,
K. How, and H. Strong. Expandable Grids
for Visualizing and Authoring Computer Security Policies. ACM
SIGCHI Conference on Human Factors in Computing Systems (CHI
'08). 2008.
- L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system.
SOUPS 2007.
- L. Bauer, L. Cranor, R. W. Reeder, M. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system.
CHI 2008.
- R. Maxion and R. Reeder. Improving
user-interface dependability through mitigation of human
error. International Journal of Human-Computer Studies
Volume 63, Issues 1-2 , July 2005, p. 25-50.
- C. Kuo, V. Goh, A. Tang, A. Perrig, and J. Walker. Empowering Ordinary Consumers to Securely Configure Their Mobile Devices and Wireless Networks. Carnegie Mellon CyLab Technical Report CMU-CyLab-05-005. December 7, 2005.
- D. Ferraiolo, D. Gilbert and N. Lynch. Assessing Federal and Commercial Information Security Needs. NIST Technical Report, November 1992.
- K. Vaniea, C.M. Karat, J.B. Gross, J. Karat, and C. Brodie. Evaluating
Assistance of Natural Language Policy Authoring. SOUPS
2008.
- P. Inglesant, M.A. Sasse, D. Chadwick, and L.L. Shi. Expressions
of Expertness: The Virtuous Circle of Natural Language for Access
Control Policy Specification. SOUPS 2008.
- F. Raja, K. Hawkey, K. Beznosov. Revealing
Hidden Context: Improving Mental Models of Personal Firewall
Users. SOUPS 2009.
- A. Besmer, H. Lipford, M. Shehab, and G. Cheek. Social
Applications: Exploring A More Secure Framework. SOUPS
2009.
- J. Goecks, W.K. Edwards, and E.D. Mynatt. Challenges
in Supporting End-User Privacy and Security Management with Social
Navigation. SOUPS 2009.
- D. Smetters and N. Good. How
Users Use Access Control. SOUPS 2009.
- Stevens, G. and Wulf, V. 2009. Computer-supported
access control. ACM Trans. Comput.-Hum. Interact. 16, 3
(Sep. 2009), 1-26. DOI=
- M. Johnson, S. Bellovin, R. Reeder, and
S. Schechter. Laissez-faire file sharing: Access control designed
for individuals at the endpoints. NSPW'09.
- Security and Usability. Chapter 18 Security Administration Tools and Practices
(E. Kandogan and E. Haber)
- G. Conti, M. Ahamad, and J. Stasko. Attacking
Information Visualization System Usability Overloading and
Deceiving the Human. In Proceedings of the Symposium On Usable Privacy and
Security 2005, Pittsburgh, PA, July 6-8, 2005.
- Almut Herzog and Nahid Shahmehri. Security and Usability of Personal Firewalls. Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007), 14-16 May 2007, Sandton, South Africa.
- Yurcik, W., Thompson, R. S., Twidale, M. B., and Rantanen, E. M. 2007. If you can't beat 'em, join 'em: combining text and visual interfaces for security-system administration. interactions 14, 1 (Jan. 2007), 12-14.
- Botta, D., Werlinger, R., Gagne, A., Beznosov, K., Iverson, L.,
Fels, S., and Fisher, B. 2007. Towards
understanding IT security professionals and their tools. In
Proceedings of the 3rd Symposium on Usable Privacy and Security
(Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07,
vol. 229. ACM, New York, NY, 100-111. DOI=
http://doi.acm.org/10.1145/1280680.1280693
- R. Werlinger, K. Hawkey, K. Muldner, P. Jaferian and
K. Beznosov. The
Challenges of Using an Intrusion Detection System: Is It Worth the
Effort? SOUPS 2008.
- Security and Usability. Chapter 16 Making the Impossible Easy: Usable PKI (D. Balfanz,
G. Durfee, and D.K. Smetters)
- Security and Usability. Chapter 30 Embedding Security in Collaborative Applications: A
Lotus/Domino Perspective (M.E. Zurko)
- A. Studer, C. Johns, J. Kase, K. O'Meara, L. Cranor. A
Survey to Guide Group Key Protocol Development. Annual Computer
Security Applications Conference (ACSAC) 2008.
- D. Davis. Compliance
Defects in Public-Key Cryptography. USENIX Security 1996.
- Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly.
Secrecy,
Flagging, and Paranoia: Adoption Criteria in Encrypted
E-Mail. Proceedings of CHI 2006 Conference on Human Factors
in Computing Systems, 2006.
Device pairing