5-899 / 17-500 Usable Privacy and Security

Spring 2006: Wean Hall 5409, Tuesdays and Thursdays 9-10:20 am
Class web site: http://cups.cs.cmu.edu/courses/ups-sp06/
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/ups

Professor: Lorrie Cranor

Professor: Michael Reiter

Professor: Jason Hong

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an important role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user interface problems related to privacy and security and to give them experience in designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do a weekly reading assignment and each week different students will prepare a presentation for the class. Students will also work on a group project throughout the semester. The course is open to all graduate students who have technical backgrounds. Juniors and seniors may enroll with permission of one of the instructors.

Required Texts

Readings will be assigned from the following text (available in the CMU bookstore and from all the usual online stores). Additional readings will be assigned from papers available online or handed out in class.

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Week 1 (January 17, 19): Course overview and introduction to HCI methods

Week 2 (January 24, 26): Introduction to privacy and security

Week 3 (January 31, February 2): User studies

Week 4 (February 7, 9): Introduction to usable privacy and security

Week 5 (February 14, 16): Secure interaction design

Week 6 (February 21, 23): Trust and semantic attacks

Week 7 (February 28, March 2): Design for privacy

Week 8 (March 7, 9): Visualizing privacy

Spring Break

Week 9 (March 21, 23): Web browser privacy and security

Week 10 (March 28, 30): Authentication overview and text passwords

Week 11 (April 4, 6): Project progress report presentations

Week 12 (April 11, 13): Biometrics and graphical passwords

Week 13 (April 18): PKIs and secure communications

Week 14 (April 25, 27): CHI 2006

Week 15 (May 2, 4): Tools for security administration and Final project presentations

This class will have no final exam, however, the final exam period on May 9 at 9 am will be used for final project presentations. Final project papers will be due May 12 at 4pm.

Course Requirements and Grading

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which the cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructors.

Your final grade in this course will be based on:


Homework assignments for this class will include reading summaries and lecture notes. Your two lowest homework grades will be dropped from your homework average.

Students are expected to do reading assignments prior to class so that they can participate fully in class discussions. Students must submit a short summary (3-8 sentences) and a "highlight" for each chapter or article in the reading assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc. Summaries and highlights are due in class at 9:15 am each Tuesday. Summaries and highlights will not be accepted late. If you do not attend class, you will not be permitted to submit your summaries and highlights.

Students will be assigned to take notes during one or more of the class lectures. Each set of notes will count as an additional homework assignment. Notes should be emailed to the instructors as text, HTML, or PDF (with accompanying Word or Latex) within 48 hours of the lecture for which they were taken. These notes will be posted on the class web site. In addition, the instructors may include all or part of your notes in an instructor's guide they are writing for future usable privacy and security courses.


Each student will be assigned a class lecture to prepare and present. The lecture should be based on the topics covered in that week's reading assignment, but it should go beyond the materials in the reading. For example, you might read and present some of the related work mentioned in the reading or that you find on your own (the HCISec Bibliography is a good starting point for finding relevant papers), you might present some of the optional reading materials, you might demonstrate software mentioned in the reading, you might critique a design discussed in the reading, or you might design a class exercise for your classmates. As part of your lecture you should prepare several discussion questions and lead a class discussion. You should also introduce your fellow students to terminology and concepts they might not be familiar with that are necessary to understand the material you are presenting. You should email to the instructors a set of PowerPoint slides including lecture notes and discussion questions. These slides will be posted on the class web site. In addition, the instructors may include all or part of your presentation slides and notes in an instructor's guide they are writing for future usable privacy and security courses.


Students will work on semester projects in small groups that include students with a variety of areas of expertise. Each project group will propose a project. It is expected that most projects will involve the design of a user study to evaluate the design of an existing or proposed privacy- or security-related system or gain insight into users' attitudes or mental models related to some aspect of security or privacy. Groups with ideas for other types of projects should discuss them with the professors before submitting their project proposals. As part of the project students will: