5-899 / 17-500 / 17-800 Usable Privacy and Security

Spring 2007: Porter Hall A22, Tuesdays and Thursdays 3-4:20 pm
Class web site: http://cups.cs.cmu.edu/courses/ups-sp07/
Class mailing list: http://cups.cs.cmu.edu/mailman/listinfo/ups

Professor: Lorrie Cranor

Professor: Jason Hong

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an important role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user interface problems related to privacy and security and to give them experience in designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do a weekly reading assignment and each week different students will prepare a presentation for the class. Students will also work on a group project throughout the semester.

Required Texts

Readings will be assigned from the following text (available in the CMU bookstore and from all the usual online stores). Additional readings will be assigned from papers available online or handed out in class.

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Week 1 (January 16, 18): Course overview / Introduction to HCI methods

Week 2 (January 23, 25): Introduction to privacy and security

Week 3 (January 30, February 1): User studies

Week 4 (February 6, 8): Secure interaction design

Week 5 (February 13, 15): User studies exercises / Project group formation

Week 6 (February 20, 22: Design for privacy

Week 7 (February 27, March 1): Visualizing privacy

Week 8 (March 6, 8): Web browser privacy and security

Spring Break

Week 9 (March 20, 22): Authentication and access control overview / text passwords

Week 10 (March 27, 29): Biometrics / Graphical passwords

Week 11 (April 3, 5): Project progress report presentations

Week 12 (April 10, 12): Trust and semantic attacks

Week 13 (April 17): Trust and semantic attacks

Week 14 (April 24, 26): PKIs and secure communications / Tools for security administration

Week 15 (May 2, 4):

This class will have no final exam, however, the final exam period on May 8, 5:30-8:30 pm (Porter Hall A18A) will be used for final project presentations. Final project papers will be due May 11 at 4pm.

Course Requirements and Grading

Cheating and plagiarism will not be tolerated. Students caught cheating or plagiarizing will receive no credit for the assignment on which the cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructors.

Your final grade in this course will be based on:


Homework assignments for this class will include reading summaries as well as written assignments. All homework is due in class at 3:15 pm each Tuesday. Homework will not be accepted late. If you do not attend class, you will not be permitted to submit your homework. Homework will be graded as check-plus (100%), check (80%), check-minus (60%) or 0. Your two lowest homework grades will be dropped from your homework average.

Students are expected to do reading assignments prior to class so that they can participate fully in class discussions. Students must submit a short summary (3-8 sentences) and a "highlight" for each chapter or article in the reading assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Students in 17-800 and 5-899 are expected to include a summary and highlight for one optional reading of their choice each week (only for weeks when optional readings are provided). All other students are encouraged to review some of the optional readings that they find interesting, but they need not submit summaries or highlights of the optional readings.


Each student will be assigned a class lecture to prepare and present. The lecture should be based on the topics covered in that week's reading assignment, but it should go beyond the materials in the required reading. For example, you might read and present some of the related work mentioned in the reading or that you find on your own (the HCISec Bibliography is a good starting point for finding relevant papers), you might present some of the optional reading materials, you might demonstrate software mentioned in the reading, you might critique a design discussed in the reading, or you might design a class exercise for your classmates. As part of your lecture you should prepare several discussion questions and lead a class discussion. You should also introduce your fellow students to terminology and concepts they might not be familiar with that are necessary to understand the material you are presenting. You should email to the instructors a set of PowerPoint slides including lecture notes and discussion questions. These slides will be posted on the class web site. In addition, the instructors may include all or part of your presentation slides and notes in an instructor's guide they are writing for future usable privacy and security courses.

Students in 17-800 and 5-899 will be assigned all or most of a class period for their lecture. Other students will be assigned a time slot of no more than 30 minutes.


Students will work on semester projects in small groups that include students with a variety of areas of expertise. Each project group will propose a project. It is expected that most projects will involve the design of a user study to evaluate the design of an existing or proposed privacy- or security-related system or gain insight into users' attitudes or mental models related to some aspect of security or privacy. Groups with ideas for other types of projects should discuss them with the professors before submitting their project proposals. As part of the project students will:

Students signed up for 17-800 and 5-899 are expected to play a leadership role in a project group and write a project paper suitable for publication.