05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security

Spring 2015: GHC 5222, Tuesdays and Thursdays 3:00pm-4:20pm
Class web site: http://cups.cs.cmu.edu/courses/ups-sp15/
Class mailing list: https://mailman.srv.cs.cmu.edu/mailman/listinfo/ups-class

Professor Lorrie Cranor
Email: lorrie AT cmu DOT edu
Web: http://lorrie.cranor.org/
Phone: 412-268-7534
Office: CIC 2207
Office hours: By appointment

Blase Ur
Email: blase AT blaseur DOT com
Web: http://www.blaseur.com/
Phone: --
Office: CIC 2222 (cubicles)
Office hours: By appointment

Rich Shay
Email: rich AT richshay DOT com
Web: http://www.richshay.com/
Phone: --
Office: CIC 2222 (cubicles)
Office hours: By appointment

Students in this course may also be interested in joining the CUPS mailing list.

This course does not use Blackboard.

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an important role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do reading assignments for each class. Students will also work on a group project throughout the semester.

The course is open to all graduate students who have technical backgrounds. The 12-unit course numbers (08-734 and 5-836) are for PhD students and masters students. Students enrolled in these course numbers will be expected to play a leadership role in a group project that produces a paper suitable for publication. The 9-unit 500-level course numbers (08-534 and 05-436) are for juniors, seniors, and masters students. Students enrolled in these course numbers will have less demanding project and presentation requirements.

Readings

Readings will be assigned from the following text (available in the CMU bookstore and from all the usual online stores):

Research Methods in Human-Computer Interaction. Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser

Additional readings will be assigned from papers available online or handed out in class. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU VPN).

Course Schedule

Note, this is subject to change. The class web site will have the most up-to-date version of this calendar.

Date	Topics	Assignment To be done before coming to class
Tuesday, January 13	01. Course overview and introductions (Lorrie) [SLIDES]	No readings for this class.
Thursday, January 15	02. Introduction to security; usable encryption (Blase) [SLIDES]	[Required for 9-unit and 12-unit students] Alma Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999. (USENIX '99) Optional reading: Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, and Uwe Sander. Helping Johnny 2.0 to Encrypt His Facebook Conversations. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) [HCI] Shirley Gaw, Edward W. Felten, and Patricia Fernandez-Kelly. Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted Email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06) Sumeet Gujrati and Eugene Y. Vasserman. The usability of Truecrypt, or how I learned to stop whining and fix an interface. In Proceedings of the third ACM Conference on Data and Application Security and Privacy, 2013. (CODASPY '13) [HCI] Scott Ruoti, Nathan Kim, Ben Burgon, Timothy van der Horst, Kent Seamons. Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [Security] Mark D. Ryan. Enhanced certificate transparency and end-to-end encrypted mail. In Proceedings of the 21st Annual Network & Distributed System Security Symposium, 2014. (NDSS '14)
Tuesday, January 20	03. Reasoning about the human in the loop (Lorrie) [SLIDES \| Privacy Illustrated]	[Required for 9-unit and 12-unit students] Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of the 1st Conference on Usability, Psychology, and Security, 2008. (UPSEC '08) Optional reading: Anne Adams and Martina Angela Sasse. Users Are Not The Enemy. In Communications of the ACM, Volume 42, Issue 12, pp. 40-46, December 1999. L. Jean Camp. Reconceptualizing the Role of Security User. In Daedalus, Volume 140, Number 4, pp. 93-107, Fall 2011. W. Keith Edwards, Erika Shehan Poole, and Jennifer Stoll. Security Automation Considered Harmful? In Proceedings of the 2007 New Security Paradigms Workshop, 2007. (NSPW '07) Steven Furnell. Making security usable: Are things improving? In Computers & Security, Volume 26, Issue 6, pg. 434-443, September 2007. M.E. Kabay. Using Social Psychology to Implement Security Policies. In Computer Security Handbook, 4th edition, 2002. Butler Lampson. Usable Security: How to Get It. In Communications of the ACM, Volume 52, Issue 11, pp. 25-27, November 2009.
Thursday, January 22	04. Introduction to privacy; the difficulty of measuring privacy (Lorrie) [SLIDES] Homework 1 due	[Required for 9-unit and 12-unit students] Allison Woodruff, Vasyl Pihur, Sunny Consolvo, Lauren Schmidt, Laura Brandimarte, and Alessandro Acquisti. Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) Optional reading: Alex Braunstein, Laura Granka, and Jessica Staddon. Indirect Content Privacy Surveys: Measuring Privacy Without Asking About It. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11) Lorrie Faith Cranor, Adam L. Durity, Abigail Marsh, and Blase Ur. Parents' and Teens' Perspectives on Privacy In a Technology-Filled World. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) Alexei Czeskis, Ivayla Dermendjieva, Hussein Yapit, Alan Borning, Batya Friedman, Brian Gill, and Tadayoshi Kohno. Parenting from the Pocket: Value Tensions and Technical Directions for Secure and Private Parent-Teen Mobile Safety. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) Giovanni Iachello and Jason Hong. End-User Privacy in Human-Computer Interaction. In Foundations and Trends in HCI, Volume 1, Number 1, pp. 1-137, 2007. Scott Lederer, Jason I. Hong, Anind K. Dey, James A. Landay. Personal Privacy through Understanding and Action: Five Pitfalls for Designers. Carnegie Mellon University Technical Report. Human-Computer Interaction Institute. Paper 78. 2004.
Tuesday, January 27	05. Introduction to experimental design: overview of methods, ethics/deception, and ecological validity (Blase) [SLIDES]	[Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 2: Experimental Research [Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 3: Experimental Design [Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 14: Working With Human Subjects [Required only for 12-unit students] Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. In Communications of the ACM, Volume 50, Issue 10, pp. 94-100, October 2007. Optional reading: Lazar et al. Research Methods in Human-Computer Interaction. Chapter 10: Usability Testing [Ethics] Cristian Bravo-Lillo, Serge Egelman, Cormac Herley, Stuart Schechter, and Janice Tsai. You Needn't Build That: Reusable Ethics-Compliance Infrastructure for Human Subjects Research. In Proceedings of the Cyber-security Research Ethics Dialog & Strategy Workshop, 2013. (CREDS '13) Roy A. Maxion. Making Experiments Dependable. In Dependable and Historic Computing, Lecture Notes in Computer Science Volume 6875, pp. 344-357, 2011.
Thursday, January 29	06. Introduction to crowdsourced studies (Rich) [SLIDES] Homework 2 due Discuss course projects in class	[Required for 9-unit and 12-unit students] Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable?. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14) [Required for 9-unit and 12-unit students] Manya Sleeper, Justin Cranshaw, Patrick Gage Kelley, Blase Ur, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. "I read my Twitter the next morning and was astonished": A Conversational Perspective on Twitter Regrets. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) [Required only for 12-unit students] Ruogu Kang, Stephanie Brown, Laura Dabbish, and Sara Kiesler. Privacy Attitudes of Mechanical Turk Workers and the U.S. Public. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) Optional reading: Michael Buhrmester, Tracy Kwang, and Samuel D. Gosling. Amazon's Mechanical Turk: A New Source of Inexpensive, Yet High-Quality, Data?. In Perspectives on Psychological Science, Volume 6, Number 1, pp. 3-5, 2011. Panagiotis G. Ipeirotis. Demographics of Mechanical Turk. New York University Technical Report, 2010. Panagiotis G. Ipeirotis, Foster Provost, and Jing Wang. Quality Management on Amazon Mechanical Turk. In Proceedings of the ACM SIGKDD Workshop on Human Computation, 2010. (HCOMP '10) Patrick Gage Kelley. Conducting usable privacy and security studies with Amazon's Mechanical Turk. In Proceedings of the Usable Security Experiment Reports Workshop, 2010. (USER '10) Aniket Kittur, Ed H. Chi, and Bongwon Suh. Crowdsourcing User Studies With Mechanical Turk. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08)
Tuesday, February 3	07. Qualitative studies: surveys, interviews, focus groups, and diary studies (Blase) [SLIDES]	[Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 5: Surveys [Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 8: Interviews and Focus Groups [Required for 9-unit and 12-unit students] Xuan Zhao, Niloufar Salehi, Sashi Naranjit, Sara Alwaalan, Stephen Voida, and Dan Cosley. The Many Faces of Facebook: Experiencing Social Media as Performance, Exhibition, and Personal Archive. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) Optional reading: Lazar et al. Research Methods in Human-Computer Interaction. Chapter 6: Diaries Lazar et al. Research Methods in Human-Computer Interaction. Chapter 7: Case Studies
Thursday, February 5	08. Usable privacy and security in the home; analyzing qualitative data (Blase) [SLIDES] Homework 3 due Project preference forms also due	[Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 11: Analyzing Qualitative Data [Required for 9-unit and 12-unit students] Blase Ur, Jaeyeon Jung, and Stuart Schechter. Intruders versus intrusiveness: Teens' and parents' perspectives on home-entryway surveillance . In Proceedings of the 2014 ACM Conference on Ubiquitous Computing, 2014. (UbiComp '14) Optional reading: [HCI] A.J. Brush, Jaeyeon Jung, Ratul Mahajan, and Frank Martinez. Digital Neighborhood Watch: Investigating the Sharing of Camera Data Amongst Neighbors. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13) Eun Kyoung Choe, Sunny Consolvo, Jaeyeon Jung, Beverly Harrison, Julie Kientz, and Shwetak Patel. Investigating Receptiveness to Sensing and Inference in the Home Using Sensor Proxies. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing, 2012. (UbiComp '12) [Security] Tamara Denning, Tadayoshi Kohno, and Henry M. Levy. Computer Security in the Modern Home. In Communications of the ACM, Volume 56, Issue 1, pp. 94-103, January 2013. Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker. Challenges in Access Right Assignment for Secure Home Networks. In Proceedings of the 5th USENIX Workshop on Hot Topics in Security. (HotSec'10) Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10) Stuart Schechter. The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button! In Proceedings of the Workshop on Home Usable Privacy and Security, 2013. (HUPS '13)
Tuesday, February 10	09. Practicalities of research: IRBs and teamwork (Lorrie) Project teams assigned (no written assignment)	No readings for this class.
Thursday, February 12	10. Quantitative data collection; field studies; hypothesis testing; simulating attack scenarios (Rich) [SLIDES] Homework 4 due	[Required for 9-unit and 12-unit students] Marian Harbach, Emanuel von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. It's a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) [Required for 9-unit and 12-unit students] Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007. (Oakland '07) Optional reading: Lazar et al. Research Methods in Human-Computer Interaction. Chapter 12: Automated Data Collection Methods Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13) Alexander De Luca, Marc Langheinrich, and Heinrich Hussmann. Towards Understanding ATM Security - A Field Study of Real World ATM Use. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) Dinei Florêncio and Cormac Herley. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th international conference on World Wide Web, 2007. (WWW '07) Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. A Field Trial of Privacy Nudges for Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)
Tuesday, February 17	11. Security warnings (Lorrie) [SLIDES] Project proposal due	[Required for 9-unit and 12-unit students] Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Robert W. Reeder, Stuart Schechter, and Manya Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) Optional reading: Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, and Saranga Komanduri. Bridging the gap in computer security warnings: A mental model approach. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 18-26, March 2011. Cristian Bravo-Lillo, Lorrie Faith Cranor, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Operating system framed in case of mistaken identity. In Proceedings of the 2012 ACM SIGSAC conference on Computer & Communications Security, 2012. (CCS '12) [HCI] Serge Egelman, Lorrie Faith Cranor, and Jason Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08) David Modic and Ross J. Anderson. Reading this May Harm Your Computer: The Psychology of Malware Warnings. Available online on SSRN, 2014. [HCI] Na Wang, Jens Grossklags, and Heng Xu. An Online Experiment of Privacy Authorization Dialogues for Social Applications. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)
Thursday, February 19	12. Analyzing quantitative data with statistics (Blase) [SLIDES] Homework 5 due	[Required for 9-unit and 12-unit students] Lazar et al. Research Methods in Human-Computer Interaction. Chapter 4: Statistical Analysis Optional reading: (Various) Mark S. Kaiser. Any one of the chapters on advanced statistical methods. (Factor Analysis) Frank J. Floyd and Keith F. Widaman. Factor Analysis in the Development and Refinement of Clinical Assessment Instruments. (Mixed Models) Donald Hedeker. Generalized Linear Mixed Models. (Mixed Models) Any one of the chapters on mixed-effects models (with R tutorials) (Repeated Measures) Michael Kristensen and Thomas Hansen. Statistical analyses of repeated measures in physiological research: a tutorial (Regression Analysis) Alan O. Sykes. An Introduction to Regression Analysis. (Regression Analysis) Robert Kieschnick and B.D. McCullough. Regression analysis of variates observed on (0, 1): percentages, proportions and fractions
Tuesday, February 24	13. Text passwords; graphical passwords (Rich) [SLIDES]	[Required for 9-unit and 12-unit students] Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Optional reading: Robert Biddle, Sonia Chiasson, and P.C. van Oorschot. Graphical Passwords: Learning from the First Twelve Years. In ACM Computing Surveys, Volume 44, Issue 4, August 2012. [Security] Joseph Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12) Joseph Bonneau and Stuart Schechter. Towards reliable storage of 56-bit secrets in human memory. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14) Sonia Chiasson, Alain Forget, Elizabeth Stobert, P.C. van Oorschot, and Robert Biddle. Multiple password interference in text and click-based graphical passwords. In Proceedings of the 2009 ACM SIGSAC conference on Computer & Communications Security, 2009. (CCS '09) [Security] Darren Davis, Fabian Monrose, and Michael K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04) Eiji Hayashi, Jason Hong, and Nicolas Christin. Security through a different kind of obscurity: Evaluating Distortion in Graphical Authentication Schemes. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) [Security] Ari Juels and Ronald L. Rivest. Honeywords: Making Password-Cracking Detectable. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14) [HCI] Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, Paul C. van Oorchot. Tapas: Design, Implementation, and Usability Evaluation of a Password Manager. In Proceedings of the 28th Annual Computer Security Applications Conference, 2012. (ACSAC '12) [HCI] Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber. Exploring the Design Space of Graphical Passwords on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) [Security] David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. Password Managers: Attacks and Defenses. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14) [HCI] Elizabeth Stobert and Robert Biddle. The Password Life Cycle: User Behaviour in Managing Passwords. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)
Thursday, February 26	14. Authentication in practice: challenge questions, two-factor auth, and biometrics (Rich) [SLIDES] Homework 6 due IRB applications must be submitted to the IRB no later than this date	[Required for 9-unit and 12-unit students] Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. It's No Secret: Measuring the Security and Reliability of Authentication via 'Secret' Questions. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, 2009. (S&P '09 / Oakland '09) Optional reading: Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, and Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. In Proceedings of the NDSS Workshop on Usable Security, 2015. (USEC '15) [Application] Eric Grosse and Mayank Upadhyay, Authentication at Scale, IEEE Security & Privacy (magazine), vol. 11, no. 1, pp. 15-22, January-Febuary 2013. Eiji Hayashi, Sauvik Das, Shahriyar Amini, Jason Hong, Ian Oakley. CASA: Context-Aware Scalable Authentication. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) Anil K. Jain, Arun Ross, and Salil Prabhakar. An introduction to biometric recognition. In IEEE Transactions on Circuits and Systems for Video Technology, Volume 14, Issue 1, pp. 4-20, 2004. [HCI] Mike Just and David Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09) Kat Krol, Eleni Philippou, Emiliano De Cristofaro, and M. Angela Sasse. "They brought in the horrible key ring thing!" Analysing the Usability of Two-Factor Authentication in UK Online Banking. In Proceedings of the NDSS Workshop on Usable Security, 2015. (USEC '15) [Security] Tey Chee Meng, Payas Gupta, and Debin Gao. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13) Saurabh Panjwani and Edward Cutrell. Usably Secure, Low-Cost Authentication for Mobile Banking. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10) Robert W. Reeder and Stuart Schechter. When the Password Doesn't Work: Secondary Authentication for Websites. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 43-49, March 2011. Stuart Schechter, Serge Egelman, and Robert W. Reeder. It's not what you know, but who you know: A social approach to last-resort authentication. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2009. (CHI '09)
Tuesday, March 3	15. SSL, PKIs, and secure communication (Blase) [SLIDES]	[Required for 9-unit and 12-unit students] Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the 18th USENIX Security Symposium, 2009. (USENIX '09) Optional reading: Devdatta Akhawe, Bernhard Amann, Matthias Vallentin, and Robin Sommer. Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web. In Proceedings of the 22nd international conference on World Wide Web, 2013. (WWW '13) [Economics] Hadi Asghari, Michel J.G. van Eeten, Axel M. Arnbak, and Nico A.N.M. van Eijk. Security Economics in the HTTPS Value Chain. In Workshop on the Economics of Information Security, 2013. (WEIS '13). [Security] Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13) [Security] Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. The Matter of Heartbleed. In Proceedings of the 14th ACM Internet Measurement Conference, 2014. (IMC '14) Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. Rethinking SSL Development in an Appified World. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Simson L. Garfinkel and Robert C. Miller. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05). Also go through the The Johnny 2 Construction Kit for Testing Email Security from the SOUPS 2006 Security User Studies Workshop User Studies Construction Kits collection. Michael Kranch and Joseph Bonneau. Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning. In Proceedings of The 2015 Network and Distributed System Security Symposium, 2015. (NDSS '15) Christopher Soghoian and Sid Stamm. Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. In Proceedings of the 15th international conference on Financial Cryptography and Data Security, 2011. (FC '11) [HCI] Andreas Sotirakopoulos, Kirstie Hawkey, and Konstantin Beznosov. On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11) Pawel Szalachowski, Stephanos Matsumoto, and Adrian Perrig. PoliCert: Secure and Flexible TLS Certificate Management. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
Thursday, March 5	16. In-class midterm exam 1	No readings for this class.
Tuesday, March 10	No class due to spring break	No readings for this class.
Thursday, March 12	No class due to spring break	No readings for this class.
Tuesday, March 17	17. Usability of privacy policies and the dimensions of privacy notice (Joint lecture by Lorrie and special guest Florian Schaub) [SLIDES]	[Required for 9-unit and 12-unit students] Lorrie Faith Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. In Journal of Telecommunications and High Technology Law, Volume 10, Number 2, 2012. Optional reading: [HCI] Rebecca Balebako, Richard Shay, and Lorrie Faith Cranor. Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice Categories. Carnegie Mellon University Technical Report CMU-CyLab-13-011, 2013. Travis D. Breaux and Florian Schaub. Scaling Requirements Extraction to the Crowd: Experiments with Privacy Policies. In 22nd IEEE International Requirements Engineering Conference, 2014. (RE '14) Lorrie Faith Cranor, Praveen Guduru, and Manjula Arjula. User interfaces for privacy agents. In ACM Transactions on Computer-Human Interaction (TOCHI), Volume 13, Issue 2, pp. 135-178, June 2006. Pedro G. Leon, Justin Cranshaw, Lorrie Faith Cranor, Jim Graves, Manoj Hastak, Blase Ur, and Guzi Xu. What Do Online Behavioral Advertising Disclosures Communicate to Users? In Proceedings of the 11th annual ACM Workshop on Privacy in the Electronic Society, 2012. (WPES '12) [HCI] Aleecia McDonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. A Comparative Study of Online Privacy Policies and Formats. In Proceedings of the 9th International Symposium on Privacy Enhancing Technologies, 2009. (PETS '09) Joel R. Reidenberg, Travis D. Breaux, Lorrie Faith Cranor, Brian French, Amanda Grannis, James T. Graves, Fei Liu, Aleecia M. McDonald, Thomas B. Norton, Rohan Ramanath, N. Cameron Russell, Norman Sadeh, Florian Schaub. Disagreeable Privacy Policies: Mismatches between Meaning and Users' Understanding. In Berkeley Technology Law Journal, vol. 30, 2015 (forthcoming).
Thursday, March 19	18. Designing a usable, short-form privacy notice (Blase) [SLIDES] Homework 7 due	[Required for 9-unit and 12-unit students] Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10) [Required only for 12-unit students] Lorrie Faith Cranor, Pedro G. Leon, and Blase Ur. A Large-Scale Evaluation of U.S. Financial Institutions' Standardized Privacy Notices. (Under review).
Tuesday, March 24	19. Progress report presentations (Lorrie) Project progress report due	[Required for 9-unit and 12-unit students] Stuart Schechter. Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them, 2009.
Thursday, March 26	20. Progress report presentations (Lorrie)	No readings for this class.
Tuesday, March 31	21. Privacy and security for mobile and ubicomp devices (Lorrie) [SLIDES]	[Required for 9-unit and 12-unit students] Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) [Required for 9-unit and 12-unit students] Jason Hong. Considering privacy issues in the context of Google Glass. In Communications of the ACM, Volume 56, Issue 11, pp. 10-11, November 2013. Optional reading: [HCI] Rebecca Balebako, Jaeyeon Jung, Wei Lu, Lorrie Cranor, and Carolyn Nguyen. "Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13) Serge Egelman, Sakshi Jain, Rebecca S. Portnoff, Kerwell Liao, Sunny Consolvo, and David Wagner. Are You Ready to Lock? Understanding User Motivations for Smartphone Locking Behaviors. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14) [HCI] Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) [Security] Benjamin Livshits and Jaeyeon Jung. Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13) [Security] Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, and Angelos D. Keromytis. Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14) [Security] Shashi Shekhar, Michael Dietz, and Dan S. Wallach. AdSplit: Separating smartphone advertising from applications. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)
Thursday, April 2	22. Making privacy and anonymity tools usable (Blase) [SLIDES] Homework 8 due	[Required for 9-unit and 12-unit students] Greg Norcie, Jim Blythe, Kelly Caine, and L. Jean Camp. Why Johnny Can't Blow the Whistle: Identifying and Reducing Usability Issues in Anonymity Systems. In Proceedings of the NDSS Workshop on Usable Security, 2014. (USEC '14) Optional reading: [Security] Simurgh Aryan, Homa Aryan, and J. Alex Halderman. Internet Censorship in Iran: A First Look. In Proceedings of the 3rd USENIX Workshop on Free and Open Communications on the Internet, 2013. (FOCI '13) [Security] Roger Dingledine, Nick Matthewson, and Paul Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04) [Security] Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) [Security] Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. A Critical Evaluation of Website Fingerprinting Attacks. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14) [Security] Prateek Mittal, Matthew Wright, and Nikita Borisov. Pisces: Anonymous Communication Using Social Networks. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13) [Security] Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. Effective Attacks and Provable Defenses for Website Fingerprinting. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14) [Security] Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman. Telex: Anticensorship in the Network Infrastructure. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11)
Tuesday, April 7	23. Designing privacy tools for web browsing (Guest lecture by Pedro Leon) [SLIDES]	[Required for 9-unit and 12-unit students] Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12) Optional reading: [Security] Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14) Gaurav Aggarwal, Elie Bursztein, Collin Jackson, and Dan Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Security Symposium, 2010. (USENIX '10) Rachna Dhamija and J.D. Tygar. The Battle Against Phishing: Dynamic Security Skins. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05) Jonathan R. Mayer and John C. Mitchell. Third-Party Web Tracking: Policy and Technology. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13) Franziska Roesner, Christopher Rovillos, Tadayoshi Kohno, and David Wetherall. ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets. In USENIX ;login: magazine, Volume 37, Number 4, August 2012. Blase Ur, Pedro G. Leon, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
Thursday, April 9	24. Social networks and privacy (Guest lecture by Manya Sleeper) [SLIDES] Homework 9 due	[Required for 9-unit and 12-unit students] Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and Privacy: It's Complicated. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12) Optional reading: Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur. The Post Anachronism: The Temporal Dimension of Facebook Privacy. In Proceedings of the 12th annual ACM Workshop on Privacy in the Electronic Society, 2013. (WPES '13) Michael S. Bernstein, Eytan Bakshy, Moira Burke, and Brian Karrer. Quantifying the Invisible Audience in Social Networks. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13) Sanjay Kairam, Michael J. Brzozowski, David Huffaker, and Ed H. Chi. Talking in Circles: Selective Sharing in Google+. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12) Huina Mao, Xin Shuai, and Apu Kapadia. Loose Tweets: An Analysis of Privacy Leaks on Twitter. In Proceedings of the 10th annual ACM Workshop on Privacy in the Electronic Society, 2011. (WPES '11) Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor. The Post that Wasn't: Exploring Self-Censorship on Facebook. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13) Fred Stutzman, Ralph Gross, and Alessandro Acquisti. Silent Listeners: The Evolution of Privacy and Disclosure on Facebook. In Journal of Privacy and Confidentiality, Volume 4, Number 2, pp. 7-41, 2012. Yang Wang, Saranga Komanduri, Pedro Giovanni Leon, Gregory Norcie, Alessandro Acquisti, and Lorrie Faith Cranor. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11) Jason Watson, Andrew Besmer, Heather Richter Lipford. +Your Circles: Sharing Behavior on Google+. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
Tuesday, April 14	25. User education/training; anti-phishing; behavioral economics (Lorrie) [SLIDES]	[Required for 9-unit and 12-unit students] Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why Phishing Works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06) Optional reading: Alessandro Acquisti and Jens Grossklags. Privacy and rationality in individual decision making. In IEEE Security and Privacy magazine, Volume 3, Issue 1, pp. 26-33, January 2005. Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14) Serge Egelman, David Molnar, Nicolas Christin, Alessandro Acquisti, Cormac Herley, and Shriram Krishnamurthi. Please Continue to Hold: An empirical study on user tolerance of security delays. In Workshop on the Economics of Information Security, 2010. (WEIS '10). Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. Using personal examples to improve risk communication for security & privacy decisions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14) Cormac Herley. Why do Nigerian Scammers say they are from Nigeria? In Workshop on the Economics of Information Security, 2012. (WEIS '12). Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Teaching Johnny Not to Fall for Phish. In ACM Transactions on Internet Technology (TOIT), Volume 10, Issue 2, May 2010. Fanny Lalonde Lévesque, Jude Nsiempba, José M. Fernandez, Sonia Chiasson, Anil Somayaji. A Clinical Study of Risk Factors Related to Malware Infections. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13) Sören Preibusch, Kat Krol, and Alastair R. Beresford. The Privacy Economics of Voluntary Over-disclosure in Web Forms. In Workshop on the Economics of Information Security, 2012. (WEIS '12).
Thursday, April 16	No class due to Carnival	No readings for this class.
Tuesday, April 21	26. In-class midterm exam 2	No readings for this class.
Thursday, April 23	27. Access control and policy configuration (Lorrie) [SLIDES] Homework 10 due	[Required for 9-unit and 12-unit students] Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the Third Symposium on Usable Privacy and Security, 2007. (SOUPS '07) Optional reading: Serge Egelman, Andrew Oates, and Shriram Krishnamurthi. Oops, I Did It Again: Mitigating Repeated Access Control Errors on Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) Pooya Jaferian, Hootan Rashtian, and Konstantin Beznosov. To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12) Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11) [Security] Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno, Helen J. Wang, and Crispin Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12) Diana Smetters and Nathan Good. How Users Use Access Control. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09) Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter. Studying access control usability in the lab: Lessons learned from four studies. In Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results, 2012. (LASER '12)
Tuesday, April 28	28. Mental models and folk models of security; non-US perspectives in research; the usability of software updates (Rich) [SLIDES]	[Required for 9-unit and 12-unit students] Kami Vaniea, Emilee Rader, and Rick Wash. Betrayed By Updates: How Negative Experiences Affect Future Security. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14) Optional reading: [HCI] Jay Chen, Michael Paik, and Kelly McCabe. Exploring Internet Security Perceptions and Practices in Urban Ghana. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14) [Economics] Cormac Herley. So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. In Proceedings of the 2009 New Security Paradigms Workshop, 2009. (NSPW '09) [HCI] Rick Wash. Folk Models of Home Computer Security. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
Thursday, April 30	29. Usable privacy and security in safety-critical devices (Blase) [SLIDES]	[Required for 9-unit and 12-unit students] Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel. Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10) Optional reading: [Security] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11) [Security] Shane S. Clark, Benjamin Ransford, and Kevin Fu. Potentia est Scientia: Security and Privacy Implications of Energy-Proportional Computing. In Proceedings of the 7th USENIX conference on Hot Topics in Security, 2012. (HotSec '12) [Security] Tamara Denning, Kevin Fu, and Tadayoshi Kohno. Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security. In Proceedings of the 3rd USENIX conference on Hot Topics in Security, 2008. (HotSec '08) Kevin Fu and James Blum. Inside Risks: Controlling for Cybersecurity Risks of Medical Device Software. In Communications of the ACM, Volume 56, Issue 10, pp. 21-23, October 2013. [Economics] Martin S. Gaynor, Muhammad Zia Hydari, and Rahul Telang. Is Patient Data Better Protected in Competitive Healthcare Markets? In Workshop on the Economics of Information Security, 2012. (WEIS '12). [Security] Masoud Rostami, Ari Juels, and Farinaz Koushanfar. Heart-to-Heart (H2H): Authentication for Implanted Medical Devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
Monday, May 11th, 1:00pm - 4:00pm (Final exam period)	FINAL PROJECT PRESENTATIONS in GHC 4211	---

Course Requirements and Grading

You are responsible for being familiar with the university standard for academic honesty and plagiarism. Please see the CMU Student Handbook for information. In order to deter and detect plagiarism, online tools and other resources may be used in this class. Students caught cheating or plagiarizing will receive no credit for the assignment on which the cheating occurred. Additional actions -- including assigning the student a failing grade in the class or referring the case for disciplinary action -- may be taken at the discretion of the instructors.

Your final grade in this course will be based on:

20% Homework
20% Quizzes
20% Midterms
40% Project

This class will have no final exam. However, the scheduled final exam period (Monday, May 11th, 1:00pm - 4:00pm) will be used for final project presentations. You are required to be present for your group's final presentation during the exam period.

Homework

All homework is due in printed form in class at 3:00 PM each Thursday, unless specified otherwise on the schedule above. Homework may not be submitted after 3:05 pm, and we do not accept late homework. Your single lowest homework grade will be dropped from your homework average.

Students taking the 12-unit version of the course will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your single lowest quiz grade will be dropped.

Students taking the 12-unit version of this course are expected to do additional readings each week. In some cases, we will specify which extra reading(s) to do. In other cases, we will specify that students can choose from any of the optional readings for the week. All other students are encouraged to review some of the optional readings that they find interesting, but they need not submit summaries or highlights of the optional readings.

Midterms

We will hold two in-class midterms during the course. These midterms will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the semester.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructors early in the semester. As part of the project students will:

Return their project preference form by Thursday, February 5th so that they can be assigned to a project team by Tuesday, February 10th.
Submit a one-page project proposal by Tuesday, February 17th. The proposal should describe the system you propose to design or evaluate, discuss what you hope to learn from your user study and/or the hypotheses you plan to test, and provide an overview of your preliminary user study plan (what types of tasks will you have participants do? what types of people will you recruit? will you use a finished software product, prototype, paper prototype, etc. in your user study? will this be a between-subjects or within-subjects study? will you conduct your study online, in a lab, with paper surveys?)
Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than Thursday, February 26th.
Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
Develop any prototypes necessary to carry out the user study.
Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
Submit a written progress report by Tuesday, March 24th. Your written progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. In addition, the written report should include a revised user study plan and the details of your initial pilot user study, including the study design and scripts (and results if you have already completed the initial study)
Give a 10-15 minute progress report presentation on March 24 or March 26.
Conduct a study using the revised protocol with at least 6 subjects (or more if this is not a lab study). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
Give a 15-minute final project presentation during the final exam period (Monday, May 11th, 1:00pm - 4:00pm in GHC 4211).
Write a paper giving an overview of the proposed study, what you hoped to learn from it, what you learned from the pilot study, etc. and submit it by 1:00 pm on Monday, May 11th in both electronic and printed form (to Professor Cranor's office). Your IRB forms, survey forms, etc. should be included as appendices.

Students are encouraged to submit their project as a poster to the 2015 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2016 or another conference. A paper submission will likely require additional work after the end of the semester. To submit a poster will only require submitting a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

Students signed up for the 12-unit version of this course are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. In addition to describing what you did in your study, your paper should include a related work section and properly-formatted references. Papers should follow the SOUPS 2015 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should not be a blind submission; please include the names of the authors for the purposes of the class project.