05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734
Usable Privacy and Security

Spring 2017: GHC 4102, Mondays and Wednesdays 3:00pm-4:20pm

Professor Lorrie Cranor lorrie AT cmu DOT edu http://lorrie.cranor.org/ Office: CIC 2207 Office hours: By appointment

Javed Ramjohn, Teaching Assistant jramjohn AT andrew. DOT cmu DOT edu Office hours: By appointment

• Class web site: http://cups.cs.cmu.edu/courses/ups-sp17/
• Class mailing list: https://mailman.srv.cs.cmu.edu/mailman/listinfo/ups-class (we will subscribe you with your andrewID)
• Students in this course may also be interested in joining the CyLab Usable Privacy and Security Lab (CUPS) mailing list to get seminar announcements and discussion
• This course does not use Blackboard

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Much of the course will be taught in a graduate seminar style in which all students will be expected to do reading assignments for each class. Students will also work on a group project throughout the semester.

The course is open to all students who have technical backgrounds. The 12-unit course numbers (8-734, 5-836, 19-734) are for PhD students and masters students. Students enrolled in these course numbers will be expected to play a leadership role in a group project that produces a paper suitable for publication. The 9-unit 500-level course numbers (8-534, 5-436, 19-534) are for juniors, seniors, and masters students. Students enrolled in these course numbers will have less demanding project and presentation requirements.

Readings will be assigned from the following text (available from all the usual online stores, and in ebook form via the CMU library)

• Research Methods in Human-Computer Interaction. Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser

Additional readings will be assigned from papers available online or handed out in class. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU EZproxy or library VPN).

Note, schedule is subject to change. The class web site will have the most up-to-date version. Links to slides and homework assignments will not work until the slides and assignments are posted. Slides will usually be posted the day after each lecture. Homework assignments will usually be posted on the day the previous assignment is due.

Wednesday, January 18

01. Course overview and introductions [SLIDES]

No readings for this class

Monday, January 23

02. Introduction to security; usable encryption [SLIDES]

Required reading:

• Alma Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999. (USENIX '99)

Optional reading:

• Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, and Uwe Sander. Helping Johnny 2.0 to Encrypt His Facebook Conversations. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
• [HCI] Shirley Gaw, Edward W. Felten, and Patricia Fernandez-Kelly. Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted Email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06)
• Sumeet Gujrati and Eugene Y. Vasserman. The usability of Truecrypt, or how I learned to stop whining and fix an interface. In Proceedings of the third ACM Conference on Data and Application Security and Privacy, 2013. (CODASPY '13)
• [HCI] Scott Ruoti, Nathan Kim, Ben Burgon, Timothy van der Horst, Kent Seamons. Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
• [Security] Mark D. Ryan. Enhanced certificate transparency and end-to-end encrypted mail. In Proceedings of the 21st Annual Network & Distributed System Security Symposium, 2014. (NDSS '14)

Wednesday, January 25

03. Reasoning about the human in the loop [SLIDES | Privacy Illustrated]

Required reading:

• Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of the 1st Conference on Usability, Psychology, and Security, 2008. (UPSEC '08)

Optional reading:

• Anne Adams and Martina Angela Sasse. Users Are Not The Enemy. In Communications of the ACM, Volume 42, Issue 12, pp. 40-46, December 1999.
• L. Jean Camp. Reconceptualizing the Role of Security User. In Daedalus, Volume 140, Number 4, pp. 93-107, Fall 2011.
• W. Keith Edwards, Erika Shehan Poole, and Jennifer Stoll. Security Automation Considered Harmful? In Proceedings of the 2007 New Security Paradigms Workshop, 2007. (NSPW '07)
• Steven Furnell. Making security usable: Are things improving? In Computers & Security, Volume 26, Issue 6, pg. 434-443, September 2007.
• M.E. Kabay. Using Social Psychology to Implement Security Policies. In Computer Security Handbook, 4th edition, 2002.
• Butler Lampson. Usable Security: How to Get It. In Communications of the ACM, Volume 52, Issue 11, pp. 25-27, November 2009.

Monday, January 30

04. Introduction to privacy [SLIDES]

Assignment: Homework 1 due

Required reading:

• Allison Woodruff, Vasyl Pihur, Sunny Consolvo, Lauren Schmidt, Laura Brandimarte, and Alessandro Acquisti. Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)

Optional reading:

• Alex Braunstein, Laura Granka, and Jessica Staddon. Indirect Content Privacy Surveys: Measuring Privacy Without Asking About It. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11)
• Lorrie Faith Cranor, Adam L. Durity, Abigail Marsh, and Blase Ur. Parents' and Teens' Perspectives on Privacy In a Technology-Filled World. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
• Alexei Czeskis, Ivayla Dermendjieva, Hussein Yapit, Alan Borning, Batya Friedman, Brian Gill, and Tadayoshi Kohno. Parenting from the Pocket: Value Tensions and Technical Directions for Secure and Private Parent-Teen Mobile Safety. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
• Giovanni Iachello and Jason Hong. End-User Privacy in Human-Computer Interaction. In Foundations and Trends in HCI, Volume 1, Number 1, pp. 1-137, 2007.
• Scott Lederer, Jason I. Hong, Anind K. Dey, James A. Landay. Personal Privacy through Understanding and Action: Five Pitfalls for Designers. Carnegie Mellon University Technical Report. Human-Computer Interaction Institute. Paper 78. 2004.

Wednesday, February 1

05. Introduction to experimental design: overview of methods, ethics/deception, and ecological validity [SLIDES]
Guest lecturer: Abby Marsh

Required reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 2: Experimental Research
• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 3: Experimental Design
• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 14: Working With Human Subjects
• [Required only for 12-unit students] Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. In Communications of the ACM, Volume 50, Issue 10, pp. 94-100, October 2007.

Optional reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 10: Usability Testing
• [Ethics] Cristian Bravo-Lillo, Serge Egelman, Cormac Herley, Stuart Schechter, and Janice Tsai. You Needn't Build That: Reusable Ethics-Compliance Infrastructure for Human Subjects Research. In Proceedings of the Cyber-security Research Ethics Dialog & Strategy Workshop, 2013. (CREDS '13)
• Roy A. Maxion. Making Experiments Dependable. In Dependable and Historic Computing, Lecture Notes in Computer Science Volume 6875, pp. 344-357, 2011.

Monday, February 6

06. Introduction to crowdsourced studies [SLIDES]

Assignment: Homework 2 due
Project: Discuss course projects in class

Required reading:

• Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable?. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)
• Manya Sleeper, Justin Cranshaw, Patrick Gage Kelley, Blase Ur, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. "I read my Twitter the next morning and was astonished": A Conversational Perspective on Twitter Regrets. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)
• [Required only for 12-unit students] Ruogu Kang, Stephanie Brown, Laura Dabbish, and Sara Kiesler. Privacy Attitudes of Mechanical Turk Workers and the U.S. Public. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)

Optional reading:

• Michael Buhrmester, Tracy Kwang, and Samuel D. Gosling. Amazon's Mechanical Turk: A New Source of Inexpensive, Yet High-Quality, Data?. In Perspectives on Psychological Science, Volume 6, Number 1, pp. 3-5, 2011.
• Panagiotis G. Ipeirotis. Demographics of Mechanical Turk. New York University Technical Report, 2010.
• Panagiotis G. Ipeirotis, Foster Provost, and Jing Wang. Quality Management on Amazon Mechanical Turk. In Proceedings of the ACM SIGKDD Workshop on Human Computation, 2010. (HCOMP '10)
• Patrick Gage Kelley. Conducting usable privacy and security studies with Amazon's Mechanical Turk. In Proceedings of the Usable Security Experiment Reports Workshop, 2010. (USER '10)
• Aniket Kittur, Ed H. Chi, and Bongwon Suh. Crowdsourcing User Studies With Mechanical Turk. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08)

Wednesday, February 8

07. Participant recruitment and surveys [SLIDES]

Required reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 5: Surveys
• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 8: Interviews and Focus Groups
• Xuan Zhao, Niloufar Salehi, Sashi Naranjit, Sara Alwaalan, Stephen Voida, and Dan Cosley. The Many Faces of Facebook: Experiencing Social Media as Performance, Exhibition, and Personal Archive. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)

Optional reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 6: Diaries
• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 7: Case Studies

Monday, February 13

08. Interviews, focus groups, and diary studies + analyzing qualitative data [SLIDES]

Assignment: Homework 3 due
Project: preference forms due

Required reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 11: Analyzing Qualitative Data
• B. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, L Cranor. "I Added '!' At The End To Make It Secure": Observing Password Creation in the Lab. SOUPS2015.
• A. Forget, S. Pearman, J. Thomas, A. Acquisti, N. Christin, L. Cranor, S. Egelman, M. Harbach, R. Telang. Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes. SOUPS2016.

Optional reading:

• Blase Ur, Jaeyeon Jung, and Stuart Schechter. Intruders versus intrusiveness: Teens' and parents' perspectives on home-entryway surveillance . In Proceedings of the 2014 ACM Conference on Ubiquitous Computing, 2014. (UbiComp '14)
• [HCI] A.J. Brush, Jaeyeon Jung, Ratul Mahajan, and Frank Martinez. Digital Neighborhood Watch: Investigating the Sharing of Camera Data Amongst Neighbors. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)
• Michelle L. Mazurek, J.P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10)
• Stuart Schechter. The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button! In Proceedings of the Workshop on Home Usable Privacy and Security, 2013. (HUPS '13)

Wednesday, February 15

09. Practicalities of research: IRBs and teamwork [SLIDES]
Guest lecturer: Abby Marsh

Project: teams assigned in class

No readings for this class

Monday, February 20

10. Quantitative data collection, lab and field studies, simulating attacks [SLIDES]

Assignment: Homework 4 due

Required reading:

• Marian Harbach, Emanuel von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. It's a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
• Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007. (Oakland '07)

Optional reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 12: Automated Data Collection Methods
• Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13)
• Alexander De Luca, Marc Langheinrich, and Heinrich Hussmann. Towards Understanding ATM Security - A Field Study of Real World ATM Use. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
• Dinei Florêncio and Cormac Herley. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th international conference on World Wide Web, 2007. (WWW '07)
• Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. A Field Trial of Privacy Nudges for Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)

Wednesday, February 22

11. Analyzing quantitative data with statistics [SLIDES]
Guest lecturers: Hana Habib and Jessica Colnago

Project: proposal due

Required reading:

• Lazar et al. Research Methods in Human-Computer Interaction. Chapter 4: Statistical Analysis

Optional reading:

• (Various) Mark S. Kaiser. Any one of the chapters on advanced statistical methods.
• (Factor Analysis) Frank J. Floyd and Keith F. Widaman. Factor Analysis in the Development and Refinement of Clinical Assessment Instruments.
• (Mixed Models) Donald Hedeker. Generalized Linear Mixed Models.
• (Mixed Models) Any one of the chapters on mixed-effects models (with R tutorials)
• (Repeated Measures) Michael Kristensen and Thomas Hansen. Statistical analyses of repeated measures in physiological research: a tutorial
• (Regression Analysis) Alan O. Sykes. An Introduction to Regression Analysis.
• (Regression Analysis) Robert Kieschnick and B.D. McCullough. Regression analysis of variates observed on (0, 1): percentages, proportions and fractions

Monday, February 27

12. Security warnings [SLIDES]

Assignment: Homework 5 due

Required reading:

• Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Robert W. Reeder, Stuart Schechter, and Manya Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)

Optional reading:

• Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Embre Acer, Elisabeth Morant, and Sunny Consolvo. Rethinking Connection Security Indicators. SOUPS 2016.
• Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, and Saranga Komanduri. Bridging the gap in computer security warnings: A mental model approach. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 18-26, March 2011.
• Cristian Bravo-Lillo, Lorrie Faith Cranor, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
• Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie Downs, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. Operating system framed in case of mistaken identity. In Proceedings of the 2012 ACM SIGSAC conference on Computer & Communications Security, 2012. (CCS '12)
• [HCI] Serge Egelman, Lorrie Faith Cranor, and Jason Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2008. (CHI '08)
• David Modic and Ross J. Anderson. Reading this May Harm Your Computer: The Psychology of Malware Warnings. Available online on SSRN, 2014.
• [HCI] Na Wang, Jens Grossklags, and Heng Xu. An Online Experiment of Privacy Authorization Dialogues for Social Applications. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)

Wednesday, March 1

13. Passwords [SLIDES]

Required reading:

• Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)

Optional reading:

• Robert Biddle, Sonia Chiasson, and P.C. van Oorschot. Graphical Passwords: Learning from the First Twelve Years. In ACM Computing Surveys, Volume 44, Issue 4, August 2012.
• [Security] Joseph Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12)
• Joseph Bonneau and Stuart Schechter. Towards reliable storage of 56-bit secrets in human memory. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
• Sonia Chiasson, Alain Forget, Elizabeth Stobert, P.C. van Oorschot, and Robert Biddle. Multiple password interference in text and click-based graphical passwords. In Proceedings of the 2009 ACM SIGSAC conference on Computer & Communications Security, 2009. (CCS '09)
• [Security] Darren Davis, Fabian Monrose, and Michael K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04)
• Eiji Hayashi, Jason Hong, and Nicolas Christin. Security through a different kind of obscurity: Evaluating Distortion in Graphical Authentication Schemes. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
• [Security] Ari Juels and Ronald L. Rivest. Honeywords: Making Password-Cracking Detectable. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
• Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
• [HCI] Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
• Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, Paul C. van Oorchot. Tapas: Design, Implementation, and Usability Evaluation of a Password Manager. In Proceedings of the 28th Annual Computer Security Applications Conference, 2012. (ACSAC '12)
• [HCI] Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber. Exploring the Design Space of Graphical Passwords on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
• [Security] David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. Password Managers: Attacks and Defenses. In Proceedings of the 23rd USENIX Security Symposium, 2014. (USENIX '14)
• [HCI] Elizabeth Stobert and Robert Biddle. The Password Life Cycle: User Behaviour in Managing Passwords. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
• Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
• Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)

Monday, March 6

14. Authentication beyond text passwords [SLIDES]

Assignment: Homework 6 due
Project: IRB applications must be submitted to the IRB no later than this date

Required reading:

• Shrirang Mare, Mary Baker, Jeremy Gummeson. A study of authentication in daily life. SOUPS 2016.

Optional reading:

• J. Bonneau, C. Herley, P. C. van Oorschot and F. Stajano. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. IEEE Security & Privacy (Oakland) 2012.
• Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. It's No Secret: Measuring the Security and Reliability of Authentication via 'Secret' Questions. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, 2009. (S&P '09 / Oakland '09)
• Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, and Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. In Proceedings of the NDSS Workshop on Usable Security, 2015. (USEC '15)
• [Application] Eric Grosse and Mayank Upadhyay, Authentication at Scale, IEEE Security & Privacy (magazine), vol. 11, no. 1, pp. 15-22, January-Febuary 2013.
• Eiji Hayashi, Sauvik Das, Shahriyar Amini, Jason Hong, Ian Oakley. CASA: Context-Aware Scalable Authentication. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
• Anil K. Jain, Arun Ross, and Salil Prabhakar. An introduction to biometric recognition. In IEEE Transactions on Circuits and Systems for Video Technology, Volume 14, Issue 1, pp. 4-20, 2004.
• [HCI] Mike Just and David Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09)
• Kat Krol, Eleni Philippou, Emiliano De Cristofaro, and M. Angela Sasse. "They brought in the horrible key ring thing!" Analysing the Usability of Two-Factor Authentication in UK Online Banking. In Proceedings of the NDSS Workshop on Usable Security, 2015. (USEC '15)
• [Security] Tey Chee Meng, Payas Gupta, and Debin Gao. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13)
• Saurabh Panjwani and Edward Cutrell. Usably Secure, Low-Cost Authentication for Mobile Banking. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
• Robert W. Reeder and Stuart Schechter. When the Password Doesn't Work: Secondary Authentication for Websites. In IEEE Security and Privacy magazine, Volume 9, Issue 2, pp. 43-49, March 2011.
• Stuart Schechter, Serge Egelman, and Robert W. Reeder. It's not what you know, but who you know: A social approach to last-resort authentication. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2009. (CHI '09)

Wednesday, March 8

15. In-class midterm exam 1

No readings for this class

Monday, March 13

spring break

Wednesday, March 15

spring break

Monday, March 20

16. Privacy notice and choice [SLIDES]

Required reading:

• Florian Schaub, Rebecca Balebako, Adam Durity, Lorrie Cranor. A Design Space for Effective Privacy Notices. SOUPS 2015.

Optional reading:

• Travis D. Breaux and Florian Schaub. Scaling Requirements Extraction to the Crowd: Experiments with Privacy Policies. In 22nd IEEE International Requirements Engineering Conference, 2014. (RE '14)
• Joel R. Reidenberg, Travis D. Breaux, Lorrie Faith Cranor, Brian French, Amanda Grannis, James T. Graves, Fei Liu, Aleecia M. McDonald, Thomas B. Norton, Rohan Ramanath, N. Cameron Russell, Norman Sadeh, Florian Schaub. Disagreeable Privacy Policies: Mismatches between Meaning and Users' Understanding. In Berkeley Technology Law Journal, vol. 30, 2015 (forthcoming).
• Lorrie Faith Cranor, Pedro Giovanni Leon, and Blase Ur. 2016. A Large-Scale Evaluation of U.S. Financial Institutions' Standardized Privacy Notices. ACM Trans. Web 10, 3, Article 17 (August 2016), 33 pages.

Wednesday, March 22

17. Evaluating disclosures [SLIDES]

Required reading:

• Lorrie Faith Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. In Journal of Telecommunications and High Technology Law, Volume 10, Number 2, 2012.

Optional reading:

• Rebecca Balebako, Richard Shay, and Lorrie Faith Cranor. Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice Categories. Carnegie Mellon University Technical Report CMU-CyLab-13-011, 2013.
• Pedro G. Leon, Justin Cranshaw, Lorrie Faith Cranor, Jim Graves, Manoj Hastak, Blase Ur, and Guzi Xu. What Do Online Behavioral Advertising Disclosures Communicate to Users? In Proceedings of the 11th annual ACM Workshop on Privacy in the Electronic Society, 2012. (WPES '12)
• Aleecia McDonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. A Comparative Study of Online Privacy Policies and Formats. In Proceedings of the 9th International Symposium on Privacy Enhancing Technologies, 2009. (PETS '09)
• Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10)
• S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. 2009. Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators. CHI 2009.

Monday, March 27

18. Progress report presentations

Project: progress report due

Required reading:

• Stuart Schechter. Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them, 2009.

Wednesday, March 29

19. Progress report presentations

No required reading

Monday, April 3

20. Privacy and anonymity tools [SLIDES]

Assignment: Homework 7 due

Required reading:

• Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12)

Optional reading:

• Lorrie Faith Cranor, Praveen Guduru, and Manjula Arjula. User interfaces for privacy agents. In ACM Transactions on Computer-Human Interaction (TOCHI), Volume 13, Issue 2, pp. 135-178, June 2006.
• W. Melicher, M. Sharif, J. Tan, L. Bauer, M. Christodorescu, P. Leon. (Do Not) Track Me Sometimes: Users' Contextual Preferences for Web Tracking. Proceedings on Privacy Enhancing Technologies, Volume 2016, Issue 2 (Apr 2016).
• [Security] Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
• Gaurav Aggarwal, Elie Bursztein, Collin Jackson, and Dan Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Security Symposium, 2010. (USENIX '10)
• Rachna Dhamija and J.D. Tygar. The Battle Against Phishing: Dynamic Security Skins. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05)
• Jonathan R. Mayer and John C. Mitchell. Third-Party Web Tracking: Policy and Technology. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13)
• Franziska Roesner, Christopher Rovillos, Tadayoshi Kohno, and David Wetherall. ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets. In USENIX ;login: magazine, Volume 37, Number 4, August 2012.
• Blase Ur, Pedro G. Leon, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)
• Greg Norcie, Jim Blythe, Kelly Caine, and L. Jean Camp. Why Johnny Can't Blow the Whistle: Identifying and Reducing Usability Issues in Anonymity Systems. In Proceedings of the NDSS Workshop on Usable Security, 2014. (USEC '14)
• [Security] Roger Dingledine, Nick Matthewson, and Paul Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium, 2004. (USENIX '04)
• [Security] Prateek Mittal, Matthew Wright, and Nikita Borisov. Pisces: Anonymous Communication Using Social Networks. In Proceedings of the 20th Annual Network & Distributed System Security Symposium, 2013. (NDSS '13)

Wednesday, April 5

21. Social networks and privacy [SLIDES]
Guest lecturer: Abby Marsh

• Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and Privacy: It's Complicated. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)

Optional reading:

• Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur. The Post Anachronism: The Temporal Dimension of Facebook Privacy. In Proceedings of the 12th annual ACM Workshop on Privacy in the Electronic Society, 2013. (WPES '13)
• Michael S. Bernstein, Eytan Bakshy, Moira Burke, and Brian Karrer. Quantifying the Invisible Audience in Social Networks. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)
• Sanjay Kairam, Michael J. Brzozowski, David Huffaker, and Ed H. Chi. Talking in Circles: Selective Sharing in Google+. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12)
• Huina Mao, Xin Shuai, and Apu Kapadia. Loose Tweets: An Analysis of Privacy Leaks on Twitter. In Proceedings of the 10th annual ACM Workshop on Privacy in the Electronic Society, 2011. (WPES '11)
• Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber Lynn McConahy, Jason Wiese, and Lorrie Faith Cranor. The Post that Wasn't: Exploring Self-Censorship on Facebook. In Proceedings of the 2013 conference on Computer Supported Cooperative Work, 2013. (CSCW '13)
• Fred Stutzman, Ralph Gross, and Alessandro Acquisti. Silent Listeners: The Evolution of Privacy and Disclosure on Facebook. In Journal of Privacy and Confidentiality, Volume 4, Number 2, pp. 7-41, 2012.
• Yang Wang, Saranga Komanduri, Pedro Giovanni Leon, Gregory Norcie, Alessandro Acquisti, and Lorrie Faith Cranor. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11)
• Jason Watson, Andrew Besmer, Heather Richter Lipford. +Your Circles: Sharing Behavior on Google+. In Proceedings of the Eighth Symposium on Usable Privacy and Security, 2012. (SOUPS '12)

Monday, April 10

22. Privacy and security for mobile devices and IoT [SLIDES]

Assignment: Homework 8 due

Required reading:

• Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. Android Permissions: User Attention, Comprehension, and Behavior. SOUPS 2012

Optional reading:

• [HCI] Rebecca Balebako, Jaeyeon Jung, Wei Lu, Lorrie Cranor, and Carolyn Nguyen. "Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013. (SOUPS '13)
• Serge Egelman, Sakshi Jain, Rebecca S. Portnoff, Kerwell Liao, Sunny Consolvo, and David Wagner. Are You Ready to Lock? Understanding User Motivations for Smartphone Locking Behaviors. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
• [HCI] Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2013. (CHI '13)
• [Security] Benjamin Livshits and Jaeyeon Jung. Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications. In Proceedings of the 22nd USENIX Security Symposium, 2013. (USENIX '13)
• [Security] Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, and Angelos D. Keromytis. Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
• [Security] Shashi Shekhar, Michael Dietz, and Dan S. Wallach. AdSplit: Separating smartphone advertising from applications. In Proceedings of the 21st USENIX Security Symposium, 2012. (USENIX '12)

Wednesday, April 12

23. SSL, PKIs, and secure communication [SLIDES]

Required reading:

• Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, ax Walker, Christopher Thompson, Mustafa Embre Acer, Elisabeth Morant, and Sunny Consolvo. Rethinking conneciton security indicators. SOUPS 2016.

Optional reading:

• Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the 18th USENIX Security Symposium, 2009. (USENIX '09)
• Devdatta Akhawe, Bernhard Amann, Matthias Vallentin, and Robin Sommer. Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web. In Proceedings of the 22nd international conference on World Wide Web, 2013. (WWW '13)
• [Economics] Hadi Asghari, Michel J.G. van Eeten, Axel M. Arnbak, and Nico A.N.M. van Eijk. Security Economics in the HTTPS Value Chain. In Workshop on the Economics of Information Security, 2013. (WEIS '13).
• [Security] Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. (S&P '13 / Oakland '13)
• [Security] Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. The Matter of Heartbleed. In Proceedings of the 14th ACM Internet Measurement Conference, 2014. (IMC '14)
• Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. Rethinking SSL Development in an Appified World. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
• Simson L. Garfinkel and Robert C. Miller. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express. In Proceedings of the First Symposium on Usable Privacy and Security, 2005. (SOUPS '05). Also go through the The Johnny 2 Construction Kit for Testing Email Security from the SOUPS 2006 Security User Studies Workshop User Studies Construction Kits collection.
• Michael Kranch and Joseph Bonneau. Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning. In Proceedings of The 2015 Network and Distributed System Security Symposium, 2015. (NDSS '15)
• Christopher Soghoian and Sid Stamm. Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. In Proceedings of the 15th international conference on Financial Cryptography and Data Security, 2011. (FC '11)
• [HCI] Andreas Sotirakopoulos, Kirstie Hawkey, and Konstantin Beznosov. On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. In Proceedings of the Seventh Symposium on Usable Privacy and Security, 2011. (SOUPS '11)
• Pawel Szalachowski, Stephanos Matsumoto, and Adrian Perrig. PoliCert: Secure and Flexible TLS Certificate Management. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)

Monday, April 17

24. Mental models and folk models of security and privacy [SLIDES]

• Kami Vaniea, Emilee Rader, and Rick Wash. Betrayed By Updates: How Negative Experiences Affect Future Security. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)

Optional reading:

• Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. "My Data Just Goes Everywhere:" User Mental Models of the Internet and Implications for Privacy and Security. SOUPS 2015.
• [HCI] Jay Chen, Michael Paik, and Kelly McCabe. Exploring Internet Security Perceptions and Practices in Urban Ghana. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
• [Economics] Cormac Herley. So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. In Proceedings of the 2009 New Security Paradigms Workshop, 2009. (NSPW '09)
• [HCI] Rick Wash. Folk Models of Home Computer Security. In Proceedings of the Sixth Symposium on Usable Privacy and Security, 2010. (SOUPS '10)
• Y. Yao, D. Lo Re, Y. Wang. Folk Models of Online Behavioral Advertising. Proceedings of the ACM Conference on Computer-Supported Cooperative Work and Social Computing (CSCW 2017).
• B. Ur, J. Bees, S. Segreti, L. Bauer, N. Christin, and L. F. Cranor. CHI'16. Do users' perceptions of password security match reality? CHI 2016.

Wednesday, April 19

25. In-class midterm exam 2

No readings for this class

Monday, April 24

26. User education/training; anti-phishing [SLIDES]

Required reading:

• Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why Phishing Works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006. (CHI '06)

Optional reading:

• Alessandro Acquisti and Jens Grossklags. Privacy and rationality in individual decision making. In IEEE Security and Privacy magazine, Volume 3, Issue 1, pp. 26-33, January 2005.
• Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, and Jason I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. In Proceedings of the 2014 ACM SIGSAC conference on Computer & Communications Security, 2014. (CCS '14)
• Serge Egelman, David Molnar, Nicolas Christin, Alessandro Acquisti, Cormac Herley, and Shriram Krishnamurthi. Please Continue to Hold: An empirical study on user tolerance of security delays. In Workshop on the Economics of Information Security, 2010. (WEIS '10).
• Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. Using personal examples to improve risk communication for security & privacy decisions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2014. (CHI '14)
• Cormac Herley. Why do Nigerian Scammers say they are from Nigeria? In Workshop on the Economics of Information Security, 2012. (WEIS '12).
• Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Teaching Johnny Not to Fall for Phish. In ACM Transactions on Internet Technology (TOIT), Volume 10, Issue 2, May 2010.
• Fanny Lalonde Lévesque, Jude Nsiempba, José M. Fernandez, Sonia Chiasson, Anil Somayaji. A Clinical Study of Risk Factors Related to Malware Infections. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)
• Sören Preibusch, Kat Krol, and Alastair R. Beresford. The Privacy Economics of Voluntary Over-disclosure in Web Forms. In Workshop on the Economics of Information Security, 2012. (WEIS '12).
• Nicolas Christin, Serge Egelman, Timothy Vidas, and Jens Grossklags. It's All About the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice. In Proceedings of the 15th International Conference on Financial Cryptography and Data Security, 2011. (FC '11)

Wednesday, April 26

27. Access control and policy configuration [SLIDES]

• Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. Lessons Learned From the Deployment of a Smartphone-Based Access-Control System. In Proceedings of the Third Symposium on Usable Privacy and Security, 2007. (SOUPS '07)

Optional reading:

• Serge Egelman, Andrew Oates, and Shriram Krishnamurthi. Oops, I Did It Again: Mitigating Repeated Access Control Errors on Facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
• Pooya Jaferian, Hootan Rashtian, and Konstantin Beznosov. To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations. In Proceedings of the Tenth Symposium on Usable Privacy and Security, 2014. (SOUPS '14)
• Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2012. (CHI '12)
• Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. (CHI '11)
• [Security] Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno, Helen J. Wang, and Crispin Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. (S&P '12 / Oakland '12)
• Diana Smetters and Nathan Good. How Users Use Access Control. In Proceedings of the Fifth Symposium on Usable Privacy and Security, 2009. (SOUPS '09)
• Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter. Studying access control usability in the lab: Lessons learned from four studies. In Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results, 2012. (LASER '12)

Monday, May 1

28. Usable privacy and security in safety-critical devices [SLIDES]

Assignment: Homework 9 due

• Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel. Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010. (CHI '10)

Optional reading:

• [Security] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proceedings of the 20th USENIX Security Symposium, 2011. (USENIX '11)
• [Security] Shane S. Clark, Benjamin Ransford, and Kevin Fu. Potentia est Scientia: Security and Privacy Implications of Energy-Proportional Computing. In Proceedings of the 7th USENIX conference on Hot Topics in Security, 2012. (HotSec '12)
• [Security] Tamara Denning, Kevin Fu, and Tadayoshi Kohno. Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security. In Proceedings of the 3rd USENIX conference on Hot Topics in Security, 2008. (HotSec '08)
• Kevin Fu and James Blum. Inside Risks: Controlling for Cybersecurity Risks of Medical Device Software. In Communications of the ACM, Volume 56, Issue 10, pp. 21-23, October 2013.
• [Economics] Martin S. Gaynor, Muhammad Zia Hydari, and Rahul Telang. Is Patient Data Better Protected in Competitive Healthcare Markets? In Workshop on the Economics of Information Security, 2012. (WEIS '12).
• [Security] Masoud Rostami, Ari Juels, and Farinaz Koushanfar. Heart-to-Heart (H2H): Authentication for Implanted Medical Devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security, 2013. (CCS '13)

Wednesday, May 3

29. Final project presentations

No required reading

Your final grade in this course will be based on:

• 30% Homework
• 20% Quizzes
• 20% Midterms
• 30% Project

This class will have no final exam. Final projects presentations will be held on the last day of class. You are required to be present for your group's final presentation.

Homework

All homework is due in printed form in class at 3:00 PM on the due date, unless specified otherwise on the schedule above. Homework may not be submitted after 3:05 pm, and we do not accept late homework. Your single lowest homework grade will be dropped from your homework average.

Students taking the 12-unit version of the course will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your single lowest quiz grade will be dropped.

Students taking the 12-unit version of this course are expected to do additional readings each week. In some cases, we will specify which extra reading(s) to do. In other cases, we will specify that students can choose from any of the optional readings for the week. All other students are encouraged to review some of the optional readings that they find interesting, but they need not submit summaries or highlights of the optional readings.

Midterms

We will hold two in-class midterms during the course. These midterms will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. The best way to prepare for these exams is to critically read all of the assigned papers for the course and to be an engaged participant in class discussions and in-class design assignments throughout the semester.

Project

Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructors early in the semester. As part of the project students will:

• Return their project preference form by Monday, February 13 so that they can be assigned to a project team by Wednesday, February 15.
• Submit a brief project proposal (2 to 3 pages) by Wednesday, February 22. The proposal should state your research questions; hypotheses (if any); general type of study (lab, online, interview, survey, etc.); overview of the types of questions and/or tasks, scenarios, etc. that will be included; quantitative metrics and/or qualitative analysis approach; number and type of study participants you plan to recruit and how you will recruit them; study design (between subjects, within subjects); equipment, software, other resources, and/or payments needed and preliminary budget.
• Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than Monday, March 6. Include the professor, TA, and any mentor you are working with as co-PIs and send them a draft by March 3 to get their feedback.
• Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
• Develop any prototypes necessary to carry out the user study.
• Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
• Submit a written progress report by Monday, March 27. Your written progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. Your written report should include your research questions and any hypotheses, draft related work section, study methodology, results and lessons learned from your initial pilot study (or any other data collection that you have done already), unresolved issues or challenges, and complete survey or interview questions, scripts, etc.
• Give a brief (7-10 minutes) progress report presentation on March 27 or 29.
• Conduct a study using the revised protocol with at least 6 subjects (or more if this is not a lab study). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
• Give a 10-minute final project presentation in class on Wednesday, May 3.
• Write a paper including an abstract, introduction (including research questions), related work, methodology, results, discussion (or lessons learned), references, etc. and submit it by 8 am on Monday, May 15 in electronic form. Please email a PDF version of your paper to the professor and the TA. Your IRB forms, survey forms, etc. should be included as appendices.

Students are encouraged to submit their project as a poster to the 2017 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2018 or another conference. A paper submission will likely require additional work after the end of the semester. To submit a poster will only require submitting a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

Students signed up for the 12-unit version of this course are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the SOUPS 2017 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should not be a blind submission; please include the names of the authors for the purposes of the class project.

Copyright Policy

All teaching materials in this class, including course slides, homeworks, assignments, practice exams and quizzes, are copyrighted; reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered as an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.

Collaboration Policy

You are permitted to talk to the instructor, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the homeworks. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and is considered cheating. If you have any question about whether some activity would constitute cheating, please feel free to ask. Cheating on an assignment/exam will result in failure of the course, and the university administration (department, college) will be notified per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Cheating and Plagiarism (http://www.cmu.edu/policies/documents/Cheating.html); Undergraduate Academic Discipline (http://www.cmu.edu/policies/documents/AcadRegs.html); and Graduate Academic Discipline (http://www.cmu.edu/policies/documents/GradDisc.html). In addition to the terms of the Graduate Academic Discipline policy, it is INI and ECE's policy that an INI or an ECE graduate student may not drop a course in which a disciplinary action is assessed or pending without the course instructor's explicit approval.

Take Care of Yourself

Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:

• Counseling and Psychological Services (CaPS): 412-268-2922
• Re:solve Crisis Network: 888-796-8226

If the situation is life threatening, call the police:

• On campus - CMU Police: 412-268-2323
• Off campus: 911