Symposium On Usable Privacy and Security
July 23-25, 2008
Pittsburgh, PA

The following is a preliminary program, subject to change.

Wednesday, July 23

8 - 9 am: Breakfast and registration (CIC atrium)

9 am - noon:
Workshop on Usable IT Security Management (CIC DEC)
The Symposium on Accessible Privacy and Security (Newell-Simon Hall Room 3305)

Noon - 1pm: Lunch (Newell-Simon Hall Atrium)

1 - 3:45 pm:
Workshop on Usable IT Security Management (CIC DEC)
The Symposium on Accessible Privacy and Security (Newell-Simon Hall Room 3305)

4 - 6 pm: Poster session and reception (Newell-Simon Hall Atrium)

Thursday, July 24

Thursday's and Friday's events will be held in the Distributed Education Center (DEC) on the L level of the Carnegie Mellon Collaborative Innovation Center (CIC), unless otherwise noted. Lunches will be held in Newell-Simon Hall room 3305.

8 - 9 am: Breakfast and registration (CIC atrium)

9 am - 10:15 am: Opening session

10:15 - 10:45 am: Break

10:45 am - 12:15 pm: Technical paper session: Authentication I, Chair: Jose Brustoloni

12:15 - 1:15 pm: Lunch (Newell-Simon Hall Room 3305)

1:15 - 2:45 pm: Technical paper session: Authentication II, Chair: Rob Miller

2:45 - 3:15 pm: Break

3:15 - 4:45 pm: Panel: Testing for Usable Security - What Relationship, If Any, Does It Have To Product Design?

5:30 - 9:30 pm: Reception and dinner at Phipps Conservatory (walking distance from CMU and Holiday Inn)

Friday, July 25

8 - 9 am: Breakfast and registration (CIC atrium)

9 - 10:30 am: Technical paper session: Configuration and Policies, Chair: John Karat

10:30 - 10:45 am: Break and move to discussion session rooms

10:45 am - noon: Discussion Sessions (CIC 1301, CIC 2101, CIC DEC, NSH 3001)

Noon - 1 pm: Lunch (Newell-Simon Hall Room 3305)

1 - 2:30 pm: Technical paper session: Usable Privacy and Security in Practice, Chair: Carl Ellison

2:30 - 3:00 pm: Closing session

3:00 pm: Ice cream social


Keynote: Ross Anderson - Towards a science of security and human behaviour


During the twentieth century, security - and particularly information security - was seen as a technical problem, to be tackled using crypto, access controls and so on. We now know that purely technical approaches don't work. Recent years have seen the emergence of at least two research communities that mine the social sciences for ideas: security economists who analyse incentives, and security usability experts who work with psychology.

In this talk, I will try to sketch out a still broader research programme. Economics can give us insights into usability failures; research at the borders between economics and psychology teaches us about attitudes towards risk, and can inform research on subjects from privacy to terrorism; and the growing importance of phishing suggests we should try to understand deception better. A lot of interesting cross-disciplinary work remains to be done.


Ross Anderson is Professor of Security Engineering at Cambridge University. He is one of the founders of a vigorously-growing new discipline: the economics of information security. Many security failures can be traced to wrong incentives rather than technical errors, and the application of microeconomic theory has shed new light on many problems that were previously considered intractable. This work is particularly important for understanding auctions, fraud, and online liability. It is also giving insights into system safety and dependability, and into more traditional security problems of interest to law enforcement and the insurance industry.

Recently security economics has started to spill over into other social sciences, with ideas being imported from anthropology, primatology and above all psychology. Ross was an organiser of the first workshop on security and human behaviour, on which he will report in this keynote talk. The interaction between security and psychology is not limited to the usability of protection mechanisms: it ranges from the misperceptions of risk that make our societies vulnerable to terrorism, to quite basic questions such as the extent to which we evolved intelligence in order to deceive, and to detect deception in others.

Ross has also made seminal contributions to peer-to-peer systems; hardware tamper-resistance; emission security; copyright marking; crypto protocols; and the security of APIs. He was a coauthor of Serpent, a finalist in the AES competition. Other papers document the failures of real world systems, including automatic teller machines, prepayment meters and medical record systems. His team currently monitors online fraud, the subject of a tech talk at Google. He also chairs the Foundation for Information Policy Research, the main UK think-tank on internet and technology policy issues. He is a Fellow of the IET and the IMA, and wrote the definitive book "Security Engineering: A Guide to Building Dependable Distributed Systems", whose second edition just appeared in April 2008.


Panel: Testing for Usable Security - What Relationship, If Any, Does It Have To Product Design?

The CHI community has had long debates about the place of usability testing during product design. Recently, Greenberg and Buxton published an article titled "Usability Evaluation Considered Harmful (Some of the Time)", where they concluded that usability evaluation is appropriate some of the time, and non-empirical methods ("design critiques, design alternatives, case studies, cultural probes, reflection, design rationale") are appropriate other times. In addition, they state that a combination of methods will "triangulate and enrich the discussion of a system's validity". More specifically, they state that evaluation done too early can kill promising design ideas, and that it ignores cultural adoption and use.

This panel moves beyond these conclusions to discuss usable security specifically. Panelists will address questions such as:

  • What are the appropriate ways to validate one's work when the work is usable security? When the goal is something other than published research, such as product or standards, how do the validation methods change?
  • What is the role, and what are the limitations, of laboratory-based usability research and other design techniques when making real-life design and standards decisions?

Each panelist will take a specific position on the topic and include at least one specific recommendation for future changes in this area.

Moderator: Mary Ellen Zurko, IBM [slides]

Panelists:
  • Stuart Schechter, Microsoft
  • Phil Hallam-Baker, Verisign [slides]
  • Jon Callas, PGP [slides]
  • Tyler Close, HP

Posters

Social Circles: Tackling Privacy in Social Networks
Fabeah Adu-Oppong, Casey Gardiner, Apu Kapadia and Patrick Tsang

A Survey to Guide Group Key Protocol Development
Ahren Studer, Christina Johns, Jaanus Kase and Kyle O'Meara

Can eye gaze reveal graphical passwords?
Daniel LeBlanc, Sonia Chiasson, Alain Forget and Robert Biddle

Design of a Privacy Label for P3P Policies
Patrick Kelley, Steve Won and Lorrie Cranor

Privacy Perceptions of Photo Sharing in Facebook
Andrew Besmer and Heather Lipford

Toward Web Browsers that Make or Break Trust
Hazim Almuhimedi, Amit Bhan, Dhruv Mohindra and Joshua Sunshine

Investigating how everyday people experience security
Niels Raabjerg Mathiasen

Understanding Security Administrators: Granting Access in Academic, Start-up, and Enterprise Environments
Luke Kowalski

Mental Models of Home Computer Security
Rick Wash

Usable Authentication for Electronic Healthcare Systems
Qihua Wang and Hongxia Jin

RUST: The Reusable Security Toolkit
Chaitanya Atreya, Adam Aviv, Maritza Johnson, Mariana Raykova, Steven M. Bellovin and Gail Kaiser

Enhancements to the Anti-Phishing Browser Toolbar
Bruno Lorentin and Kristiina Karvonen

Testing PhishGuru in the Real World
Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Cranor and Jason Hong

Enforcing POLA on Desktop Applications Through Dynamic Input Monitoring
Brett Cannon and Eric Wohlstadter

Usable Persona Interface: Persona-Bookmark
Nachi Ueno, Kei Karasawa and Kenji Takahashi

Privacy Rights Management for Mobile Applications
A. K. Bandara, B. A. Nuseibeh, B. A. Price, Y. Rogers, N. Dulay, E. C. Lupu, A. Russo, M. Sloman and A. N. Joinson

Posters Showcasing Usable Privacy and Security Papers Published in the Past Year at Other Conferences

Expandable Grids for Visualizing and Authoring Computer Security Policies
Robert Reeder, Lujo Bauer, Lorrie Cranor, Michael Reiter, Kelli Bacon, Keisha How and Heather Strong

You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings
Serge Egelman, Lorrie Cranor and Jason Hong

Undercover: Authentication Usable in Front of Prying Eyes
Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi

Towards understanding user perceptions of authentication technologies
Laurie Jones, Annie Antón and Julia Earp

A User Study of Policy Creation in a Flexible Access-Control System
Lujo Bauer, Lorrie F. Cranor, Robert W. Reeder, Michael K. Reiter and Kami Vaniea

Behavioral response to phishing risk
Julie S. Downs, Mandy B. Holbrook and Lorrie Faith Cranor

Love and Authentication
Markus Jakobsson, Erik Stolterman, Susanne Wetzel and Liu Yang

Private Web Search
Felipe Saint-Jean, Aaron Johnson, Joan Feigenbaum and Dan Boneh

Where's The Beep? Security, Privacy, and User Misunderstandings of RFID
Jennifer King and Andrew McDiarmid

IRBs and Security Research: Myths, Facts and Mission Creep
Simson Garfinkel

A Framework for Reasoning About the Human in the Loop
Lorrie Cranor

Human, Organizational, and Technological Factors of IT Security
Kirstie Hawkey, David Botta, Rodrigo Werlinger, Kasia Muldner, Andre Gagne and Konstantin Beznosov

Discussion Sessions

Understanding PCI Regulations and Applying Strategies to Ensure Cardholder Privacy

Moderator: Eric Offenberg, IBM

The PCI DSS (Payment Card Industry Data Security Standard) is hailed as one of the most specific privacy guidelines for protecting the sensitive information held by corporations that store, process or transmit cardholder data. However, to fully comply with PCI's 12 multi-faceted requirements, companies need to implement strategies and technologies to ensure that effective privacy safeguards are in place. Join this interactive panel discussion on how companies are addressing PCI requirements, and learn about solutions that support compliance initiatives. Discussion topics will include:

  • Understanding how safeguarding customer data protects a company's bottom line
  • Assessing the impact of PCI requirements on retailers, merchants, banks, and other affected corporations
  • Overcoming the fears associated with implementing technologies to become/remain compliant with PCI
  • Discovering how PCI compliance can be leveraged to reduce costs and improve operational efficiency

Eric Offenberg, CIPP and Product Marketing Manager at IBM, has established himself as a thought leader on data governance, database archiving, enterprise data management and data privacy. With nearly 10 years of technology marketing experience across industries, Eric is a regular speaker in live Webinars, industry events and with media and analysts on behalf of IBM. He holds an MBA with a concentration in marketing from Rider University and a BA degree in communications with a concentration in public relations from Rutgers University.

Metrics for Characterizing Research Participants' Technical Knowledge

Moderators: Serge Egelman and Ponnurangam Kumaraguru, Carnegie Mellon University

User studies can only contribute to human knowledge if they are generalizable across a known population. Thus, the sample for a given user study needs to be describable so that results can be generalized to a larger population. In many user studies, a user's technical prowess can have a profound impact on the results of the study. The ability to quantify (or at least classify) a user's technical knowledge is becoming increasingly necessary in order to generalize studies across populations as well as to compare the results of one study to another. Some examples that researchers have used in the past are: (1) educational background, (2) Internet usage, (3) computer usage, and (4) security knowledge. But these metrics are not consistently used across studies. In this discussion session we plan to examine various metrics that can be used to quantify or classify technical knowledge. We plan to present the metrics that have been used in previous studies and to reach some consensus on the metrics during the session.

Serge Egelman is a PhD candidate in the School of Computer Science at Carnegie Mellon University. His research is on usable privacy and security, and his dissertation focuses on creating more effective web browser security indicators. His recent paper, "You've Been Warned: An Empirical Study of The Effectiveness of Web Browser Phishing Warnings," received an honorable mention at CHI this year. Serge has interned at Xerox PARC and Microsoft Research. His hobbies include building things, taking things apart, and trying to graduate.

Ponnurangam Kumaraguru (PK) is a Ph.D. candidate in the COS (Computation, Organizations and Society) program within the School of Computer Science at Carnegie Mellon University. His research interests include building systems that educate users to make better trust decisions, trust modeling, and international cyber security and privacy issues (specifically in India). PK is currently working on an NSF-funded project, Supporting Trust Decisions. PK's current research aims at modeling the trust behavior of users while using the Internet and using the model to build training systems such as "PhishGuru" and "Anti-Phishing Phil."

HCI-SEC Research, Private Data, and complying with the Common Rule

Moderator: Simson Garfinkel, Naval Postgraduate School

Even if you aren't working with living, breathing human subjects, your work on security and usability could easily require that you involve your organization's Institutional Review Board (IRB). That's because 45 CFR 46, the Common Rule, covers not just the use of humans in experimental research but the use of data generated by humans under many circumstances. In this discussion we will explore some of the ways that federal regulations may read on research, consider alternative interpretations, and formulate an agenda for change.

Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, California, and a fellow at the Center for Research on Computation and Society at Harvard University. His research interests include computer forensics, the emerging field of usability and security, personal information management, privacy, information policy and terrorism. He is also a member of the NPS IRB.

Balancing Security, Usability and Cost

Moderator: Ehab Al-Shaer, DePaul University

The main objective of deploying security in IT networks is to minimize the risk of compromising or interrupting network services. However, deploying effective security requires dealing with a number of critical trade-offs, including risk, flexibility, performance and cost. For instance, unbalanced security may cause unnecessary restrictions in service deployment or user accessibility, a large increase in network delay, and/or unjustified budget cost. Thus, due to the lack of theoretical foundations and experimentation in this area, achieving cost-effective security configuration is very challenging. As a result, most existing practice, even by expert IT administrators, is ad hoc, causing errors and instability. This panel will address many important issues in this area, including:

  • What are the main factors of security risk? How can they be defined and measured objectively?
  • How should existing countermeasures be considered when estimating residual risk? Although performance is well-defined, defining metrics for flexibility and cost is not far from being realized.
  • How can security configuration be optimized to achieve balanced, cost-effective security? Are there scalability issues here? How can security configuration be automatically optimized to track dynamic changes in risk?
  • How would a solution be envisioned in multi-domain networks, where domains often have conflicting objectives and independent administration?
  • How would this framework be exposed to end users so that it is easy to use and manage?

Ehab Al-Shaer is an Associate Professor and the Director of the Security & Multimedia Networking Research Lab (SMNLAB) in the School of Computer Science, Telecommunications and Information Systems at DePaul University. His primary research areas are firewalls, configuration management, and fault diagnosis. Prof. Al-Shaer is Co-Editor of 6 books in the areas of automated configuration management, multimedia networking, and end-to-end monitoring. He has published more than 80 refereed chapters, journal articles, and conference papers. Prof. Al-Shaer has served as a Program Co-chair for a number of well-established conferences in his research area, including Automated Network Management (ANM-INFOCOM 2008), POLICY 2008, Integrated Management (IM 2007), MMNS 2001, and E2EMON 2004-2005. He is also the General Chair for the 16th ACM Conference on Computer and Communications Security (CCS), held in Chicago in 2009 and 2010. Prof. Al-Shaer has been actively involved in many conferences in his area, including CCS, INFOCOM, ICNP, IM/NOMS, POLICY, and others. His research is supported by NSF, Intel, Cisco and Sun Microsystems.


SOUPS is sponsored by Carnegie Mellon CyLab.