CUPS - CyLab Usable Privacy and Security Laboratory - Carnegie Mellon University, 5000 Forbes Ave., Pittsburgh, PA 15213


The CyLab Usable Privacy and Security Laboratory (CUPS) brings together researchers working on a diverse set of projects related to understanding and improving the usability of privacy and security software and systems. Our research employs a combination of three high-level strategies to make secure systems more usable: building systems that "just work" without involving humans in security-critical functions; making secure systems intuitive and easy to use; and teaching humans how to perform security-critical tasks.

CUPS is affiliated with Carnegie Mellon CyLab. CUPS students come from several CMU PhD programs including the programs in Societal Computing, Engineering and Public Policy, Human Computer Interaction, Computer Science, Electrical and Computer Engineering, and Public Policy and Management. We also work with masters students from several CMU programs including MSIT-Privacy Engineering. Prospective students should apply directly to these programs.

Follow @cups_cryptocorn on Twitter

News!

People

Director: Lorrie Cranor

Current members: Alessandro Acquisti, Omer Akgul, Yuvraj Agrawal, Eman Alashwali, Lujo Bauer, Wendy Bickersteth, Elijah Bouma-Sims, Nicolas Christin, Andrea Gallardo, Hanan Hibshi, Jason Hong, Lily Klucinec, Alexandra Li, Megan Li, McKenna McCall, Alexandra Nisenoff, Sarah Pearman, Norman Sadeh, Ellie Young

Alumni and former lab members

Current Projects and Selected Publications

Privacy decision making | Passwords and authentication | Security behavior | User controllable security and privacy | Usable cyber trust indicators


Privacy decision making

While most people claim to be very concerned about their privacy, they do not consistently take actions to protect it. Web retailers detail their information practices in their privacy policies, but most of the time this information remains invisible to consumers. Our research focuses on understanding how individuals make privacy-related decisions, finding ways to make privacy information more usable to consumers, and using soft paternalism to provide privacy nudges. CUPS researchers developed a "nutrition label" for privacy and a search engine for bank privacy policies. We are also studying user attitudes about privacy on social networks, privacy for mobile apps, and the usability and effectiveness of online tracking opt-out tools. Our Personalized Privacy Assistant Project aims to develop intelligent agents capable of learning the privacy preferences of their users over time, semi-automatically configuring many settings, and making many privacy decisions on their behalf. Our Usable Privacy Policy Project is developing approaches to extracting information from natural-language privacy policies and displaying that information in useful ways for users.

We have been working on several projects related to privacy choices and opt-outs, including a project related to the CCPA icon.

We have also developed an IoT Security and Privacy Label.

Recent papers

Shikun Zhang, Lily Klucinec, Kyerra Norton, Norman Sadeh, and Lorrie Faith Cranor. Exploring Expandable-Grid Designs to Make iOS App Privacy Labels More Usable. Twentieth Symposium on Usable Privacy and Security (SOUPS 2024).

Xiaoxin Shen, Eman Alashwali, and Lorrie Cranor. What do Privacy Advertisements Communicate to Consumers? Proceedings on Privacy Enhancing Technologies, 2024 (4) 466-502. DOI https://doi.org/10.56553/popets-2024-0126

Soha Jiwani, Rachna Sasheendran, Adhishree Abhyankar, Elijah Bouma-Sims, and Lorrie Cranor. Crumbling Cookie Categories: Deconstructing Common Cookie Categories to Create Categories that People Understand. Proceedings on Privacy Enhancing Technologies, 2024 (3) 561-588. DOI https://doi.org/10.56553/popets-2024-0093

Yanzi Lin, Jaideep Juneja, Eleanor Birrell, Lorrie Faith Cranor. Data Safety vs. App Privacy: Comparing the Usability of Android and iOS Privacy Labels. Proceedings on Privacy Enhancing Technologies, 2024 (2) 182-210. DOI https://doi.org/10.56553/popets-2024-0047

Elijah Bouma-Sims, Sanjnah Ananda Kumar, Lorrie Faith Cranor. Exploring the Privacy Experiences of Closeted Users of Online Dating Services in the US. Proceedings on Privacy Enhancing Technologies, 2024 (2) 160-181. DOI https://doi.org/10.56553/popets-2024-0046

Claire C Chen, Dillon Shu, Hamsini Ravishankar, Xinran Li, Yuvraj Agarwal, and Lorrie Faith Cranor. 2024. Is a Trustmark and QR Code Enough? The Effect of IoT Security and Privacy Label Information Complexity on Consumer Comprehension and Behavior. In Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI '24). Association for Computing Machinery, New York, NY, USA, Article 832, 1–32. https://doi.org/10.1145/3613904.3642011

Tianshi Li, Lorrie Faith Cranor, Yuvraj Agarwal, and Jason I. Hong. 2024. Matcha: An IDE Plugin for Creating Accurate Privacy Nutrition Labels. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 8, 1, Article 33 (March 2024), 38 pages. https://doi.org/10.1145/3643544 [software download]

Pardis Emami-Naeini, Janarth Dheenadhayalan, Yuvraj Agarwal, and Lorrie Faith Cranor. 2023. Are consumers willing to pay for security and privacy of IoT devices? In Proceedings of the 32nd USENIX Conference on Security Symposium (SEC '23). USENIX Association, USA, Article 85, 1505–1522.

Andrea Gallardo, Chris Choy, Jaideep Juneja, Efe Bozkir, Camille Cobb, Lujo Bauer, and Lorrie Cranor. Speculative Privacy Concerns About AR Glasses Data Collection. Proceedings on Privacy Enhancing Technologies 2023(4).

Jessica Colnago, Lorrie Cranor, and Alessandro Acquisti. Is There a Reverse Privacy Paradox? An Exploratory Analysis of Gaps Between Privacy Perspectives and Privacy-Seeking Behaviors. Proceedings on Privacy Enhancing Technologies, 2023(1).

Elijah Robert Bouma-Sims, Megan Li, Yanzi Lin, Adia Sakura-Lemessy, Alexandra Nisenoff, Ellie Young, Eleanor Birrell, Lorrie Faith Cranor, and Hana Habib. 2023. A US-UK Usability Evaluation of Consent Management Platform Cookie Consent Interface Design on Desktop and Mobile. CHI 2023. Article 163, 1–36. https://doi.org/10.1145/3544548.3580725

Jane Im, Ruiyi Wang, Weikun Lyu, Nick Cook, Hana Habib, Lorrie Faith Cranor, Nikola Banovic, and Florian Schaub. 2023. Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising. CHI 2023. Article 661, 1–33. https://doi.org/10.1145/3544548.3580773

Hana Habib and Lorrie Faith Cranor. Evaluating the Usability of Privacy Choice Mechanisms. SOUPS 2022.

Jessica Colnago, Lorrie Faith Cranor, Alessandro Acquisti, and Kate Hazel Jain. Is it a concern or a preference? An investigation into the ability of privacy scales to capture and distinguish granular privacy constructs. SOUPS 2022.

Tianshi Li, Kayla Reiman, Yuvraj Agarwal, Lorrie Faith Cranor, and Jason I. Hong. 2022. Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI '22). Association for Computing Machinery, New York, NY, USA, Article 588, 1–24. https://doi.org/10.1145/3491102.3502012

Hana Habib, Megan Li, Ellie Young, and Lorrie Cranor. 2022. "Okay, whatever": An Evaluation of Cookie Consent Interfaces. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI '22). Association for Computing Machinery, New York, NY, USA, Article 621, 1–27. https://doi.org/10.1145/3491102.3501985

Hana Habib, Sarah Pearman, Ellie Young, Ishika Saxena, Robert Zhang, and Lorrie Faith Cranor. 2022. Identifying User Needs for Advertising Controls on Facebook. Proc. ACM Hum.-Comput. Interact. 6, CSCW1, Article 59 (April 2022), 42 pages. https://doi.org/10.1145/3512906

Shikun Zhang, Yuanyuan Feng, Yaxing Yao, Lorrie Faith Cranor, and Norman Sadeh. How Usable Are iOS App Privacy Labels? Proceedings on Privacy Enhancing Technologies 2022(4).

Sarah Pearman, Ellie Young, and Lorrie Faith Cranor. User-friendly yet rarely read: A case study on the redesign of an online HIPAA authorization. Proceedings on Privacy Enhancing Technologies 2022(3):558-581.

Peter Story, Daniel Smullen, Rex Chen, Yaxing Yao, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. Increasing adoption of Tor browser using informational and planning nudges. Proceedings on Privacy Enhancing Technologies 2022(2):152-183.

Yucheng Li, Deyuan Chen, Tianshi Li, Yuvraj Agarwal, Lorrie Faith Cranor, and Jason I. Hong. 2022. Understanding iOS Privacy Nutrition Labels: An Exploratory Large-Scale Analysis of App Store Data. In CHI Conference on Human Factors in Computing Systems Extended Abstracts (CHI EA '22). Association for Computing Machinery, New York, NY, USA, Article 356, 1–7. https://doi.org/10.1145/3491101.3519739

Habib, Hana (2021): Evaluating the Usability of Privacy Choice Mechanisms. Carnegie Mellon University. Thesis. https://doi.org/10.1184/R1/17105468.v1

Hana Habib, Yixin Zou, Yaxing Yao, Alessandro Acquisti, Lorrie Cranor, Joel Reidenberg, Norman Sadeh, and Florian Schaub. 2021. Toggles, Dollar Signs, and Triangles: How to (In)Effectively Convey Privacy Choices with Icons and Link Texts. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI '21). Association for Computing Machinery, New York, NY, USA, Article 63, 1–25.

Peter Story, Daniel Smullen, Yaxing Yao, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. Awareness, adoption, and misconceptions of web privacy tools. Proceedings on Privacy Enhancing Technologies, 2021 (3) 308-333. DOI 10.2478/popets-2021-0049.

Shikun Zhang, Yuanyuan Feng, Lujo Bauer, Lorrie Faith Cranor, Anupam Das, and Norman Sadeh. "Did you know this camera tracks your mood?": Understanding privacy expectations and preferences in the age of video analytics. Proceedings on Privacy Enhancing Technologies, 2021 (2) 282-304. DOI 10.2478/popets-2021-0028.

Hana Habib, Sarah Pearman, Jiamin Wang, Yixin Zou, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. "It’s a scavenger hunt": Usability of Websites' Opt-Out and Data Deletion Choices. CHI 2020.

Jessica Colnago, Yuanyuan Feng, Tharangini Palanivel, Sarah Pearman, Megan Ung, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. Informing the Design of a Personalized Privacy Assistant for the Internet of Things. CHI 2020.

Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites. SOUPS 2019.

Pardis Emami-Naeini, Henry Dixon, Yuvraj Agarwal, and Lorrie Faith Cranor. 2019. Exploring How Privacy and Security Factor into IoT Device Purchase Behavior. CHI 2019.

Cynthia E. Schairer, Cynthia Cheung, Caryn Kseniya Rubanovich, Mildred Cho, Lorrie Faith Cranor, and Cinnamon S. Bloss. Disposition toward privacy and information disclosure in the context of emerging health technologies. Journal of the American Medical Informatics Association, ocz010, 02 April 2019.

Pardis Emami Naeini, Martin Degeling, Lujo Bauer, Richard Chow, Lorrie Faith Cranor, Mohammad Reza Haghighat, and Heather Patterson. 2018. The Influence of Friends and Experts on Privacy Decision Making in IoT Scenarios. CSCW 2018.

Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 159-175.

Maggie Oates, Yama Ahmadullah, Abigail Marsh, Chelse Swoopes, Shikun Zhang, Rebecca Balebako, and Lorrie Cranor. Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration. Proceedings on Privacy Enhancing Technologies 2018(4):5–32.

A. Acquisti, I. Adjerid, R. Balebako, L. Brandimarte, L.F. Cranor, S. Komanduri, P.G. Leon, N. Sadeh, F. Schaub, M. Sleeper, Y. Wang, S. Wilson. Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online. ACM Computing Surveys (CSUR) 50(3), article no. 44, August 2017.

Pardis Emami Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Cranor, and Norman Sadeh. Privacy Expectations and Preferences in an IoT World. SOUPS 2017, Santa Clara, CA, July 12-14, 2017.

>> More privacy decision making papers ...

Passwords and authentication

To combat both the inherent and user-induced weaknesses of text-based passwords, administrators and organizations typically institute a series of rules – a password policy – to which users must adhere when choosing a password. There is consensus in the literature that a properly-written password policy can provide an organization with increased security. There is, however, less accord in describing just what such a well-written policy would be, or even how to determine whether a given policy is effective. Although it is easy to calculate the theoretical password space that corresponds to a particular password policy, it is difficult to determine the practical password space. Users may, for example, react to a policy rule requiring them to include numbers in passwords by overwhelmingly picking the same number, or by always using the number in the same location in their passwords. There is little published empirical research that studies the strategies used by actual users under various password policies. In addition, some password policies, while resulting in stronger passwords, may make those passwords difficult to remember or type. This may cause users to engage in a variety of behaviors that might compromise the security of passwords, such as writing them down, reusing passwords across different accounts, or sharing passwords with friends. Other undesirable side effects of particular password policies may include frequently forgotten passwords. In fact, the harm caused by users following an onerously restrictive password policy may be greater than the harm prevented by that policy. In this project, we seek to advance understanding of the factors that make creating and following appropriate password policies difficult, collect empirical data on password entropy and memorability under various password policies, and propose password policy guidelines to simultaneously maximize security and usability of passwords. 
We also explore the security and usability of some new types of passwords.
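To make the distinction between a policy's theoretical password space and the practical space users actually exercise concrete, here is an added Python illustration (not CUPS code). It assumes a policy of at least 8 characters drawn from lowercase letters and digits with at least one digit, counts the theoretical space per length, and then measures on a constructed sample how the habit described above (same digit, same position) collapses the structures people really choose.

```python
"""Theoretical versus practical password space under a composition policy.

Added illustration, not CUPS code. Assumed policy: at least 8 characters from
[a-z0-9] with at least one digit. The sample passwords below are constructed.
"""
import math
from collections import Counter
from itertools import groupby

LOWER = 26   # size of the lowercase alphabet
DIGITS = 10  # size of the digit alphabet


def theoretical_space(length: int) -> int:
    """Number of strings of `length` over [a-z0-9] containing at least one digit.

    Inclusion-exclusion: all strings minus those with no digit at all.
    """
    return (LOWER + DIGITS) ** length - LOWER ** length


def theoretical_bits(length: int) -> float:
    """Theoretical password space for one length, expressed in bits."""
    return math.log2(theoretical_space(length))


def structure(password: str) -> str:
    """Collapse a password into its character-class structure, e.g. 'password1' -> 'L8D1'.

    L = letter, D = digit, S = anything else; the number is the run length.
    """
    def cls(ch: str) -> str:
        if ch.isdigit():
            return "D"
        if ch.isalpha():
            return "L"
        return "S"
    return "".join(f"{k}{len(list(run))}" for k, run in groupby(password, key=cls))


def pattern_entropy_bits(passwords) -> float:
    """Shannon entropy of the structures users actually chose.

    A rough gauge of how much of the policy's space is really in use: if
    everyone picks 'L8D1', this is near zero no matter what the policy allows.
    """
    counts = Counter(structure(p) for p in passwords)
    n = len(passwords)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def trailing_digit_fraction(passwords) -> float:
    """Fraction of passwords whose digits all sit in a trailing run ('...123')."""
    def digits_only_at_end(pw: str) -> bool:
        head = pw.rstrip("0123456789")
        return len(head) < len(pw) and not any(ch.isdigit() for ch in head)
    return sum(digits_only_at_end(p) for p in passwords) / len(passwords)


def most_common_digit(passwords):
    """The digit users reach for most often, with its total count."""
    counts = Counter(ch for pw in passwords for ch in pw if ch.isdigit())
    return counts.most_common(1)[0]


# Constructed sample imitating the behaviour described in the text: users meet a
# "must contain a digit" rule by appending the same digit in the same place.
SAMPLE = [
    "password1", "sunshine1", "princess1", "football1", "baseball1",
    "iloveyou1", "welcome1", "monkey12", "dragon123", "shadow99",
    "letmein1", "master1a", "qwerty12", "abc12345", "trustno1",
]

if __name__ == "__main__":
    for length in (8, 9):
        print(f"theoretical space, length {length}: {theoretical_bits(length):.1f} bits")
    print(f"structure entropy in sample: {pattern_entropy_bits(SAMPLE):.2f} bits")
    print(f"digits only at the end:      {trailing_digit_fraction(SAMPLE):.0%}")
    print(f"most common digit:           {most_common_digit(SAMPLE)}")
```

The gap between roughly 46 bits of theoretical space at length 9 and about 2 bits of structure entropy in the sample is the practical-space problem the paragraph describes; a real study would replace the constructed sample with collected data.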

Recent papers

Joshua Tan, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements. CCS 2020, November 9-13, 2020.

Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Why people (don’t) use password managers effectively. SOUPS 2019.

Hana Habib, Pardis Emami Naeini, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. User Behaviors and Attitudes Under Password Expiration Policies. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 13-20.

Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget. Let’s go in for a closer look: Observing passwords in their natural habitat. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS’17). 2017.

J. Colnago, S. Devlin, M. Oates, C. Swoopes, L. Bauer, L. Cranor, and N. Christin. "It's Not Actually That Horrible": Exploring Adoption of Two-Factor Authentication at a University, CHI 2018 pages 456:1--456:11, 2018.

Sean Segreti, William Melicher, Saranga Komanduri, Darya Melicher, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Cranor, and Michelle Mazurek. Diversify to Survive: Making Passwords Stronger with Adaptive Policies. SOUPS 2017, Santa Clara, CA, July 12-14, 2017.

Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. 2017. Design and Evaluation of a Data-Driven Password Meter. CHI 2017. [video preview] [BEST PAPER AWARD!]

H. Habib, J. Colnago, W. Melicher, B. Ur, S. Segreti, L. Bauer, N. Christin, and L. Cranor. Password Creation in the Presence of Blacklists. USEC 2017, February 26, 2017, San Diego, CA.

>> More passwords papers ...

Security behavior

We aim to better understand the challenges that everyday people face when using their home computers over both the short and long term. Towards this goal, we are building and deploying data collection software that participants install on their computers, which provides metrics on a variety of computer and user behaviors. This data is then sent to our "Security Behavior Observatory." With this data, we hope to identify the causes and effects of usable privacy and security problems users encounter in everyday computing. This will provide insights to multiple research areas (e.g., behavioral economics, computer security, human-computer interaction, privacy, social sciences) on what areas most urgently need additional research, as well as how we can better help users, developers, and organizations resolve these problems. (See our SBO website for information about participating in our studies.)

Recent papers

Akira Yamada, Kyle Crichton, Yukiko Sawaya, Jin-Dong Dong, Sarah Pearman, Ayumu Kubota, and Nicolas Christin. On recruiting and retaining users for security-sensitive longitudinal measurement panels. In Proceedings of the 18th Symposium on Usable Privacy and Security (SOUPS'22). Boston, MA. August 2022.

Kyle Crichton, Nicolas Christin, and Lorrie Faith Cranor. 2021. How Do Home Computer Users Browse the Web? ACM Trans. Web 16, 1, Article 3 (February 2022), 27 pages.

Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing. SOUPS 2018.

Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget. Let’s go in for a closer look: Observing passwords in their natural habitat. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS’17). 2017.

C. Canfield, A. Davis, B. Fischhoff, A. Forget, S. Pearman, and J. Thomas. Replication: Challenges in Using Data Logs to Validate Phishing Detection Ability Metrics. SOUPS 2017.

A. Forget, S. Pearman, J. Thomas, A. Acquisti, N. Christin, L. Cranor, S. Egelman, M. Harbach, and R. Telang. Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes. SOUPS 2016, Denver, CO, June 22-24, 2016, 97-111.

A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, and R. Telang. Security Behavior Observatory: Infrastructure for long-term monitoring of client machines. Technical Report CMU-CyLab-14-009, CyLab, Carnegie Mellon University, July 2014.

>> More security behavior papers ...

User controllable security and privacy

Managing security and privacy policies is known to be a difficult problem. It is important that new user interfaces be developed to effectively and efficiently support lay users in understanding and managing security and privacy policies - their own as well as those implemented by systems and individuals with whom they interact. Solutions in this area have traditionally taken a relatively narrow view of the problem by limiting the expressiveness of policy languages or the number of options available in templates, restricting some decisions to specific roles within the enterprise, etc. As systems grow more pervasive and more complex, and as demands for increasing flexibility and delegation continue to grow, it is imperative to take a more fundamental view that weaves together issues of security, privacy and usability to systematically evaluate key tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance; and develop novel mechanisms and technologies that help mitigate these tradeoffs, maximizing accuracy and trustworthiness while minimizing the time and effort required by end users. The objective of this project is to develop new interfaces that combine user-centered design principles with dialog, explanation and learning technologies to assist users in specifying and refining policies. One new policy authoring interface we have developed is a visualization technique for displaying policies in a two-dimensional "expandable grid". (See also the User controllable security and privacy project page, the Expandable grids project, Grey project, Usable security for digital home storage and Locaccino.)

Recent papers

Manya Sleeper, Lorrie Faith Cranor, and Sarah K. Pearman. 2017. Exploring Topic-Based Sharing Mechanisms. CHI 2017.

P. Klemperer, Y. Liang, M. Mazurek, M. Sleeper, B. Ur, L. Bauer, L.F. Cranor, N. Gupta, and M. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. CHI 2012.

K. Vaniea, L. Bauer, L.F. Cranor, and M.K. Reiter. Studying access control usability in the lab: Lessons learned from four studies. In LASER 2012–Learning from Authoritative Security Experiment Results, July 2012.

K. Vaniea, L. Bauer, L.F. Cranor, and M.K. Reiter. Out of sight, out of mind: Effects of displaying access-control information near the item it controls. In Proceedings of the Tenth Annual Conference on Privacy, Security and Trust, July 2012.

M. Mazurek, J.P. Arsenault, J. Bresee, N. Gupta, I. Ion, C. Johns, D. Lee, Y. Liang, J. Olsen, B. Salmon, R. Shay, K. Vaniea, L. Bauer, L.F. Cranor, G.R. Ganger, and M.K. Reiter. Access Control for Home Data Sharing: Attitudes, Needs and Practices. CHI 2010.

>> More user-controllable security and privacy papers ...

Usable Cyber Trust Indicators

When systems rely on a "human in the loop" to carry out a security-critical function, cyber trust indicators are often employed to communicate when and how to perform that function. Cyber trust indicators typically serve as warnings or status indicators that communicate information, remind users of information previously communicated, and influence user behavior. They include a variety of security- and privacy-related symbols in the operating system status bar or browser chrome, pop-up alerts, security control panels, or symbols embedded in web content. However, a growing body of literature has found the effectiveness of many of these indicators to be rather disappointing. It is becoming increasingly apparent that humans are a major cause of computer security failures and that security warnings and other cyber trust indicators are doing little to prevent humans from making security errors. In some cases, it may be possible to redesign systems to minimize the need for humans to perform security-critical functions, thus reducing or eliminating the need for security warnings. However, in many cases it may be too expensive or difficult to automate security-critical tasks, and systems may need to rely on human judgment. In these cases, it is important to situate security indicators both spatially and temporally to maximize their effectiveness, and to design them to communicate clearly to users. The goal of this research is to systematically study the effectiveness of cyber trust indicators and develop approaches to making these indicators most effective and usable. We are currently focusing on security warning dialogs. See also our work on privacy indicators on our privacy decision making research page.

Recent papers

C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, M. Sleeper. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. SOUPS 2014.

C. Bravo-Lillo. Improving Computer Security Dialogs: An Exploration of Attention and Habituation PhD Thesis, Engineering & Public Policy Department, Carnegie Mellon University, Pittsburgh, PA, May 2014.

C. Bravo-Lillo, L.F. Cranor, J. Downs, S. Komanduri, R.W. Reeder, S. Schechter, and M. Sleeper. Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the Eight Symposium On Usable Privacy and Security (SOUPS ’13), Newcastle, United Kingdom, 2013.

L. Bauer, C. Bravo-Lillo, L. Cranor, and E. Fragkaki. Warning Design Guidelines. CMU-CyLab-13-002. February 5, 2013.

C. Bravo-Lillo, L. Cranor, J. Downs, S. Komanduri, S. Schechter, and M. Sleeper, Operating system framed in case of mistaken identity: Measuring the success of web-based spoofing attacks on OS password-entry dialogs, in Proceedings of the 19th ACM Conference on Computer and Communications Security, ACM, 18 October 2012.

C. Bravo-Lillo, L.F. Cranor, J.S. Downs, and S. Komanduri. Bridging the Gap in Computer Security Warnings: A Mental Model Approach. IEEE Security & Privacy, 2011: 18-26.

>> More usable cyber trust indicators papers ...

Earlier Projects

Looking for some of our work that you can't find under "current projects"? Check here for our past projects.

Supporting trust decisions

When Internet users are asked to make "trust" decisions they often make the wrong decision. Implicit trust decisions include decisions about whether or not to open an email attachment or provide information in response to an email that claims to have been sent by a trusted entity. Explicit trust decisions are decisions made in response to specific trust- or security-related prompts such as pop-up boxes that ask the user whether to trust an expired certificate, execute downloaded software, or allow macros to execute. Attackers are able to take advantage of most users' poor trust decision-making skills through a class of attacks known as "semantic attacks." It is not always possible for systems to make accurate trust decisions on a user's behalf, especially when those decisions require knowledge of contextual information. The goal of this research is not to make trust decisions for users, but rather to develop approaches to support users when they make trust decisions. Our research began with a mental models study aimed at understanding and modeling how people make trust decisions in the online context and ultimately resulted in the development of anti-phishing training tools and filtering software. The tools developed by this project are being commercialized by Wombat Security. For our publications, see the Supporting trust decisions project page.

Usable anonymity tools

A variety of tools have been developed to provide anonymity for various types of online interactions. Most of the work in this area has focused on improving the anonymity properties of these tools, and little has been done to improve their usability. We have been working on developing more usable interfaces for Tor.

FoxTor design document, our entry for the Tor GUI competition (selected as the phase 1 winner)

FoxTor download and FAQ

Other Selected Publications

Elijah Bouma-Sims, Lily Klucinec, Mandy Lanyon, Lorrie Faith Cranor, and Julie Downs. Recruiting Teenage Participants for an Online Security Experiment: A Case Study Using Peachjar. 9th Workshop on Inclusive Privacy and Security (WIPS). August 9, 2024.

Elijah Bouma-Sims, Hiba Hassan, Alexandra Nisenoff, Lorrie Faith Cranor, and Nicolas Christin. "It was honestly just gambling": Investigating the Experiences of Teenage Cryptocurrency Users on Reddit. Twentieth Symposium on Usable Privacy and Security (SOUPS 2024).

Andrea Gallardo, Robert Erbes, Katya Le Blanc, Lujo Bauer, and Lorrie Faith Cranor. 2024. Interdisciplinary Approaches to Cybervulnerability Impact Assessment for Energy Critical Infrastructure. In Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI '24). Association for Computing Machinery, New York, NY, USA, Article 828, 1–24. https://doi.org/10.1145/3613904.3642493

Maggie Oates, Kyle Crichton, Lorrie Cranor, Storm Budwig, Erica J.L. Weston, Brigette M. Bernagozzi, Julie Pagaduan. Audio, video, chat, email, or survey: How much does online interview mode matter? PLOS ONE. February 22, 2022. https://doi.org/10.1371/journal.pone.0263876

Verena Distler, Matthias Fassl, Hana Habib, Katharina Krombholz, Gabriele Lenzini, Carine Lallemand, Lorrie Faith Cranor, and Vincent Koenig. 2021. A Systematic Literature Review of Empirical Methods and Risk Representation in Usable Privacy and Security Research. ACM Trans. Comput.-Hum. Interact. 28, 6, Article 43 (December 2021), 50 pages.

Kentrell Owens, Camille Cobb, and Lorrie Cranor. 2021. "You Gotta Watch What You Say": Surveillance of Communication with Incarcerated People. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI '21). Association for Computing Machinery, New York, NY, USA, Article 62, 1–18.

Abigail Marsh. An Examination of Parenting Strategies for Children's Online Safety. Carnegie Mellon Dissertation, Societal Computing, CMU-ISR-18-106. August 2018.

Joshua Tan, Lujo Bauer, Joseph Bonneau, Lorrie Faith Cranor, Jeremy Thomas, and Blase Ur. 2017. Can Unicorns Help Users Compare Crypto Key Fingerprints? CHI 2017. [video preview]

M. Sleeper, A. Acquisti, L. Cranor, P. Kelley, S. Munson, and N.M. Sadeh. I Would Like To..., I Shouldn't..., I Wish I...: Exploring Behavior-Change Goals for Social Networking Sites. CSCW 2015: 1058-1069, Vancouver, BC, CA, March 14-18, 2015.

J. Wiese, A.J. Brush, T. Scott Saponas. Phoneprioception: enabling mobile phones to infer where they are kept. CHI 2013.

T. Vidas, E. Owusu, S. Wang, C. Zeng, and L. Cranor. QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks, USEC 2013 [originally published as CyLab Technical Report CMU-CyLab-12-022, November 2012].

M. Sleeper, D. Sharma, and L. Cranor. I Know Where You Live: Analyzing Privacy Protection in Public Databases. cmu-cylab-11-015, October 2011. [Extended version of paper presented at WPES 2011]

H. Hibshi, T. Vidas, and L. Cranor. Usability of Forensics Tools: A User Study. IT Security Incident Management and IT Forensics (IMF), 10-12, May 2011.

Janne Lindqvist, Justin Cranshaw, Jason Wiese, Jason Hong, and John Zimmerman. I'm the Mayor of My House: Examining Why People Use foursquare - a Social-Driven Location Sharing Application. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.

Timothy Vidas, Nicolas Christin, Lorrie Cranor. Curbing Android Permission Creep. Web 2.0 Security & Privacy 2011. Oakland, CA, May 26, 2011.

S. Garfinkel and L. Cranor. Institutional Review Boards and Your Research. Communications of the ACM, June 2010, p. 38-40. DOI = http://doi.acm.org/10.1145/1743546.1743563

J. Downs, M. Holbrook, S. Sheng, and L. Cranor. Are Your Participants Gaming the System? Screening Mechanical Turk Workers. CHI 2010.

Sarah Spiekermann and Lorrie Faith Cranor. Engineering Privacy. IEEE Transactions on Software Engineering, Vol. 35, No. 1, January/February 2009, pp. 67-82.

Ahren Studer, Christina Johns, Jaanus Kase, Kyle O'Meara, Lorrie Cranor. A Survey to Guide Group Key Protocol Development. Annual Computer Security Applications Conference (ACSAC) 2008, December 8-12, 2008, Anaheim, CA.

A. McDonald and L. Cranor. How Technology Drives Vehicular Privacy. I/S: A Journal of Law and Policy for the Information Society Volume 2, Issue 3 (2006).

X. Sheng and L. Cranor. An Evaluation of the Effectiveness of US Financial Privacy Legislation Through the Analysis of Privacy Policies. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 3, Fall 2006, pp. 943-979.

L. Cranor. 'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization. Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, October 30, 2003, Washington, DC.

L. Cranor, J. Hong, and M. Reiter. Teaching Usable Privacy and Security: A guide for instructors. 2007.

S. Egelman and L. Cranor. The Real ID Act: Fixing Identity Documents with Duct Tape. I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 1, Winter 2006, pp. 149-183.

M. Geiger and L. Cranor, Counter-Forensic Privacy Tools: A Forensic Evaluation. ISRI Technical Report. CMU-ISRI-05-119, 2005.

Romanosky, S., Acquisti, A., Hong, J., Cranor, L. F., and Friedman, B. 2006. Privacy patterns for online interactions. In Proceedings of the 2006 Conference on Pattern Languages of Programs (Portland, Oregon, October 21 - 23, 2006). PLoP '06. ACM, New York, NY, 1-9.



Resources

Join our cups-friends mailing list for announcements about our papers and events and discussions about usable privacy and security

Security and Usability: Designing Secure Systems that People Can Use, edited by Lorrie Cranor and Simson Garfinkel, is now available

L. Cranor, J. Hong, and M. Reiter. Teaching Usable Privacy and Security: A guide for instructors. 2007.

The HCISec Bibliography contains a good list of CUPS-related publications.

HCISEC mailing list

Slides are available from the July 2004 Workshop on Usable Privacy and Security Software

Usability, Psychology, and Security workshop

Vizsec - a research and development community interested in applying information visualization techniques to the problems of computer security


Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or any of our other funders.
