Date | Topic | Readings/Assignments
Week 1 |
|
|
02/02 |
Introductions and Course Overview |
|
02/04 |
Human Factors in Security and Privacy Overview |
Required Reading:
Optional Reading:
Textbook Reading:
|
Week 2 |
|
|
02/09 |
HCI Methods Overview and Validity |
Required Reading:
- (interview) Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiakshina, Matthew Smith. Obstacles to the Adoption of Secure Communication Tools. In Proceedings of IEEE SP 2017.
- (diary) Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber McConahy, Jason Wiese, Lorrie Faith Cranor. The Post that Wasn't: Exploring Self-Censorship on Facebook. In Proceedings of CSCW 2013.
Optional Reading:
- (how-to for qual analysis) Moira Maguire and Brid Delahunt. Doing a thematic analysis: A practical, step-by-step guide for learning and teaching scholars.
- (mixed-methods) Yang Wang, Saranga Komanduri, Pedro Giovanni Leon, Gregory Norcie, Alessandro Acquisti, and Lorrie Faith Cranor. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. In Proceedings of SOUPS '11.
- (mixed-method) Lerner, Ada, Eric Zeng, and Franziska Roesner. Confidante: Usable encrypted email: A case study with lawyers and journalists. 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.
- (interview) Rick Wash. Folk Models of Home Computer Security. SOUPS 2010.
- (focus group/grounded-theory) Alexandra Mai, Katharina Pfeffer, Edgar Weippl, Katharina Krombholz. User Mental Models of Cryptocurrency Systems - A Grounded Theory Approach. SOUPS 2020.
Textbook Reading:
Due:
|
02/11 |
Qualitative Methods |
Required Reading:
Optional Reading:
- Kumaraguru, Ponnurangam, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Lessons from a real world evaluation of anti-phishing training. In 2008 eCrime Researchers Summit, pp. 1-12. IEEE, 2008.
- Redmiles, Elissa M., Sean Kross, and Michelle L. Mazurek. How well do my results generalize? Comparing security and privacy survey results from MTurk, web, and telephone samples. In 2019 IEEE Symposium on Security and Privacy.
- Kang, Ruogu, et al. Privacy attitudes of Mechanical Turk workers and the US public. Symposium on Usable Privacy and Security (SOUPS). 2014.
- Mazurek, Michelle L., et al. Measuring password guessability for an entire university. Proceedings of ACM CCS, 2013.
Textbook:
|
Week 3 |
|
|
02/16 |
Presidents' Day (No Class) |
|
02/18 |
Usable Encryption |
Required Reading:
Optional Reading:
- Scott Ruoti, Jeff Andersen, Tyler Monson, Daniel Zappala, and Kent Seamons. A Comparative Usability Study of Key Management in Secure Email. In proceedings of 2018 SOUPS (SOUPS'18).
- Scott Ruoti, Jeff Andersen, Scott Heidbrink, Mark O'Neill, Elham Vaziripour, Justin Wu, Daniel Zappala, and Kent Seamons. "We're on the Same Page": A Usability Study of Secure Email Using Pairs of Novice Users. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI '16).
|
Week 4 |
|
|
02/23 |
Usable Encryption (Continued) + Pitch Day! |
Required Reading:
- Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiakshina, and Matthew Smith. Obstacles to the Adoption of Secure Communication Tools. In proceedings of 2017 IEEE S&P (S&P '17).
- Wei Bai, Doowon Kim, Moses Namara, Yichen Qian, Patrick Gage Kelley, and Michelle L. Mazurek. An Inconvenient Trust: User Attitudes Toward Security and Usability Tradeoffs for Key-Directory Encryption Systems. In Proceedings of the 2016 USENIX Symposium on Usable Privacy and Security (SOUPS '16).
Optional Reading:
- Wenley Tong, Sebastian Gold, Samuel Gichohi, Mihai Roman, and Jonathan Frankle. Why King George III Can Encrypt.
- Joshua Tan, Lujo Bauer, Joseph Bonneau, Lorrie Faith Cranor, Jeremy Thomas, and Blase Ur. Can Unicorns Help Users Compare Crypto Key Fingerprints? In Proceedings of the 2017 ACM Conference on Human Factors in Computing Systems (CHI '17).
- Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Emre Acar, Elisabeth Morant, and Sunny Consolvo. Rethinking Connection Security Indicators. In Proceedings of the 2016 Symposium on Usable Privacy and Security (SOUPS '16).
- Elham Vaziripour, Devon Howard, Jake Tyler, Mark O'Neill, Justin Wu, Kent Seamons, and Daniel Zappala. I Don't Even Have to Bother Them!: Using Social Media to Automate the Authentication Ceremony in Secure Messaging. In Proceedings of the 2019 ACM Conference on Human Factors in Computing Systems (CHI '19).
Due:
|
02/25 |
Quantitative Methods |
Required Reading:
Textbook:
|
Week 5 |
|
|
03/02 |
Quantitative Methods (Continued) |
|
03/04 |
Ethics |
Required Reading:
- Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer. Social Phishing. Communications of the ACM 50(10), pp. 94-100, 2007.
- Narayanan, A., & Zevenbergen, B. No Encore for Encore? Ethical questions for web-based censorship measurement. SSRN. 2015.
- Vitak, J., Shilton, K., & Ashktorab, Z. Beyond the Belmont principles: Ethical challenges, practices, and beliefs in the online data research community. In ACM CSCW, 2016.
Optional Reading:
- The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Department of Homeland Security. 2012.
- Casey Fiesler and Nicholas Proferes. “Participant” Perceptions of Twitter Research Ethics. Social Media and Society. 2018.
- Adam D. I. Kramer, Jamie E. Guillory, and Jeffrey T. Hancock. Experimental evidence of massive-scale emotional contagion through social networks. PNAS. 2014.
- Stuart E. Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer. The Emperor's New Security Indicators: An Evaluation of Website Authentication and the Effect of Role Playing on Usability Studies. In Proceedings of IEEE SP 2007.
- Tarun Parwani, Ramin Kholoussi, and Panagiotis Karras. How to hack into Facebook without being a hacker. In Second International Workshop on Privacy and Security in Online Media (PSOSM). 2013.
- Sam Burnett, Nick Feamster. Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests. In ACM SIGCOMM, 2015.
- Simson L. Garfinkel. IRBs and Security Research: Myths, Facts, and Mission Creep. Naval Postgraduate School. 2008.
- Vitak, J., Proferes, N., Shilton, K., & Ashktorab, Z. Ethics Regulation in Social Computing Research: Examining the Role of Institutional Review Boards. Journal of Empirical Research on Human Research Ethics, 12(5), 372-382. 2017.
- Huahong Tu, Adam Doupé, Ziming Zhao, Gail-Joon Ahn. Users Really Do Answer Telephone Scams. In Proceedings of USENIX Security, 2019.
- Cristian Bravo-Lillo, Serge Egelman, Cormac Herley, Stuart Schechter, and Janice Tsai. You needn’t build that: Reusable ethics-compliance infrastructure for human subjects research. In Cyber-security Research Ethics Dialog & Strategy Workshop. 2013.
|
Week 6 |
|
|
03/09 |
Passwords |
Required Reading:
- Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
- Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of CCS 2013.
- Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. Design and Evaluation of a Data-Driven Password Meter. In Proceedings of the 2017 ACM Conference on Human Factors in Computing Systems (CHI '17).
Optional Reading:
- Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab. In the proceedings of SOUPS 2015.
- Rick Wash, Emilee Rader, Ruthie Berman, and Zac Wellmer. Understanding Password Choices: How Frequently Entered Passwords are Re-used Across Websites. In Proceedings of the SOUPS 2016.
- Joshua Tan, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements. In Proceedings of the 2020 ACM Conference on Computer and Communications Security (CCS '20).
- Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Why people (don’t) use password managers effectively. SOUPS 2019.
- Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes and Sven Bugiel. Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse. In proceedings of SOUPS 2018.
Due:
|
03/11 |
Mobile Authentication |
Required Reading:
Optional Reading:
|
Week 7 |
|
|
03/16 |
Phishing and Security Training |
Required Reading:
- Rick Wash and Molly M. Cooper. Who Provides Phishing Training? Facts, Stories, and People Like Me. In Proceedings of CHI 2018.
- Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., & Savage, S. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the CCS. 2008.
Optional Reading:
|
03/18 |
Privacy |
Required Reading:
Optional Reading:
- Nithya Sambasivan, Garen Checkley, Amna Batool, Nova Ahmed, David Nemer, Laura Sanely Gaytán-Lugo, Tara Matthews, Sunny Consolvo, Elizabeth Churchill. "Privacy is not for me, it's for those rich women": Performative Privacy Practices on Mobile Phones by Women in South Asia. In Proceedings of SOUPS 2018.
- Pardis Emami-Naeini, Yuvraj Agarwal, Lorrie Cranor, and Henry Dixon. Exploring How Privacy and Security Factor into IoT Device Purchase Behavior. CHI ’19.
|
03/19 |
|
Due:
|
Week 8 |
|
|
03/23 |
Permissions |
Required Reading:
- Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. 2012. Android permissions: user attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS '12).
- Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David A. Wagner. Android permissions demystified. ACM Conference on Computer and Communications Security 2011.
- Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David A. Wagner, Konstantin Beznosov. Android Permissions Remystified: A Field Study on Contextual Integrity. In proceedings USENIX Security Symposium 2015.
Optional Reading:
- Hazim Almuhimedi, Florian Schaub, Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Joshua Gluck, Lorrie Faith Cranor, and Yuvraj Agarwal. 2015. Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging. In Proceedings of the 2015 ACM Conference on Human Factors in Computing Systems (CHI '15).
- Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, Serge Egelman. 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System. In Proceedings of USENIX Security 2019.
- Kristopher Micinski, Daniel Votipka, Rock Stevens, Nikolas Kofinas, Michelle L. Mazurek, and Jeffrey S. Foster. User Interactions and Permission Use on Android. In Proceedings of the 2017 ACM Conference on Human Factors in Computer Systems (CHI '17).
Due:
|
03/25 |
Spring Break (No Class) |
Due:
|
Week 9 |
|
|
03/30 |
Lightning Talks! -- 3-minute presentations about your project |
|
04/01 |
Security Warnings |
Required Reading:
Due:
|
Week 10 |
|
|
04/06 |
Online Tracking |
Required Reading:
Optional Reading:
- Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, Florian Schaub. An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites. SOUPS 2019.
- Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, Thorsten Holz. (Un)informed Consent: Studying GDPR Consent Notices in the Field. Proceedings CCS'19.
|
04/08 |
Breach Notifications |
Required Reading:
- Yixin Zou, Shawn Danino, Kaiwen Sun, and Florian Schaub. 2019. You `Might' Be Affected: An Empirical Analysis of Readability and Usability Issues in Data Breach Notifications. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (CHI '19).
- Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. You've Got Vulnerability: Exploring Effective Vulnerability Notifications. In Proceedings of the 2016 USENIX Security Symposium (USENIX Sec '16).
Optional Reading:
|
Week 11 |
|
|
04/13 |
Developer Studies |
Required Reading:
Optional Reading:
- Michael Coblenz, Gauri Kambhatla, Paulette Koronkevich, Jenna L. Wise, Celeste Barnaby, Joshua Sunshine, Jonathan Aldrich, Brad A. Myers. PLIERS: A Process that Integrates User-Centered Methods into Programming Language Design.
- Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Matthew Smith. Deception Task Design in Developer Password Studies: Exploring a Student Sample. SOUPS 2018
- Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, Sascha Fahl. Stack Overflow Considered Harmful? The Impact of Copy & Paste on Android Application Security. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (S&P '17).
- Peter Leo Gorski, Luigi Lo Iacono, Dominik Wermke, Christian Stransky, Sebastian Möller, Yasemin Acar, Sascha Fahl. Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse. SOUPS 2018.
- Daniel Votipka, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, Michael Hicks. Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. USENIX Security Symposium 2020.
|
04/15 |
Other Security Professionals |
Required Reading:
- Khaled Yakdan, Sergej Dechand, Elmar Gerhards-Padilla, and Matthew Smith. Helping Johnny to Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (S&P '16).
- Yan Shoshitaishvili, Michael Weissbacher, Lukas Dresel, Christopher Salls, Ruoyu Wang, Christopher Kruegel, and Giovanni Vigna. Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance. In Proceedings of the 2017 ACM Conference on Computer and Communications Security (CCS '17).
- Rock Stevens, Daniel Votipka, Elissa M. Redmiles, Colin Ahern, Patrick Sweeney, and Michelle L. Mazurek. The Battle for New York: A Case Study of Applied Digital Threat Modeling at the Enterprise Level. In Proceedings of the 2018 USENIX Security Symposium (USENIX Sec '18).
Optional Reading:
- Daniel Votipka, Seth M. Rabin, Kristopher Micinski, Jeffrey S. Foster, and Michelle L. Mazurek. An Observational Investigation of Reverse Engineers’ Processes. In Proceedings of the 2020 USENIX Security Symposium (USENIX Sec '20).
- Faris Bugra Kokulu, Ananta Soneji, Tiffany Bao, Yan Shoshitaishvili, Ziming Zhao, Adam Doupé, and Gail-Joon Ahn. Matched and Mismatched SOCs: A Qualitative Study on Security Operations Center Issues. In Proceedings of the 2019 ACM Conference on Computer and Communications Security (CCS '19).
Due:
|
Week 12 |
|
|
04/20 |
Vulnerable Populations |
Required Reading:
- Susan E. McGregor, Elizabeth Anne Watkins, Mahdi Nasrullah Al-Ameen, Kelly Caine, Franziska Roesner. When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers. In Proceedings of USENIX Security 2017.
- Tamy Guberek, Allison McDonald, Sylvia Simioni, Abraham H Mhaidli, Kentaro Toyama, Florian Schaub. Keeping a Low Profile? Technology, Risk and Privacy among Undocumented Immigrants. In Proceedings of CHI 2018.
- Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, and Nicola Dell. "A Stalker's Paradise": How Intimate Partners Abuse Technology. In proceedings of CHI'18.
Optional Reading:
|
04/22 |
Vulnerable Populations (Continued) |
Required Reading:
- Emily Tseng, Rosanna Bellini, Nora McDonald, Matan Danos, Rachel Greenstadt, Damon McCoy, Nicola Dell and Thomas Ristenpart. The Tools and Tactics Used in Intimate Partner Surveillance: An Analysis of Online Infidelity Forums. In proceedings of USENIX Security 2020.
- Tara Matthews, Kathleen O'Leary, Anna Turner, Manya Sleeper, Jill Palzkill Woelfer, Martin Shelton, Cori Manthorne, Elizabeth F. Churchill, and Sunny Consolvo. Stories from Survivors: Privacy & Security Practices when Coping with Intimate Partner Abuse. In Proceedings of the 2017 ACM Conference on Human Factors in Computing Systems (CHI '17).
- Kurt Thomas, Devdatta Akhawe, Michael Bailey, Dan Boneh, Elie Bursztein, Sunny Consolvo, Nicola Dell, Zakir Durumeric, Patrick Gage Kelley, Deepak Kumar, Damon McCoy, Sarah Meiklejohn, Thomas Ristenpart, and Gianluca Stringhini. SoK: Hate, Harassment, and the Changing Landscape of Online Abuse. In Proceedings of the 2021 IEEE Symposium on Security and Privacy (S&P '21).
Due:
|
Week 13 |
|
|
04/27 |
Accessibility |
Required Reading:
- Tousif Ahmed, Patrick Shaffer, Kay Connelly, David Crandall, Apu Kapadia. Addressing Physical Safety, Security, and Privacy for People with Visual Impairments. In Proceedings of SOUPS 2016.
- Jake Reichel, Fleming Peck, Mikako Inaba, Bisrat Moges, Brahmnoor Singh Chawla, and Marshini Chetty. 'I have too much respect for my elders': Understanding South African Mobile Users' Perceptions of Privacy and Current Behaviors on Facebook and WhatsApp. In Proceedings of the 2020 USENIX Security Symposium (USENIX Sec '20).
- Ogbonnaya-Ogburu, Ihudiya Finda, Angela DR Smith, Alexandra To, and Kentaro Toyama. Critical Race Theory for HCI. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pp. 1-16. 2020.
Optional Reading:
- Alisa Frik, Leysan Nurgalieva, Julia Bernd, Joyce S. Lee, Florian Schaub, Serge Egelman. Privacy and Security Threat Models and Mitigation Strategies of Older Adults. In proceedings of SOUPS 2019.
- Taslima Akter, Bryan Dosono, Tousif Ahmed, Apu Kapadia, and Bryan Semaan. "I am uncomfortable sharing what I can't see": Privacy Concerns of the Visually Impaired with Camera Based Assistive Applications. In the proceedings of USENIX Security 2020.
- Bryan Dosono, Jordan Hayes, Yang Wang. "I'm Stuck!": A Contextual Inquiry of People with Visual Impairments in Authentication. In Proceedings of SOUPS 2015.
- Hirak Ray, Flynn Wolf, Ravi Kuber, Adam J. Aviv. Why Older Adults (Don't) Use Password Managers. In the proceedings of the 2021 USENIX Security Symposium. Aug. 2021.
- Valerie Fanelle, Sepideh Karimi, Aditi Shah, Bharath Subramanian, and Sauvik Das. Blind and Human: Exploring More Usable Audio CAPTCHA Designs. SOUPS 2020.
|
04/29 |
Project Presentations |
|
Week 14 |
|
|
05/04 |
Project Presentations |
|
05/14 |
Final project reports due
|
|