Usable Security and Privacy

BCCS 3997, Fall 2024

Tentative schedule

The schedule may change based on class pacing + interest.

You can find readings on CourseWorks in the "files" tab, or you can probably also find them for free if you search on scholar.google.com. Don't pay for papers. Let me know if you can't find them.

In addition to homework and project assignments, there is a participation quiz for every class. You can find these on CourseWorks, and I'll often leave time to complete them at the end of class. The quizzes are graded on effort rather than correctness. They are always due at 8am the day before the next class.

Readings: see CourseWorks for optional readings (there are many). Assignments and project items are due at 8am unless otherwise stated.

| Week (class) | Date | Topic(s) | Required readings | Need discussion leader (DL)? | Assignments due | Project stuff due |
|---|---|---|---|---|---|---|
| 1 (1) | September 3 (T) | What is Usable S&P; syllabus | | | | |
| 1 (2) | September 5 (Th) | Project explanation, genAI co-agreement, contextual integrity | | No DL | HW0: class pre-survey | |
| 2 (3) | September 10 (T) | Gen AI discussion, threat modeling, encryption | | No DL | | |
| 2 (4) | September 12 (Th) | Secure messaging | Reading response required for (1): 1. Alma Whitten and J.D. Tygar. "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0." USENIX Security, 1999. 2. https://www.wired.com/story/efail-pgp-vulnerability-outlook-thunderbird-smime/ | No DL | | |
| 3 (5) | September 17 (T) | Secure messaging II | Reading response required for one of: 1a. Warford, Noel, et al. "Strategies and perceived risks of sending sensitive documents." USENIX Security, 2021. 1b. Lerner, Ada, Eric Zeng, and Franziska Roesner. "Confidante: Usable encrypted email: A case study with lawyers and journalists." IEEE EuroS&P, 2017. 1c. Ruoti, Scott, et al. "Why Johnny still, still can't encrypt: Evaluating the usability of a modern PGP client." 2015. | Yes, 3 DL | HW1 due: send an encrypted email + reflect | |
| 3 (6) | September 19 (Th) | Authentication I (passwords) | Optional (no response required) and really funny: James Mickens. "This World of Ours." 2014. Reading response required for: 1. Mazurek, Michelle L., et al. "Measuring password guessability for an entire university." ACM CCS, 2013. | Yes, 1 DL | | |
| 4 (7) | September 24 (T) | Authentication II (what do we do about passwords?!) | Reading response required for one of: 1a. Bonneau, Joseph, et al. "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes." IEEE S&P, 2012. 1b. Reynolds, Joshua, et al. "A tale of two studies: The best and worst of YubiKey usability." IEEE S&P, 2018. | Yes, 2 DL | | |
| 4 (8) | September 26 (Th) | YubiKeys and project brainstorming | No reading response required, but I encourage you to watch the video for paper 1b from Tuesday if you didn't read the paper. | | HW2: Security review (S&P in your daily life) | |
| 5 (9) | October 1 (T) | Phishing | Reading response required for both: 1. Lain, Daniele, et al. "Phishing in organizations: Findings from a large-scale and long-term study." IEEE S&P, 2022. 2. Simko, Lucy, et al. "Computer security and privacy for refugees in the United States." IEEE S&P, 2018. | | | |
| 5 (10) | October 3 (Th) | Privacy policies/notices | Reading response required for: Emami-Naeini, Pardis, et al. "Exploring how privacy and security factor into IoT device purchase behavior." ACM CHI, 2019. | Yes, 1 DL | | Project proposals due |
| 6 (11) | October 8 (T) | Interviews, social media analysis; guest lecture by Dr. Eric Zeng | | | | |
| 6 (12) | October 10 (Th) | Measuring people's S&P behaviors + understanding | Reading response required for both: 1. Redmiles, Elissa M., et al. "A summary of survey methodology best practices for security and privacy researchers." 2017. 2. Sawaya, Yukiko, et al. "Self-confidence trumps knowledge: A cross-cultural study of security behavior." ACM CHI, 2017. | Yes, 2 DL | | |
| 7 (13) | October 15 (T) | Developers as users | tbd | tbd | | |
| 7 (14) | October 17 (Th) | Ethics in Usable S&P | tbd | tbd | HW3: human subjects training due; HW4: mid-term check-in | |
| 8 (15) | October 22 (T) | US&P for specific groups (I) | tbd | Yes, DL | | Annotated bibliography draft due |
| 8 (16) | October 24 (Th) | US&P for specific groups (II) | tbd | Yes, DL | | Study design due (e.g., interview guide, survey draft, social media data collection protocol & sample data) |
| 9 (17) | October 29 (T) | Project workday: pilot someone else's study, give feedback | | | | |
| 9 (18) | October 31 (Th) | Usable S&P for democracy | Reading response required for: 1. Boyd, Maia J., et al. "Understanding the security and privacy advice given to Black Lives Matter protesters." ACM CHI, 2021. 2. tbd | | | Reflection from pilot study due |
| 10 (-) | November 5 (T) | No class | | | | |
| 10 (19) | November 7 (Th) | Tentative: project work day | | | | |
| 11 (20) | November 12 (T) | Check-in about study design; data collection logistics how-tos | tbd | No DL | | Revised study design due |
| 11 (21) | November 14 (Th) | IoT and Usable S&P | tbd | tbd | | [data collection in progress] |
| 12 (22) | November 19 (T) | Privacy policy, potential guest lecture | tbd | tbd | | [data collection in progress] |
| 12 (23) | November 21 (Th) | Data collection check-in | | | | |
| 13 (24) | November 26 (T) | tbd | | | | |
| 13 (-) | November 28 (Th) | No class | | | | |
| 14 (25) | December 3 (T) | Mis/Disinformation | tbd | Yes, DL (but tentative) | | Data analysis draft |
| 14 (26) | December 5 (Th) | Reflection: what have we learned about how to develop usable security mechanisms??? | | | | |
| Final exam period | | | | | | Final paper / presentation due |
