Clicking the print icon in the upper right will concatinate all the Lecture pages onto one page.
Lecture pages are designed around self study. They include required readings, points you should understand from the lecture, and one or more questions you can think about. Some lectures contain lecture note text. They also include links to additional materials if you find the topic intersting. As well as links to news articles and other materials referred to in the lecture.
Usable Security and Privacy is a field that looks at how people currently use security and privacy technologies as well as how to make those technologies more usable. USEC touches on many topic areas including: Human-Computer Interaction, Cybersecurity, Privacy, Law, Public Policy, Psychology, and Social Science.
Security and privacy tools that cannot be used are, well, useless. In fact they can be worse than useless because people will work very hard to circumvent the “annoying” technology potentially putting themselves in more danger.
Lecture looking at how we assess approaches like tools, policies, practices, and regulations from the perspective of security.
Helen Nissenbaum on Ad Nauseum, resistance through obfuscation, and weapons of the weak
Nouwens, Midas, et al. “A Cross-Country Analysis of GDPR Cookie Banners and Flexible Methods for Scraping Them.” arXiv preprint arXiv:2503.19655 (2025).
Too Much Knowledge? Security Beliefs and Protective Behaviors Among United States Internet Users by Rick Wash and Emilee Rader
Read one of:
Daniel J. Solove. “The Limitations of Privacy Rights”. 98 Notre Dame Law Review 975 (2023), GWU Legal Studies Research Paper No. 2022-30, GWU Law School Public Law Research Paper No. 2022-30
Lederer, Scott, et al. “Five pitfalls in the design for privacy.” Security and Usability_ (2005): 421-445.
The cost of reading privacy policies by McDonald, Aleecia M., and Lorrie Faith Cranor.
Kelley, Patrick Gage, et al. “Standardizing privacy notices: an online study of the nutrition label approach.”
Keküllüoğlu, Dilara, Kami Vaniea, and Walid Magdy. “Understanding Privacy Switching Behaviour on Twitter.” Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems. 2022.
Keküllüoğlu, Dilara, Walid Magdy, and Kami Vaniea. “From an authentication question to a public social event: Characterizing birthday sharing on Twitter.” Proceedings of the International AAAI Conference on Web and Social Media. Vol. 16. 2022.
Ullah, Imdad, Roksana Boreli, and Salil S. Kanhere. “Privacy in targeted advertising on mobile devices: a survey.” International journal of information security 22.3 (2023): 647-678.
Warning Design Guidelines by Lujo Bauer, Cristian Bravo-Lillo, Lorrie Cranor, and Elli Fragkaki
Reeder, Rob, Ellen Cram Kowalczyk, and Adam Shostack. “Poster: Helping engineers design NEAT security warnings.” SOUPS, 2011.
Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection by Nicholson, James, Lynne Coventry, and Pam Briggs
Riegelsberger, Jens, M. Angela Sasse, and John D. McCarthy. “The mechanics of trust: A framework for research and design.”
So long and no thanks for the Externalities: The rational rejection of security advice by end users by Cormac Herley
"… No one Can Hack My Mind": Comparing Expert and Non-Expert Security Practices by Ion, Iulia, Rob Reeder, and Sunny Consolvo
Tran, Mindy, et al. “Security, Privacy, and Data-sharing Trade-offs When Moving to the United States: Insights from a Qualitative Study.” 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 2023.
Maia J. Boyd, Jamar L. Sullivan Jr., Marshini Chetty, and Blase Ur. 2021. Understanding the Security and Privacy Advice Given to Black Lives Matter Protesters. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI ‘21). Association for Computing Machinery, New York, NY, USA, Article 549, 1–18.
Redmiles, Elissa M., Sean Kross, and Michelle L. Mazurek. “How I learned to be secure: a census-representative survey of security advice sources and behavior.” Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 2016.
Mentioned in class
Handouts
Not required - a good more modern similar study of encryption:
Why Johnny Can’t Encrypt is so famous.
Encryption is only helpful if its security assumptions are met AND the properties it provides meet users needs.
Research often requires several rounds of study and the early rounds can be informal.
What a hard problem looks like in Usable Security and Privacy and what makes it so hard to solve.
How USEC relates to general security research.
HCI methodologies: think aloud, cognitive walkthrough
Public private key encryption
Why Johnny Can’t Encrypt is one of the most famous studies in Usable Privacy and Security. It showed that even PhD students at Carnegie Mellon University could not accurately send and receive encrypted email messages without making very serious errors.
Ranking Digital Rights - Ranks digital and telecom companies on their privacy and consumer rights.
Many studies that all start with “Why Johnny still can’t encrypt” and a few entitled “Johnny can finally encrypt” that look at E2E encryption in IM.
Telegram security and usability: http://dx.doi.org/10.14722/eurousec.2017.23006
Norman Group Think Aloud video: https://www.nngroup.com/videos/think-aloud/
McDonald, Aleecia M., and Lorrie Faith Cranor. “Americans’ attitudes about internet behavioral advertising practices.” Proceedings of the 9th annual ACM workshop on Privacy in the electronic society. 2010.
Micah Lee. Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
We will continue discussing Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0
Writing good survey questions requires careful thought and a good knowledge of the information you are trying to measure. Some concepts are also challenging to measure like “security attitude”. To solve this problem, research teams create what are known as “survey scales”. A scale is a set of questions that are well written and have been shown to reliably measure a concept.
Scales have several useful properties. First off, writing good survey questions is challenging, so a pre-written scale is just easier to use. Secondly, if multiple researchers all ask the exact same questions, it becomes possible to compare answers across research studies. Finally, researchers using a scale can assume (and cite) that it reliably measures a concept.
Below are four scales from usable privacy and security. Each measures a different set of concepts.
IUIPC
SSDSES
SeBIS
SE-6
One of:
Also, one of:
Dinei Florencio et al. Pushing on String: The “Don’t Care” Region of Password Strength. Commun. ACM 59, 11 (November 2016), 66–74.
Adams, Anne, and Martina Angela Sasse. “Users are not the enemy.” Communications of the ACM 42.12 (1999): 40-46.
Bonneau, Joseph, et al. “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes.” _2012 IEEE Symposium on Security and Privacy. IEEE, 2012.
Ur, Blase, et al. “How does your password measure up? The effect of strength meters on password creation.” _21st USENIX security symposium (USENIX Security 12). 2012.
Ur, Blase, et al. “Do users’ perceptions of password security match reality?.” _Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems. 2016.
Wolf, Flynn, Ravi Kuber, and Adam J. Aviv. ““Pretty Close to a Must-Have” Balancing Usability Desire and Security Concern in Biometric Adoption.” Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. 2019.
How to Lose a Fortune with Just One Bad Click - Attacker was able to send an email from google.com which was correctly signed by Google. Getting an email fron Google caused the victim to feel safe and like the represenative on the phone was real.
The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger I never thought I was the kind of person to fall for a scam. - Account from a journalist who fell for an Amazon scam.
Pluralistic: How I got scammed - account of Cory Doctorow who is a security researcher and was successfully scammed by someone pretending to be his bank
Timeshare fraud run by Mexican cartels - provides details about how much money is to be made, and how some of these scams are run
How digital detectives deciphered Stuxnet, the most menacing malware in history - account of how (presumably) the US caused Iran’s uranium enrichment plants to become very expensive to run
KnowBe4 video story of someone who fell for a very convincing phishing scam - Video, Blog Post
“Why phishing works.” by Dhamija, Rachna, J. Doug Tygar, and Marti Hearst.
Warning Design Guidelines by Lujo Bauer, Cristian Bravo-Lillo, Lorrie Cranor, and Elli Fragkaki
Egelman, Serge, Lorrie Faith Cranor, and Jason Hong. “You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings.”
Bravo-Lillo, Cristian, et al. “Your attention please: Designing security-decision UIs to make genuine risks harder to ignore.”
Arduin, Pierre‐Emmanuel. “A cognitive approach to the decision to trust or distrust phishing emails. " International Transactions in Operational Research 30.3 (2023): 1263-1298.
Access Control is how security systems control what resources can be acted upon by which entities.
None
For this module you will start by thinking about how you yourself think about and act in regards to security. People rarely take the time to think about their security and therefore you may find yourself forming opinions as you think. The various activities in this module are inteded to ellicit preferences, attitudes, opinions, knowledge, and intended behavior from people.
Security is known as a “secondary task” that is something that has to be done in order to complete other tasks. For example, people rarely have the goal of unlocking the door to their home, instead they have a goal like “go inside” which has a sub-task of “unlock the door”. Similarly people rarely go to the Facebook homepage to login, instead they go to view their feed or post. Logging in is a sub-task of gaining further access.
Staying safe online Online safety is a deceptively complex task for most users. It involves everything from their understanding of the threats, to their models of how computers work, and even their expectations around how effective different mitigation strategies are. In this module we will be discussing how people go about keeping themselves safe and what they define “safe” as. Towards the end of the module we will also discuss the widely accepted definiton of security and how that aligns with what we have learned about people.
Eliciting views and preferences Asking people about security views, preferences, attitudes, and behaviors can be supprisingly complex. There are two main problems. 1) There is a known “correct” answer which is that they are as secure as possible. People like to look like they are doing the right thing, so when you ask them they may answer as if they are doing the best thing even if they are not. 2) People don’t think about security very often and as people we develop opinions by talking and thinking about things. So when you ask them about security they start thinking about the problem and generate opinons as they are talking. For example, most Canadians can easily answer questions like “what is your favorite type of music” or “which hocky team do you support” because they have thought about these issues before. Compare that to “What door in Davis Center do you most enjoy walking through?” You probably never thought about the issue of Davis Center doors before, but you are now thinking about the issue and developing an opinion. Perhapse you are recalling the experience of walking through the door nearest the Tim Hortons and smelling the coffee. Or the sound of library wispers when you walk through the library entrance door. Asking about security is somewhat similar to asking about Davis Center doors. Most people have at best a vauge opinion before being asked and then develop an opinion as they answer the question.
Elliciting views and preferences in security can be challenging but there are a range of ways to do it that minimize bias. There are also a range of methods meant to help with self-reflection that allows people to assess and possibly improve their own security approaches.
Boyd, M. J., Sullivan Jr, J. L., Chetty, M., & Ur, B. (2021, May). Understanding the security and privacy advice given to black lives matter protesters. In Proceedings of the 2021 CHI conference on human factors in computing systems (pp. 1-18).
Are you using cookies? Then this Ultimate Guide is for you. by Frank Moraes
Kami Vaniea, Yasmeen Rashidi (2016). Tales of Software Updates: The process of updating software. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
Sara S. Albakry, Kami Vaniea, Maria K. Wolters (2020). What is this URL’s Destination? Empirical Evaluation of Users’ URL Reading. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems.
Kholoud Althobaiti, Nicole Meng-Schneider, Kami Vaniea (2021). I Don’t Need an Expert! Making URL Phishing Features Human Comprehensible. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems.
Paper on computing agreement for qualitative coding: Assessing agreement on classification tasks: the kappa statistic (arxiv.org)**
Serge Egelman and Eyal Peer. 2015. Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS). In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI ‘15). Association for Computing Machinery, New York, NY, USA, 2873–2882. https://doi.org/10.1145/2702123.2702249
Serge Egelman, Marian Harbach, and Eyal Peer. 2016. Behavior Ever Follows Intention? A Validation of the Security Behavior Intentions Scale (SeBIS). In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI ‘16). Association for Computing Machinery, New York, NY, USA, 5257–5261. https://doi.org/10.1145/2858036.2858265