NJIT IS/CS 698 - Human Factors in Security & Privacy - Spring 2024

This course covers how human factors lead to real-world security & privacy failures, how to design systems to avoid these pitfalls, and how to evaluate the usable security properties of systems.
Course Description
When real-world cybersecurity incidents occur, the root cause is often not the technology on its own but the way people interact with it. Understanding and accounting for these human factors is crucial if we want to achieve meaningful security and privacy. This course will cover a range of user-interface and human-computer interaction problems experienced by real users. It will teach a variety of empirical research methods for evaluating the usable security properties of systems, as well as techniques for designing systems to avoid usability issues. In addition to learning from the latest research in the field of human-centered security, students will have many opportunities to gain hands-on experience applying methods from the literature, culminating in a major research and development project that students can add to their portfolios.
Note for undergrads

This course is aimed at graduate students and is offered at the graduate (600) level. However, it may be appropriate for some undergrads with a strong background and motivation. If that is you, please email me, far in advance, with your rationale, and we can explore available options.

Logistics

We will meet Mondays and Thursdays, 11:30–12:50, at Faculty Memorial Hall (FMH) 307.

The CRN for the IS section of this course is 15977; for CS it’s 15978.

Learning outcomes

Students completing this course will:

  • Learn concrete instances of security and privacy failures in common technologies
  • Be able to explain how human factors contributed to these issues
  • Read and understand current research in usable privacy and security
  • Learn and practice methodologies for evaluating the usability of systems
  • Be able to practice human-centered design for security and privacy systems

Topics overview

The course will cover topics including:

Methods

  • Experimental design
  • Statistics
  • Surveys
  • User studies
  • Interviews

Security

  • Warnings and phishing
  • Mobile permissions
  • Authentication
  • Access control

Privacy

  • Definitions of privacy
  • Deceptive design patterns
  • Privacy policies
  • Social media privacy
  • Smart home privacy

Special populations

  • At-risk users
  • Developers
  • Children
  • Accessibility in security
  • Anonymity needs and tools

Prerequisites

Students enrolling in this course are expected to have a background in security and foundational computer science skills. Experience with statistics and user experience research or design is welcome but not required. You can read a more detailed explanation of the course’s prerequisites here.

Calendar

Subject to change

Please keep in mind that the schedule may change as the course progresses; check the course website regularly for updates.

| Week | Day | Date | Class | Lecture / Discussion topics | Reading | Due |
|------|-----|------|-------|-----------------------------|---------|-----|
| 0 | Thu | 1/18 | 1 | Usable security overview; Security | None | |
| 1 | Mon | 1/22 | 2 | Privacy and context; Privacy mental models | (Optional) Renaud et al., Why Doesn’t Jane Protect Her Privacy? | |
| | Thu | 1/25 | 3 | Introduction to usability | None | H1: ethics |
| 2 | Mon | 1/29 | 4 | Usable encryption; Methods: cognitive walkthroughs | Whitten and Tygar, Why Johnny Can’t Encrypt | P1: project ideas |
| | Thu | 2/1 | 5 | Passwords | Ur et al., “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab | |
| 3 | Mon | 2/5 | 6 | Two-factor authentication; Password alternatives | Reese et al., A Usability Study of Five Two-Factor Authentication Methods | P2: project groups |
| | Tue | 2/6 | | | | H2: cognitive walkthrough |
| | Thu | 2/8 | 7 | Reflections: cognitive walkthrough; Password managers | Pearman et al., Why people (don’t) use password managers effectively | |
| 4 | Mon | 2/12 | 8 | Phishing prevention | Petelka et al., Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings; (Optional) Egelman et al., You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings | |
| | Thu | 2/15 | 9 | Phishing; Security warnings and indicators | Felt et al., Improving SSL Warnings: Comprehension and Adherence; (Optional) Kaiser et al., Adapting Security Warnings to Counter Online Disinformation | |
| 5 | Mon | 2/19 | 10 | Mobile permissions | Cao et al., A Large Scale Study of User Behavior, Expectations and Engagement with Android Permissions | |
| | Tue | 2/20 | | | | P3: project related work |
| | Thu | 2/22 | 11 | Breach and compliance notifications | Stock et al., Didn’t You Hear Me? - Towards More Successful Web Vulnerability Notifications | |
| 6 | Mon | 2/26 | 12 | Privacy in social media | Liu et al., Analyzing Facebook privacy settings: user expectations vs. reality | |
| | Tue | 2/27 | | | | P4: project proposal |
| | Thu | 2/28 | 13 | Web tracking | Wei et al., What Twitter Knows: Characterizing Ad Targeting Practices, User Perceptions, and Ad Explanations Through Users’ Own Twitter Data | |
| 7 | Mon | 3/4 | 14 | Privacy policies and controls | Im et al., Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising | |
| | Thu | 3/7 | 15 | Deceptive design | Mathur et al., Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites; (Optional) Mathur et al., What Makes a Dark Pattern… Dark?: Design Attributes, Normative Considerations, and Measurement Methods | P5: project methods |
| 8 | Mon | 3/11 | | Spring Break | | |
| | Thu | 3/14 | | Spring Break | | |
| 9 | Mon | 3/18 | 16 | Smart home privacy | Zeng & Roesner, Understanding and Improving Security and Privacy in Multi-User Smart Homes: A Design Exploration and In-Home User Study; (Optional) Emami-Naeini et al., Privacy Expectations and Preferences in an IoT World | |
| | Thu | 3/21 | 17 | AR/VR privacy | Gallardo et al., Speculative Privacy Concerns about AR Glasses Data Collection | |
| 10 | Mon | 3/25 | 18 | Usable anonymity and censorship circumvention | Forte et al., Privacy, Anonymity, and Perceived Risk in Open Collaboration: A Study of Tor Users and Wikipedians; (Required! No write-up) review of Roberts, Censored: Distraction and Diversion Inside China’s Great Firewall | |
| | Tue | 3/26 | | | | H3: usability test |
| | Thu | 3/28 | 19 | Software developers | Palombo et al., An Ethnographic Understanding of Software (In)Security and a Co-Creation Model to Improve Secure Software Development | |
| 11 | Mon | 4/1 | 20 | Security professionals | Alahmadi et al., 99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms | |
| | Tue | 4/2 | | | | H4: interview |
| | Thu | 4/4 | 21 | Vulnerable populations | Simko et al., Computer Security and Privacy for Refugees in the United States | |
| 12 | Mon | 4/8 | 22 | Work period | | |
| | Tue | 4/9 | | | | |
| | Thu | 4/11 | 23 | Accessibility | Dosono et al., “I’m Stuck!”: A Contextual Inquiry of People with Visual Impairments in Authentication | H5: design exercise |
| 13 | Mon | 4/15 | 24 | Children and teens | Kumar et al., Co-Designing Online Privacy-Related Games and Stories with Children | |
| | Thu | 4/18 | 25 | Older adults | Frik et al., Privacy and Security Threat Models and Mitigation Strategies of Older Adults | H6: survey |
| 14 | Mon | 4/22 | 26 | International & multicultural perspectives | Sambasivan et al., “They Don’t Leave Us Alone Anywhere We Go”: Gender and Digital Abuse in South Asia | |
| | Thu | 4/25 | 27 | Project work period | | |
| 15 | Mon | 4/29 | 28 | Final project presentations | | P7: project final presentations |
| | Thu | 5/2 | | Reading day | | |
| 16 | Mon | 5/6 | | Exam week | | P8: project final report |
| | Thu | 5/9 | | Exam week | | |