IS/CS 698 - Human Factors in Security & Privacy - Spring 2024

This course covers how human factors lead to real-world security & privacy failures, how to design systems to avoid these pitfalls, and how to evaluate the usable security properties of systems.
Course Description
When real-world cybersecurity incidents occur, the root cause is often not the technology on its own but the way people interact with it. Understanding and accounting for these human factors is crucial if we want to achieve meaningful security and privacy. This course will cover a range of user-interface and human-computer interaction problems experienced by real users. It will teach a variety of empirical research methods for evaluating the usable security properties of systems, as well as techniques for designing systems to avoid usability issues. In addition to learning from the latest research in the field of human-centered security, students will have many opportunities to gain hands-on experience applying methods from the literature, culminating in a major research and development project that students can add to their portfolios.
Note for undergrads

This course is aimed at graduate students and is offered at the graduate (600) level. However, it may be appropriate for some undergrads with a strong background and motivation. If that is you, please email me, far in advance, with your rationale, and we can explore available options.


We will meet Mondays and Thursdays, 11:30–12:50, at Faculty Memorial Hall (FMH) 307.

The CRN for the IS section of this course is 15977; for CS it’s 15978.

Peer courses

This course is inspired by courses including:

Learning outcomes

Students completing this course will:

  • Learn concrete instances of security and privacy failures in common technologies
  • Be able to explain how human factors contributed to these issues
  • Read and understand current research in usable privacy and security
  • Learn and practice methodologies for evaluating the usability of systems
  • Be able to practice human-centered design for security and privacy systems

Topics overview

Under development

This course (and this website) is under development. The content may change before the beginning of the course.

The course will cover topics including:

Research methods

  • Experimental design
  • Statistics
  • Surveys
  • User studies
  • Interviews

Security

  • Warnings and phishing
  • Mobile permissions
  • Authentication
  • Access control

Privacy

  • Definitions of privacy
  • Deceptive design patterns
  • Privacy policies
  • Social media privacy
  • Smart home privacy

Special populations

  • At-risk users
  • Developers
  • Children
  • Accessibility in security
  • Anonymity needs and tools


Students enrolling in this course are expected to have a background in security and foundational computer science skills. Experience with statistics and user experience research or design is welcome but not required. You can read a more detailed explanation of the course’s prerequisites here.