IS/CS 698 - Human Factors in Security & Privacy - Spring 2024

This course covers how human factors lead to real-world security & privacy failures, how to design systems to avoid these pitfalls, and how to evaluate the usable security properties of systems.

Course Description

When real-world cybersecurity incidents occur, the root cause is often not the technology on its own but the way people interact with it. Understanding and accounting for these human factors is crucial if we want to achieve meaningful security and privacy. This course will cover a range of user-interface and human-computer interaction problems experienced by real users. It will teach a variety of empirical research methods for evaluating the usable security properties of systems, as well as techniques for designing systems to avoid usability issues. In addition to learning from the latest research in the field of human-centered security, students will have many opportunities to gain hands-on experience applying methods from the literature, culminating in a major research and development project that students can add to their portfolios.

Note for undergrads

This course is aimed at graduate students and is offered at the graduate (600) level. However, it may be appropriate for some undergrads with a strong background and motivation. If that is you, please email me, far in advance, with your rationale, and we can explore available options.

Logistics

We will meet Mondays and Thursday, 11:30–12:50, at Faculty Memorial Hall (FMH) 307.

The CRN for the IS section of this course is 15977; for CS it’s 15978.

Peer courses

This course is inspired by courses including:

• UC Berkeley Cybersecurity 215
• Brown University CS 1360
• University of Chicago CMSC 23210/33210
• Carnegie Mellon University 17-334
• Duke COMPSCI 590
• George Washington University CSCI 3907/6907
• University of Illinois Urbana-Champaign CS 598-CAC
• University of Maryland CMSC 732
• UNC Charlotte ITIS 6420/8420
• Pomona College CS181W
• Tufts University COMP 152

Learning outcomes

Students completing this course will:

• Learn concrete instances of security and privacy failures in common technologies
• Be able to explain how human factors contributed to these issues
• Read and understand current research in usable privacy and security
• Learn and practice methodologies for evaluating the usability of systems
• Be able to practice human-centered design for security and privacy systems

Topics overview

Under development

This course (and website) are under development. The content may change before the beginning of the course.

The course will cover topics including:

Methods

• Experimental design
• Statistics
• Surveys
• User studies
• Interviews

Security

• Warnings and phishing
• Mobile permissions
• Authentication
• Access control

Privacy

• Definitions of privacy
• Deceptive design patterns
• Privacy policies
• Social media privacy
• Smart home privacy

Special populations

• At-risk users
• Developers
• Children
• Accessibility in security
• Anonymity needs and tools

Prerequisites

Students enrolling in this course are expected to have a background in security and foundational computer science skills. Experience with statistics and user experience research or design is welcome but not required. You can read a more detailed explanation of the course’s prerequisites here.