Human Factors in Security & Privacy

CS/IS 698


January 18, 2024


  • Introductions
  • What is usable security & privacy?
  • What will you need to do in this course?


Usable security and privacy

What is usable security & privacy?

  • What is usable?
  • What is security?
  • What is privacy?

Why do I care about definitions?

If we can’t agree on our objectives, it will be hard to achieve them.

How would you define security?

  • protection of any resource
  • prevention of unauthorized access to any resource
  • not being vulnerable to unauthorized access / misuse
  • being able to rules so that the system isn’t breachable

One definition of (cyber)security

any technology, measure or practice for preventing cyberattacks or mitigating their impact

Another definition for security

Systems that do what they intend and not more

= functional requirements + security goals

Sample system: Learning Management System

What are the functional requirements?

  • access coursework
  • communicate with peers / profs
  • calendar, see schedule of assignments
  • integrations with tools like Lockdown Browser

What are the security goals?

  • only registered student can access their own work
  • confidentiality of assignments
    • data segregation
    • can only see each other’s work if intended
    • role-based management
  • integrity
  • availability = shouldn’t go down

Security goals

  • Confidentiality
  • Integrity
  • Availability


Information is not shared unless authorized


Information and functionality cannot be changed except by authorized parties or processes


The system should be responsive to requests

How do we achieve the security goals?

The science of security

Security techniques

  • Encryption
  • Abstraction
    • programming languages
  • Validation
    • data sanitization
    • control flow integrity
  • Verification
    • fuzzing

Security domains

  • Cryptography
  • Memory safety
  • Network security
  • Web security
  • AI security

Security roadblocks

We have the technology…but struggle to use it.

Real-world failure examples

  • Target data breach (2013)
    • didn’t change default password
  • Podesta emails (2016)
    • spear-phishing
  • Equifax data breach (2017)
    • didn’t patch servers

Users are the enemy!

Users are not the enemy!

There’s a human in the loop

What factors might affect people’s decisions?

  • carelessness
  • mood
  • urgency
  • trusting the system
  • laziness
  • personality
  • curiosity

Human-in-the-loop framework

Communication-Human Information Processing Model

C-HIP from warnings science

Taking into account human factors can ensure better security outcomes

How can we make security/privacy better for humans?

Examples of more usable solutions

  • encryption that’s built in
  • not having to remember passwords
  • not having to read privacy policies

Questions about usable security

Course overview


  • Security
  • Privacy mental models
  • Usable encryption
  • Passwords
  • Two-factor authentication
  • Password alternatives
  • Authorization / access control
  • Mobile permissions
  • Phishing prevention
  • Security warnings and indicators
  • Breach and compliance notifications
  • Privacy in social media
  • Privacy policies
  • Online tracking
  • Usable anonymity
  • Smart home privacy
  • AR/VR privacy
  • Deceptive design patterns
  • Security professionals
  • Software developers
  • Vulnerable populations
  • Accessibility
  • Children and teens
  • Older adults
  • International & multicultural perspectives

Course goals

  • Learn about existing research
  • Learn to evaluate research
  • Learn to do research
  • Learn to apply research

Course components

  • Reading and discussing research papers
  • Lecture and practice research methods
  • Research/development and presenting project


  • Current events
  • Reading reflections
  • Class presentations & discussions
  • Methods practice
  • Project

To do

  • Homework 1 out soon, due next Thursday
  • No reading reflections & presentations next week
  • Start thinking about project ideas

Questions about course

What we covered today

  • What is usable security?
  • What will you need to do in this course?

What’s next?

  • What’s privacy?