Readings

This page contains relevant readings for the topics covered in this course. It is not expected that students read all of them.

This reading list is based on a syllabus from Michelle Mazurek. Thanks, Michelle!

Migration in progress

This page is slowly being replaced by this Zotero library. Please check there first and then here.

Usable Security

• Simson Garfinkel and Heather Richter Lipford. Usable Security: History, Themes, and Challenges. Synthesis Lectures on Information Security, Privacy, and Trust, 2014. Chapters 1 and 2 required; rest optional.

• Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of UPSEC 2008.

Security

• Anderson, Ross. Why information security is hard -- an economic perspective. In Computer security applications conference (ACSAC), 2001.

• Bruce Schneier. The Psychology of Security. In International Conference on Progress in Cryptology in Africa (AFRICACRYPT), 2008.

• Ross Anderson. Security Engineering.

Privacy

• Arvind Narayanan. Data Privacy: The Story of a Paradigm Shift, February 2010.

• Daniel Solove. 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy. San Diego Law Review 44, 2007.

• Giovanni Iachello and Jason Hong. End-User Privacy in Human-Computer Interaction. Foundations and Trends in HCI 1(1), pp. 1-137, 2007.

Qualitative Methods, Diary Studies

• Manya Sleeper, Rebecca Balebako, Sauvik Das, Amber McConahy, Jason Wiese, Lorrie Faith Cranor. The Post that Wasn't: Exploring Self-Censorship on Facebook . In Proceedings of CSCW 2013.

• Consolvo, S., Smith, I. E., Matthews, T., LaMarca, A., Tabert, J., & Powledge, P. Location disclosure to social relations: why, when, & what people want to share. In ACM CHI, 2005.

• Elissa M. Redmiles, Ziyun Zhu, Sean Kross, Dhruv Kuchhal, Tudor Dumitras, and Michelle L. Mazurek. Asking for a friend: Evaluating response biases in security user studies. In CCS 2018: ACM Conference on Computer and Communications Security. 2018.

• Kovila P.L. Coopamootoo and Thomas Groß. Evidence-Based Methods for Privacy and Identity Management. 2016 IFIP Summerschool on Privacy and Identity Management

Ethics

• Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer. Social Phishing. Communications of the ACM 50(10), pp. 94-100, 2007.

• Simson L. Garfinkel. IRBs and Security Research: Myths, Facts, and Mission Creep. Naval Postgraduate School. 2008.

Usable Encryption

• Alma Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of USENIX Security 1999.

• Abu-Salma, R., Sasse, M. A., Bonneau, J., Danilova, A., Naiakshina, A., & Smith, M. Obstacles to the Adoption of Secure Communication Tools. In IEEE Security and Privacy, 2017.

• Christian Stransky, Dominik Wermke, Johanna Schrader, Nicolas Huaman, Yasemin Acar, Anna Lena Fehlhaber, Miranda Wei, Blase Ur, and Sascha Fahl. On the Limited Impact of Visualizing Encryption: Perceptions of E2E Messaging Security. SOUPS 2021.

• Scott Ruoti, Jeff Andersen, Scott Heidbrink, Mark O'Neill, Elham Vaziripour, Justin Wu, Daniel Zappala, and Kent Seamons. 2016. “We’re on the Same Page”: A Usability Study of Secure Email Using Pairs of Novice Users. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI ’16).

International and Multicultural Perspectives

• Lucy Simko, Ada Lerner, Samia Ibtasam, Franziska Roesner, Tadayoshi Kohno. Computer Security and Privacy for Refugees in the United States. In Proc. IEEE S&P, 2018.

• Alghamdi, Deena, Ivan Flechais, and Marina Jirotka. Security Practices for Households Bank Customers in the Kingdom of Saudi Arabia. In SOUPS, 2015.

• Daffalla, Simko, Kohno, and Bardas. Defensive Technology Use by Political Activists During the Sudanese Revolution. IEEE S&P 2021.

• Ponnurangam Kumaraguru and Niharika Sachdeva. Privacy in India: Attitudes and Awareness V 2.0. Precog-TR-12-001, 2012

Notice and Choice

• Lorrie Faith Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law 10(2), 2012.

• Florian Schaub, Rebecca Balebako, Adam L. Durity, Lorrie Faith Cranor. A Design Space for Effective Privacy Notices. In Proceedings of SOUPS 2015.

• Joel R. Reidenberg , N. Cameron Russell , Alexander J. Callen, Sophia Qasir & Thomas B. Norton, Privacy Harms and the Effectiveness of the Notice and Choice Framework, 11 ISJLP 485 (2015).

Other

• Emilee Rader and Anjali Munasinghe. 2019. “Wait, Do I Know This Person?“: Understanding Misdirected Email. In Proc. CHI, 2019.

• Matthew Tischer, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, Michael Bailey. Users Really Do Plug In USB Drives They Find. In Proc. IEEE S&P, 2016.

• Rebecca S. Portnoff, Linda N. Lee, Serge Egelman, Pratyush Mishra, Derek Leung, and David Wagner. 2015. Somebody’s Watching Me? Assessing the Effectiveness of Webcam Indicator Lights. In Proc. CHI, 2015.