Syllabus for CS/IS 698 (Spring 2024)

This is the official course syllabus. You can find its latest version as well as most of the same information in a more accessible format elsewhere on the course website.

Course information

Course number

IS/CS 698

The CRN for the IS section of this course is 15977; for CS it’s 15978.

Course title

Human Factors in Security & Privacy

Detailed description

When real-world cybersecurity incidents occur, the root cause is often not the technology on its own but the way people interact with it. Understanding and accounting for these human factors is crucial if we want to achieve meaningful security and privacy. This course will cover a range of user-interface and human-computer interaction problems experienced by real users. It will teach a variety of empirical research methods for evaluating the usable security properties of systems, as well as techniques for designing systems to avoid usability issues. In addition to learning from the latest research in the field of human-centered security, students will have many opportunities to gain hands-on experience applying methods from the literature, culminating in a major research and development project that students can add to their portfolios.



The following knowledge and skills are required for success in this course.

Computer and network security

Students should have a strong understanding of computer and network security concepts including:

  • Network security
    • Example: How does the TLS protocol work?
  • Encryption
    • Example: How do different block cipher modes of operation work?
  • Memory safety
    • Example: How does a buffer overflow happen and what protections exist against it and similar attacks?
  • Web security
    • Example: How does FIDO U2F protect against phishing?
Suggested courses

Any of the following courses will likely provide the necessary background:

  • IT 230. Computer and Network Security
  • CS 351. Introduction to Cybersecurity
  • CS 608. Cryptography and Security
  • CS 645. Security and Privacy in Computer Systems
  • Equivalent courses at other institutions
  • Equivalent computer security experience
Programming and software development experience
  • Students should be comfortable completing programming tasks using unfamiliar programming languages and APIs
  • A large component of the course is a semester-long project that is likely to feature significant programming components. Students should be prepared to undertake these tasks.
    • Examples:
      • Create a mobile app
      • Implement a prototype of an interface
      • Perform data analysis and compute statistics
Suggested courses
  • IS 513. Programming Foundations for IS
  • Undergrad major in computer science
  • Equivalent computer programming experience

Learning outcomes

Students completing this course will:

  • Learn concrete instances of security and privacy failures in common technologies
  • Be able to explain how human factors contributed to these issues
  • Read and understand current research in usable privacy and security
  • Learn and practice methodologies for evaluating the usability of systems
  • Be able to practice human-centered design for security and privacy systems

Meeting-by-meeting outline

Subject to change

Please keep in mind that the schedule may change as the course progresses, so please regularly check the course website for any changes.

Week Day Date Class Lecture Discussion Reading Due
0 Thu 1/18 1 - Usable security overview
Security None
1 Mon 1/22 2 - Privacy and context Privacy mental models
- (Optional) Renaud et al. Why Doesn’t Jane Protect Her Privacy?
Thu 1/25 3 - Introduction to usability
None H1: ethics
2 Mon 1/29 4 - Usable encryption
- Methods: cognitive walkthroughs
- Usable encryption Whitten and Tygar, Why Johnny Can’t Encrypt P1: project ideas
Thu 2/1 5 - Methods: user studies - Passwords Ur et al., “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab
3 Mon 2/5 6 - Two-factor authentication
- Two-factor authentication
- Password alternatives
Reese et al., A Usability Study of Five Two-Factor Authentication Methods P2: project groups
Tue 2/6 H2: cognitive walkthrough
Thu 2/8 7 - Reflections: cognitive walkthrough
- Password managers
Pearman et al., Why people (don’t) use password managers effectively
4 Mon 2/12 8 - Methods: interviews Phishing prevention - Petelka et al., Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings
- (Optional) Egelman et al., You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings
Thu 2/15 9 - Methods: qualitative analysis
Security warnings and indicators - Felt et al., Improving SSL Warnings: Comprehension and Adherence
- (Optional) Kaiser et al., Adapting Security Warnings to Counter Online Disinformation
5 Mon 2/19 10 - Methods: surveys Mobile permissions Cao et al., A Large Scale Study of User Behavior, Expectations and Engagement with Android Permissions
Tue 2/20 P3: project related work
Thu 2/22 11 - Methods: statistics Breach and compliance notifications Stock et al., Didn’t You Hear Me? - Towards More Successful Web Vulnerability Notifications
6 Mon 2/26 12 - Methods: experiment design and validity Privacy in social media TBA
Tue 2/27 P4: project proposal
Thu 2/28 13 Privacy policies TBA
7 Mon 3/4 14 Online tracking TBA
Tue 3/5 P5: project methods
Thu 3/7 15 - Reflections: interview
- Usable anonymity
8 Mon 3/11 Spring Break
Thu 3/14 Spring Break
9 Mon 3/18 16 - How-to: writing a paper (overview) Smart home privacy TBA H3: user study
Thu 3/21 17 - How-to: writing related work AR/VR privacy
10 Mon 3/25 18 - How-to: writing methods section Deceptive design patterns TBA
Tue 3/26 H4: interview
Thu 3/28 19 - How-to: writing results - Reflections: survey
- Security professionals
11 Mon 4/1 20 - How-to: writing the discussion Software developers TBA P6: project progress report
Tue 4/2 H5: survey
Thu 4/4 21 - How-to: writing the introduction Vulnerable populations TBA
12 Mon 4/8 22 Guest lecture
Tue 4/9 H6: design exercise
Thu 4/11 23 Accessibility TBA
13 Mon 4/15 24 Children and teens TBA
Thu 4/18 25 Older adults TBA
14 Mon 4/22 26 - How-to: giving a research talk
International & multicultural perspectives TBA
Thu 4/25 27 Project work period
15 Mon 4/29 28 Final project presentations P7: project final presentations
Thu 5/2 Reading day
16 Mon 5/6 Exam week P8: project final report
Thu 5/9 Exam week


Grade weights

Current events assignment 5%
Reading responses 5%
In-class presentations 10%
Project 45%
P1: ideas 1%
P2: group 1%
P3: proposal 5%
P4: methods 5%
P5: progress report 3%
P6: related work 5%
P7: presentation 5%
P8: report 10%
overall project quality and participation 10%
Homework 30%
H1: ethics 5%
H2: cognitive walkthrough 5%
H3: user study 5%
H4: interview 5%
H5: survey 5%
H6: design 5%
Participation 5%

Late policies

Each assignment will specify its own late policy.

Grading scale

The course will be graded using the standard absolute scale, converting numerical scores to letter grades; i.e., this course is not curved.

Instructor information

Nathan Malkin

Office hours

There will be two types of office hours in this course. Both will be held in GITC 3803.

Open office hours

These will be Thursdays, 2–3 PM.

  • These are unscheduled, so please come without any prior notice.
  • If multiple people show up, I will try to accommodate everyone, for example by answering questions in a group or focusing on topics that the plurality of those in attendance are interested in.
  • If you have a question about course topics or assignments or anything else you think might be of interest to others, please try to come to these office hours.

Individual office hours

These will be Mondays, 2–3 PM, in 15-minute slots.
To reserve a slot, follow this link.

  • These office hours are for questions you’re more comfortable discussing one-on-one, such as grading issues, career advice, etc.
  • I’ll prioritize anyone who has a reservation, but if a slot is unscheduled, I’ll treat it like the open office hours above (so come on by!).

Course materials


No required textbooks. All required readings will be linked from the course website.


Any optional readings will be linked from the course website.

Examination details

This course will not have midterms or a final exam.

Make-up exam policies


Course, department, and university policies

Collaboration policy

Except where otherwise noted, submitted assignments must be completed individually. You may discuss the topics and materials with other students, but any write-up you submit must be fully and completely your own work.

If you’re not sure whether something would be considered acceptable collaboration, please proactively contact the course staff.

Course policy on the use of artificial intelligence

AI tools can be very helpful, but they come with many flaws and limitations. In the context of this course, I believe that the use of AI tools will hurt rather than help the educational objectives, and therefore the use of AI tools is discouraged.

If you choose to use an AI tool, you must clearly specify which one, how it was used, and specifically identify its outputs and other contributions in any work you submit. You are responsible for the correctness of your work and are therefore expected to take steps to verify that you are not including or citing any hallucinated information. Failure to follow this policy will be treated as a violation of academic integrity.

Because programming and algorithms are not the focus of this course, there are no restrictions on the use of AI tools for software development (for example if you develop a prototype for your final project).

If you’re not sure whether something would be considered acceptable use, please proactively contact the course staff.

If you’re sick

If you’re not feeling well, please stay home. You’re likely to feel better more quickly, and you’ll be protecting everyone from getting infected. Please reach out to your peers for class notes or, if those are not available, contact me. If you do choose to come to class while not feeling 100%, then please wear a well-fitting N95 or KN95 mask. Please keep in mind that everyone responds to illness differently, and what for some can be a simple cold can manifest in others as serious medical issues. Thank you for protecting your peers and me!

Mental health and wellness

The academic environment can be stressful. Your well-being should always come first. NJIT’s Center for Counseling and Psychological Services offers a variety of resources. Please reach out to them if you need to, and I will do my best to support you with appropriate accommodations.

Academic integrity

“Academic Integrity is the cornerstone of higher education and is central to the ideals of this course and the university. Cheating is strictly prohibited and devalues the degree that you are working on. As a member of the NJIT community, it is your responsibility to protect your educational investment by knowing and following the academic code of integrity policy that is found at: NJIT Academic Integrity Code.

Please note that it is my professional obligation and responsibility to report any academic misconduct to the Dean of Students Office. Any student found in violation of the code by cheating, plagiarizing or using any online software inappropriately will result in disciplinary action. This may include a failing grade of F, and/or suspension or dismissal from the university. If you have any questions about the code of Academic Integrity, please contact the Dean of Students Office at  

Class recordings

“Class sessions may be recorded by the instructor. These recordings shall only be used as an educational resource and are not to be distributed or used outside of this class. Information on how to access recorded lectures will be made available by your instructor. Any recordings that contain identifiable information about students will not be used beyond this semester. 

Students are expected to respect their fellow students’ privacy and freedom to learn without disruption. Students are not allowed to capture or reproduce anyone’s name, image, or voice without permission. They must be polite and respectful in the online chat. Informal chat is okay, but typing is restricted to things that one would say out loud in front of the entire class. Students must always conduct themselves on their webcam video as they would in person in a classroom.”

Extenuating circumstance & other situations

“When a student invokes extenuating circumstances for any reason (late withdrawal from a course, request for a make-up exam, request for an Incomplete grade, request for accommodation due to illness) the student should be referred to the Dean of Students Office. The Dean of Students will make the determination of whether extenuating circumstances exist and will notify the instructor accordingly. Instructors should never request or accept medical or other documents from students; all documents should be submitted by the student to the Dean of Students Office. Except for cases determined by law, an instructor is not required to accommodate student requests even when extenuating circumstances are certified by the Dean of Students; however, all efforts should be made to ensure a student-friendly environment.”

Sexual discrimination or harassment

According to federal and university Title IX policy, all instructional staff are “required to report any Prohibited Conduct involving students to the Title IX Coordinator that they witness or become aware of.”

“Any observed, experienced or known discrimination on the basis of sex, gender identity, or sexual orientation, including the following forms of sexual harassment: sexual violence, dating violence, domestic violence and stalking involving any member of our university community, must be reported.”