Syllabus for CS/IS 698 (Spring 2024)

This is the official course syllabus. You can find its latest version as well as most of the same information in a more accessible format elsewhere on the course website.

Course information

Course number

IS/CS 698

The CRN for the IS section of this course is 15977; for CS it’s 15978.

Course title

Human Factors in Security & Privacy

Detailed description

When real-world cybersecurity incidents occur, the root cause is often not the technology on its own but the way people interact with it. Understanding and accounting for these human factors is crucial if we want to achieve meaningful security and privacy. This course will cover a range of user-interface and human-computer interaction problems experienced by real users. It will teach a variety of empirical research methods for evaluating the usable security properties of systems, as well as techniques for designing systems to avoid usability issues. In addition to learning from the latest research in the field of human-centered security, students will have many opportunities to gain hands-on experience applying methods from the literature, culminating in a major research and development project that students can add to their portfolios.

Prerequisites

Required

The following knowledge and skills are required for success in this course.

Computer and network security
Concepts

Students should have a strong understanding of computer and network security concepts including:

  • Network security
    • Example: How does the TLS protocol work?
  • Encryption
    • Example: How do different block cipher modes of operation work?
  • Memory safety
    • Example: How does a buffer overflow happen and what protections exist against it and similar attacks?
  • Web security
    • Example: How does FIDO U2F protect against phishing?

Suggested courses

Any of the following courses will likely provide the necessary background:

  • IT 230. Computer and Network Security
  • CS 351. Introduction to Cybersecurity
  • CS 608. Cryptography and Security
  • CS 645. Security and Privacy in Computer Systems
  • Equivalent courses at other institutions
  • Equivalent computer security experience
Programming and software development experience

Concepts

  • Students should be comfortable completing programming tasks using unfamiliar programming languages and APIs
  • A large part of the course is a semester-long project that is likely to involve significant programming. Students should be prepared to undertake these tasks.
    • Examples:
      • Create a mobile app
      • Implement a prototype of an interface
      • Perform data analysis and compute statistics

Suggested courses

  • IS 513. Programming Foundations for IS
  • Undergrad major in computer science
  • Equivalent computer programming experience

Learning outcomes

Students completing this course will:

  • Learn concrete instances of security and privacy failures in common technologies
  • Be able to explain how human factors contributed to these issues
  • Read and understand current research in usable privacy and security
  • Learn and practice methodologies for evaluating the usability of systems
  • Be able to practice human-centered design for security and privacy systems

Meeting-by-meeting outline

Subject to change

Please keep in mind that the schedule may change as the course progresses, so please regularly check the course website for any changes.

Each meeting lists its class number, lecture and discussion topics (in the order given), assigned readings, and any assignments due that day.

Week 0
  • Thu 1/18, class 1: Usable security overview; Security. Reading: None.

Week 1
  • Mon 1/22, class 2: Privacy and context; Privacy mental models. Reading: (Optional) Renaud et al., Why Doesn’t Jane Protect Her Privacy?
  • Thu 1/25, class 3: Introduction to usability. Reading: None. Due: H1: ethics.

Week 2
  • Mon 1/29, class 4: Usable encryption; Methods: cognitive walkthroughs; Usable encryption. Reading: Whitten and Tygar, Why Johnny Can’t Encrypt. Due: P1: project ideas.
  • Thu 2/1, class 5: Passwords. Reading: Ur et al., “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab.

Week 3
  • Mon 2/5, class 6: Two-factor authentication; Two-factor authentication; Password alternatives. Reading: Reese et al., A Usability Study of Five Two-Factor Authentication Methods. Due: P2: project groups.
  • Tue 2/6: Due: H2: cognitive walkthrough.
  • Thu 2/8, class 7: Reflections: cognitive walkthrough; Password managers. Reading: Pearman et al., Why people (don’t) use password managers effectively.

Week 4
  • Mon 2/12, class 8: Phishing prevention. Reading: Petelka et al., Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings; (Optional) Egelman et al., You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings.
  • Thu 2/15, class 9: Phishing; Security warnings and indicators. Reading: Felt et al., Improving SSL Warnings: Comprehension and Adherence; (Optional) Kaiser et al., Adapting Security Warnings to Counter Online Disinformation.

Week 5
  • Mon 2/19, class 10: Mobile permissions. Reading: Cao et al., A Large Scale Study of User Behavior, Expectations and Engagement with Android Permissions.
  • Tue 2/20: Due: P3: project related work.
  • Thu 2/22, class 11: Breach and compliance notifications. Reading: Stock et al., Didn’t You Hear Me? - Towards More Successful Web Vulnerability Notifications.

Week 6
  • Mon 2/26, class 12: Privacy in social media. Reading: Liu et al., Analyzing Facebook privacy settings: user expectations vs. reality.
  • Tue 2/27: Due: P4: project proposal.
  • Thu 2/28, class 13: Web tracking. Reading: Wei et al., What Twitter Knows: Characterizing Ad Targeting Practices, User Perceptions, and Ad Explanations Through Users’ Own Twitter Data.

Week 7
  • Mon 3/4, class 14: Privacy policies and controls. Reading: Im et al., Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising.
  • Thu 3/7, class 15: Deceptive design. Reading: Mathur et al., Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites; (Optional) Mathur et al., What Makes a Dark Pattern… Dark?: Design Attributes, Normative Considerations, and Measurement Methods. Due: P5: project methods.

Week 8
  • Mon 3/11: Spring Break.
  • Thu 3/14: Spring Break.

Week 9
  • Mon 3/18, class 16: Smart home privacy. Reading: Zeng & Roesner, Understanding and Improving Security and Privacy in Multi-User Smart Homes: A Design Exploration and In-Home User Study; (Optional) Emami-Naeini et al., Privacy Expectations and Preferences in an IoT World.
  • Thu 3/21, class 17: AR/VR privacy. Reading: Gallardo et al., Speculative Privacy Concerns about AR Glasses Data Collection.

Week 10
  • Mon 3/25, class 18: Usable anonymity and censorship circumvention. Reading: Forte et al., Privacy, Anonymity, and Perceived Risk in Open Collaboration: A Study of Tor Users and Wikipedians; (Required! No write-up) review of Roberts, Censored: Distraction and Diversion Inside China’s Great Firewall.
  • Tue 3/26: Due: H3: usability test.
  • Thu 3/28, class 19: Software developers. Reading: Palombo et al., An Ethnographic Understanding of Software (In)Security and a Co-Creation Model to Improve Secure Software Development.

Week 11
  • Mon 4/1, class 20: Security professionals. Reading: Alahmadi et al., 99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms.
  • Tue 4/2: Due: H4: interview.
  • Thu 4/4, class 21: Vulnerable populations. Reading: Simko et al., Computer Security and Privacy for Refugees in the United States.

Week 12
  • Mon 4/8, class 22: Work period.
  • Tue 4/9
  • Thu 4/11, class 23: Accessibility. Reading: Dosono et al., “I’m Stuck!”: A Contextual Inquiry of People with Visual Impairments in Authentication. Due: H5: design exercise.

Week 13
  • Mon 4/15, class 24: Children and teens. Reading: Kumar et al., Co-Designing Online Privacy-Related Games and Stories with Children.
  • Thu 4/18, class 25: Older adults. Reading: Frik et al., Privacy and Security Threat Models and Mitigation Strategies of Older Adults. Due: H6: survey.

Week 14
  • Mon 4/22, class 26: International & multicultural perspectives. Reading: Sambasivan et al., “They Don’t Leave Us Alone Anywhere We Go”: Gender and Digital Abuse in South Asia.
  • Thu 4/25, class 27: Project work period.

Week 15
  • Mon 4/29, class 28: Final project presentations. Due: P7: project final presentations.
  • Thu 5/2: Reading day.

Week 16
  • Mon 5/6: Exam week. Due: P8: project final report.
  • Thu 5/9: Exam week.

Grading

Grade weights

  • Current events assignment: 5%
  • Reading responses: 5%
  • In-class presentations: 10%
  • Project: 45%
    • P1: ideas: 1%
    • P2: group: 1%
    • P3: proposal: 5%
    • P4: methods: 5%
    • P5: progress report: 3%
    • P6: related work: 5%
    • P7: presentation: 5%
    • P8: report: 10%
    • Overall project quality and participation: 10%
  • Homework: 30%
    • H1: ethics: 5%
    • H2: cognitive walkthrough: 5%
    • H3: user study: 5%
    • H4: interview: 5%
    • H5: survey: 5%
    • H6: design: 5%
  • Participation: 5%

Late policies

Each assignment will specify its own late policy.

Grading scale

The course will be graded using the standard absolute scale, converting numerical scores to letter grades; i.e., this course is not curved.

Instructor information

Nathan Malkin

Office hours

There will be two types of office hours in this course. Both will be held in GITC 3803.

Open office hours

These will be Thursdays, 2–3 PM.

  • These are unscheduled, so please come without any prior notice.
  • If multiple people show up, I will try to accommodate everyone, for example by answering questions in a group or focusing on topics that the plurality of those in attendance are interested in.
  • If you have a question about course topics or assignments or anything else you think might be of interest to others, please try to come to these office hours.

Individual office hours

These will be Mondays, 2–3 PM, in 15-minute slots.
To reserve a slot, follow this link.

  • These office hours are for questions you’re more comfortable discussing one-on-one, such as grading issues, career advice, etc.
  • I’ll prioritize anyone who has a reservation, but if a slot is unscheduled, I’ll treat it like the open office hours above (so come on by!).

Course materials

Required

No required textbooks. All required readings will be linked from the course website.

Optional

Any optional readings will be linked from the course website.

Examination details

This course will not have midterms or a final exam.

Make-up exam policies

N/A

Course, department, and university policies

Collaboration policy

Except where otherwise noted, submitted assignments must be completed individually. You may discuss the topics and materials with other students, but any write-up you submit must be fully and completely your own work.

If you’re not sure whether something would be considered acceptable collaboration, please proactively contact the course staff.

Course policy on the use of artificial intelligence

AI tools can be very helpful, but they come with many flaws and limitations. In the context of this course, I believe that the use of AI tools will hurt rather than help the educational objectives, and therefore the use of AI tools is discouraged.

If you choose to use an AI tool, you must clearly specify which one, how it was used, and specifically identify its outputs and other contributions in any work you submit. You are responsible for the correctness of your work and are therefore expected to take steps to verify that you are not including or citing any hallucinated information. Failure to follow this policy will be treated as a violation of academic integrity.

Because programming and algorithms are not the focus of this course, there are no restrictions on the use of AI tools for software development (for example if you develop a prototype for your final project).

If you’re not sure whether something would be considered acceptable use, please proactively contact the course staff.

If you’re sick

If you’re not feeling well, please stay home. You’re likely to feel better more quickly, and you’ll be protecting everyone from getting infected. Please reach out to your peers for class notes or, if those are not available, contact me. If you do choose to come to class while not feeling 100%, then please wear a well-fitting N95 or KN95 mask. Please keep in mind that everyone responds to illness differently, and what for some can be a simple cold can manifest in others as serious medical issues. Thank you for protecting your peers and me!

Mental health and wellness

The academic environment can be stressful. Your well-being should always come first. NJIT’s Center for Counseling and Psychological Services offers a variety of resources. Please reach out to them if you need to, and I will do my best to support you with appropriate accommodations.

Academic integrity

“Academic Integrity is the cornerstone of higher education and is central to the ideals of this course and the university. Cheating is strictly prohibited and devalues the degree that you are working on. As a member of the NJIT community, it is your responsibility to protect your educational investment by knowing and following the academic code of integrity policy that is found at: NJIT Academic Integrity Code.

Please note that it is my professional obligation and responsibility to report any academic misconduct to the Dean of Students Office. Any student found in violation of the code by cheating, plagiarizing or using any online software inappropriately will result in disciplinary action. This may include a failing grade of F, and/or suspension or dismissal from the university. If you have any questions about the code of Academic Integrity, please contact the Dean of Students Office at dos@njit.edu.”

Class recordings

“Class sessions may be recorded by the instructor. These recordings shall only be used as an educational resource and are not to be distributed or used outside of this class. Information on how to access recorded lectures will be made available by your instructor. Any recordings that contain identifiable information about students will not be used beyond this semester.

Students are expected to respect their fellow students’ privacy and freedom to learn without disruption. Students are not allowed to capture or reproduce anyone’s name, image, or voice without permission. They must be polite and respectful in the online chat. Informal chat is okay, but typing is restricted to things that one would say out loud in front of the entire class. Students must always conduct themselves on their webcam video as they would in person in a classroom.”

Extenuating circumstance & other situations

“When a student invokes extenuating circumstances for any reason (late withdrawal from a course, request for a make-up exam, request for an Incomplete grade, request for accommodation due to illness) the student should be referred to the Dean of Students Office. The Dean of Students will make the determination of whether extenuating circumstances exist and will notify the instructor accordingly. Instructors should never request or accept medical or other documents from students; all documents should be submitted by the student to the Dean of Students Office. Except for cases determined by law, an instructor is not required to accommodate student requests even when extenuating circumstances are certified by the Dean of Students; however, all efforts should be made to ensure a student-friendly environment.”

Sexual discrimination or harassment

According to federal and university Title IX policy, all instructional staff are “required to report any Prohibited Conduct involving students to the Title IX Coordinator that they witness or become aware of.”

“Any observed, experienced or known discrimination on the basis of sex, gender identity, or sexual orientation, including the following forms of sexual harassment: sexual violence, dating violence, domestic violence and stalking involving any member of our university community, must be reported.”