Research Project

Due Dates

• Proposals: Due Oct 18 (10%)
• Ethics Review: Due Nov 8 (10%)
• Annotated Bibliography: Due Nov 15 (10%)
• Project Status Report: Due Nov 22 (10%)
• Presentation: Due Dec 2 or Dec 9 (30%)
• Final Report: Due Dec 13 (30%)

All submissions should occur via blackboard as a single PDF for each of the due dates above.

Assignment Descriptions

You will complete a semester long project related to usability security and privacy. If you are registered for CSCI 4533, you are encouraged to work on the project in groups of 2 or individually. If you are in CSCI 6533, you must work individually on your project. While it is not necessarily required, it is expected that all projects have a user study that can either be qualitative or quantitative in nature, but you may also do a measurement or large/mid-scale comparison.

Historically, these small class projects can develop into real research projects and publications, so if you are interested in this research area, this is a great opportunity to explore an area that you are excited about. At the bottom are some sample research projects, but you are not required to use any of these. You can propose your own idea, if you want.

At the end of this project you will have conducted a small research project, provided a written description of the research, and produce a short video describing your work.

Projects Proposal

Your proposal should include the following information, approximately one paragraph per-point.

1. What research questions/hypothesis do you plan to address?
2. What methods will you use in your investigate?
3. What is your recruitment plan and target demographic?
4. What is a timeline for your work?
5. What are the ethical considerations? (see below)
6. What is your analysis plan for any data you collect?

Following submission of your proposal, your group will schedule meetings with the instructor to get feedback and provide updates. Once the topic is approved, you are expected to make edits on your initial proposals for a final proposal.

Ethics Review

As this research project is for the purpose of training and education students on how to conduct research and not to produce generalized knowledge research results, it is the general standard that this research does not require an ethics review. However, that does not mean you can conduct research unethically.

You are required to submit a preliminary draft of your study methods/protocol along with a justification that it meets ethical standards of treating participants fairly. Your ethics report should include the following section prompts with appropriate responses. The entire report should be 2-3 pages, not included attachments.

Ethics Report

• Research Goals/Hypothesis and Questions
  • 1-2 paragraphs of the research goals
• Detailed Description of Protocol
  • Details of the entire protocol, what will be asked (~1 page)
• Informed Consent
  • How will participants be informed that they are participating in research (1 paragraph)
• Risks and Benefits
  • What are the assocaited benefits (1 paragraph)
  • What are the associated risks (1 paragraph) (EVERY STUDY HAS RISKS! You cannot say none.)
  • How are those risks mitigated (1 paragraph)
  • What is your plan to ensure participant confidentiality? (1 paragraph)
• Recruitment (1-2 paragraph)
  • What is the recruitment plan?
  • How many participants are needed?
  • How are you going to ensure that all participants are treated fairly?

Attachment

• Survey/Interview Instrument
  • A copy of the questions/instrument you plan to use in completing the study
• Recruitment
  • A copy of any recruitment material
• Informed Consent
  • A copy of your informed consent you will use

Annotated Bibliography

You will be expected to reference at least 10 research papers for your report. Of those, only half (5) can be papers included in the reading list for the class. To find relevant research papers, you should use Goolge Scholar as a starting point. However, you should try and cite papers from the following venues (below), and if you find articles not in these venues, consult the instructor to determine if they are appropriate for inclusion.

• USENIX Security (Sec) (USENIX)
• Symposium on Usable Security and Privacy (SOUPS)
• IEEE Symposium on Security and Privacy (S&P) (Oakland)
• ACM Conference on Communication Systems (CCS)
• ACM Conference on Human Factors in Computing (CHI)
• ISOC Network and Distributed System Symposium (NDSS)
• Proceedings on Privacy Enhancing Technologies (PETS)
• Annual Computer Applications Conference (ACSAC)
• IEEE European Symposium on Security and Privacy (EuroSP)
• Symposium on Usable Security and Privacy (USEC)
• European Symposium on Usable Security and Privacy (EuroUSEC)

For your annotated bibliography, you should include the complete reference to the article, a brief summary of the research results (1 paragraph), and a description of how it relates to your current research project (1 paragraph).

Project Status Report

You should submit a report indicating your progress on completing your project or any changes that need to be made in adjusting the project’s goal. Your report should include the following sections:

• Research Summary (1-2 paragraphs)
  • Summary of the research questions and goals
• Progress Summary (3-5 paragraphs)
  • For each of the research questions and goals, indicate your current progress. This include data collection, data preparation, etc.
• Results Preview (1-2 paragraphs)
  • Based on your preliminary work, provide a preview of your expect results. This could be visuals/data/graphs or exerps from interviews.
• Changes and Modifications (1-2 paragraphs)
  • Describe any changes or modifications to your project from your proposal.

Project Presentation

Each team will give a 10-minute presentation in class on either Dec 2 or 9, in class. Your presentation should cover the following topics.

• Motivation
  • Why this research?
  • What has been done before? What is the gap?
• Methods
  • What did you do?
  • How did you analyze the data?
• Results
  • What did you find?
• Implications/Discussion
  • What do the results mean?
• Future Work
  • What would you do next?

Project Final Report

Your final report should be between 6-8 pages, not including bibliography and appendix. It should be formatted as ACM, two column format. You can easily find this on overleaf. You should use the \documentclass[sigconf]{acmart} header for the two-column format.

Your paper should have the following outline (and descriptions):

• Abstract
  • One paragraph description of your research questions and motivations and a brief summary of the conclusion
• Introduction (containing the following details)
  • Motivation (one/two-paragraph)
  • Related work doesn’t cover this!
  • Research Question (…)
  • Method (…)
  • Results (…)
  • Conclusions/Contributions (…)
• Related Work
  • Enumerate what’s come before but also(!) include how that related work matters to this research
• Methodology
  • What was the method of investigation (survey/interview)
  • Description of the survey
  • Who do you recruit and from where
  • Limitations
  • Ethical Considerations
• Results
  • How did you analyze it?
  • What did you find?
  • Address each hypothesis/research question, what is their answer?
• Discussion
  • Interpretation and place in the context
  • Now that you know the answer to a RQ, what doe that mean…
  • What does this mean and how do we apply
  • Future work/future directions
• Conclusion
  • Rehashing of the motivations/research-question/methods/results/contributions
• Bibliography
  • Your paper should cite at least 10 other papers!
• Appendix
  • Entire survey/interview instrument
  • Codebook (qualitative)
  • Any additional figures and material is relevant for me to review

Resources

As this is a class project, you will likely rely on friends and family to be your research participants – or your class mates :) If you wnat, you can explore using paneling platforms like Prolific or Qualtrics, but this costs money to you. Alternatively, you can post your survey or requests to r/SampleSize subreddit which is a easy, but somewhat unreliable way to recruit participants for surveys. Crowdsourcing on twitter (X) or other social media is also a good choice.

If you are running a survey, you can use a number of free-ish survey platforms to host your survey. Many of these do have fees, but have a free version. This includes SurveyJS, LimeSurvey, Qualtrics, and, of course, Google Forms. Additionally, Microsoft also has forms through their Office 365 account that could be used to complete this project.

If you are conducting interviews, you may want to consider using audio transcription tools. However, I strongly caution against trusting these transcriptions completely as there is significant errors. There are a number of products that link to Zoom and Google Meets to do transcriptions you can use, as well as a number of smartphone apps.

Grading

We will use the following grading scheme for all project topics:

• Beyond Expectations: 100%
  • Meets all requirements with high quality details and descriptions beyond expectations
• Meets Expectations: 95%
  • Meets all requirements at a high level
• Satisfactory: 90%
  • Meets all requirements with minor areas for improvement.
• Needs Improvement: 85%
  • Significant portions should be improved
• Needs Significant Improvement: 75%
  • Notable portions are incomplete and require significant improvement
• Unsatisfactory: 50%
  • Does not meaningful satisfy the requirements of the assignment

For project proposal, ethics review, and annotated bibliography, for grades at or below 95%, you can resubmit.

Presentation

For this part of the project, you will be graded by four reviewers. Three (including the instructor) will be experts in the area, and the fourth will be the average of your classmates reviews. Your grade for the presentation will be the average sum of the following items using the scale outlined above.

• Content (30%)
  • Are all aspects of the presentation covered, included motivation, methods, results, implications, and future work?
• Organization (20%)
  • Are the details presented in a reasonable way with logical flow from one section to the next?
• Conclusions/Summaries (20%)
  • Are the results properly summarized and implications given?
• Visual Aids (20%)
  • Are there sufficient visual aids to enhance the understanding of the presentation without distracting?
• Q&A Session (10%)
  • Are the presenters able to properly answer questions about their project?

Final Report

For this part of the project, we will use the grading scheme applied to each expected portion of the report.

• Motivation/Introduction/Abstrcated (20%)
  • Is the motivation and goals of the project properly articulated?
  • Are the results and conclusions properly summarized?
• Related Work (10%)
  • Are related work presented clearly?
  • Is the related work offering context to this result?
• Methodology (20%)
  • Are the methods of the research clearly explained?
  • Are recruitment and participant background discussed?
  • Are ethical considerations discussed?
  • Are limitations discussion?
• Results (20%)
  • Are the results presented clear?
  • Is there sufficient visual aids used and referenced?
• Discussion/Conclusion (20%)
  • Are the results properly and meaningfully interpreted?
  • Are conclusions offered?
• Bibliography/Appendices (5%)
  • Are their sufficient resources cited
  • Are additional material provided as needed, such as the survey instrument, qualitative codebook?

Project Topics

Below is a non-exhaustive list of topics and some general research questions that you can use to build a proposal. You may also propose your own topics. Note that you will need to develop your own more specific research question and methods of investigation for your research.

• Authentication

  • Biometric Authentication
    • As more and more devices use biometrics, how does this new convenient method of authentication impact knowledge based methods of authentication choices and the perceptions therein?
    • Do people choose weaker PINs/Passwords if they have a biometric? What are people’s opinions comparing biometrics with knowledge based authentication?
  • Mobile Authentication
    • How do users manage passwords on their mobile devices, how does that differ than how they manage them in traditional settings? Does it differ between applications and browsing?
    • Some secure messaging services, like Signal, ask users to select a PIN, do users do this? Do they understand how the PINs are used? Also there was a lot o reminders about entering your PIN on signal, did they work or annoy?
  • Password Managers
    • Why do users or why do they not use a password manager in different settings? Mobile vs. Desktop?
    • What are users preferences and features for password managers?
    • How well do Password Managers actually work at auto filling? Can you empirically measure auto-filling success and failures of password managers in different settings?
    • Many password managers have features for users to review and update passwords. How well do these work? Do users user them? If they do use them, do they understand them?
    • What if we asked users who weren’t previously using a password manager to set one up? What do they do? How does it affect them?
    • There’s a lot of discussion of passwords managers on online forums, like Reddit, what problems do people report on and what advice is given?
• Digital Sharing
  • Users want/need to share secrets online, such as a password or PII. If so tasked, how would they do it? Would they use email or text message or something else? What are the threat models and security understanding of users when they share secrets online?
  • We share a lot of documents in the cloud, how often have you gone back to actually review all of that sharing? If users were to reflect on documents they previously shared, would they change anything by adding more restrictions, or just leave it be? What are the threat models of sharing documents this way?
• Security of Signal/Whatsapp/SMS
  • More and more users are using texting applications that provide end-to-end encryption. Do users user all these features? How do they understand the security provided?
  • Can two users properly establish secure channels using these apps?
  • (see the mobile authentication one for PINs in signal)
• Voice Assistants
  • Creepy or necessary? How do people understand and use voice assistant technology?
  • Voice assistants often record conversations even when users are not aware, but you can go a look at these recordings. How do people feel about these un-aware recordings?
• Two Factor Authentication
  • It’s clearly better, but what might stop users from using it? How many accounts do ussrs actually have 2fa installed on?
  • If there is two-factor, do people end up making worse choices elsewhere because they have a false sense of security?
• Video Conferencing Privacy and Security
  • So many more people are using video conferencing, what are their concerns? How do they mitigate them?
  • How do users manage private spaces in their home. Do they choose remote backgrounds, yes or no?
• Private Browsing Mode
  • What do people actually use this for and what is their expectations of privacy when using private browsing mode?
• VPNs
  • VPNs are very common for people to use but misunderstand. What are the common reasons for people using VPNs compared to the actually security and privacy they provide.
  • There is a lot of VPN advertising on YouTube – how does the claims of the advertisers compare to the actually features that VPNs provide
• Developer Studies
  • So much development happens in the open on github—that’s public information!—so take a look at all the open issues for security related issues. How quickly are they closed? Do developers care about them?
• LLMS and Generative AI
  • If you were seeking security and privacy advice from an AI systems, is it good? What kind of variety of advice?
  • How do users compare the advice from a LLM compared to that of an actual security and privacy expert
• Breaches and Identify Theft
  • We have all probably been a part of a breach, but how do we understand what happens when we are a pat of breach? Do we do anything about it? You can study participants responses after looking up their information in a breach database.
  • You may have signed up for identify theft, perhaps in response to a breach or other notification— what then? How often do you use? Is it helpful? How usable are these services in the first place?
• Phone Shops
  • Small mobile phone shops and their workers offer technical support to customers about their devices. What questions are they asked about security and privacy and what answers do they provide? Are they good?