Meeting 1 - Usable Encryption and Secure Messaging #

• Readings covered in lecture
  • Alma Whitten and J.D. Tygar. Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of USENIX Security 1999]
  • Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiakshina, Matthew Smith. Obstacles to the Adoption of Secure Communication Tools In Proceedings of IEEE SP 2017.
  • Anne Adams and Martina Angela Sasse. 1999. Users are not the enemy. Commun. ACM 42, 12 (December 1999), 40-46.
  • James Mickens. This World of Ours. USENIX ;login:, January 2014.
• Additional Readings (choose one of these for your response)
  • Omer Akgul, Ruba Abu-Salma, Wei Bai, Elissa M. Redmiles, Michelle L. Mazurek, and Blase Ur. From Secure to Military-Grade: Exploring the Effect of App Descriptions on User Perceptions of Secure Messaging. In WPES 2021: Workshop on Privacy in the Electronic Society. November 2021.
  • Noel Warford, Collins W. Munyendo, Ashna Mediratta, Adam J. Aviv and Michelle L. Mazurek. Strategies and Perceived Risks of Sending Sensitive Documents. 30th USENIX Security Symposium (USENIX Security 21) (Sec’21). 2021
  • Scott Ruoti, Jeff Andersen, Tyler Monson, Daniel Zappala, and Kent Seamons. A Comparative Usability Study of Key Management in Secure Email. In proceedings of 2018 SOUPS (SOUPS’18).
  • Ada Lerner, Eric Zeng, and Franziska Roesner. Confidante: Usable encrypted email: A case study with lawyers and journalists. 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.
  • Matthias Fassl and Katharina Krombholz. Why I Can’t Authenticate — Understanding the Low Adoption of Authentication Ceremonies with Autoethnography. In Proceedings of CHI 2023.

Meeting 2 - Methods and Experimental Design #

• Readings Covered in Class
  • Lazar et al. Chapter 3: Experimental Design
  • Lazer et al. Chapter 4: Statistical Analysis
  • Lazer et al. Chapter 5: Surveys
  • Lazar et al. Chapter 8: Interviews and Focus Groups
  • Lazer et al. Chapter 11: Analyzing Qualitative Data
• There are no additional readings or responses required

Meeting 3 - Privacy Measurement #

• Readings Covered in Class
  • S. Warren and L. Brandeis. The Right to Privacy. Harver Law Review. 1890.
  • Daniel Solove. I’ve got nothing to hide and other misunderstandings of privacy. San Diego Law Review. 2007.
  • Naresh K. Malhotra, Sung S. Kim, James Agarwal. Internet Users’ Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information Systems Research. Vol 15. No 4. 2004.
• Additional Readings (choose one of these for your response)
  • Oshrat Ayalon and Eran Toch. Evaluating Users’ Perceptions about a System’s Privacy: Differentiating between Social and Institutional Aspects. SOUPS 2019.
  • Maggie Oates, Yama Ahmadullah, Abigail Marsh, Chelse Swoopes, Shikun Zhang, Rebecca Balebako, Lorrie Faith Cranor. Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration. PETS 2018.
  • Allison Woodruff, Vasyl Pihur, Sunny Consolvo, Lauren Schmidt, Laura Brandimarte and Alessandro Acquisti. Would a Privacy Fundamentalist Sell Their DNA for $1000…If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences. SOUPS 2014.
  • Rakibul Hasan, Rebecca Weil, Rudolf Siegel, Katharina Krombholz. A Psychometric Scale to Measure Individuals’ Value of Other People’s Privacy (VOPP). CHI 2023.

Meeting 4 - Passwords #

• Topic: Passwords and Password Managers
• Readings Covered in Lecture
  • Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. Passwords and the evolution of imperfect authentication. Communications of the ACM 58, 7 (July 2015), 78–87.
  • Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
  • Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of CCS 2013.
  • Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. In the proceedings of SOUPS 2015.
  • Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes and Sven Bugiel. Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse. USENIX 2018.
  • Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Why people (don’t) use password managers effectively. SOUPS 2019.
• Additional Readings (choose one of these for your response)
  • Rick Wash, Emilee Rader, Ruthie Berman, and Zac Wellmer. Understanding Password Choices: How Frequently Entered Passwords are Re-used Across Websites. Proceedings of the SOUPS 2016.
  • Peter Mayer, Collins W. Munyendo, Michelle L. Mazurek, and Adam J. Aviv. Why Users (Don’t) Use Password Managers at a Large Educational Institution. USENIX 2022
  • Collins W. Munyendo, Philipp Markert, Alexandra Nisenoff, Miles Grant, Elena Korkes, Blase Ur, and Adam J. Aviv. “The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 Digits. USENIX 2022.
  • Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. 2015. Is Bigger Better? Comparing User-Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android’s Pattern Unlock. In Proceedings of ACSAC 2015.
  • P. Markert, D. V. Bailey, M. Golla, M. Duermuth, and A. J. Aviv. On the Security of Smartphone Unlock PINs. ACM Transactions on Privacy and Security. Volume 24. Issue 4. September 2021.
  • Kevin Lee, Sten Sjöberg, and Arvind Narayanan. Password policies of most top websites fail to follow best practices. In SOUPS 2022.
  • ~~Suood Alroomi and Frank Li. Measuring Website Password Creation Policies At Scale. In CCS 2023. ~~
  • Collins W. Munyendo, Peter Mayer and Adam J. Aviv. “I Just Stopped Using One and Started Using the Other”: Motivations, Techniques, and Challenges When Switching Password Managers. CCS 2023.

Meeting 5 - Developers as Users #

• Readings covered in class:
  • Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, Sascha Fahl. Stack Overflow Considered Harmful? The Impact of Copy & Paste on Android Application Security
  • Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle Mazurek, Christian Stransky. You Get Where You’re Looking For - The Impact of Information Sources on Code Security
  • Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Marco Herzog, Sergej Dechand, Matthew Smith. Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study . ACM Conference on Computer and Communications Security 2017: 311-328
  • Pearce, Hammond, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt, and Ramesh Karri. “Asleep at the keyboard? assessing the security of github copilot’s code contributions.” In 2022 IEEE Symposium on Security and Privacy (SP), pp. 754-768. IEEE, 2022.
• Additional Readings (choose one of these for your response)
  • Klemmer, Jan H., Stefan Albert Horstmann, Nikhil Patnaik, Cordelia Ludden, Cordell Burton Jr, Carson Powers, Fabio Massacci et al. “Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns.” To appear at CCS 2024.

  • Daniel Votipka, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, Michael Hicks. Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. USENIX Security, 2020.

  • Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel von Zezschwitz, Matthew Smith: “If you want, I can store the encrypted password”: A Password-Storage Field Study with Freelance Developers. CHI 2019
  • Peter Leo Gorski, Luigi Lo Iacono, Dominik Wermke, Christian Stransky, Sebastian Möller, Yasemin Acar, Sascha Fahl. Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse. SOUPS’18

Meeting 6 - Security Warnings and Permissions #

• Readings Covered in Class
  • Rob Reeder, Ellen Cram Kowalczyk, and Adam Shostack. Poster: Helping engineers design NEAT security warnings. SOUPS Poster 2011.
  • Serge Egelman, Lorrie Faith Cranor, and Jason Hong. 2008. You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. CHI 2008.
  • Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Embre Acer, Elisabeth Morant, and Sunny Consolv. Rethinking Connection Security Indicators. SOUPS 2016.
  • Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David A. Wagner:
    Android permissions demystified. ACM Conference on Computer and Communications Security 2011.
  • Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. 2012. Android permissions: user attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ‘12).
  • Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David A. Wagner, Konstantin Beznosov: Android Permissions Remystified: A Field Study on Contextual Integrity. In proceedings USENIX Security Symposium 2015
• Additional Readings (choose one of these for your response)
  • Prange, Sarah, Pascal Knierim, Gabriel Knoll, Felix Dietz, Alexander De Luca, and Florian Alt. “I do (not) need that Feature!”–Understanding Users’ Awareness and Control of Privacy Permissions on Android Smartphones. In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), pp. 453-472. 2024.

  • Tahaei, Mohammad, Ruba Abu-Salma, and Awais Rashid. “Stuck in the Permissions With You: Developer & End-User Perspectives on App Permissions & Their Privacy Ramifications.”. CHI 2023.

  • Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proceedings of USENIX Security 2013.
  • Lynn Tsai, Primal Wijesekera, Joel Reardon, Irwin Reyes, Serge Egelman, David Wagner, Nathan Good and Jung-Wei Chen. Turtle Guard: Helping Android Users Apply Contextual Privacy Preferences. SOUPS 2017.
  • Daniel Smullen*, Yuanyuan Feng, Shikun (Aerin) Zhang, and Norman Sadeh. The Best of Both Worlds: Mitigating Trade-offs Between Accuracy and User Burden in Capturing Mobile App Privacy Preferences. PoPETS 2020.
  • Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, Serge Egelmanc. 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System. In proceedings of USENIX Security 2019.

Meeting 7 - Spam, Phishing, and Ethics #

• Readings Covered in Class
  • The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Departmnet of Homeland Security. 2012. (No need to write a report, but MUST read)
  • Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., & Savage, S. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the CCS. 2008.
  • Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. CHI 2006.
  • Rick Wash and Molly M. Cooper. Who Provides Phishing Training? Facts, Stories, and People Like Me. In Proceedings of CHI 2018.
• Additional Readings (choose one of these for your response)
  • Daniele Lain, Kari Kostiainen, Srdjan Čapkun. Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE S&P 2022.

  • Tabassum, Sarah, Cori Faklaris, and Heather Richter Lipford. What Drives {SMiShing} Susceptibility? A {US}. Interview Study of How and Why Mobile Phone Users Judge Text Messages to be Real or Fake. In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), pp. 393-411. 2024.

  • Chris Kanich, Nicholas Weaver, Damon McCoy, Tristan Halvorson, Christian Kreibich, Kirill Levchenko, Vern Paxson, Geoffrey M. Voelker, and Stefan Savage. Show Me the Money: Characterizing Spam-advertised Revenue. USENIX Sec’ 2011.
  • Amber van der Heijden and Luca Allodi. Cognitive Triaging of Phishing Attacks. In proceedings of USENIX Sec’ 2019.
  • Huahong Tu, Adam Doupé, Ziming Zhao,Gail-Joon Ahn. Users Really Do Answer Telephone Scams. In proceedings of USENIX Sec’ 2019.
  • Kholoud Althobaiti, Adam D G Jenkins, and Kami Vaniea. A Case Study of Phishing Incident Response in an Educational Organization. CSCW 2021.

Meeting 8 - Data Breaches and Compliance #

To be updated

Meeting 9 - Bias in AI #

To be updated

Meeting 10 - Non-Standard and Unique Groups #

These are not final. They will be announced at or soon afer class

• Readings Covered in Class
  • Greg Norcie, Jim Blythe, Kelly Caine, and L Jean Camp. Why Johnny Can’t Blow the Whistle: Identifying and Reducing Usability Issues in Anonymity Systems. In proceedings of USEC 2014.
  • Susan E. McGregor, Polina Charters, Tobin Holliday, and Franziska Roesner. Investigating the Computer Security Practices and Needs of Journalists. In USENIX Security 2015.
  • Tamy Guberek, Allison McDonald, Sylvia Simioni, Abraham H Mhaidli, Kentaro Toyama, Florian Schaub. Keeping a Low Profile? Technology, Risk and Privacy among Undocumented Immigrants. In Proceedings of CHI 2018.
  • Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, and Nicola Dell. “A Stalker’s Paradise”: How Intimate Partners Abuse Technology. In proceedings of CHI’18.
• Additional Readings (choose one of these for your response)
  • Susan E. McGregor. Elizabeth Anne Watkins. Mahdi Nasrullah Al-Ameen, Kelly Caine, Franziska Roesner.When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers
  • Alaa Daffalla, Lucy Simko, Tadayoshi Kohno, and Alexandru G. Bardas. Defensive Technology Use by Political Activists During the Sudanese Revolution in IEEE S&P 2021.
  • Maia J. Boyd, Jamar L. Sullivan Jr., Marshini Chetty, and Blase Ur. Understanding the Security and Privacy Advice Given to Black Lives Matter Protesters
  • Emily Tseng, Rosanna Bellini, Open Lab, Nora McDonald, Matan Danos, Rachel Greenstadt, Damon McCoy, Nicola Dell and Thomas Ristenpart. The Tools and Tactics Used in Intimate Partner Surveillance: An Analysis of Online Infidelity Forums. In USENIX Security 2020.
  • Miranda Wei, Eric Zeng, Tadayoshi Kohno, Franziska Roesner. Anti-Privacy and Anti-Security Advice on TikTok: Case Studies of Technology-Enabled Surveillance and Control in Intimate Partner and Parent-Child Relationships. In IEEE Security and Privacy 2022.

Meeting 11 - Dashboards, Labels, and Privacy Policies #

These are not final. They will be announced at or soon afer class

• Readings Covered in Class
  • Florian Farke, David G. Balash, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv. Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google’s My Activity. USENIX 2021.
  • Florian M. Farke, David G. Balash, Maximilian Golla, Adam J. Aviv. How Does Connecting Online Activities to Advertising Inferences Impact Privacy Perceptions?. PoPETS 2024.
  • David G. Balash, Mir Masood Ali, Chris Kanich and Adam J. Aviv. “I would not install an app with this label”: Privacy Label Impact on Risk Perception and Willingness to Install iOS Apps. Twentieth Symposium on Usable Privacy and Security (SOUPS 2024). Pgs. 413–432. August 2024.
• Additional Readings
  • Yanzi Lin, Jaideep Juneja, Eleanor Birrell, Lorrie Faith Cranor. Data Safety vs. App Privacy: Comparing the Usability of Android and iOS Privacy Labels. PoPETS 2024.
  • Mir Masood Ali, David G. Balash, Chris Kanich, Adam J. Aviv. Honesty is the Best Policy: On the Accuracy of Apple Privacy Labels Compared to Apps’ Privacy Policies. PoPETS 2024.
  • Nathan Reitinger, Bruce Wen, Michelle Mazurek, and Blase Ur.What Does It Mean to Be Creepy? Responses to Visualizations of Personal Browsing Activity, Online Tracking, and Targeted Ads. PoPETS 2024.
  • Mainack Mondal, Günce Su Yilmaz, Noah Hirsch, Mohammad Taha Khan, Michael Tang, Christopher Tran, Chris Kanich, Blase Ur, and Elena Zheleva. Moving Beyond Set-It-And-Forget-It Privacy Settings on Social Media. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019
  • Serge Egelman and Eyal Peer. Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS). CHI 2015.
  • Emilee Rader, Samantha Hautea, and Anjali Munasinghe, Michigan State University. “I Have a Narrow Thought Process”: Constraints on Explanations Connecting Inferences and Self-Perceptions. SOUS 2020.

Meeting 12 - Accessibility #

To be updated