Reading 1 - Usable Encryption and Secure Messaging #
- Readings covered in lecture
- Alma Whitten and J.D. Tygar. Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of USENIX Security 1999.
- Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiakshina, Matthew Smith. Obstacles to the Adoption of Secure Communication Tools. In Proceedings of IEEE SP 2017.
- Anne Adams and Martina Angela Sasse. 1999. Users are not the enemy. Commun. ACM 42, 12 (December 1999), 40-46.
- James Mickens. This World of Ours. USENIX ;login:, January 2014.
- Additional Readings (choose one of these for your response)
- Omer Akgul, Ruba Abu-Salma, Wei Bai, Elissa M. Redmiles, Michelle L. Mazurek, and Blase Ur. From Secure to Military-Grade: Exploring the Effect of App Descriptions on User Perceptions of Secure Messaging. In WPES 2021: Workshop on Privacy in the Electronic Society. November 2021.
- Matthias Fassl and Katharina Krombholz. Why I Can’t Authenticate — Understanding the Low Adoption of Authentication Ceremonies with Autoethnography. In Proceedings of CHI 2023.
Resources - Methods and Experimental Design #
- Readings Covered in Class
- Lazar et al. Chapter 3: Experimental Design
- Lazar et al. Chapter 4: Statistical Analysis
- Lazar et al. Chapter 5: Surveys
- Lazar et al. Chapter 8: Interviews and Focus Groups
- Lazar et al. Chapter 11: Analyzing Qualitative Data
- Thematic analysis: https://www.tandfonline.com/doi/epdf/10.1191/1478088706qp063oa?needAccess=true
- There are no additional readings or responses required
Reading 2 - Introduction to Privacy #
- Readings Covered in Class
- S. Warren and L. Brandeis. The Right to Privacy. Harvard Law Review. 1890.
- Daniel Solove. I’ve got nothing to hide and other misunderstandings of privacy. San Diego Law Review. 2007.
- Naresh K. Malhotra, Sung S. Kim, James Agarwal. Internet Users’ Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information Systems Research. Vol 15. No 4. 2004.
- Additional Readings (choose one of these for your response)
- Oshrat Ayalon and Eran Toch. Evaluating Users’ Perceptions about a System’s Privacy: Differentiating between Social and Institutional Aspects. SOUPS 2019.
- Maggie Oates, Yama Ahmadullah, Abigail Marsh, Chelse Swoopes, Shikun Zhang, Rebecca Balebako, Lorrie Faith Cranor. Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration. PETS 2018.
Reading 3 - Security Warnings and Permissions #
- Readings Covered in Class
- Rob Reeder, Ellen Cram Kowalczyk, and Adam Shostack. Poster: Helping engineers design NEAT security warnings. SOUPS Poster 2011.
- Serge Egelman, Lorrie Faith Cranor, and Jason Hong. 2008. You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. CHI 2008.
- Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Emre Acer, Elisabeth Morant, and Sunny Consolvo. Rethinking Connection Security Indicators. SOUPS 2016.
- Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David A. Wagner: Android permissions demystified. ACM Conference on Computer and Communications Security 2011.
- Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. 2012. Android permissions: user attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ’12).
- Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David A. Wagner, Konstantin Beznosov: Android Permissions Remystified: A Field Study on Contextual Integrity. In Proceedings of the USENIX Security Symposium 2015.
- Additional Readings (choose one of these for your response)
- Prange, Sarah, Pascal Knierim, Gabriel Knoll, Felix Dietz, Alexander De Luca, and Florian Alt. “I do (not) need that Feature!”–Understanding Users’ Awareness and Control of Privacy Permissions on Android Smartphones. In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), pp. 453-472. 2024.
- Tahaei, Mohammad, Ruba Abu-Salma, and Awais Rashid. “Stuck in the Permissions With You: Developer & End-User Perspectives on App Permissions & Their Privacy Ramifications.” CHI 2023.
Reading 4 - Passwords and Password Managers #
- Readings Covered in Lecture
- Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. Passwords and the evolution of imperfect authentication. Communications of the ACM 58, 7 (July 2015), 78–87.
- Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
- Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of CCS 2013.
- Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. In the proceedings of SOUPS 2015.
- Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes and Sven Bugiel. Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse. USENIX 2018.
- Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Why people (don’t) use password managers effectively. SOUPS 2019.
- Additional Readings (choose one of these for your response)
- Collins W. Munyendo, Peter Mayer and Adam J. Aviv. “I Just Stopped Using One and Started Using the Other”: Motivations, Techniques, and Challenges When Switching Password Managers. CCS 2023.
- Patricia Arias Cabarcos, Peter Mayer. ‘The more accounts I use, the less I have to think’: A Longitudinal Study on the Usability of Password Managers for Novice Users. SOUPS 2025.
Reading 5 - Spam, Phishing, and Ethics #
- Readings Covered in Class
- The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Department of Homeland Security. 2012. (No need to write a report, but MUST read)
- Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., & Savage, S. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the CCS. 2008.
- Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. CHI 2006.
- Rick Wash and Molly M. Cooper. Who Provides Phishing Training? Facts, Stories, and People Like Me. In Proceedings of CHI 2018.
- Additional Readings (choose one of these for your response)
- Rajvardhan Oak and Zubair Shafiq, University of California, Davis. “Hello, is this Anna?”: Unpacking the Lifecycle of Pig-Butchering Scams. SOUPS 2025.
- Daniele Lain, Kari Kostiainen, Srdjan Čapkun. Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE S&P 2022.
Reading 6 - Deep Dive Presentations 1 #
- Topics and reading TBD
Reading 7 - Deep Dive Presentations 2 #
- Topics and reading TBD
Reading 8 - Deep Dive Presentations 3 #
- Topics and reading TBD
Reading 9 - Guest Lecture TBD #
- Topics and reading TBD
Reading 10 - Guest Lecture TBD #
- Topics and reading TBD