NJIT IS/CS 698 - Human Factors in Security & Privacy - Spring 2025

This course covers how human factors lead to real-world security & privacy failures, how to design systems to avoid these pitfalls, and how to evaluate the usable security properties of systems.

Instructor

Course Description

When real-world cybersecurity incidents occur, the root cause is often not the technology on its own but the way people interact with it. Understanding and accounting for these human factors is crucial if we want to achieve meaningful security and privacy. This course will cover a range of user-interface and human-computer interaction problems experienced by real users. It will teach a variety of empirical research methods for evaluating the usable security properties of systems, as well as techniques for designing systems to avoid usability issues. In addition to learning from the latest research in the field of human-centered security, students will have many opportunities to gain hands-on experience applying methods from the literature, culminating in a major research and development project that students can add to their portfolios.

Logistics

We will meet Mondays and Wednesdays, 11:30–12:50, at Central King Building (CKB) 120.

The CRN for the IS section of this course is 13652; for CS it’s 11950.

Learning outcomes

Students completing this course will:

  • Learn concrete instances of security and privacy failures in common technologies
  • Be able to explain how human factors contributed to these issues
  • Read and understand current research in usable privacy and security
  • Learn and practice methodologies for evaluating the usability of systems
  • Be able to practice human-centered design for security and privacy systems

Topics overview

The course will cover topics including:

Methods

  • Experimental design
  • Statistics
  • Surveys
  • User studies
  • Interviews

Security

  • Warnings and phishing
  • Mobile permissions
  • Authentication
  • Access control

Privacy

  • Definitions of privacy
  • Deceptive design patterns
  • Privacy policies
  • Social media privacy
  • Smart home privacy

Special populations

  • At-risk users
  • Developers
  • Children
  • Accessibility in security
  • Anonymity needs and tools

Prerequisites

This course does not have formally enforced prerequisites, but I strongly recommend that anyone enrolling have background knowledge or experience with security, for example from introductory (graduate or undergraduate) security courses. Prior exposure to topics in human-computer interaction, for example user experience research and design, is also not required but welcome.

Calendar

Tip: Subscribe to calendar

Thanks to Al Simpson, you can track assignments in your calendar (system calendar, Google Calendar, or .ics URL via the course website).

Caution: Subject to change

Please keep in mind that the schedule may change as the course progresses, and check the course website regularly for updates.

Each entry lists the class number, lecture topic, discussion topic, reading(s), and any assignment due.

Week 0

  • Wed 1/22, class 1. Lecture: Usable security overview. Reading: none.

Week 1

  • Mon 1/27, class 2. Lecture: Introduction to usability (no reading responses or presentations). Reading: When to Use Which User-Experience Research Methods by Christian Rohrer.
  • Wed 1/29, class 3. Lecture: Passwords (reading required but no write-up). Reading: Ur et al., “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab.
  • Thu 1/30. Due: H1: ethics.

Week 2

  • Mon 2/3, class 4. Lecture: Password managers. Discussion: Password managers. Reading: Pearman et al., Why people (don’t) use password managers effectively. Due: P1: project ideas.
  • Wed 2/5, class 5. Lecture: MFA. Discussion: Two-factor authentication. Reading: Reese et al., A Usability Study of Five Two-Factor Authentication Methods.
  • Thu 2/6. Due: H2: cognitive walkthrough.

Week 3

  • Mon 2/10, class 6. Lecture: Passkeys and phishing. Discussion: Passkeys. Readings: Lassak et al., Why Aren’t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication; (optional) Petelka et al., Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings; (optional) Egelman et al., You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings.
  • Wed 2/12, class 7. Lecture: Security warnings. Discussion: Security warnings and indicators. Readings: Felt et al., Improving SSL Warnings: Comprehension and Adherence; (optional) Kaiser et al., Adapting Security Warnings to Counter Online Disinformation. Due: P2: project groups.
  • Thu 2/13. Due: H3: usability test.

Week 4

  • Mon 2/17, class 8. Lecture: Mobile permissions. Discussion: Mobile permissions. Reading: Cao et al., A Large Scale Study of User Behavior, Expectations and Engagement with Android Permissions.
  • Wed 2/19, class 9. Lecture: Breach and compliance notifications. Reading: Stock et al., Didn’t You Hear Me? - Towards More Successful Web Vulnerability Notifications.
  • Thu 2/20. Due: P3: project proposal.

Week 5

  • Mon 2/24, class 10. Lecture: Encrypted messaging. Discussion: Encrypted messaging. Readings: Abu-Salma et al., Obstacles to the Adoption of Secure Communication Tools; (optional) Whitten and Tygar, Why Johnny Can’t Encrypt.
  • Wed 2/26, class 11. Lecture: Privacy in social media. Discussion: Privacy in social media. Reading: Liu et al., Analyzing Facebook privacy settings: user expectations vs. reality.
  • Thu 2/27. Due: H4: interview.

Week 6

  • Mon 3/3, class 12. Lecture: Contextual integrity. Discussion: Privacy mental models. Readings: Renaud et al., Why Doesn’t Jane Protect Her Privacy?; (optional) Contextual Integrity, Explained.
  • Wed 3/5, class 13. Lecture: Notice & choice. Discussion: Privacy controls. Reading: Im et al., Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising.
  • Thu 3/6. Due: P4: project related work.

Week 7

  • Mon 3/10, class 14. Lecture: Web tracking. Discussion: Web tracking. Reading: Wei et al., What Twitter Knows: Characterizing Ad Targeting Practices, User Perceptions, and Ad Explanations Through Users’ Own Twitter Data.
  • Wed 3/12, class 15. Lecture: Deceptive design. Discussion: Deceptive design. Readings: Mathur et al., Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites; (optional) Mathur et al., What Makes a Dark Pattern… Dark?: Design Attributes, Normative Considerations, and Measurement Methods.
  • Thu 3/13. Due: P5: project methods.

Week 8

  • Mon 3/17: Spring Break.
  • Wed 3/19: Spring Break.

Week 9

  • Mon 3/24, class 16. Lecture: IoT security and privacy. Discussion: Smart home privacy. Readings: Zeng & Roesner, Understanding and Improving Security and Privacy in Multi-User Smart Homes: A Design Exploration and In-Home User Study; (optional) Emami-Naeini et al., Privacy Expectations and Preferences in an IoT World.
  • Wed 3/26, class 17. Lecture: AR/VR privacy. Reading: Gallardo et al., Speculative Privacy Concerns about AR Glasses Data Collection.
  • Thu 3/27. Due: H5: design exercise.

Week 10

  • Mon 3/31, class 18. Lecture: Anonymity and PETS. Discussion: Usable anonymity and censorship circumvention. Readings: Forte et al., Privacy, Anonymity, and Perceived Risk in Open Collaboration: A Study of Tor Users and Wikipedians; (required, no write-up) review of Roberts, Censored: Distraction and Diversion Inside China’s Great Firewall.
  • Wed 4/2, class 19. Lecture: Software developers. Reading: Palombo et al., An Ethnographic Understanding of Software (In)Security and a Co-Creation Model to Improve Secure Software Development.
  • Thu 4/3: no assignment listed.

Week 11

  • Mon 4/7, class 20. Lecture: Software developers & security professionals. Discussion: Security professionals. Reading: Alahmadi et al., 99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms.
  • Wed 4/9, class 21. Lecture: Survey development. Discussion: Vulnerable populations. Reading: Simko et al., Computer Security and Privacy for Refugees in the United States.
  • Thu 4/10. Due: H6: survey (part 1).

Week 12

  • Mon 4/14, class 22. Lecture: Vulnerable populations. Discussion: Accessibility. Reading: Dosono et al., “I’m Stuck!”: A Contextual Inquiry of People with Visual Impairments in Authentication.
  • Wed 4/16, class 23. Lecture: Accessibility + children & teens. Discussion: Children and teens. Reading: Kumar et al., Co-Designing Online Privacy-Related Games and Stories with Children.
  • Thu 4/17. Due: H6: survey (part 2).

Week 13

  • Mon 4/21, class 24. Lecture: Older adults. Discussion: Older adults. Reading: Frik et al., Privacy and Security Threat Models and Mitigation Strategies of Older Adults.
  • Wed 4/23, class 25. Lecture: At-risk users. Discussion: Trust; International & multicultural perspectives. Reading: Sambasivan et al., “They Don’t Leave Us Alone Anywhere We Go”: Gender and Digital Abuse in South Asia.
  • Thu 4/24. Due: H6: survey (part 3).

Week 14

  • Mon 4/28, class 26. Lecture: OSINT workshop by Al & Noah (no write-up). Reading: Reflections on trusting trust by Ken Thompson.
  • Wed 4/30, class 27. Lecture: Guest lecture: Alaa Daffalla (no write-up). Reading: Daffalla et al., Defensive Technology Use by Political Activists During the Sudanese Revolution.

Week 15

  • Mon 5/5: Project work period.
  • Wed 5/7: Project work period.
  • Thu 5/8. Due: Project final report.

Week 16

  • Mon 5/12: Final project presentations (exam week). Due: Project final presentations.
  • Wed 5/14: Exam week.