NJIT IS/CS 485 - Usable Security & Privacy - Fall 2024

This course covers how security and privacy decisions are made in the real world, why mistakes and failures happen so often, and what we can do about it.
Instructor

Course Description

Cybersecurity and privacy incidents are often blamed on people’s choices, but what led to these decisions? If we understand the reasons for these failures and how the systems themselves contributed to them, we can create better technologies that help improve people’s security and privacy. In this course, we will study how security and privacy decisions are made in the real world, how incomplete or faulty assumptions may cause mistakes to be made, and what it takes to design and develop systems that overcome these issues. The course will synthesize and present important research in security, privacy, and human-computer interaction. In addition, students will learn and practice techniques commonly used by user experience researchers that will help them independently evaluate the usability of systems.

Logistics

This course is scheduled to meet at Mechanical and Industrial Engineering Center (ME) 221 on Tuesdays and Thursdays, 4:00 PM – 5:20 PM.

The CRN for the IS section of this course is 95790; for CS it’s 95792.

Prerequisites

Enrolling students are expected to have passed one of the following courses:

  • IT 230. Computer and Network Security
  • CS 351. Introduction to Cybersecurity
  • CS 608. Cryptography and Security
  • CS 645. Security and Privacy in Computer Systems

Additionally, the following courses are recommended:

  • IS 247 - Designing the user experience
  • IS 375 - Discovering user needs for UX
  • IS 448 - Usability & measuring UX
  • IT 331 - Privacy & information technology

If you have a strong interest in the topic but lack the formal prerequisites, please contact me in advance.

Topic overview

The course will cover the following topics:

Security

  • Passwords and potential alternatives
  • Multi-factor authentication
  • Warnings and phishing
  • Mobile permissions
  • Authentication
  • Access control

Privacy

  • Social media privacy
  • Online tracking
  • Privacy policies
  • AR/VR privacy
  • Smart home privacy
  • Deceptive design patterns

Special populations

  • At-risk users
  • Software developers and system administrators
  • Children
  • Accessibility in security
  • Anonymity needs and tools

Learning outcomes

Students completing this course will:

  • Discuss concrete instances of security and privacy failures in common technologies
  • Be able to explain how human factors contributed to these issues
  • Learn about research findings in a variety of domains in usable privacy and security
  • Practice methodologies for evaluating the usability of systems
  • Understand how to apply human-centered design for security and privacy systems

Note: How this course differs from IS/CS 698

IS/CS 698, Human Factors in Security and Privacy, is a graduate, research-oriented seminar course, enrolling a mix of masters and PhD students. Its goal is to help students understand, evaluate, and contribute to cutting-edge research. To that end, a major focus of that course is reading, discussing, and analyzing research papers; students also work on a semester-long research project. In IS/CS 485, the focus will be on learning the lessons from the research field’s findings and how to apply them. The course will be primarily centered around lectures (though with significant active learning components), which will synthesize takeaways from state of the art research. However, students will still gain practical experience with research methods used in the human-computer interaction field through several hands-on projects.

Calendar

Caution: Subject to change

Please keep in mind that the schedule may change as the course progresses, so please regularly check the course website for any changes.

| Week | Day | Date | Class | Lecture | Reading | Due |
|---|---|---|---|---|---|---|
| 1 | Tue | 9/3 | 1 | Security | “A Story About Jessica” by SwiftOnSecurity | |
| | Thu | 9/5 | 2 | Usable encryption: encrypted email | Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You. by Micah Lee | |
| 2 | Tue | 9/10 | 3 | Usable encryption: E2E messengers | | |
| | Wed | 9/11 | | | | Homework 1 |
| | Thu | 9/12 | 4 | Usability | Evaluate Interface Learnability with Cognitive Walkthroughs by Kim Flaherty; User Interviews 101 by Maria Rosala and Kara Pernice | |
| 3 | Tue | 9/17 | 5 | Selecting research methods | When to Use Which User-Experience Research Methods by Christian Rohrer; 28 Tips for Creating Great Qualitative Surveys by Susan Farrell | |
| | Wed | 9/18 | | | | Homework 2 |
| | Thu | 9/19 | 6 | Experiment design & ethics | No Encore for Encore? Ethical questions for web-based censorship measurement by Arvind Narayanan & Bendert Zevenbergen | |
| 4 | Tue | 9/24 | 7 | Passwords | The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d! by Robert McMillan [1] | |
| | Wed | 9/25 | | | | Homework 3 |
| | Thu | 9/26 | 8 | Password managers | Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach by Brian Krebs | Project: partners |
| 5 | Tue | 10/1 | 9 | Password alternatives | | |
| | Wed | 10/2 | | | | Homework 4 |
| | Thu | 10/3 | 10 | Multi-factor authentication | A Guide to Common Types of Two-Factor Authentication on the Web by Jacob Hoffman-Andrews and Gennie Gebhart | |
| 6 | Tue | 10/8 | 11 | 2FA, continued | | |
| | Wed | 10/9 | | | | Homework 5 |
| | Thu | 10/10 | 12 | Phishing | How I Fell for an Amazon Scam Call and Handed Over $50,000 by Charlotte Cowles | Project: proposal |
| 7 | Tue | 10/15 | 13 | Phishing & security warnings | What Does the Brain Tell Us about Usable Security? (talk video) by Anthony Vance | |
| | Wed | 10/16 | | | | Homework 6 |
| | Thu | 10/17 | 14 | Mobile permissions | How to Ask For Permission by Adrienne Porter Felt et al. | |
| 8 | Tue | 10/22 | 15 | Web tracking | Is Your Smartphone Secretly Listening to You? from Consumer Reports | |
| | Thu | 10/24 | 16 | Tracking ecosystem | The Global Surveillance Free-for-All in Mobile Ad Data by Brian Krebs | |
| | Fri | 10/25 | | | | Homework 7 |
| 9 | Tue | 10/29 | 17 | Notice & choice; Deceptive design | | |
| | Thu | 10/31 | 18 | Election security | Elections, Technology, and Trust in 2024 and Beyond (talk) by Matt Blaze | |
| | Fri | 11/1 | | | | Homework 8 |
| | Sun | 11/3 | | | | Project: background |
| 10 | Tue | 11/5 | | Election day | | |
| | Thu | 11/7 | 19 | Privacy in social media | I tweet honestly, I tweet passionately: Twitter users, context collapse, and the imagined audience by Alice Marwick and danah boyd | |
| | Fri | 11/8 | | | | Homework 9 |
| 11 | Tue | 11/12 | 20 | Contextual Integrity | Contextual Integrity, Explained | |
| | Thu | 11/14 | 21 | Contextual Integrity, continued | | |
| | Fri | 11/15 | | | | Homework 10 |
| 12 | Tue | 11/19 | 22 | Software developers and security professionals | | |
| | Thu | 11/21 | 23 | Privacy-enhancing technologies | Review of Roberts, Censored: Distraction and Diversion Inside China’s Great Firewall | |
| | Fri | 11/22 | | | | Homework 11 |
| | Sun | 11/24 | | | | Project: artifact |
| 13 | Tue | 11/26 | 24 | Vulnerable populations | | |
| | Thu | 11/28 | | Thanksgiving | | |
| 14 | Tue | 12/3 | 25 | Project presentations | | Project: presentation |
| | Thu | 12/5 | 26 | Project presentations | | |
| | Fri | 12/6 | | | | Homework 12 |
| 15 | Tue | 12/10 | 27 | Reflections on trusting trust | Reflections on trusting trust by Ken Thompson | |
| | Thu | 12/12 | | Reading day (no class) | | |
| | Fri | 12/13 | | | | Project: report |
| 16 | Tue | 12/17 | | Final exam 2:30PM-5:00PM @ CKB 341 | | |
| | Thu | 12/19 | | | | |

Footnotes

  1. Access this article through this link if you are on campus, using the VPN, or after authenticating with your NJIT credentials. Or you can use the free WSJ subscription NJIT provides.