Usable Privacy and Security

Usable Privacy and Security

05-436 / 05-836 / 08-534 / 08-734 / 19-534 / 19-734
Usable Privacy and Security

Spring 2018: GHC 4211, Mondays and Wednesdays 3:00pm-4:20pm

Professor Lorrie Cranor
Office: CIC 2207
Office hours: By appointment

Javed Ramjohn, Teaching Assistant
Office hours: By appointment

While we don't have set office hours, we do encourage you to contact us for appointments. We can often arrange a meeting the same day you contact us. In addition, we are usually available to answer questions after each class. 

This term we will be using Piazza for class discussion. Rather than emailing questions about the homework and exams to the professor and TA, we encourage you to post your questions on Piazza. You may also post links to relevant articles and papers in Piazza for your classmates to see. Find our class page at:

Course Description

There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. Students will also work on a group project throughout the semester. 

The course is open to all students who have technical backgrounds. The 12-unit course numbers (8-734, 5-836, 19-734) are for PhD students and masters students. Students enrolled in these course numbers will have extended homework assignments and will be expected to play a leadership role in a group project that produces a paper suitable for publication. The 9-unit 500-level course numbers (8-534, 5-436, 19-534) are for juniors, seniors, and masters students. 

Course goals

  • Gain an appreciation for the importance of usability within security and privacy
  • Learn about current research in usable privacy and security
  • Learn how to conduct usability studies
  • Learn how to critically examine UPS studies 

Interested in learning more about usable privacy and security beyond this course?

Students in this course may also be interested in joining the CyLab Usable Privacy and Security Lab (CUPS) mailing list to get seminar announcements and discussion.

If you are interested in doing more usable privacy and security research after taking this course, please talk to the professor. The CUPS Lab often has opportunities for students to do research for course credit or pay, during the academic year and over the summer. In addition, the professor is happy to talk about graduate programs you might consider.

Course Schedule

See course schedule below. Note, schedule is subject to change. Canvas will have the most up-to-date version. Homework assignments will usually be posted on the day the previous assignment is due.

Lecture slides will usually be posted in the calendar entry and in the Files menu (see link on left)  following each lecture. 

Course Requirements and Grading

Your final grade in this course will be based on:

  • 20% Readings and Quizzes
  • 30% Homework
  • 20% Exams
  • 30% Project

This class will have no final exam. Final projects presentations will be held on the last day of class. You are required to be present for your group's final presentation.

Readings and Quizzes

Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions. To verify that students have completed the assigned reading, each class will begin with a short quiz. Quizzes will generally be collected at 3:05 pm. The quizzes will cover major points of the readings, including methodological techniques, findings, high-level takeaways, and major recommendations the authors made. Your single lowest quiz grade will be dropped.

If you know you will be absent from class, you may submit summary and highlights for the assigned readings to the TA prior to the start of class. These will be graded and this grade will be used in place of the missed quiz grade. In the event of an emergency situation that prevents you from attending class, please contact the instructor as soon as possible to arrange for an extended deadline for submitting your reading summary and highlights.

Students taking the 12-unit version of this course are expected to do additional readings each week. In some cases, we will specify which extra reading(s) to do. In other cases, we will specify that students can choose from any of the additional readings for the week. All other students are encouraged to review some of the additional readings that they find interesting, but they need not submit summaries or highlights.

Readings will be assigned from the following text (available for purchase from all the usual online book stores, and free of charge in ebook form via the CMU library):

Additional readings will be assigned from papers available online or handed out in class. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or via CMU EZproxy or library VPN).


This course includes nine homework assignments. All homework is to be submitted in PDF format via Canvas and is due at 3:00 pm on the due date, unless specified otherwise. Homework is considered one day late if it is submitted after 3 pm on the due date. You will be penalized 10% for every late day. Your single lowest homework grade will be dropped from your homework average. In extenuating circumstances, please contact the professor to arrange for an extended deadline.

Students taking the 12-unit version of the course will be asked to submit a short summary (3-7 sentences) and a "highlight" for particular readings specified in each homework assignment. The highlight may be something you found particularly interesting or noteworthy, a question you would like to discuss in class, a point you disagree with, etc.


We will hold two in-class exams during the course. These exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. However, you will be expected to remember key terms and definitions discussed in class. The best way to prepare for these exams is to critically read all of the assigned readings for the course and to be an engaged participant in class discussions throughout the semester. Then review the course slides prior to each exam. 


Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructor  early in the semester. As part of the project students will:

  • Return their project preference form by Monday, February 12 so that they can be assigned to a project team by Wednesday, February 14.
  • Submit a brief project proposal (2 to 3 pages) by Wednesday, February 21. The proposal should state your research questions; hypotheses (if any); general type of study (lab, online, interview, survey, etc.); overview of the types of questions and/or tasks, scenarios, etc. that will be included; quantitative metrics and/or qualitative analysis approach; number and type of study participants you plan to recruit and how you will recruit them; study design (between subjects, within subjects); equipment, software, other resources, and/or payments needed and preliminary budget.
  • Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than Monday, March 5. Include the professor, TA, and any mentor you are working with as co-PIs and send them a draft by March 1 to get their feedback.
  • Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
  • Develop any prototypes necessary to carry out the user study.
  • Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
  • Submit a progress report by Monday, March 26. Your progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. Your report should include your research questions and any hypotheses, draft related work section, study methodology, results and lessons learned from your initial pilot study (or any other data collection that you have done already), unresolved issues or challenges, and complete survey or interview questions, scripts, etc.
  • Give a brief (7-10 minutes) progress report presentation on March 26 or 28 and submit the slides online.
  • Conduct a study using the revised protocol with at least 6 subjects (or more if this is not a lab study). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
  • Give a 10-minute final project presentation in class on Monday, April 30 or Wednesday, May 2 and submit the slides online.
  • Write a paper including an abstract, introduction (including research questions), related work, methodology, results, discussion (or lessons learned), references, etc. and submit it by 9 am on Monday, May 10. Your IRB forms, survey forms, etc. should be included as appendices. Papers should follow the SOUPS 2018 technical papers formatting instructions. However, your report for the class need not adhere to the SOUPS page limits and should not be a blind submission; please include the names of the authors for the purposes of the class project. 
  • Submit a peer evaluation by 9 am on Monday, May 10. Submitting a peer evaluation is required in order to receive your grade for this class.

The final paper will count for 80% of your project grade. The other project deliverables will collectively count for the remaining 20% of your project grade. If your project team is having trouble at any stage, please contact the professor for help!

Students are encouraged to submit their project as a poster to the 2018 Symposium On Usable Privacy and Security, and/or as a full paper to SOUPS 2019 or another conference. A paper submission will likely require additional work after the end of the semester. To submit a poster will require submitting a 2-page abstract. Professor Cranor will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted.

Students signed up for the 12-unit version of this course are expected to play a leadership role in a project group that writes a project paper suitable for publication. Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. 

Collaboration Policy

You are permitted to talk to the instructor, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out his or her own solutions to the homework, unless collaboration is explicitly authorized as part of the assignment. Consulting another student's solution or a solution found on the Internet is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and is considered cheating. If you have any question about whether some activity would constitute cheating, please feel free to ask. Cheating on an assignment/exam will result in failure of the course, and the university administration (department, college) will be notified per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Cheating and Plagiarism (; Undergraduate Academic Discipline (; and Graduate Academic Discipline ( In addition to the terms of the Graduate Academic Discipline policy, it is INI and ECE's policy that an INI or an ECE graduate student may not drop a course in which a disciplinary action is assessed or pending without the course instructor's explicit approval.

Take Care of Yourself and Ask for Help

Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:

  • Counseling and Psychological Services (CaPS): 412-268-2922
  • Re:solve Crisis Network: 888-796-8226

If the situation is life threatening, call the police:

  • On campus - CMU Police: 412-268-2323
  • Off campus: 911

Course Summary:

Date Details
CC Attribution Non-Commercial This course content is offered under a CC Attribution Non-Commercial license. Content in this course can be considered under this license unless otherwise noted.