Usable Privacy and Security
05-436 / 05-836 / 17-334 / 17-734 / 19-534 / 19-734
Spring 2024 - available online at
Mondays and Wednesdays 2-3:20 pm
Hamerschlag Hall HH B103
Professor Lorrie Cranor
pronouns: she/her (Feel free to address me as Professor Cranor, Dr. Cranor, or Lorrie)
Office hours: I don't have set office hours, but I do encourage you to contact me via email for in-person or Zoom appointments! I can often arrange a meeting the same day or the next business day. Generally I will schedule meetings between 8:30 am and 5 pm on weekdays in my office in CIC 2107.
Professor Yuvraj Agarwal
pronouns: he/him (Feel free to address me as Professor Agarwal, Dr. Agarwal, or Yuvraj)
Office hours: Fridays 1pm - 2pm, TCS 327.
Elijah Bouma-Sims, teaching assistant
pronouns: he/him
Office hours: Wednesdays 10AM to 11:30AM (First office hours on 1/24, No OH on any university holidays) at CIC 2206 or by Zoom. Please let me know ahead of time if you plan to join office hours on Zoom. In-person students do not have to let me know in advance. I have limited availability outside of my office hours. Contact me to set up a meeting at a different time.
OH Zoom:
Andrea ("Andy") Gallardo, teaching assistant
pronouns: she/her
Office hours: Monday 10:00-11:00AM on Zoom (except for 2/19 and any university holidays)
Andy's OH Zoom:
Meeting ID: 935 9743 3413
Passcode: 630075
Sudershan Boovaraghavan, teaching assistant
pronouns: he/him/his
Office hours: Fridays 11:00AM-Noon at TCS 235 or by Zoom. Please let me know ahead of time if you plan to join office hours on Zoom.
Sudershan's OH Zoom:
Meeting ID: 927 3192 6110
Passcode: 734576
Project consultant: Mandy Lanyon
pronouns: she/her
Mandy will consult on projects and assist with IRB forms and human subject payments; please email her for assistance. IRB reviews and Project funding
Email response times: We are generally available by email 9am-5pm Monday-Friday (Pittsburgh time) and respond quickly during those times. If you email after 5pm, or on the weekend, you might not get a response until the next working day.
We will be using Piazza for class discussion. Rather than emailing questions about the homework and exams to the professor and TA, we encourage you to post your questions on Piazza. You may also post links to relevant articles and papers in Piazza for your classmates to see. Use the Piazza menu in Canvas to access our class Piazza discussions.
We also have a class Slack. This is optional to join, and Piazza and email will still be preferable for any important questions directed at the instructor or TAs. However, this is a great place to discuss things with other students, post interesting links about topics relevant to the class, find group members for group homework, and so forth. You can join using this link: Usable Privacy and Security Slack
Course Description
There is growing recognition that technology alone will not provide all of the solutions to security and privacy problems. Human factors play an essential role in these areas, and it is important for security and privacy experts to have an understanding of how people will interact with the systems they develop. This course is designed to introduce students to a variety of usability and user-interface problems related to privacy and security and to give them experience in understanding and designing studies aimed at helping to evaluate usability issues in security and privacy systems. The course is suitable both for students interested in privacy and security who would like to learn more about usability, as well as for students interested in usability who would like to learn more about security and privacy. All students will work in small teams on a group project throughout the semester.
The course is open to all students who have at least some technical background (e.g. an undergraduate computer programming course). The 12-unit course numbers (17-734, 5-836, 19-734) are for PhD students and masters students (but open to undergrads). Students enrolled in these course numbers will be required to read and comment on a research paper each week in addition to the other assignments. The 9-unit course numbers (8-534, 5-436, 19-534) are for undergraduates and masters students.
Course goals
- Gain an appreciation for the importance of usability within security and privacy
- Learn about current research in usable privacy and security
- Learn how to conduct usability studies
- Learn how to critically examine UPS studies
How this course fits into various programs
This course is required for the Privacy Engineering masters program. It can count as an elective in many other undergraduate and graduate programs.
Undergraduate Concentration in Security and Privacy. This course is part of the undergraduate concentration in security and privacy in both Computer Science and in Electrical & Computer Engineering. In particular, this course satisfies the "Context Course Area" requirement of the concentration.
Undergraduate minor in Information Security, Privacy, and Policy. This course is part of the Undergraduate Minor in Information Security, Privacy, and Policy for undergraduate students across the university who are interested in policy issues related to security and privacy. This course can satisfy the privacy elective or additional approved elective requirement.
Interested in learning more about usable privacy and security beyond this course?
Students in this course may also be interested in joining the CyLab Usable Privacy and Security Lab (CUPS) mailing list to get seminar announcements and discussion.
If you are interested in doing more usable privacy and security research after taking this course, please talk to the professor. The CUPS Lab often has opportunities for students to do research for course credit or pay, during the academic year and over the summer. In addition, the professor is happy to talk about graduate programs you might consider.
Course Schedule
See course schedule below. Note, schedule is subject to change. Canvas will have the most up-to-date version. Homework assignments will usually be posted on the day the previous assignment is due.
Lecture slides will be posted in the Files menu (see link on left) following each lecture.
Course Requirements and Grading
Your final grade in this course will be based on:
- 5% Class participation
- 15% Quizzes (22 assigned, 3 lowest dropped)
- 30% Homework assignments (7+IRB training, all required, 100 points each)
- 12-unit students only: Additional reading commentaries (12 assigned, 2 lowest dropped, 30 points each)
- 20% Exams (2)
- 30% Project (many components)
We have set up deadlines for all graded elements in the course and have set policies to help keep students accountable for meeting these deadlines and not getting behind. However, our goal is for everyone to do well in the course and we want to help you succeed. If you have been granted accommodations by the Office of Disability Resources that are relevant to this class, please bring those to our attention as soon as possible. If a health or personal issue should arise during the semester that will prevent you from meeting deadlines or attending class for an extended period, please let us know so we can work out alternative deadlines or make other adjustments.
Regrade requests must be submitted within one week of an assignment being graded. Please refrain from requesting regrades unless you believe there is a major problem with the way your assignment was graded. Do not haggle with the TAs over the amount of partial credit awarded. We reserve the right to regrade the entire assignment (which may cause you to lose points) or deny all subsequent regrade requests from students who abuse the regrade mechanism.
See below for more information about how late work and deadline extensions will be handled for different assignment types.
Students are expected to complete the assigned reading prior to class so that they can participate fully in class discussions.
Where to find readings
Readings will be assigned from the following text (available for purchase from all the usual online book stores, and free of charge in ebook form via the CMU library):
- Research Methods in Human-Computer Interaction, 2nd edition. Jonathan Lazar, Jinjuan Heidi Feng, Harry Hochheiser, 2017.
Additional readings will be assigned from papers available online. In cases where a subscription is required for access, access should be available for free when you are coming from a CMU IP address (on campus or using CMU EZproxy or library VPN).
To verify that students have completed the assigned reading prior to class, students will be asked to take a 5-minute quiz on Canvas before class. The quizzes will cover major points of the readings, including methods, findings, high-level takeaways, and recommendations. You are expected to do the quiz independently and not consult with other people or any materials other than the assigned readings. You are also not permitted to request information from an AI assistant or to use an AI assistant to help answer quiz questions. The quizzes for the week will be available on Canvas at least three days in advance and up to the start of class. You will have 5 minutes to take the quiz from the time you begin.
Your three lowest quiz grades will be dropped. Generally, makeup quizzes will not be offered except in the case of prolonged absence. If extenuating circumstances cause you to miss multiple quizzes, please contact us to arrange for accommodations.
Reading Commentaries
Students taking the 12-unit version of this course are expected to read and submit commentaries on one additional research paper that describes a user study each week, selected from the research papers listed under "additional readings" for the lectures that week (occasionally there are additional readings listed that are news articles, videos, or materials other than research papers: these do not count). When no additional readings are listed for a given lecture you may choose any research paper from the additional readings list for any of this course's lectures.
These reading commentaries should consist of a short summary (3-7 sentences), a "highlight" (3-5 sentences) showcasing critical thinking about the study, and a completed UPS user study template (see links in reading commentary assignment). Please keep your reading commentaries short (but insightful) and make sure you also include a complete bibliographic citation for each paper. Commentaries should be submitted in PDF format via Canvas by the deadline specified.
9-unit students are encouraged to review some of the additional readings that they find interesting, but they need not submit commentaries.
Reading commentaries are due every Wednesday from the second week of classes through the second-to-last week of classes, excluding spring break (12 commentaries total).
Your two lowest reading commentary grades will be dropped. If you need an extension on a reading commentary, please submit an extension request via this form. Please submit this before the deadline (unless there is an emergency that makes this impossible). If you ask for multiple extensions (two in a row, or three total), we may reach out to discuss the situation further and explore possible solutions. You will not be penalized for requesting extensions, but we do not want work to pile up in a way that becomes unmanageable.
This course includes seven homework assignments. All homework is to be submitted in PDF format via Gradescope and is due at 2 pm on the due date, unless specified otherwise.
No homework grades will be dropped. If you need an extension on a homework, please submit an extension request via this form. Please submit this before the homework deadline (unless there is an emergency that makes this impossible). If you ask for extensions on multiple homework assignments (two in a row, or three total), we may reach out to discuss the situation further and explore possible solutions. You will not be penalized for requesting extensions, but we do not want work to pile up in a way that becomes unmanageable.
We will hold two in-class exams that are weighted equally in your final grade. The second exam will be scheduled during the final exam period. These exams will be centered around designing experiments, interpreting results, and analyzing research claims related to usable privacy and security. In essence, performing well on these exams will require that you apply the skills you learn in this course, rather than remembering trivia. However, you will be expected to remember and understand key terms and definitions discussed in class. The best way to prepare for these exams is to critically read all of the assigned readings for the course and to be an engaged participant in class discussions throughout the semester. Then review the course slides prior to each exam. Example questions from past exams (without answers) will be made available to all students. You will be permitted to use course notes, readings, and other written materials during the exams, but you must not request, give, or receive help from your classmates or anyone other than the course instructor and TAs. You are also not permitted to request information from an AI assistant or to use an AI assistant to help answer exam questions.
In the event of an extenuating circumstance that prevents you from completing an exam as scheduled, please contact the instructor as soon as possible. Students who need disability-related exam accommodations should contact the instructor early in the semester to make arrangements.
Students will work on semester projects in small groups that include students with a variety of areas of expertise. A choice of projects will be provided, and students will be given an opportunity to indicate their preferences before projects are assigned. Students who have their own ideas for projects should discuss them with the instructors early in the semester (no later than February 1). As part of the project, students will:
- Return their project preference form by February 7 so that they can be assigned to a project team by February 12.
- Submit a brief project proposal with their team by February 28. Detailed instructions are in the project proposal assignment.
- Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible, and no later than March 20. Include the professor, project consultant, and any mentors you are working with as co-PIs and send them a draft by March 13 to get their feedback.
- Design all questionnaires, scripts, scenarios, interview protocols, etc. necessary to carry out the user study.
- Develop any prototypes necessary to carry out the user study.
- Pilot test the user study protocol on at least two people (can be members of the class from other project groups) and refine it based on these tests.
- Submit a progress report by April 1. Detailed instructions are in the progress report assignment.
- Attend a meeting to get feedback on your progress report on April 3.
- Conduct a study using the revised protocol with at least 8 participants (or at least 30 if this is a survey). Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 8 participants, likely this will be useful mostly as a pilot study and should be positioned as such in your paper.
- Give a final project presentation in class on April 22 or April 24 and submit the slides online on April 22. Instructions for final presentation may be adjusted based on number of project teams.
- Write a final project report and submit it by 11:59 pm on Friday, May 3. Detailed instructions are in the final project report assignment. Your final paper should be written using the SOUPS 2024 template in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written.
- Submit a peer/self evaluation on February 28, April 1, and May 6. Submitting these evaluations is required in order to receive your grade for this class.
The final paper will count for 80% of your project grade. The other project deliverables will collectively count for the remaining 20% of your project grade. If your project team is having trouble at any stage, please contact us for help!
Students are encouraged to submit their project as a poster to the 2024 Symposium On Usable Privacy and Security, and/or as a full paper to another conference. A paper submission will likely require additional work after the end of the semester. Submitting a poster requires a 2-page abstract. We will provide funds for one student from each project team to attend the SOUPS conference if their paper or poster is accepted. In addition, the conference itself makes scholarships available for students to attend, so please apply for these if you want to attend!
Class participation
All students except those registered for the remote (B) sections are expected to regularly attend class in person, arrive on time, and participate in class activities and discussions. Random check-ins will be given in order to spot-check class attendance and participation. If you are in class at the time of a random check-in, you will be asked to log in to Canvas and answer a question whose answer has just been revealed in class. In-class students are prohibited from sharing the check-in answer with students not physically in class -- this will be considered an academic integrity violation and handled accordingly. Generally, there will not be any opportunity to make up missed class participation grades. However, students with extenuating circumstances leading to frequent absences should contact the instructor for accommodation.
Remote students
Remote students are those students who have been approved for remote attendance and registered for the B section of this course. Those students are strongly encouraged to attend synchronously over Zoom, but may alternatively watch the recorded course lectures within 24 hours after each course session. Zoom links and recordings are available through the Zoom menu on Canvas. Remote students are expected to work on class activities on their own and will be asked to submit evidence of their remote work for their class participation grade within 48 hours of class (e.g. you might be asked to submit ideas you brainstormed in response to a class discussion prompt; these will not be graded but you will be given credit for participating in the activity).
All other students are expected to attend class in person unless they are ill, traveling, etc. In the event of an occasional absence, in-person students may attend class remotely or review recorded lectures. This should NOT be a regular occurrence (and in-person students will not be given the opportunity to receive class participation credit remotely except in exceptional circumstances).
The recorded lectures are available to all students as a study aid.
Group Work
This course involves a large group project as well as some homework assignments that may optionally be completed in a small group. It is important that all members of a group participate fully. If there are circumstances that are going to make your participation in a group difficult, please bring them to our attention as soon as possible. Once groups are set up, if your group is experiencing difficulties working together and would like assistance in working them out, please let us know.
Collaboration and Academic Integrity Policy
You are permitted to talk to the instructor, TA, or to anyone else about any of the homework assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write out their own solutions to the homework unless collaboration is explicitly authorized as part of the assignment. Consulting another student's solution or a solution found on the Internet or generated by an AI tool is prohibited, and submitted solutions may not be copied from any source. These and any other form of collaboration on assignments constitute cheating. Any form of collaboration is strictly prohibited on the exams and quizzes and is considered cheating. If you have any question about whether some activity would constitute cheating, please ask.
You must cite any sources you use to prepare all homework and project-related assignments using an inline reference (number or author name and date in parentheses or a footnote) and an accompanying full citation (not just a URL). This includes papers, news articles, textbook chapters (including the assigned reading), videos, and any other sources that you quote or use ideas from. If you consult with any sort of AI assistant you must cite that as your source. You are permitted to use an AI assistant to gather or analyze information or to improve your writing for homework assignments and projects, but you should use it with extreme caution. You are NOT permitted to use an AI assistant in any way for quizzes and exams.
Cheating may result in failure of the course, and the university administration will be notified of all cheating incidents per the appropriate procedures. Simply stated, feel free to discuss problems with each other, but do not cheat. It is not worth it, and you will get caught. In addition to the above, please also review fully and carefully Carnegie Mellon University's policies regarding Academic Integrity at and
Treat People With Respect
We are diverse in many ways, and this diversity is fundamental to building and maintaining an equitable and inclusive campus community. Diversity can refer to multiple ways that we identify ourselves, including but not limited to race, color, national origin, language, sex, disability, age, sexual orientation, gender identity, religion, creed, ancestry, belief, veteran status, or genetic information. Each of these diverse identities, along with many others not mentioned here, shapes the perspectives our students, faculty, and staff bring to our campus. At CMU we work to promote diversity, equity and inclusion not only because diversity fuels excellence and innovation, but because we want to pursue justice. We acknowledge our imperfections while we also fully commit to the work, inside and outside of our classrooms, of building and sustaining a campus community that increasingly embraces these core values. Each of us is responsible for creating a safer, more inclusive environment. Please let us know ways to improve the effectiveness of the course for you personally or for other students or student groups.
Unfortunately, incidents of bias or discrimination do occur, whether intentional or unintentional. They contribute to creating an unwelcoming environment for individuals and groups at the university. Therefore, the university encourages anyone who experiences or observes unfair or hostile treatment on the basis of identity to speak out for justice and support, within the moment of the incident or after the incident has passed. The university has also set up channels for reporting bias incidents.
Take Care of Yourself and Ask for Help
Take care of yourself. Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress. All of us benefit from support during times of struggle. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is almost always helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help. If you have questions about this or your coursework, or if there is anything else we can do to help you, please let us know. Thank you, and have a great semester!
