CS 6204 - Fall 2009

CS 6204 - Usable Security
Fall, 2009

The "Readings" shown for each topic are required. The "References" are optional resources for further study.

1. Introduction
August 25	Topic: Course and topic overview (PDF, PPT) Readings Weiser, M., The Computer for the 21st Century. Scientific American, 1991. 265(3): p. 94-104. Reprinted in: SIGMOBILE Mob. Comput. Commun. Rev. 3, 3 (Jul. 1999), 3-11. Computer Research Association (CRA), 2003. Four Grand Challenges in Trustworthy Computing, CRA Conference on Grand Research Challenges in Information Security and Assurance, Airlie House, Warrenton, Virginia, November 16–19, 2003. Berners-Lee, T. Hendler, J., and Lassila, O., The Semantic Web, Scientific American, May 2001. Schilit,B.N., N.I. Adams, and R. Want, Context-aware Computing Applications, in Workshop on Mobile Computing Systems and Applications. 1994, IEEE Computer Society: Santa Cruz, CA, USA p. 85-90. References
August 27	Topics: Usability Studies (PDF, PPT) Description of possible term projects -Denis Gracanin: (PDF, PPT) Readings Whitten, A. and J.D. Tygar, Why Johnny can't encrypt: a usability evaluation of PGP 5.0, in Proceedings of the 8th conference on USENIX Security Symposium - Volume 8. 1999, USENIX Association: Washington, D.C. Garfinkel, S.L. and R.C. Miller, Johnny 2: a user test of key continuity management with S/MIME and Outlook Express, in Proceedings of the 2005 Symposium on Usable Privacy and Security. 2005, ACM: Pittsburgh, Pennsylvania. References Good, N.S. and A. Krekelberg, Usability and privacy: a study of Kazaa P2P file-sharing, in Proceedings of the SIGCHI conference on Human factors in computing systems. 2003, ACM: Ft. Lauderdale, Florida, USA.
September 1	Topics: Designing for Privacy: Human Factors and System's Engineering (PDF, PPT) Description of possible term project (Laurian Vega) (PDF, Project Handout) Readings Adams, A. and M.A. Sasse, Users are not the enemy. Communications of the ACM, 1999. 42(12): p. 40-46. Spiekermann, S. and L.F. Cranor, Engineering Privacy. IEEE Transactions on Software Engineering, 2009. 35(1): p. 67-82. References
September 3	Topic: Privacy in an Interactive and Ubiquitous World (PDF, PPT) Description of possible term project: slides (PPT, PDF), short paper (PDF) Additional information on SecurePlace projects (PPT, PDF) Readings Iachello, G. and J. Hong, End-user privacy in human-computer interaction. Foundations and Trends in Human-Computer Interaction, 2007. 1(1): p. 1-137. (pages 18-34 only required for class) Bohn, J.C., V. Langheinrich, M. Mattern, F. Rohs, M., Living in a World of Smart Everyday Objects-Social, Economic, and Ethical Implications. Human And Ecological Risk Assessment, 2004. 10(5): p. 763-786. References
2. Web Privacy and Security
September 8	Topic: Privacy Preferences (PDF, PPTX) Description of possible term project: slides (PPT, PDF) Readings Cranor, L.F., Introduction to P3P, in Web Privacy with P3P. 2002, O'Reilly and Associates. p. 3-11. Cranor, L. F., Guduru, P., and Arjula, M. 2006. User interfaces for privacy agents. ACM Trans. Comput.-Hum. Interact. 13, 2 (Jun. 2006), 135-178.
September 10	Topic: Policy Authoring (PDF, PPT) Readings Brodie, C., Karat, C., Karat, J., and Feng, J. 2005. Usable security and privacy: a case study of developing privacy management tools. In Proceedings of the 2005 Symposium on Usable Privacy and Security Pittsburgh, Pennsylvania, July 06 - 08, 2005). SOUPS '05, vol. 93. ACM, New York, NY, 35-43. Brodie,C.A., C.-M. Karat, and J. Karat, An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench, in Proceedings of the second Symposium on Usable Privacy and Security. 2006, ACM: Pittsburgh, Pennsylvania.
September15	Topic: Privacy and Trust/Frameworks and Systems Policy Framework (PDF, PPT) PRIME (PDF, PPT) Readings Karat, J., et al., A Policy Framework for Security and Privacy Management. IBM Journal of Research and Development, To Appear. p. 25. Andersson, C., et al., Trust in PRIME, in 2005 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2005). 2005, IEEE: Athens, Greece. p. 552-559.
September 17	Topic: Automatic Trust Negotiation (PDF, PPTX) Readings De Coi, J. L. and Olmedilla, D. 2007. A Flexible Policy-Driven Trust Negotiation Model. In Proceedings of the 2007 IEEE/WIC/ACM international Conference on intelligent Agent Technology (November 02 - 05, 2007). IAT. IEEE Computer Society, Washington, DC, 450-453. Gavriloaie, R., et al., No registration needed: How to use declarative policies and negotiation to access sensitive resources on the semantic web, in 1st European Semantic Web Symposium (ESWS 2004). 2004: Heraklion, Greece. p. 342-356. References Bonatti, P. and Samarati, P. 2000. Regulating service access and information release on the Web. In Proceedings of the 7th ACM Conference on Computer and Communications Security (Athens, Greece, November 01 - 04, 2000). P. Samarati, Ed. CCS '00. ACM, New York, NY, 134-143. Bonatti, P.A. and D. Olmedilla, Driving and monitoring provisional trust negotiation with metapolicies, in 6th IEEE Policies for Distributed Systems and Networks (POLICY 2005). 2005, IEEE Computer Society: Stockholm, Sweden. p. 14-23.
September 22 September 24	Topic: Semantic Web Foundation (PDF, PPT) Semantic Web Reasoning (PDF, Handout) Readings Nardi, Daniele and Brachman, Ronald, J., "An Introduction to Description Logics," in The Description Logic Handbook: Theory, Implementation, and Applications, F. Baader, et al., Editors. 2003, Cambridge University Press: Cambridge, UK. (key material: pages 5-27) Baader, F. and W. Nutt, Basic Description Logics, in The Description Logic Handbook: Theory, Implementation, and Applications, F. Baader, et al., Editors. 2003, Cambridge University Press: Cambridge, UK. (key material: pages 47-74). Donini, F., et al., Reasoning in description logics, in Foundation of Knowledge Representation, G. Brewka, Editor. 1996, CSLI-Publications. (key material: pages 1-17).
September 29	Topic: Semantic web standards Presentation 1 (PDF, PPT) Presentation 2 (PDF, PPT) Readings Chowdhury, M.M.R.; Noll, J.; Gomez, J.M., Enabling Access Control and Privacy through Ontology, 4th International Conference on Innovations in Information Technology (Innovations '07), 18-20 Nov. 2007 Page(s):168 - 172 Avanes, A.; Freytag, J.-C.; Bornhovd, C., Distributed Service Deployment in Mobile Ad-Hoc Networks, Fourth Annual International Conference on Mobile and Ubiquitous Systems: Networking & Services (MobiQuitous 2007), 6-10 Aug. 2007 Page(s):1 - 8 Zilora, S.J., and S.S. Ketha, Thinking inside the box! optimizing web services performance today, IEEE Communications Magazine, 46(3), March 2008, p. 112-117.
October 1	Topic: Semantic web policy systems (PDF, PPT) Presentation 1 (PDF, PPT) Presentation 2 (PDF, PPT) Readings L. Kagal, T. Berners-Lee, D. Connolly, D. Weitzner, Using semantic web technologies for open policy management on the web, in: 21st National Conference on Artificial Intelligence (AAAI 2006), 2006. Rao, J., Sardinha, A., and Sadeh, N. 2009. A meta-control architecture for orchestrating policy enforcement across heterogeneous information sources. Web Semant. 7, 1 (Jan. 2009), 40-56.
3. Ubiquitous Systems
October 6 October 8	Topic: Smart phones Presentation 1 (PDF, PPTX) Presentation 2 (PDF, PPT) Readings Bauer, L., Cranor, L. F., Reiter, M. K., and Vaniea, K. 2007. Lessons learned from the deployment of a smartphone-based access-control system. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 18 - 20, 2007). SOUPS '07, vol. 229. ACM, New York, NY, 64-75. L. Bauer, S.Garriss, J. M. McCune, M. K. Reiter, J. Rouse, and P. Rutenbar. Device-enabled authorization in the Grey system. in 8th Information Security Conference. 2005. Singapore: Springer Verlag LNCS. Bauer, L., Cranor, L. F., Reeder, R., Reiter, M. K., and Vaniea, K. 2008. A user study of policy creation in a flexible access-control system. In Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems (Florence, Italy, April 05 - 10, 2008). CHI '08. ACM, New York, NY, 543-552. J. M. McCune, A.P., and M. K. Reiter, Seeing-is-believing: Using camera phones for human-verifiable authentication, in 2005 IEEE Symposium on Security and Privacy. 2005.
October 15	Topic: Principles of context-aware systems (PDF, PPT) Readings Baldauf, M., S. Dustdar, and F. Rosenberg, A Survey On Context-Aware Systems. International Journal of Ad Hoc and Ubiquitous Computing, 2007. 2(4): p. 263-277. Dey, A.K., G.D. Abowd, and D. Salber, A conceptual framework and a toolkit for supporting the rapid prototyping of context-aware applications. Hum.-Comput. Interact., 2001. 16(2): p. 97-166. Dey, A. and G.D. Abowd, Towards a better understanding of context and context-awareness, in Proceedings of the Workshop on the What, Who, Where, When and How of Context-Awareness. 2000, ACM Press.
October 22	Topic: Context-aware toolkits (PDF, PPT) Readings Salber, D., Dey, A. K., and Abowd, G. D. 1999. The context toolkit: aiding the development of context-enabled applications. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems: the CHI Is the Limit (Pittsburgh, Pennsylvania, United States, May 15 - 20, 1999). CHI '99. ACM, New York, NY, 434-441. Sousa, J. P. and Garlan, D. 2002. Aura: an Architectural Framework for User Mobility in Ubiquitous Computing Environments. In Proceedings of the IFIP 17th World Computer Congress - Tc2 Stream / 3rd IEEE/IFIP Conference on Software Architecture: System Design, Development and Maintenance (August 25 - 30, 2002). J. Bosch, W. M. Gentleman, C. Hofmeister, and J. Kuusela, Eds. IFIP Conference Proceedings, vol. 224. Kluwer B.V., Deventer, The Netherlands, 29-43.
October 27	Topic: Location disclosure (PDF, PPT) Readings Sadeh, N., J. Hong, L. Cranor, I. Fette, P. Kelley, M. Prabaker, J. Rao, Understanding and capturing people's privacy policies in a mobile social networking application. Personal and Ubiquitous Computing, 2009. 13(6): p. 401-412. Iachello, G., et al., Developing privacy guidelines for social location disclosure applications and services, in Proceedings of the 2005 Symposium on Usable Privacy and Security. 2005, ACM: Pittsburgh, Pennsylvania. References Cornwell, J.; Fette, I.; Hsieh, G.; Prabaker, M.; Rao, J.; Tang, K.; Vaniea, K.; Bauer, L.; Cranor, L.; Hong, J.; McLaren, B.; Reiter, M.; Sadeh, N., "User-Controllable Security and Privacy for Pervasive Computing," Eighth IEEE Workshop on Mobile Computing Systems and Applications, 2007. HotMobile 2007. pp.14-19, 8-9 March 2007 Fabien L. Gandon and Norman M. Sadeh, Semantic web technologies to reconcile privacy and context awareness, Web Semantics J. 1 (3) (2004).
October 29	Topic: Medical applications (PDF, PPT) Readings Bardram, J. E. 2004. Applications of context-aware computing in hospital work: examples and design principles. In Proceedings of the 2004 ACM Symposium on Applied Computing (Nicosia, Cyprus, March 14 - 17, 2004). SAC '04. ACM, New York, NY, 1574-1579. Bardram, Jakob, E., Security in Context - Lessons Learned from Security Studies in Hospitals, In Proceedings of the CHI 2007 Workshop on Security User Studies: Methodologies and Best Practices, Jan Jose, California, USA, April 28, 2007, 4 pages. Bardram, J.E., R.E. Kjær, and M.Ø. Pedersen, Context-Aware User Authentication – Supporting Proximity-Based Login in Pervasive Computing, in Proceedings of Ubicomp 2003: Ubiquitous Computing, A. Dey, J. McCarthy, and A. Schmidt, Editors. 2003, Springer, Lecture Notes in Computer Science,: Seattle, Washington, USA. p. 107-123. References Choudhri, A., Kagal, L, Joshi, A., Finin, T. and Yesha, Y., PatientService: Electronic Patient Record Redaction and Delivery in Pervasive Enviornments, in Fifth IEEE International Workshop on Enterprise Networking and Computing in Health Care (Healthcom 2003). Santa Monica, CA, USA, June 5-6, 2003. p. 41-47. Munõz, M.A., Gonzalez, V.M., Rodriguez, M. and Fa vela, J. (2003) ‘Supporting context-aware collaboration in a hospital: an ethnographic informed design’, Proceedings of Workshop on Artificial Intelligence, Information Access, and Mobile Computing, 9th International Workshop on Groupware, CRIWG 2003, Grenoble, France, pp.330–334.
4. Privacy and Trust
November 3	Topic: Multimedia communication (PDF, PPT) Readings Adams, A. 1999. Users' perception of privacy in multimedia communication. In CHI '99 Extended Abstracts on Human Factors in Computing Systems, (Pittsburgh, Pennsylvania, May 15 - 20, 1999). CHI '99. ACM, New York, NY, 53-54. Adams, A. and A. Sasse, Privacy in Multimedia Communications: Protecting Users, Not Just Data, in People and computers XV - Interaction without frontiers, Joint Proceedings of HCI2001 and ICM2001, A. Blandford, J. Vanderedonkt, and P. Gray, Editors. 2001, Springer: Lille. p. 49-64.
November 5	Topic: Context and Place - Part 1 (PDF, PPT) Readings Dourish, P. 2001. Seeking a foundation for context-aware computing. Human-Computer Interaction, 16, 2 (Dec. 2001), 229-241. Dourish, P. 2004. What we talk about when we talk about context. Personal Ubiquitous Comput. 8, 1 (Feb. 2004), 19-30. Harrison, S. and Dourish, P. 1996. Re-place-ing space: the roles of place and space in collaborative systems. In Proceedings of the 1996 ACM Conference on Computer Supported Cooperative Work (Boston, Massachusetts, United States, November 16 - 20, 1996). M. S. Ackerman, Ed. CSCW '96. ACM, New York, NY, 67-76.
November 10	Topic: Context and Place - Part 2 (PDF, PPT) Readings Barth, A.; Datta, A.; Mitchell, J.C.; Nissenbaum, H., "Privacy and contextual integrity: framework and applications," IEEE Symposium on Security and Privacy, Oakland, California, pp. 15, May 21-24, 2006 Nissenbaum, H., Privacy as Contextual Integrity. Washington Law Review, 2004. 79(1): p. 119-158.
November 12	Topic: Social Factors Social Navigation (PDF, PPT) Collective Information Practice (PDF, PPT) Social Representations (PDF) Readings DiGioia, P. and Dourish, P. 2005. Social navigation as a model for usable security. In Proceedings of the 2005 Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 06 - 08, 2005). SOUPS '05, vol. 93. ACM, New York, NY, 101-108. Dourish, P., and Anderson, K., Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena. Human-Computer Interaction, 2006. 21(3) Vaast, E. 2007. Danger is in the eye of the beholders: Social representations of Information Systems security in healthcare. J. Strateg. Inf. Syst. 16, 2 (Jun. 2007), 130-152.
November 17	Topic: Social Factors: Privacy and Trust(PDF, PPT) Social Factors: Information Flows(PDF, PPT) Readings Jiang, X., J.I. Hong, and J.A. Landay, Approximate Information Flows: Socially-Based Modeling of Privacy in Ubiquitous Computing, in Proceedings of the 4th International Conference on Ubiquitous Computing (Ubicomp 2002). 2002, Springer-Verlag: Goumlteborg, Sweden. p. 176-193. Nguyen, D.H. and E.D. Mynatt, Privacy Mirrors: Making Ubicomp Visible, in Human Factors in Computing Systems: CHI 2001 (Workshop on Building the User Experience in Ubiquitous Computing). 2001, ACM Press: Seattle, WA. Palen, L. and Dourish, P. 2003. Unpacking "privacy" for a networked world. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Ft. Lauderdale, Florida, USA, April 05 - 10, 2003). CHI '03. ACM, New York, NY, 129-136.
5. Design
November 19	Topic: Guidelines (PDF, PPT) Readings Bellotti, V. and Sellen, A. 1993. Design for privacy in ubiquitous computing environments. In Proceedings of the Third Conference on European Conference on Computer-Supported Cooperative Work (Milan, Italy, September 13 - 17, 1993). G. de Michelis, C. Simone, and K. Schmidt, Eds. ECSCW. Kluwer Academic Publishers, Norwell, MA, 77-92. Dourish, P., Grinter, E., Delgado de la Flor, J., and Joseph, M. 2004. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Comput. 8, 6 (Nov. 2004), 391-401. M. Langheinrich. Privacy by Design – Principles of Privacy-Aware Ubiquitous Systems. In G. D. Abowd, B. Brumitt, and S. Shafer, editors, Proceedings of Ubicomp 2001: Ubiquitous Computing, Volume 2201 of Lecture Notes in Computer Science, pages 273–291, Atlanta, Georgia, USA, Sept. 2001. Springer Verlag. Lederer, S., et al., Personal privacy through understanding and action: five pitfalls for designers. Personal Ubiquitous Computing, 2004. 8(6): p. 440-454. References Wolf, G. and A. Pfitzmann, Properties of protection goals and their integration into a user interface. Computer Networks, 2000. 32(6): p. 685-699.
November 24	Thanksgiving Week Break No class meeting this week
December 1	Topic: Spatial interfaces (PDF, PPT) Readings Pettersson, J.S., et al., Making PRIME usable, in Proceedings of the 2005 Symposium on Usable Privacy and Security. 2005, ACM: Pittsburgh, Pennsylvania. Bergmann, M., M. Rost, and J.S. Pettersson, Exploring the Feasibility of a Spatial User Interface Paradigm for Privacy-Enhancing Technology, in Advances in Information Systems Development, A. Nilsson, et al., Editors. 2006, Springer. p. 437-448.
December 3	Topic: Visualization (PDF) Readings de Paula, R., Ding, X., Dourish, P., Nies, K., Pillet, B., Redmiles, D. F., Ren, J., Rode, J. A., and Filho, R. S. 2005. In the eye of the beholder: a visualization-based approach to information system security. Int. J. Hum.-Comput. Stud. 63, 1-2 (Jul. 2005), 5-24. Reeder, R. W., Bauer, L., Cranor, L. F., Reiter, M. K., Bacon, K., How, K., and Strong, H. 2008 Expandable Grids for Visualizing and Authoring Computer Security Policies. In Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems (Florence, Italy, April 05 - 10, 2008). CHI '08. ACM, New York, NY, 1473-1482. Rode, J., Johansson, C., DiGioia, P., Filho, R. S., Nies, K., Nguyen, D. H., Ren, J., Dourish, P., and Redmiles, D., Seeing further: extending visualization as a basis for usable security, in Second Symposium on Usable Privacy and Security (SOUPS'06). 2006, ACM: Pittsburgh, Pennsylvania. p. 145-155. References dePaula, R., et al., Two experiences designing for effective security, in Proceedings of the 2005 Symposium on Usable Privacy and Security. 2005, ACM: Pittsburgh, Pennsylvania. p. 25-34.
December 8 December 12 December 15	Topic: Project Presentations To be scheduled.