CSC 491/591

Human-Centered Security

Level:
[Undergrad] [Grad]
Number:
CSC 491, CSC 591
Title:
Human-Centered Security
Format:
In-person, recorded lectures
Credits:
3
Offerings:
2024 Fall, 2026 Spring
Special topics computer security course for advanced undergraduate and graduate students focusing on the concepts and methods of human-centered cybersecurity research.

Overview #

Human-centered security (closely related: Usable Security) is an area of computer science that aims to incorporate human behavior, needs, and interactions into the design and implementation of security systems.

This course covers related topics such as the design, planning, execution, and statistical analysis of research studies. The course meets in person twice a week; attendance is usually not tracked, and lecture recordings are provided on Panopto. The content is primarily delivered through lectures that integrate learning activities. Evaluation of learning progress includes a midterm and a final exam, along with take-home assignments typically due within two weeks.

Connection to Other Courses #

This course is designed to be self-contained and accessible without much prior security knowledge. It approaches security from a human-centered perspective and therefore provides only brief introductions to selected technical topics, focusing instead on how these areas intersect with human challenges in security. For comprehensive coverage of security fundamentals in your academic journey, I would recommend pairing this course with a foundational lecture (such as CSC 474 or CSC 574) taken before, concurrently, or afterward.

Topics #

  1. Introduction: Human-Centered Cyber Security, Key Concepts & Terms, Usable Security, Earlier Research Examples, Foundations, Research Approaches, Quantitative vs. Qualitative, Lab vs. Field Studies, Populations vs. Samples, Intro to Biases
  2. Ethics: Ethical Considerations, Trolley Problems in Security, Guidelines for Security Research, Belmont Report, Menlo Report, Respect for Persons, Beneficence, Justice, Informed Consent, Institutional Review Boards (IRB), Human Subject Research
  3. Experiment Design: Controlled Experiments, Research Questions, Internal Validity, External Validity, Variables, Conditions, Tasks, Group Designs, Counterbalancing, Errors, Bias, Populations, Sampling, Data Scales, Likert Scales, System Usability Scale (SUS), Types of Sampling, Demographics
  4. Data Handling: Data Collection, Preprocessing, De-Identification
  5. Research without Users: Literature Review, Cognitive Walkthrough, Heuristic Evaluation, Model-Based Evaluation
  6. Qualitative Methods: Silent Observation, Think-Alouds, Retrospective Testing, Constructive Interaction, Focus Groups, Interviews, Qualitative Coding, Codebook, Inter-Coder Agreement
  7. Quantitative Methods: Surveys, Piloting, Participant Filtering, Descriptive Statistics, Inferential Statistics, Distributions, Visualization, Correlations, Simpson's Paradox, Multiple Testing, Correction Procedures
  8. Usable Authentication and Passwords: Authentication Methods, Passwords, Policies, Meters, Multi-Factor Authentication
  9. TLS and Email: Alice and Bob, Secure Channels, TLS Warnings, SSL Misconfiguration, HTTPS Warnings, Let's Encrypt, Certbot, State of Email Encryption, Johnny Today
  10. Secure Messaging: Messengers, Secure Messenger Concepts, Infrastructure, Double Ratchet, Key Exchange, Key Transparency, Mental Models
  11. Developer-Centered Security: Motivation, Recruitment, Interviewing Developers, Information Sources, Copy-Paste Code, Secret Leakage, Unsafe Code, Supply Chain Security, Software Bill of Materials, Attack Taxonomy, Confusion Attacks, Malicious Commits, Reproducible Builds, Distribution Attacks, Commercial Frameworks, OpenSSF
  12. Usable Cryptography: Cryptographic Goals, Usability Challenges, Developers and Crypto, Heartbleed, Libraries, Improvements, Constant-Time Crypto, Product Integration, Post-Quantum Crypto
  13. Enterprise Security: Researcher Assumptions, Corporate Recruitment, Software Updates, Risk-Based Authentication, FIDO2 in Enterprises, Vulnerability Prioritization, Cyber Incident Insurance
  14. Human-Centered Security Culture: VPNs, Tor, Institutional VPNs, Commercial VPNs, Endpoint Security, Academic VPNs, User Motivations, Onion Routing, Tor Usability Issues
  15. Phishing: Types, Baiting, SMiShing, Vishing, Business Email Compromise, Spear Phishing, Whaling, Interventions, Training, Simulations
  16. Usable AI Security: CRISP-ML(Q), Threat Models, NIST Taxonomy, Box Attack Concept, Poisoning, Tampering, Prompt Injection, Inference Attacks
  17. Adversarial Machine Learning: AML Mental Models
  18. Usable VR Security: Immersive Technology, VR, HMDs, AR, Continuum, MR, Extended Reality Security, VR Authentication, AR/VR Side-Channel Attacks, Physical Safety
  19. Warnings and Permissions: Link Notifications, Warnings, Permissions, Habituation, Warning Fatigue, C-HIP Model, Human-in-the-Loop Framework, Nudges, MFA Fatigue Attack, Notification Requests, Install-Time Permissions, Runtime Permissions, Rationales