Teaching Usable Privacy and Security

July 14, 2006 by shengx

Moderators: Lorrie Cranor and Jason Hong, CMU

The participants in this breakout session (about 20) were mostly teachers and graduate students. They have either taught or are planning to teach HCI and security courses, and wonder how to combine these two worlds. The students are interested in learning about this course.

Jason started the discussion by giving out information about the course. Here is a brief summary:

Curricula:
The three professors who taught this course come from different backgrounds. Lorrie’s background is in policy and privacy, Jason is a professor in HCI, and Mike taught security at CMU (see http://cups.cs.cmu.edu/courses/ups.html). The students (about 15) also come from diverse backgrounds (HCI, public policy, and computer science).

Course formats:
In the first few lectures, the faculty took turns introducing each of the three disciplines: HCI, privacy, and security.

The rest of the lectures were student-taught. Each student chose a topic from a list given at the beginning of the semester, then prepared a 60-minute lecture and a 15-minute class exercise. The lectures were to cover the required and optional readings; the exercises were to provide an opportunity to practice and explore the issue further.

Readings:
Security and Usability: Designing Secure Systems that People Can Use, by Lorrie Cranor and Simson Garfinkel.

The lectures are organized by research topic. For each topic, a few chapters of the book were assigned as mandatory readings, with additional research papers posted as optional readings.

Assignments and projects:
Students read the assigned reading each week beforehand and wrote a one-paragraph summary and one paragraph of comments, critiques, or questions.

A semester-long group project is also part of the course. The faculty helped students define and refine project ideas. Because of the students' diverse backgrounds, project groups were required to include at least one HCI master's student and 2 Ph.D. students. Students taught each other a lot in the project. Projects generally involved a user study design, a complete IRB application, and pilot/full user tests. All the groups did the pilot user study, and one of them did the full study. The results of their work were submitted to SOUPS as technical papers or posters.

What worked well? 

  • Students felt the breadth of the course was appropriate.
  • Group projects with people from diverse backgrounds helped students learn from each other.
  • Student-prepared lectures and exercises helped students learn.
  • The project provided an opportunity to practice what they learned.

What can be improved?

  • Students struggled most with the HCI part, such as how to do a good user study. One way to improve this is to have small-scale user studies as class assignments.
  • Assigning fewer paper readings but more methodological readings, with associated exercises, might also help.
  • Students also want more lectures. One way to improve this is to have a few more guest lectures. They really enjoyed the guests talking about their studies from behind the scenes (like the SOUPS tutorial on user studies).

Similar courses at other universities:
Rob Miller mentioned that MIT has HCI and security courses. He was wondering if there is any way that the two could somehow be combined. Panelists and participants suggested that requiring students to take both courses, either as a sequence or together, might help. Some incentive, such as a joint project, would also help.

Rachna taught a similar course on usable privacy and security at Harvard this past spring. The class had 15 students and was divided into three parts: 1/3 reading papers (students had to read a paper and post a summary), 1/3 critical evaluation of user studies, and the last 1/3 in-class projects such as performing heuristic evaluation. For more information, please go to http://www.deas.harvard.edu/courses/cs279/.