Conducting Usable Security Studies: It's Complicated
Lorrie Faith Cranor, Carnegie Mellon University
User studies are critical to understanding how users perceive and interact with security and privacy software and features. However, conducting usable privacy and security studies is complicated. In some studies, researchers recruit participants to perform tasks not directly related to security so that they can observe how participants respond to security-related prompts or cues that occur while users are focused on primary tasks. Researchers also try to put users in situations where they believe their security or privacy is at risk, while at the same time making sure that participants will not actually suffer harm. When conducting usable security studies there are a lot of methodological details to get right, and studies don't always go quite as planned. In this talk I will offer a behind-the-scenes look at usable privacy and security study design and present lessons learned from over a decade of user studies at the CyLab Usable Privacy and Security Lab at Carnegie Mellon University.
Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. Cranor has authored over 150 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine, and in 2014 she was named an ACM Fellow for her contributions to usable privacy and security research and education. She was previously a researcher at AT&T Labs Research and taught in the Stern School of Business at New York University. In 2012–13, Cranor spent her sabbatical year as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University, where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.
author = {Lorrie Faith Cranor},
title = {Conducting Usable Security Studies: It{\textquoteright}s Complicated},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = aug
}