My research focuses on the human aspects of information technology, especially as they relate to privacy and security. I am interested in the interaction between the social, cultural, psychological, organizational, economic, legal, business, and public policy aspects of privacy and security. These interactions influence technology design decisions that, in turn, shape the possibilities for our social and business interactions. Through a multi-disciplinary approach to privacy and security research, I am working to gain a holistic understanding of privacy and security needs, to develop solutions that address these needs, and to scientifically validate these solutions. My current research clusters around three overlapping areas within the "usable privacy and security" (also known as HCISEC) umbrella: privacy policies, supporting trust decisions, and user-controllable privacy and security.

We have observed three types of approaches to making secure systems more usable. The first approach is to hide the security from the user and build systems that "just work" without requiring user intervention. This approach is quite appealing when it can be made to work, but is sometimes unworkable in practice. It may also leave users completely unprepared to protect themselves in the event that the software they are depending on is unavailable. The second approach is to make security visible, rather than invisible, and to find ways of making it understandable to users. However, users tend not to want to be bothered with security, and making security understandable can be very difficult. The third approach is to educate users about security. This is difficult because most users do not want to spend time learning about security, and they do not have the technical background necessary to understand complicated security concepts. In practice a combination of these approaches is generally needed.
Our usable privacy and security research takes an interdisciplinary approach, relying heavily on empirical user studies to gain insights into users' mental models and to test our hypotheses about how users will behave when interacting with security and privacy software.
Although there are a variety of definitions of privacy, many of them center around the notion of individuals controlling the use and dissemination of their personal information. In order to realize this notion of control, individuals must actively engage in a process in which they first decide what to reveal and under what circumstances, and then take steps to reveal or hide themselves or their information. Although we have become so adept at making such decisions in the physical world that people often do not notice they are making them, in practice many such privacy decisions are uninformed. We often do not have very good information about the privacy consequences of our actions. We're currently working on ways to communicate clearly about privacy with end users and to make privacy policies more useful. We're developing automated tools for providing privacy policy summaries and comparisons. We are also conducting user studies to determine how accessible privacy information impacts behavior.
The Supporting Trust Decisions project aims to develop ways to support Internet users when they make trust decisions, especially in the context of phishing. Our approach is to first reduce the number of situations in which users are called on to make trust decisions through the use of automated detection tools, and second to support users when they must make trust decisions. We are developing several novel approaches to automating phishing email and website detection. When detection cannot be completely automated, we are developing ways to present the unverified results of automated tools to users in meaningful and effective ways, as well as ways to educate users so that they are prepared to make trust decisions on their own. Despite claims by other researchers that anti-phishing education will not work, we have demonstrated that when done well, anti-phishing education can be effective. We are currently developing and testing a system to deliver anti-phishing education as part of users' normal use of email.

USER CONTROLLABLE PRIVACY AND SECURITY

End users are increasingly being asked to configure their computing devices and services to adjust their privacy and security settings; however, managing privacy and security policies can be a daunting task, even for experts. It is difficult for end users to anticipate their security and privacy needs, formulate them into rules, and understand the overall effect of the rules they have put in place. We are working on a series of projects aimed at developing better interfaces for end user privacy and security policy management. For example, we are working to understand how users think about and use a deployed discretionary access control system and develop interfaces to allow end users to manage access control policies for their office doors and other resources. We are also working to develop ways to help users create, maintain, and visualize rules specifying when each of their friends can access information about their location.

Home page: http://lorrie.cranor.org/

CMU Usable Privacy and Security Laboratory (CUPS) website: http://cups.cs.cmu.edu/