EPP Faculty :: Lorrie Faith Cranor

Lorrie Faith Cranor

CyLab Usable Privacy and Security Laboratory
Carnegie Mellon University
5000 Forbes Avenue
CIC 2207
Pittsburgh, PA 15213

Email: lorrie@cs.cmu.edu
Phone: (412) 268-7534
Secretary: Tiffany M. Todd (412) 268-6367

Professor, Computer Science / Engineering and Public Policy; Director, CyLab Usable Privacy and Security Laboratory (CUPS)

Online privacy issues, privacy enhancing technology, usability of privacy and security software, technology policy, social impact of computers.

Education

  • B.S. (Engineering and Public Policy) 1992, Washington University in St. Louis
  • M.S. (Technology and Human Affairs) 1993, Washington University in St. Louis
  • M.S. (Computer Science) 1996, Washington University in St. Louis
  • D.Sc. (Engineering and Policy) 1996, Washington University in St. Louis

Positions Held

  • Associate Professor, Carnegie Mellon, 2008-
  • Associate Research Professor, Carnegie Mellon, 2003-2008
  • Adjunct Assistant Professor of Information Systems, New York University Stern School of Business, 2003

Bio

Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS). She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University.

Research Interests

My research focuses on usable privacy and security. My current projects fall into several overlapping areas: privacy decision making (including applications of P3P), user-controllable security and privacy (including location-sharing privacy and file access control in the home), usable cyber trust indicators, and usable and secure passwords. Prior to coming to CMU I did research on P3P, electronic voting, security vulnerabilities in the movie production and distribution process, and other topics.

Selected Publications

  1. B. Ur, P.G. Leon, L.F. Cranor, R. Shay, and Y. Wang, "Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising", Technical Report CMU-CyLab-12-007, April 2, 2012, SOUPS 2012.
  2. R. Balebako, P.G. Leon, R. Shay, B. Ur, L.F. Cranor, "Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising.", W2SP, 2012.
  3. P.G. Leon, J. Cranshaw, L.F. Cranor, J. Graves, M. Hastak, B. Ur, "What Do Online Behavioral Advertising Disclosures Communicate to Users?", Technical Report CMU-CyLab-12-008, April 2, 2012. WPES, 2012.
  4. L.F. Cranor, "Can Users Control Online Behavioral Advertising Effectively?", IEEE Security & Privacy, March/April 2012 (vol. 10 no. 2), pp. 93-96.
  5. P.G. Leon, B. Ur, R. Balebako, L.F. Cranor, R. Shay, and Y. Wang, "Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising", CHI 2012 [Extended version available as CyLab tech report]
  6. B. Ur, P.G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L.F. Cranor, "How does your password measure up? The effect of strength meters on password creation.", USENIX Security, 2012.
  7. R. Shay, P.G. Kelley, S. Komanduri, M. Mazurek, B. Ur, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, "Correct horse battery staple: Exploring the usability of system-assigned passphrases.", SOUPS, 2012.
  8. Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez, "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms.", IEEE Symposium on Security and Privacy (Oakland), 2012 [CyLab Technical Report cmu-cylab-11-008, August 21, 2011.]
  9. Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman, "Of passwords and people: Measuring the effect of password-composition policies.", In CHI 2011: Conference on Human Factors in Computing Systems, May 2011. CHI 2011 Honorable Mention.
  10. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor, "Crying Wolf: An Empirical Study of SSL Warning Effectiveness.", USENIX Security, 2009.
  11. A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor, "A comparative study of online privacy policies and formats.", Privacy Enhancing Technologies Symposium, 2009.
  12. P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham, "School of Phish: A Real-World Evaluation of Anti-Phishing Training.", SOUPS, 2009.
  13. L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea, "Real life challenges in access-control management.", In CHI 2009: Conference on Human Factors in Computing Systems, pages 899-908, April 2009.
  14. L. Cranor, P. Guduru, and M. Arjula, "User Interfaces for Privacy Agents", ACM Transactions on Computer-Human Interaction, June 2006, pp 135-178.
  15. L. Cranor, "Web Privacy with P3P", Sebastopol, CA: O'Reilly & Associates, Inc, 2002.
  16. J. Gideon, S. Egelman, L. Cranor, and A. Acquisti, "Power Strips, Prophylactics, and Privacy, Oh My!", In Proceedings of the 2006 Symposium On Usable Privacy and Security, Pittsburgh, 12-14 July 2006.
  17. J. Tsai, S. Egelman, L. Cranor, and A. Acquisti, "The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study.", Paper presented at the Workshop on the Economics of Information Security, Pittsburgh, June 7-8, 2007.
  18. L. Cranor, S. Egelman, S. Sheng, A. McDonald, and A. Chowdhury, "P3P Deployment on Websites.", Electronic Commerce Research and Applications, 2008.
  19. S. Egelman, L. Cranor, and J. Hong, "You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings.", CHI 2008.
  20. J. Downs, M. Holbrook, and L. Cranor, "Behavioral Response to Phishing Risk", Proceedings of the 2nd Annual eCrime Researchers Summit, Pittsburgh, PA, October 4-5, 2007, p. 37-44.
  21. P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor and J. Hong, "Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer", Proceedings of the 2nd Annual eCrime Researchers Summit, Pittsburgh, PA, October 4-5, 2007, p. 70-81.
  22. S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge, "Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish.", In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
  23. P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge, "Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System", In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April - May 3, 2007, 905-914
  24. J. Downs, M. Holbrook, and L. Cranor, "Decision Strategies and Susceptibility to Phishing.", In Proceedings of the 2006 Symposium On Usable Privacy and Security, Pittsburgh, PA, 12-14 July 2006.
  25. Y. Zhang, J. Hong, and L. Cranor, "CANTINA: A content-based approach to detecting phishing web sites", In Proceedings of the 16th International conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.
  26. Y. Zhang, S. Egelman, L. Cranor, and J. Hong, "Phinding Phish: Evaluating Anti-Phishing Tools", In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28th February - 2nd March, 2007.
  27. R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong, "Expandable Grids for Visualizing and Authoring Computer Security Policies.", ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
  28. M. Prabaker, J. Rao, I. Fette, P. Kelley, L. Cranor, J. Hong, and N. Sadeh, "Understanding and Capturing People's Privacy Policies in a People Finder Application", 2007 Ubicomp Workshop on Privacy, Austria, Sept. 2007.
  29. L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea, "A User Study of Policy Creation in a Flexible Access-Control System.", ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
  30. L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea, "Lessons Learned from the Deployment of a Smartphone-Based Access-Control System", In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
  31. L. Cranor, "A Framework for Reasoning About the Human in the Loop", Usability, Psychology and Security, 2008.
  32. X. Sheng and L. Cranor, "An Evaluation of the Effectiveness of US Financial Privacy Legislation Through the Analysis of Privacy Policies.", I/S: A Journal of Law and Policy for the Information Society, Volume 2, Number 3, Fall 2006, pp. 943-979.
  33. L. Cranor, "'I Didn't Buy it for Myself': Privacy and Ecommerce Personalization.", Proceedings of the 2nd ACM Workshop on Privacy in the Electronic Society, Washington, DC, October 30, 2003.
  34. B. Kowitz and L. Cranor, "Peripheral Privacy Notifications for Wireless Networks", In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, Alexandria, VA, 7 November 2005.
  35. C. Kuo, S. Romanosky, and L. Cranor, "Human Selection of Mnemonic Phrase-Based Passwords.", In Proceedings of the 2006 Symposium On Usable Privacy and Security, Pittsburgh, 12-14 July 2006.
