Privacy and Security Research

CyLab Usable Privacy and Security Laboratory (CUPS) 

CUPS"I founded the Carnegie Mellon [CyLab] Usable Privacy and Security Laboratory, or CUPS, when I joined the faculty about four years ago," said Lorrie Cranor in an interview for CyLab Chronicles. Dr. Cranor is the Director of CUPS and an Associate Professor of Computer Science and Engineering & Public Policy. "I had started designing privacy tools for end users a few years earlier at AT&T Labs, and I realized there just wasn't a whole lot known about how to make security and privacy tools usable. When I decided to come to CMU it seemed like a great opportunity to build a research program in this area, taking advantage of all the CMU expertise in privacy, security and human-computer interaction."

CUPS is a CyLab-affiliated lab that brings together Carnegie Mellon researchers to collaborate on issues related to privacy and security software and systems. CUPS researchers are particularly focused on usability issues in these fields. The lab's three main concentrations are anti-phishing filtering and education, privacy decision-making, and user-controllable privacy and security.

Just some of the applications CUPS' has developed include an online game called Anti-Phishing Phil, an "embedded training" system that teaches users how to protect themselves from phishing (, a search engine that annotates results with privacy meter icons so that people can find the web sites that will best protect their privacy (, and a user-friendly visual interface for setting Windows file permissions.

CUPS also organizes the Symposium on Usable Privacy and Security (SOUPS). This annual seminar brings together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy.

"I organized a workshop on usable privacy and security in 2004, and the people who attended were eager for more. I realized there was a growing community interested in this research area and a need for a high-quality, peer-reviewed conference," said Professor Cranor. "The conference program includes technical paper presentations, workshops, a keynote speaker, and a poster session.

With all of the breakthroughs that CUPS has made since its inception, there are still many issues to be examined. Cranor expresses this attitude concerning a current project, which resonates with research in the fields of privacy and security as a whole: "We have some preliminary ideas, but there are a lot of wide-open research questions here, and I think this problem will keep us busy for some time to come."