UsersFirst: A User-Centric Threat Modeling Framework for Privacy Notice and Choice

Monday, June 09, 2025 - 11:00 am - 11:20 am

Norman Sadeh and Lorrie Cranor, Carnegie Mellon University

Recent privacy regulations impose increasingly stringent requirements on the collection and use of data. This includes more specific obligations to disclose various data practices and the need to provide data subjects with more comprehensive sets of choices or controls. There is also an increasing emphasis on user-centric criteria. Failure to offer usable notices and choices that people can truly benefit from has become a significant privacy threat, whether one thinks in terms of potential regulatory penalties, consumer trust and brand reputation, or privacy-by-design best practices. This presentation will provide an overview of UsersFirst, a Privacy Threat Modeling framework intended to supplement existing privacy threat modeling frameworks and to support organizations in their analysis and mitigation of risks associated with the absence or ineffectiveness of privacy notices and choices. Rather than treating privacy notices and choices as mere checkboxes, UsersFirst revolves around user-centric interpretations of these requirements. It is intended to reflect an emerging trend in privacy regulations where perfunctory approaches to notices and choices are no longer sufficient, and where instead notices and choices are expected to be noticeable, usable, unambiguous, devoid of deceptive patterns, and more. The presentation will include results of a detailed evaluation of the UsersFirst user-centric threat taxonomy with people working and/or trained in privacy.

Norman Sadeh is a Professor in the School of Computer Science at Carnegie Mellon University (CMU), where he co-founded and co-directs the Privacy Engineering Program. Norman served as lead principal investigator on two of the largest domestic research projects in privacy, the Usable Privacy Policy Project and the Personalized Privacy Assistant Project. He was also founding CEO and, until its acquisition by Proofpoint, chairman and chief scientist of Wombat Security Technologies, a company that defined the multi-billion dollar user-oriented cybersecurity market. Technologies Norman developed with colleagues at CMU and Wombat are used to protect tens of millions of users around the world against cybersecurity attacks such as phishing. Earlier in his career, he also served at the European Commission as Chief Scientist of the 550M Euro eWork and eCommerce initiative, which included all pan-European research in cybersecurity and privacy and related policy activities.

Lorrie Faith Cranor is the Director and Bosch Distinguished Professor in Security and Privacy Technologies of CyLab and the FORE Systems University Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the Privacy Engineering master's program. In 2016 she served as Chief Technologist at the US Federal Trade Commission. She is also a co-founder of Wombat Security Technologies, Inc., a security awareness training company that was acquired by Proofpoint. She founded the Symposium On Usable Privacy and Security (SOUPS) and co-founded the Conference on Privacy Engineering Practice and Respect (PEPR). She currently serves on the board of directors of the Computing Research Association and the Center for Democracy and Technology. She is a fellow of ACM, IEEE, and AAAS. She received the 2018 International Association of Privacy Professionals Privacy Leadership Award.

BibTeX
@conference {306713,
author = {Norman Sadeh and Lorrie Cranor},
title = {{UsersFirst}: A {User-Centric} Threat Modeling Framework for Privacy Notice and Choice},
year = {2025},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jun
}