For the exam:

Adams and Sasse: Users are not the enemy

Good and Krekelberg: Usability and privacy: a study of Kazaa P2P file-sharing

Tygar and Whitten: Why Johnny Can't Encrypt

Cranor et al: Beyond Concern:  Understanding Net Users' Attitudes About Online Privacy

Cheskin: eCommerce Trust Study

Nielsen: Trust or Bust: Communicating Trustworthiness in Web Design

Norman: When Security Gets in the Way

Additional reading:

Schehter et al: The Emperor's New Security Indicators

Smetters and Good: How Users Use Access Control

Ackerman et al: Privacy Issues and Human-Computer Interaction

Dhamija: Why Phishing Works

Chiasson et al: A Second Look at the Usability of Click-Based Graphical Passwords. Symposium On Usable Privacy and Security

Camp: Mental models of privacy and security

Lindgaard: Attention Web Designers: You have 50 milliseconds to make a good first impression!