Spontaneous interactions between end users and devices are generally secured by human actions. Evaluating whether end users are able to perform these actions correctly can be challenging. Basic, textbook-style user study methods make assumptions that may not hold for security applications. In this piece, we outline five major user study assumptions. Using 802.11 network configuration as a case study, we also show how to adapt existing user study methods for evaluating security applications. We model how security experts might approach the configuration of their own home networks. Next, we combine several methods to design a study that pinpoints where end users encounter difficulties during configuration. Finally, we discuss the findings from our user study.