Empirical Security & Privacy, for Humans


SYLLABUS

Description

The goal of this course is to explore how to assess the technology and practices that aim to enhance computer security and privacy. A key theme of the course is to understand how to measure whether security and privacy goals have been achieved. We will learn about promising work in this area, including relevant measurement and data analysis techniques. In studying it we aim to surface gaps and find opportunities to do better.

This is a seminar course. Our main activity will be to read and discuss papers from the research literature, as well as blog posts, whitepapers, and the occasional textbook chapter. Students will be expected to read 1-2 papers per class and to submit a short review on each paper prior to class, to set the table for discussion.

Students will also have the opportunity to present papers to the class (how many depends in part on the class size), and receive feedback. We will also have guest lectures from experts in the field. The culmination of the course's work will be a deep-dive, final project.

Prerequisites

There are no specific course prerequisites for this course, but participants are expected to have a technical background in computer science or a related field. Knowledge of computer security is a benefit, but is not required. Permission to enroll is granted by the instructor (as per usual with CIS 7000-level courses).

List of topics (tentative)

This course covers a variety of topics, including (but not limited to)
  • Economic view of cybersecurity
  • End users and cybersecurity
  • Cybersecurity as a scientific pursuit
  • Cybersecurity investment as risk assessment
  • Cybersecurity game theory
  • Cyberattack economics
  • Cybersecurity public health
  • Developers' and operators' actions, and security
  • Ethics in computer security experimentation
  • Network-based security measurement
  • Definitions of privacy, and how to assess them

Online resources

Website: Various course materials will be made available on the class website, which can be accessed at https://mhicks.me/courses/CIS-7000-Fall2025
Canvas: Students enrolled in the class will have access to the course Canvas site. Use this site to access the Zoom link for remote attendance, to submit course assignments, and to see the gradebook.

Grading

The final grade will consist of two main parts:

Class participation (55%). This consists of
  1. (20%) a written 2-3 paragraph review for each paper we read, due prior to the discussion date;
  2. (14%) participation during class;
  3. (20%) a presentation the student will give about a particular topic; and
  4. (1%) a one-on-one meeting with the course instructor
Final project (45%). The grade consists of
  1. (30%) project report
  2. (15%) project presentation

Class activities

Paper reviews

For most papers that we read in the class, students must submit a review of each paper. These will be used to drive discussion of the paper during class -- we cannot discuss what we do not read! Each review should consist of two parts: (1) a paragraph with key takeaways gleaned from the paper; (2) a few questions on topics that merit deep-dive discussion, or clarification. Note that part (1) should almost certainly not be complete (i.e., not an at-a-distance summary) but rather should be used to set up sufficient context and justification for the questions in part (2). Doing so ensures the questions are not surface-level, but rather are thought-through and engaging. You are writing a review, which means I want to see your opinion and your evidence for it. Reviews are due 3pm the day before the class, to avoid a late penalty of 20%. Reviews are graded on a score of 1-5, where
  • 0: missing or showing no evidence of having read the paper
  • 1-3: minimal effort or non-insightful summary (anybody can copy an abstract)
  • 4: insightful, but not particularly crisp or incisive; oftentimes too long
  • 5: actively insightful, with interesting and well-sourced discussion points (it often takes students a couple stabs at it to get to consistent 5's)

Participating and presenting in class

There is an expectation to attend class and participate in discussions. The participation score will be based in large part on attendance (which we will start noting during the second week), but also on the instructor's assessment of the thoughtfulness and insight of comments made during class.

Each student will be expected to present a paper and lead a discussion about it. The presentation should be about 25-30 minutes, with the ensuing discussion about 15 minutes. The goal is to learn to deep-dive into a relevant topic, and develop good presentation skills. Doing well will require reading your paper(s) early and making sure you fully understand them. Consider practicing your presentation beforehand.

Presentations will be judged based on the following criteria:
  • understanding: does the presenter understand the material?
  • thoughtfulness: does the presenter have insights and opinions beyond what was in the paper?
  • background/perspective: did the presenter read background papers?
  • clarity: can the audience understand the presentation? is the "big picture" clear? are there useful examples?
  • materials: do the slides or use of blackboard illustrate and support the talk? are there diagrams to help convey the technicalities? (when your talk gets into deep territory, a diagram is worth 10K words)
  • delivery: has the presenter practiced?
  • non-regurgitation: did the presenter do something beyond simply typing sections of the paper as bullet points? did the presenter motivate the ideas in their own words or just state ideas from the paper verbatim?
  • answering questions: can the presenter handle questions from the audience?
Remember that you will likely be able to explain more detail than you can hope to cover in a single lecture. This is one reason that it's hard work to prepare a good presentation: not only do you need to understand the paper, but you need to filter out the irrelevant details and amplify the key arguments. You'll probably have to omit entire sections of the paper from your talk -- don't worry about it. Simply mimicking the structure of the paper ("regurgitating it") tends to produce a disconnected sequence of boring facts. A good talk should tell a story; every idea should be motivated, and all facts should fit together in a coherent picture. Telling such a story in a short time often requires creating your own explanations, motivation, and examples.

Projects

Each student will propose a project idea roughly 1/3 of the way through the semester, to be finalized 1/2 of the way through, and then completed by the end of the semester. Students may work alone, or in groups of 2 or 3 (with a greater expectation on the result).

The final deliverables for each project are a project report due during finals week, and a project presentation, to be given in the last two weeks of class.

The project report will be graded by content -- how insightful, useful, and complete is the work covered -- as well as adherence to format and content guidelines from the class, including, for example, whether the introduction answers key questions about the motivation for the project, whether the results section provides and interprets a key result, whether the related work section distinguishes current effort from prior work, and so on.

The project presentation, like the report, will be scored based on format and content matching guidelines given in class (one of the things you'll be learning is what it means to give a good talk, write a good report, and so on). Presentations should be about 20 minutes long, with 5 minutes for questions.

The project report will be due 11:59:59pm EST of the day given in the project description for full credit. Project reports (and code, if relevant) may be submitted up to 24 hours late for a 10% penalty. (For example, a project that would have earned 90 points for an on-time submission will earn 81, that is, 90 times 0.90.) If you submit both on-time & late, your project will receive the maximum of the penalty-adjusted scores.

Meet the professor

At least one time during the semester, you get a "free" 1% to meet with me at an arranged time. It doesn't have to be for class/project help: we can chat about research, future plans, whatever!

Excused absences

You are not required to come to class, but not coming will affect your class participation grade. There are several justifications for excused absences from class: illness, religious observance, participation in required university activities, or a family or personal emergency. We will work with you to make sure that you have a fair amount of time to make up for excused absences. The best way that we can help is if we know about absences as far in advance as possible.
  • Provide a request for absence in writing.
  • Provide appropriate documentation that shows the absence qualifies as excused.
  • Provide as much advance notice as is possible, safe, and appropriate.

One self-signed note is permitted during the semester.

The policies for excused absences do not apply to project assignments. Projects will be assigned with sufficient time to be completed by students who have a reasonable understanding of the necessary material and begin promptly. In cases of extremely serious documented illness of lengthy duration or other protracted, severe emergency situations, the instructor may consider extensions on project assignments, depending upon the specific circumstances.

Besides the policies in this syllabus, the University's policies apply during the semester.

Right to change information

Although every effort has been made to be complete and accurate, unforeseen circumstances arising during the semester could require the adjustment of any material given here. Consequently, given due notice to students, the instructor reserves the right to change any information on this syllabus or in other course materials.