Schedule

Empirical Security & Privacy, for Humans

By Mike Hicks

November 7, 2025

Date	Topic / Speaker	Readings & handouts
Aug 26	Introduction and syllabus	S. Keshav. How to Read a Paper. ACM SIGCOMM Computer Communication Review, Volume 37, Number 3, July 2007.
Aug 28	Economic view of cybersecurity - Alex Gantman, VP Security Engineering, Qualcomm	Ross Anderson. Why information security is hard - an economic perspective. Seventeenth annual computer security applications conference (ACSAC). IEEE, 2001. Ian Griggs, The Market for Silver Bullets, 2008.
Sep 2	End users and cybersecurity	Ho, Grant, et al. Understanding the efficacy of phishing training in practice. 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025. Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of UPSEC 2008.
Sep 4	Cybersecurity as a scientific pursuit - Cormac Herley, Principal Researcher, Microsoft	Cormac Herley and P.C. van Oorschot. SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit, IEEE S&P 2017.
Sep 9	Cybersecurity and risk assessment	Andrew Simpson. Into the unknown: The need to reframe risk analysis. Journal of Cybersecurity, Volume 10, Issue 1, 2024. John Downer. The Aviation Paradox: Why We Can ‘Know’ Jetliners But Not Reactors. Minerva 55.2 (2017): 229-248.
Sep 11	Passwords	Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. Do Users’ Perceptions of Password Security Match Reality? In Proceedings of CHI 2016. Optional: Nisenoff, Alexandra, Maximilian Golla, Miranda Wei, Juliette Hainline, Hayley Szymanek, Annika Braun, Annika Hildebrandt, Blair Christensen, David Langenberg, and Blase Ur. A Two-Decade Retrospective Analysis of a University’s Vulnerability to Attacks Exploiting Reused Passwords. In USENIX Security 2023.
Sep 16	The business of attacks, and paying attackers for defense	Huang, Keman, Michael Siegel, and Stuart Madnick. Systematically understanding the cyber attack business: A survey. ACM Computing Surveys (CSUR) 51.4 (2018): 1-36. Dirk Goehmann. Vulnerability Reward Program: 2024 in Review, Google Security Blog, March 2025. See also: Matthew Finifter, Devdatta Akhawe, and David Wagner. An Empirical Study of Vulnerability Rewards Programs. USENIX Security 2013.
Sep 18	LLMs and their impact on cyberattacks	Nicholas Carlini, Milad Nasr, Edoardo Debenedetti, Barry Wang, Christopher A. Choquette-Choo, Daphne Ippolito, Florian Tramer, Matthew Jagielski. LLMs unlock new paths to monetizing exploits. arXiv preprint arXiv:2505.11449 (2025). Oege de Moor and Albert Ziegler. XBOW Unleashes GPT-5’s Hidden Hacking Power, Doubling Performance. XBOW blog, August 15, 2025. (On August 18, XBOW became #1 ranked, better than all human teams, on HackerOne.)
Sep 23	Measuring secure software development practices	Ruef, Andrew, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. Build it, break it, fix it: Contesting secure development. CCS 2016. See also: Long version (with an additional contest, fuller descriptions) in ACM TOPS 2020. Votipka, Daniel, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. Understanding security mistakes developers make: Qualitative analysis from build it, break it, fix it. USENIX Security 2020.
Sep 25	Project pitches	Individual students, or groups who wish to work together, should prepare project pitches. See the syllabus for details.
Sep 30	Empirical evaluations: Fuzz testing	Klees, G., Ruef, A., Cooper, B., Wei, S. and Hicks, M., 2018, October. Evaluating fuzz testing. In CCS 2018. Schloegel, Moritz, et al. Sok: Prudent evaluation practices for fuzzing. In S&P 2024. Optional: Blackburn, Steve, et al. SIGPLAN Empirical Evaluation guidelines. 2018.
Oct 2	Statistical tests: Pitfalls	Jenny Tang, Lujo Bauer, and Nicolas Christin. Misuse, Misreporting, Misinterpretation of Statistical Methods in Usable Privacy and Security Papers. In SOUPS 25. Jim Frost, What is P hacking: Methods & Best Practices, 2024. Optional: Stephanie M. Lee. Here’s How Cornell Scientist Brian Wansink Turned Shoddy Data Into Viral Studies About How We Eat. BuzzFeed News, Feb 2018.
Oct 7	Threat modeling - Adam Shostack, Shostack Associates	Adam Shostack. Experiences Threat Modeling at Microsoft. MODSEC@ MoDELS 2008 (2008): 35. Adam Shostack. Nothing Is Good Enough: Fast and Cheap Are Undervalued as Influencers of Security Tool Adoption. IEEE S&P magazine, Jan-Feb 2023. Optional: Kaur, Harjot, et al. “Threat modeling is very formal, it’s very technical, and also very hard to do correctly”: Investigating Threat Modeling Practices in Open-Source Software Projects. USENIX Security 2025.
Oct 9	Fall break, no class	Project proposals due. See the syllabus for details.
Oct 14	Password managers, ethics of human studies	Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes and Sven Bugiel. Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse. In SOUPS 2018. Tadayoshi Kohno, Yasemin Acar, Wulf Loh. Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations (will discuss the full PDF). In USENIX Security 2023.
Oct 16	What’s still missing in static analysis? - Mayur Naik, Prof of CIS @ UPenn	Guest lecture about static analysis technology (including for finding security bugs), the influence of LLMs on it, and how we measure progress. Optional: Ziyang Li, Saikat Dutta, Mayur Naik. IRIS: LLM-Assisted Static Analysis for Detecting Security Vulnerabilities. In ICLR 2025.
Oct 21	Building Security in Maturity Model (BSIMM)	Gary McGraw, Brian Chess, and Sammy Migues. Building Security In Maturity Model, 2009. Recommendation: Watch this talk by Gary McGraw, and refer to the report to check the details. Laurie Williams, Gary McGraw, and Sammy Migues. Engineering Security Vulnerability Prevention, Detection, and Response. IEEE Software, 2018. Alex Gantman. Retrospective on the BSIMM, personal correspondence, 2025.
Oct 23	Economic investment in cybersecurity	Gordon, Lawrence A., and Martin P. Loeb. The economics of information security investment. ACM Transactions on Information and System Security (TISSEC) 5.4 (2002): 438-457. Optional (presented by Arya Sanjary): Adam Hastings and Simha Sethumadhavan. Voluntary Investment, Mandatory Minimums, or Cyber Insurance: What Minimizes Losses? USENIX Security 2025.
Oct 28	Usability: Privacy & passwords	Alessandro Acquisti, Laura Brandimarte, and George Loewenstein. Privacy and human behavior in the age of information. Science, Vol. 347, No. 6221, Jan 2015. Optional (presented by Sydnie-Shea Cohen): Adryana Hutchinson, Jinwei Tang, Adam Aviv, and Peter Story. Measuring the Prevalence of Password Manager Issues Using In-Situ Experiments. In Symposium on Usable Security and Privacy (USEC) 2024.
Oct 30	Measuring security trends; deployment challenges	Jason Healy. Are Cyber Defenders Winning? Lawfare blog, July 2025. Optional (presented by Noopur Bhatt): Leona Lassak, Elleen Pan, Blase Ur, and Maximilian Golla. Why Aren’t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication, USENIX Security 2024.
Nov 4	Understanding and simulating users (considering privacy)	Priyanka Nanayakkara, Mary Anne Smart, Rachel Cummings, Gabriel Kaptchuk, Elissa M. Redmiles. What Are the Chances? Explaining the Epsilon Parameter in Differential Privacy, USENIX Security 2023. Optional (presented by Jiayi Xin): Boyu Qiao, Kun Li, Wei Zhou, Shilong Li, Qianqian Lu, Songlin Hu. BotSim: LLM-Powered Malicious Social Botnet Simulation, AAAI 2025.
Nov 6	Cyber Public Health (CPH), and the quantum crypto transition	Bellovin and Shostack, Input to the Commission on Enhancing National Cybersecurity, 2016 Shostack, Adam, et al. Lessons for Cybersecurity from the American Public Health System. arXiv preprint arXiv:2506.12257 (2025). Optional (presented by Bharath Namboothiry): Ini Kong, Marijn Janssen, Nitesh Bharosa. Realizing quantum-safe information sharing: Implementation and adoption challenges and policy recommendations for quantum-safe transitions, Government Information Quarterly 41 (2024).
Nov 11	Finding bugs, and exploiting them	Optional (presented by Thia Richey): Savitha Ravi and Michael Coblenz. An Empirical Evaluation of Property-Based Testing. In OOPSLA 2025. Optional (presented by Davis Brown): Winnona DeSombre Bernsen. Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace, 2025. Optional supplemental reading: Winnona DeSombre Bernsen, Sergey Bratus. From Chaos to Capability: Building the U.S. Market for Offensive Cyber, 2025.
Nov 13	Heartbleed’s effects, and gamified security training	Zakir Durumeric, Frank Li, James Kasten, Nicholas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer, David Adrian, Vern Paxson, Michael Bailey, J. Alex Halderman. The Matter of Heartbleed, In ACM Internet Measurement Conference 2014. Optional (presented by Lucia Kulzer): Silic, M., & Lowry, P. B. Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance. Journal of Management Information Systems, 37(1), 129-161, 2020.
Nov 18	Modeling security risk, efforts at post-quantum mitigation	Daniel W. Woods and Rainer Bohme. SoK: Quantifying Cyber Risk. IEEE S&P 2019. Optional (presented by Ali Shirzad): Alexander Krause, Harjot Kaur, Jan H. Klemmer, Oliver Wiese, and Sascha Fahl. “That’s my perspective from 30 years of doing this”: An Interview Study on Practices, Experiences, and Challenges of Updating Cryptographic Code. USENIX Security 2025 Optional supplemental reading: Dimitri Mankowski, Thom Wiggers, and Veelasha Moonsamy. TLS → Post-Quantum TLS: Inspecting the TLS landscape for PQC adoption on Android. European IEEE S&P Symposium 2023.
Nov 20	Vulnerability lifetimes; on-line scams	Nikolaos Alexopoulos, Manuel Brack, Jan Philipp Wagner, Tim Grube, and Max Mühlhäuser. How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes. USENIX Security 2022 Optional (presented by Zhiyao Tang): Sharad Agarwal, Emma Harvey, Enrico Mariconti, Guillermo Suarez-Tangil, Marie Vasek. ‘Hey mum, I dropped my phone down the toilet’: Investigating Hi Mum and Dad SMS Scams in the United Kingdom. USENIX Security 2025.
Nov 25	TG week: No class
Nov 27	TG week: No class
Dec 2	Final project presentations
Dec 4	Final project presentations
Dec 12	Final project report due

Posted on:: November 7, 2025

Length:: 7 minute read, 1475 words

See Also: