Secure System Engineering and Management: A Data-Driven Approach

About

In this course, students learn techniques for building, deploying, and maintaining secure systems. As computer security is a constantly evolving field, the course places particular emphasis on means to empirically evaluate security technology, processes, and operational practices. As security is always in support of a primary activity and resources are limited, the course also places emphasis on strong communications, using evidence and empathy to explain and collaborate on security needs. Course activities include reading and discussing technical papers and other communications; carrying out five homework projects, on technical and non-technical topics; and taking a midterm and final exam.

By the end of the course, students should be able to:

• Understand cybersecurity from a data-driven and economic perspective.
• Think like an attacker, and thereby develop high-quality threat models for systems and deployments.
• Account for the impact to humans interacting with a computer system, both when they are attack targets and when the play a role in ensuring the system’s security.
• Understand key security defenses, the attacks they respond to, and how to put defenses together to build secure systems.
• Manage security post-deployment* Manage security post-deployment – preventing, detecting, mitigating, and recovering from incidents – and gather data to improve future decisions.
• Make risk-informed decisions: Assess design elements and technologies according to how they mitigate security risk, and prioritize them to minimize risk.
• Communicate effectively and with empathy to key stakeholders about security risks.

Prerequisites: Equivalent knowledge of CIS 2400 - Computer Systems and CIS 2610 - Discrete Probability, Stochastic Processes, and Statistical Inference.

People, Places, Times

Class time & place: UPenn CIS 7000-003, Spring 2026