Schedule

Secure System Engineering and Management: A Data-Driven Approach

By Mike Hicks

February 25, 2026

This schedule will flesh out as the semester progresses.

Jump to next class.

Date	Topic / Speaker	Readings & handouts	Slides	Assignment
Jan 15	Introduction and syllabus	S. Keshav. How to Read a Paper. ACM SIGCOMM Computer Communication Review, Volume 37, Number 3, July 2007.
Jan 20	Attacks: Vulnerability exploitation	MITRE. 2025 CWE Top 25 Most Dangerous Software Weaknesses. Dec 2025. Marc Frederic Gomez. Top 25 CWE 2025 - Technical Analysis. Blog article, Dec 2025. OWASP. OWASP Top 10: The Ten Most Critical Web Application Security Risks. Dec 2025. Christian Heilmann. Web Security: Are You Part of the Problem?. Smashing magazine, Jan 2010.
Jan 22	Attacks: Exploiting the human	Ho, Grant, et al. Understanding the efficacy of phishing training in practice. 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025. Optional: Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of UPSEC 2008.		Proj 1: Security Breach Communication & Persuasion Video Due: Feb 9
Jan 27	Speaking and writing well (generally, and for security)	Ernst, Michael. How to give a technical presentation Click the title to the left to see the talk slides; a recording of this talk is on the Canvas site
Jan 29	Cybersecurity economics	Ross Anderson. Why information security is hard - an economic perspective. Seventeenth annual computer security applications conference (ACSAC). IEEE, 2001. Ian Grigg, The Market for Silver Bullets, 2008.
Feb 3	Cybersecurity as a scientific pursuit	Cormac Herley and P.C. van Oorschot. SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit, IEEE S&P 2017. Optional: Fred B. Schneider. A Blueprint for a Science of Cybersecurity. The Next Wave, Vol. 19, No. 2, 2012.
Feb 5	Data Analysis: Hypothesis Testing, Effect Sizes, and Regression #1	Recommended sections in these references given in lecture notes: Experimental Design and Analysis and Introduction to Data Analysis Optional: Jenny Tang, Lujo Bauer, and Nicolas Christin. Misuse, Misreporting, Misinterpretation of Statistical Methods in Usable Privacy and Security Papers. In SOUPS 25. Reference: sample vulnerability data used in lecture
Feb 10	Data Analysis: Hypothesis Testing, Effect Sizes, and Regression #2	Recommended sections in these references given in lecture notes: Experimental Design and Analysis and Introduction to Data Analysis		Proj 2: Analyzing the Vulnerability Landscape with NVD and CISA KEV Data Due: Feb 24
Feb 12	Measurements of security #1 (vulnerability oriented)	Ruef, Andrew, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. Build it, break it, fix it: Contesting secure development. CCS 2016. Note: Long version of this paper from 2020, which has more detail and another contest problem. Optional: Votipka, Daniel, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. Understanding security mistakes developers make: Qualitative analysis from build it, break it, fix it. USENIX Security 2020.
Feb 17	Measurements of security #2 (ops and end-user oriented)	Dekoven et al, Measuring Security Practices and How They Impact Security, IMC 2019 Casey F. Breen, Cormac Herley, Elissa Redmiles. A Large-Scale Measurement of Cybercrime Against Individuals, In CHI 2022. (NB: Data analysis package, done in R)
Feb 19	Security by Design Overview	Secure by Design: A Guide for Assessing Software Security Practices (pps. 1-19) SAFECode, Tactical Threat Modeling, 2017. Adam Shostack, The Ultimate Beginner Guide to Threat Modeling
Feb 24	Threat Modeling (up to this point covered on midterm)	Toreon, Threat modeling done right, 2016. Optional: Loren Kohnfelder and Praerit Garg, The Threats to Our Products, Microsoft, 1999.		Proj 3: Threat Modeling a Networked Insulin Pump Due: Mar 18
Feb 26	Secure Design: Principles and Controls #1
Mar 3	Midterm in class
Mar 5, 10, 12	No class Spring Break
Mar 17	Secure Design: Principles and Controls #2	Christoph Kern, Developer Ecosystems for Software Safety, CACM, April 2024.
Mar 19	Fuzzing	Marcel Boehme, Van-Thuan Pham, and Abhik Roychoudhury, Coverage-based Greybox Fuzzing as Markov Chain. In CCS 2016. Optional: Klees, G., Ruef, A., Cooper, B., Wei, S. and Hicks, M., 2018, October. Evaluating fuzz testing. In CCS 2018.
May 7 (Thursday)	Final exam	12-2pm LRSM 112B

Posted on:: February 25, 2026

Length:: 4 minute read, 657 words

See Also: