Schedule

Secure System Engineering and Management: A Data-Driven Approach

By Mike Hicks

January 26, 2026

This schedule will flesh out as the semester progresses.

Jump to next class.

Date	Topic / Speaker	Readings & handouts	Slides	Assignment
Jan 15	Introduction and syllabus	S. Keshav. How to Read a Paper. ACM SIGCOMM Computer Communication Review, Volume 37, Number 3, July 2007.
Jan 20	Attacks: Vulnerability exploitation	MITRE. 2025 CWE Top 25 Most Dangerous Software Weaknesses. Dec 2025. Marc Frederic Gomez. Top 25 CWE 2025 - Technical Analysis. Blog article, Dec 2025. OWASP. OWASP Top 10: The Ten Most Critical Web Application Security Risks. Dec 2025. Christian Heilmann. Web Security: Are You Part of the Problem?. Smashing magazine, Jan 2010.
Jan 22	Attacks: Exploiting the human	Ho, Grant, et al. Understanding the efficacy of phishing training in practice. 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025. Optional: Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of UPSEC 2008.		Proj 1: Security Breach Communication & Persuasion Video Due: Feb 9
Jan 27	Speaking and writing well (generally, and for security)	Ernst, Michael. How to give a technical presentation Click the title to the left to see the talk slides; a recording of this talk is on the Canvas site
Jan 29	Cybersecurity economics	Ross Anderson. Why information security is hard - an economic perspective. Seventeenth annual computer security applications conference (ACSAC). IEEE, 2001. Ian Grigg, The Market for Silver Bullets, 2008.
Feb 3	Cybersecurity as a scientific pursuit	Cormac Herley and P.C. van Oorschot. SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit, IEEE S&P 2017. Optional: Fred B. Schneider. A Blueprint for a Science of Cybersecurity. The Next Wave, Vol. 19, No. 2, 2012.
Feb 5	Data Analysis: Hypothesis Testing, Effect Sizes, and Regression #1	Introduction to Data Analysis, chaps 5 and 16. Experimental Design and Analysis, chaps 6.2, 8.4, 16.2. Optional: Jenny Tang, Lujo Bauer, and Nicolas Christin. Misuse, Misreporting, Misinterpretation of Statistical Methods in Usable Privacy and Security Papers. In SOUPS 25. Reference: sample vulnerability data used in lecture
Feb 10	Data Analysis: Hypothesis Testing, Effect Sizes, and Regression #2	Introduction to Data Analysis, chaps 12.1, 15.2. Experimental Design and Analysis, chaps 9, 16.3.
Feb 12	Measurements of security #1 (vulnerability oriented)	Ruef, Andrew, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. Build it, break it, fix it: Contesting secure development. CCS 2016. Note: Long version of this paper from 2020, which has more detail and another contest problem. Optional: Votipka, Daniel, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. Understanding security mistakes developers make: Qualitative analysis from build it, break it, fix it. USENIX Security 2020.
Feb 17	Measurements of security #2 (ops and end-user oriented)	Dekoven et al, Measuring Security Practices and How They Impact Security, IMC 2019 Casey F. Breen, Cormac Herley, Elissa Redmiles. A Large-Scale Measurement of Cybercrime Against Individuals, In CHI 2022. (NB: Data analysis package, done in R)
Mar 3	Midterm in class
Mar 5, 10, 12	No class Spring Break

Posted on:: January 26, 2026

Length:: 3 minute read, 492 words

See Also: