Schedule

Secure System Engineering and Management: A Data-Driven Approach

By Mike Hicks

February 25, 2026

This schedule will flesh out as the semester progresses.

Date	Topic / Speaker	Readings & handouts	Assignment
Jan 15	Introduction and syllabus	S. Keshav. How to Read a Paper. ACM SIGCOMM Computer Communication Review, Volume 37, Number 3, July 2007.
Jan 20	Attacks: Vulnerability exploitation	MITRE. 2025 CWE Top 25 Most Dangerous Software Weaknesses. Dec 2025. Marc Frederic Gomez. Top 25 CWE 2025 - Technical Analysis. Blog article, Dec 2025. OWASP. OWASP Top 10: The Ten Most Critical Web Application Security Risks. Dec 2025. Christian Heilmann. Web Security: Are You Part of the Problem?. Smashing magazine, Jan 2010.
Jan 22	Attacks: Exploiting the human	Ho, Grant, et al. Understanding the efficacy of phishing training in practice. 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025. Optional: Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proceedings of UPSEC 2008.	Proj 1: Security Breach Communication & Persuasion Video Due: Feb 9
Jan 27	Speaking and writing well (generally, and for security)	Ernst, Michael. How to give a technical presentation Click the title to the left to see the talk slides; a recording of this talk is on the Canvas site
Jan 29	Cybersecurity economics	Ross Anderson. Why information security is hard - an economic perspective. Seventeenth annual computer security applications conference (ACSAC). IEEE, 2001. Ian Grigg, The Market for Silver Bullets, 2008.
Feb 3	Cybersecurity as a scientific pursuit	Cormac Herley and P.C. van Oorschot. SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit, IEEE S&P 2017. Optional: Fred B. Schneider. A Blueprint for a Science of Cybersecurity. The Next Wave, Vol. 19, No. 2, 2012.
Feb 5	Data Analysis: Hypothesis Testing, Effect Sizes, and Regression #1	Recommended sections in these references given in lecture notes: Experimental Design and Analysis and Introduction to Data Analysis Optional: Jenny Tang, Lujo Bauer, and Nicolas Christin. Misuse, Misreporting, Misinterpretation of Statistical Methods in Usable Privacy and Security Papers. In SOUPS 25. Reference: sample vulnerability data used in lecture
Feb 10	Data Analysis: Hypothesis Testing, Effect Sizes, and Regression #2	Recommended sections in these references given in lecture notes: Experimental Design and Analysis and Introduction to Data Analysis	Proj 2: Analyzing the Vulnerability Landscape with NVD and CISA KEV Data Due: Feb 24
Feb 12	Measurements of security #1 (vulnerability oriented)	Ruef, Andrew, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. Build it, break it, fix it: Contesting secure development. CCS 2016. Note: Long version of this paper from 2020, which has more detail and another contest problem. Optional: Votipka, Daniel, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. Understanding security mistakes developers make: Qualitative analysis from build it, break it, fix it. USENIX Security 2020.
Feb 17	Measurements of security #2 (ops and end-user oriented)	Dekoven et al, Measuring Security Practices and How They Impact Security, IMC 2019 Casey F. Breen, Cormac Herley, Elissa Redmiles. A Large-Scale Measurement of Cybercrime Against Individuals, In CHI 2022. (NB: Data analysis package, done in R)
Feb 19	Security by Design Overview	Secure by Design: A Guide for Assessing Software Security Practices (pps. 1-19) SAFECode, Tactical Threat Modeling, 2017. Adam Shostack, The Ultimate Beginner Guide to Threat Modeling
Feb 24	Threat Modeling (up to this point covered on midterm)	Toreon, Threat modeling done right, 2016. Optional: Loren Kohnfelder and Praerit Garg, The Threats to Our Products, Microsoft, 1999.	Proj 3: Threat Modeling a Networked Insulin Pump Due: Mar 23
Feb 26	Secure Design: Principles and Controls #1
Mar 3	Midterm in class
Mar 5, 10, 12	No class Spring Break
Mar 17	Secure Design: Principles and Controls #2	Christoph Kern, Developer Ecosystems for Software Safety, CACM, April 2024. Optional: Christoph Kern, Safe Coding, Google TR, November 2025.
Mar 19	Fuzzing	Marcel Boehme, Van-Thuan Pham, and Abhik Roychoudhury, Coverage-based Greybox Fuzzing as Markov Chain. In CCS 2016. Optional: Klees, G., Ruef, A., Cooper, B., Wei, S. and Hicks, M., 2018, October. Evaluating fuzz testing. In CCS 2018.
Mar 24	Memory safe programming	Michael Hicks, What is memory safety?, 2014. Michael Hicks, What is type safety?, 2014. Optional: Andrew Lilley Brinker. Memory Safety for Skeptics, ACM Queue, 2025. Optional: Jeffrey Vander Stoep, Alex Rebert, and Lars Bergstrom. A Practical Guide to Transitioning to Memory-Safe Languages, ACM Queue, 2025.	Proj 4: Find and Fix Bugs with Fuzzing Updated Due: Apr 6
Mar 26	Code Integrity, Supply Chain Security, Vulnerability Remediation	Chinenye Okafor, Taylor Schorlemmer, Santiago Torres-Arias, and James C. Davis. SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties. Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 2022.
Mar 31	Intrusion Detection & Security Operations	Robin Sommer, Vern Paxson. Outside the Closed World: On Using Machine Learning For Network Intrusion Detection, IEEE S&P, 2010. Optional: Bushra A. Alahmadi, Louise Axon, and Ivan Martinovic. 99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms, USENIX Security 2022
Apr 2	Securing IT at Penn	Guest lecture by Sam Jenkins, ISC, Penn
Apr 7	Cybersecurity for LLMs	Simon Willison, The lethal trifecta for AI agents: private data, untrusted content, and external communication, Jun 2025. Extra Credit: Chen et al. Defending Against Prompt Injection With a Few DefensiveTokens, AISec 2025.	Proj 5: Network Intrusion Detection with Suricata and Zeek Due: Apr 20
Apr 9	LLMs and attack/defense activities	Zhu et al. CVE-Bench: A Benchmark for AI Agents’ Ability to Exploit Real-World Web Application Vulnerabilities, ICML 2025. Optional: Nicholas Carlini, Milad Nasr, Edoardo Debenedetti, Barry Wang, Christopher A. Choquette-Choo, Daphne Ippolito, Florian Tramer, Matthew Jagielski. LLMs unlock new paths to monetizing exploits. arXiv preprint arXiv:2505.11449 (2025).
Apr 14	What does a CISO do (at Penn)?	Guest lecture by Nick Falcone, Penn CISO RSAC ESAF, What Top CISOs Include in Updates for the Board, 2022.
Apr 23	Cyber insurance and security risk	Guest lecture by Amanda Draeger, Cyber Insurance Risk Engineer
May 7 (Thursday)	Final exam	12-2pm LRSM 112B

Posted on:: February 25, 2026

Length:: 5 minute read, 972 words

See Also: