Syllabus

Secure System Engineering and Management: A Data-Driven Approach

By Mike Hicks

January 1, 2026

Description

In this course, students learn techniques for building, deploying, and maintaining secure systems. As computer security is a constantly evolving field, the course places particular emphasis on means to empirically evaluate security technology, processes, and operational practices. As security is always in support of a primary activity and resources are limited, the course also places emphasis on strong communications, using evidence and empathy to explain and collaborate on security needs. By the end of the course, students should be able to:

  • Understand cybersecurity from a data-driven and economic perspective, learning to make decisions based on empirical evidence, following good science
  • Identify key vulnerabilities and threats, especially when considering the impact of humans, both when they are attack targets and when they play a role in ensuring a system’s security
  • Follow a well-designed process for secure systems construction, from threat modeling to building to testing to maintenance
  • Manage security operations – preventing, detecting, mitigating, and recovering from incidents – and gather data to improve future posture
  • Make risk-informed decisions: Assess designs and technologies according to how they mitigate security risk, while leveraging insurance and responding to regulation
  • Communicate effectively and with empathy to key stakeholders about security options and recommendations

Prerequisites

Equivalent knowledge of CIS 2400 - Computer Systems and CIS 2610 - Discrete Probability, Stochastic Processes, and Statistical Inference. Permission to enroll is granted by the instructor (as per usual with CIS 7000-level courses).

List of topics

  • Overview of a variety of cyber attacks
  • Empirical cybersecurity
    • Economic view of cybersecurity
    • Cybersecurity as a scientific pursuit
    • Measuring and analyzing security
  • Secure software development
    • Threat modeling and security design
    • The role of the human: Defender and victim
    • Programming (memory safety!)
    • Pen testing (fuzzing)
    • Supply chain, patching, vulnerability remediation
  • Security operations
    • Cyber-incident detection and response
    • Cybersecurity management
    • Cybersecurity risk assessment
    • The role and activities of a Chief Information Security Officer (CISO)
  • Cyber regulation, insurance, and analogies to public health
  • How to talk persuasively about security and risk

Online resources

Website: Various course materials will be made available on the class website, which can be accessed at https://mhicks.me/courses/CIS-7000-Spring2026

Canvas: Students enrolled in the class will have access to the course canvas site. Use this site to access the Zoom link for remote attendance, to submit course assignments, and to see the gradebook.

Grading

(Tentative) The final grade will consist of two main parts:

Class participation and projects (60%). This consists of:

  1. (13%) a written 2-3 paragraph review for each paper we read, due prior to the discussion date;
  2. (7%) participation during class; and
  3. (40%) five projects

Exams (40%), of which there are two:

  1. (20%) midterm exam
  2. (20%) final exam

Class activities

Paper reviews

For most papers that we read in the class, students must submit a review of each paper. These will be used to drive discussion of the paper during class – we cannot discuss what we do not read! Each review should consist of two parts: (1) a paragraph with key takeaways gleaned from the paper; (2) a few questions on topics that merit deep-dive discussion, or clarification. Note that part (1) should almost certainly not be complete (i.e., not an at-a-distance summary) but rather should be used to set up sufficient context and justification for the questions in part (2). Doing so ensures the questions are not surface-level, but rather are thought-through and engaging. You are writing a review, which means I want to see your opinion and your evidence for it. Reviews are due at midnight the day before the class, to avoid a late penalty of 20%. Reviews are graded on a score of 0-5, where

  • 0: missing or showing no evidence of having read the paper
  • 1-3: minimal effort or non-insightful summary (anybody can copy an abstract)
  • 4: insightful, but not particularly crisp or incisive; oftentimes too long
  • 5: actively insightful, with interesting and well-sourced discussion points (it often takes students a couple stabs at it to get to consistent 5’s)

Participating and presenting in class

There is an expectation to attend class and participate in discussions. The participation score will be based in large part on attendance (which we will start noting during the second week), but also on the instructor’s assessment of the thoughtfulness and insight of comments made during class.

One of the assignments for the course will be to present and lead a discussion about a cybersecurity breach. You will take the role of a cybersecurity expert trying to persuade your company’s leadership to invest in technologies that aim to ensure you do not fall prey to the same breach. To be persuasive, when designing your talk you should put yourself in their position, aiming to send an authentic message in a way that they can accept. The presentation should be about 15-20 minutes, with the ensuing discussion about 10 minutes. The goal is to learn to deep-dive into a relevant topic, and develop good presentation skills. Doing well will require doing research early, to be sure you understand the details, before preparing the presentation. Consider practicing your presentation beforehand.

Presentations will be judged based on the following criteria:

  • understanding: does the presenter understand the material?
  • thoughtfulness: does the presenter have insights and opinions beyond the basic headlines?
  • background/perspective: did the presenter understand the context of the topic, to place it in perspective?
  • clarity: can the audience understand the presentation? is the “big picture” clear? are there useful examples?
  • materials: do the slides illustrate and support the talk? are there diagrams to help convey the technicalities? (when your talk gets into deep territory, a diagram is worth 10K words) are the slides more than just bullet lists?
  • delivery: has the presenter practiced?
  • answering questions: can the presenter handle questions from the audience?

Remember that you will likely be able to explain more detail than you can hope to cover in a single lecture. This is one reason that it’s hard work to prepare a good presentation: not only do you need to understand the topic, but you need to filter out the irrelevant details and amplify the key arguments. A good talk should tell a story; every idea should be motivated, and all facts should fit together in a coherent picture. Telling such a story in a short time often requires creating your own explanations, motivation, and examples.

Excused absences

You are not required to come to class, but not coming will affect your class participation grade. We will have a Zoom option from Canvas for remotely attending class, which you can use up to three times. Each time you use this option it will be counted as a “no op” against your participation grade, i.e., neither for nor against.

There are several justifications for excused absences from class: illness, religious observance, participation in required university activities, or a family or personal emergency. We will work with you to make sure that you have a fair amount of time to make up for excused absences. The best way that we can help is if we know about absences as far in advance as possible.

  • Provide a request for absence in writing.
  • Provide appropriate documentation that shows the absence qualifies as excused.
  • Provide as much advance notice as is possible, safe, and appropriate.

One self-signed note is permitted, during the semester.

The policies for excused absences do not apply to project assignments. Projects will be assigned with sufficient time to be completed by students who have a reasonable understanding of the necessary material and begin promptly. In cases of extremely serious documented illness of lengthy duration or other protracted, severe emergency situations, the instructor may consider extensions on project assignments, depending upon the specific circumstances.

Besides the policies in this syllabus, the University’s policies apply during the semester.

Right to change information

Although every effort has been made to be complete and accurate, unforeseen circumstances arising during the semester could require the adjustment of any material given here. Consequently, given due notice to students, the instructor reserves the right to change any information on this syllabus or in other course materials.
