Syllabus

Description

In this course, students learn techniques for building, deploying, and maintaining secure systems. As computer security is a constantly evolving field, the course places particular emphasis on means to empirically evaluate security technology, processes, and operational practices. As security is always in support of a primary activity and resources are limited, the course also places emphasis on strong communications, using evidence and empathy to explain and collaborate on security needs. By the end of the course, students should be able to:

• Understand cybersecurity from a data-driven and economic perspective.
• Think like an attacker, and thereby develop high-quality threat models for systems and deployments.
• Account for the impact to humans interacting with a computer system, both when they are attack targets and when the play a role in ensuring the system’s security.
• Understand key security defenses, the attacks they respond to, and how to put defenses together to build secure systems.
• Manage security post-deployment – preventing, detecting, mitigating, and recovering from incidents – and gather data to improve future decisions.
• Make risk-informed decisions: Assess design elements and technologies according to how they mitigate security risk, and prioritize them to minimize risk.
• Communicate effectively and with empathy to key stakeholders about security risks

Prerequisites

Equivalent knowledge of CIS 2400 - Computer Systems and CIS 2610 - Discrete Probability, Stochastic Processes, and Statistical Inference. Permission to enroll is granted by the instructor (as per usual with CIS 7000-level courses).

List of topics (tentative)

• Economic view of cybersecurity
• Cybersecurity as a scientific pursuit
• Background on cyber-relevant statistical analyses
• Overview of a variety of cyber attacks and defenses
• Threat modeling and security design
• The role of the human: Defender and victim
• Authentication, phishing, social engineering
• Cyber-incident detection and response
• Cybersecurity management challenges
• Cybersecurity public health
• Cybersecurity risk assessment
• Cyberinsurance, regulation
• How to talk persuasively about security and risk

Online resources

Website: Various course materials will be made available on the class website, which can be accessed at https://mhicks.me/courses/CIS-7000-Spring2026

Canvas: Students enrolled in the class will have access to the course canvas site. Use this site to access the Zoom link for remote attendance, to submit course assignments, and to see the gradebook.

Grading

(Tentative) The final grade will consist of two main parts:

Class participation and projects (60%). This consists of:

1. (13%) a written 2-3 paragraph review for each paper we read, due prior to the discussion date;
2. (7%) participation during class; and
3. (40%) five projects

Exams (40%), of which there are two:

1. (20%) midterm exam
2. (20%) final exam

Class activities

Paper reviews

For most papers that we read in the class, students must submit a review of each paper. These will be used to drive discussion of the paper during class – we cannot discuss what we do not read! Each review should consist of two parts: (1) a paragraph with key takeaways gleaned from the paper; (2) a few questions on topics that merit deep-dive discussion, or clarification. Note that part (1) should almost certainly not be complete (i.e., not an at-a-distance summary) but rather should be used to set up sufficient context and justification for the questions in part (2). Doing so ensures the questions are not surface-level, but rather are thought-through and engaging. You are writing a review, which means I want to see your opinion and your evidence for it. Reviews are due 3pm the day before the class, to avoid a late penalty of 20%. Reviews are graded on a score of 1-5, where

• 0: missing or showing no evidence of having read the paper
• 1-3: minimal effort or non-insightful summary (anybody can copy an abstract)
• 4: insightful, but not particularly crisp or incisive; oftentimes too long
• 5: actively insightful, with interesting and well-sourced discussion points (it often takes students a couple stabs at it to get to consistent 5’s)

Participating and presenting in class

There is an expectation to attend class and participate in discussions. The participation score will be based in large part on attendance (which we will start noting during the second week), but also on the instructor’s assessment of the thoughtfulness and insight of comments made during class.

One of the assignments for the course will be to present and lead a discussion about a cybersecurity breach. The presentation should be about 15-20 minutes, with the ensuing discussion about 10 minutes. The goal is to learn to deep-dive into a relevant topic, and develop good presentation skills. Doing well will require doing research early, to be sure you understand the details, before preparing the presentation. Consider practicing your presentation beforehand.

Presentations will be judged based on the following criteria:

• understanding: does the presenter understand the material?
• thoughtfulness: does the presenter have insights and opinions beyond the basic headlines?
• background/perspective: did the presenter understand the context of the topic, to place it in perspective?
• clarity: can the audience understand the presentation? is the “big picture” clear? are there useful examples?
• materials: do the slides illustrate and support the talk? are there diagrams to help convey the technicalities? (when your talk gets into deep territory, a diagram is worth 10K words) are the slides more than just bullet lists?
• delivery: has the the presenter practiced?
• answering questions: can the presenter handle questions from the audience?

Remember that you will likely be able to explain more detail than you can hope to cover in a single lecture. This is one reason that it’s hard work to prepare a good presentation: not only do you need to understand the topic, but you need to filter out the irrelevant details and amplify the key arguments. A good talk should tell a story; every idea should be motivated, and all facts should fit together in a coherent picture. Telling such a story in a short time often requires creating your own explanations, motivation, and examples.

Excused absences

You are not required to come to class, but not coming will affect your class participation grade. There are several justifications for excused absences from class: illness, religious observation, participation in required university activities, or a family or personal emergency. We will work with you to make sure that you have a fair amount of time to make up for excused absences. The best way that we can help is if we know about absences as well in advance as possible.

• Provide a request for absence in writing.
• Provide appropriate documentation that shows the absence qualifies as excused.
• Provide as much advance notice as is possible, safe, and appropriate.

One self-signed note is permitted, during the semester.

The policies for excused absences do not apply to project assignments. Projects will be assigned with sufficient time to be completed by students who have a reasonable understanding of the necessary material and begin promptly. In cases of extremely serious documented illness of lengthy duration or other protracted, severe emergency situations, the instructor may consider extensions on project assignments, depending upon the specific circumstances.

Besides the policies in this syllabus, the University’s policies apply during the semester.

Right to change information

Although every effort has been made to be complete and accurate, unforeseen circumstances arising during the semester could require the adjustment of any material given here. Consequently, given due notice to students, the instructor reserves the right to change any information on this syllabus or in other course materials.