Course Syllabus

Fall 2012, T/Th 5pm-6:20pm, Junkins Building Rm. 203

(Syllabus also available in PDF form.)

Instructor Information

Tyler Moore


Phone: 214-768-3716 (x83716 on campus)

Office: Caruth Hall Rm 439

Office Hours: Tuesday 1PM - 2PM, Wednesday 9AM-10AM, and by appointment

Email Hours: I strive to respond to course-related emails within 24 hours on weekdays. Inevitably I may overlook some messages; if more than 24 hours has passed, feel free to send me a reminder.

Course Description


Introduces economics as a tool for understanding and managing information security. Reviews key information security challenges and technologies in order to reason about the topics economically. Students are introduced to techniques of analytic and empirical modeling. Economic concepts reviewed include rationality, markets, and information. Models and metrics of security investment are presented, along with cost-benefit analysis techniques. Techniques for empirical investigation and measurement of cybercrime are presented. Security games are designed to capture the strategic interaction between defenders, as well as between attacker and defenders. Implications for public policy are discussed.

Learning Outcomes

Upon completing this course, students should be able to:


The course is organized roughly into five components.

  1. Introduction (3 weeks): We start by introducing key concepts from information security and economics.
  2. Security metrics and investment (2 weeks): We discuss standard models and metrics of security investment, along with their limitations.
  3. Measuring cybercrime (3 weeks): We learn about the state of the art in cybercrime and its flourishing underground economy, followed by a discussion of techniques for collecting and analyzing data on information security topics.
  4. Security games (3 weeks): We introduce game theory and discuss ways to model the strategic interaction of defenders and attackers in information security applications.
  5. Policy options (remaining time): We discuss available economic tools for improving information security, including cyber insurance/risk transfer, information sharing, and liability assignment.

Covering the first four topics may take more time than anticipated, in which case the last topic will be abbreviated. See the schedule for up-to-date details and reading assignments. Please note that because this is a new course, the schedule and topics will most likely be revised during the semester.


This course requires a background in computer science, engineering or economics. Students with a background in computer science should have taken CSE 3353 "Fundamentals of Algorithms" . However, students majoring in economics, EMIS or other disciplines are welcome to enroll in the class with my permission. If you are interested in the course but unsure if you are eligible to enroll, please contact me.

No prior experience with information security is required, but even students who have lots of prior experience should find the course engaging. There is almost no overlap with other existing security courses offered at SMU.


There is no textbook for the course. Readings are assigned from lecture notes co-authored by Rainer Böhme and myself, as well as from relevant academic papers.


The course website is located at Course announcements will be made via Blackboard. Students will also submit assignments online via Blackboard.



There are 4 assignments, each equally weighted. There will be one assignment for each of the first four broad topic areas (introduction, security metrics and investment, measuring cybercrime, and security games). Full details will be posted on the schedule in due course. Assignments will be turned in via Blackboard.


The final project will be on a topic selected by the students. Students are strongly encouraged to work in pairs. There are three broad approaches available, which may appeal to students differently based on the existing skill set. Full details on the project can be found here.


There will be a comprehensive final exam. The purpose of the exam is to assess the economics and information security concepts covered in the course, particularly those not covered by the homework assignments.

Evaluating Student Performance

Grade Distribution

I use standard percentage cut-offs when determining letter grades (e.g., [93-100] is an A, [90-93) is an A-, [87-90) is a B+, etc.). I do not use a curve in assigning grades, as I believe grading on a curve discourages collaboration among students. Occasionally, though, a particular assignment may be too difficult and so I reserve the right to adjust the score appropriately.

In order to reward progress in learning that occurs over the course of the semester, I will let students replace their lowest score on an assignment with their score on the final exam, provided that the final exam grade is higher than the lowest-graded assignment. For example, suppose you make an 82%, 88%, 90%, and 92% on the homework assignments and receive an 89% on the final exam. The 82% assignment grade is replaced by 89%, and the final exam is also treated as 89%.

Differences Between CSE 5390 and CSE 7390

Both the undergraduate and graduate offerings of this course cover the same material. Graduate students will be assigned additional problems on assignments and exams. Graduate students will also be assessed more critically with regard to novelty in topic selection for the course project.

Attendance and Participation Policy

I expect you to attend classes and participate in class discussions. I understand that occasionally circumstances may arise so that you must miss class. This is OK, but I would appreciate if you send me an email in advance letting me know that you won't be able to attend class. Chronically missing class is not acceptable, and I reserve the right to penalize the course grade in the event of persistent absence.

I also expect that you will keep up with the reading.

Late Work

The assignments are designed to prepare you for tasks on the course project, and often build on concepts introduced in earlier assignments. Consequently, it is essential that you do not fall too far behind. As a result, assignments and project tasks really are due at the time stated in the course schedule.

There are three exceptions to this policy. First, if you have an emergency (e.g., serious illness, death in the family), please let me know as soon as possible so we can work out an accommodation.

Second, students are given 3 lateness coupons for assignments (but not exams or the final project) for use throughout the semester, with one coupon equal to a 24-hour extension.

To redeem a lateness coupon, you must send an email to with subject "Lateness coupon" BEFORE the assignment is due. In the body of the email please let me know how many coupons you wish to redeem.

The third exception to the strict deadline policy is for unforeseen circumstances that affect everyone: the power goes out on campus two hours before an assignment is due, for example. In this case, I will extend the deadline in a reasonable manner (e.g., extend by 24 hours after power is restored). I will post an announcement to Blackboard if such a circumstance arises.

Collaboration and Attribution

I encourage collaboration between students on assignments and when studying. Collaboration is an essential skill for engineering, not to mention life in general. Unless I say otherwise, feel free to discuss assignments and the project with your classmates, including ideas for how to solve problems. Please do not, however, share code, equations, or written answers that solve an assignment directly with other students. Solutions to homeworks should be written from scratch and must not be pieced together from other students.

It is also important to give credit to others when appropriate. If you implement an idea that you got from another student (or students), please say so. Furthermore, if you consult a web resource that directly assists you, please say so. As a reminder, it is also not acceptable to copy code or equations directly from a web resource that solves a problem on an assignment.

Policy on Academic Dishonesty

The SMU Honor Code defines cheating, plagiarism and facilitating academic dishonesty here:

Any student found doing any of the aforementioned activities will receive a failing grade in the course. I also reserve the right to refer the case to the Honor Council.

Extra Credit

It is my policy to not offer extra credit assignments on a per-student basis. To ensure fairness, extra credit may only be offered to all students, and would most likely take the form of a modest reward for attending an optional lecture, not an extra assignment.

Special Needs

Disability Accommodations

Students needing academic accommodations for a disability must first be registered with Disability Accommodations & Success Strategies (DASS) to verify the disability and to establish eligibility for accommodations. Students may call 214-768-1470 or visit to begin the process. Once registered, students should then schedule an appointment with the professor to make appropriate arrangements.

Religious Observance

Religiously observant students wishing to be absent on holidays that require missing class should notify their professors in writing at the beginning of the semester, and should discuss with them, in advance, acceptable ways of making up any work missed because of the absence.  (See University Policy No. 1.9 for details.)

University Extracurricular Activities

Students participating in an officially sanctioned, scheduled University extracurricular activity should be given the opportunity to make up class assignments or other graded assignments missed as a result of their participation. It is the responsibility of the student to make arrangements with the instructor prior to any missed scheduled examination or other missed assignment for making up the work.    (See the University Undergraduate Catalog for details.)


Please note that this syllabus is subject to change. Because this is a new course, I reserve the right to alter its design as necessary to improve the learning experience. Any changes to the syllabus will be announced via Blackboard and displayed on the course website.