CSE 5/7338 Course Syllabus
Fall 2013, T/Th 11am-12:20pm, Caruth Hall Rm. 184
(Syllabus also available in PDF form.)
Phone: 214-768-3716 (x83716 on campus)
Office: Caruth Hall Rm. 439
Office Hours: Tuesday 1PM - 2PM, Wednesday 9AM-10AM, and by appointment
Email Hours: I strive to respond to course-related emails within 24 hours on weekdays. Inevitably I may overlook some messages; if more than 24 hours has passed, feel free to send me a reminder.
Introduces economics as a tool for understanding and managing information security. Reviews key information security challenges and technologies in order to reason about the topics economically. Students are introduced to techniques of analytic and empirical modeling. Economic concepts reviewed include rationality, markets, and information. Presents models and metrics of security investment, along with cost-benefit analysis techniques, and techniques for empirical investigation and measurement of cybercrime. Security games are designed to capture the strategic interaction between defenders, as well as between attacker and defenders. Implications for public policy are discussed.
This course requires a background in computer science, engineering or economics. Students with a background in computer science should have taken CSE 3353 "Fundamentals of Algorithms" or its equivalent. However, students majoring in economics, EMIS or other disciplines are welcome to enroll in the class with my permission. If you are interested in the course but unsure if you are eligible to enroll, please contact me.
No prior experience with information security is required, but even students who have lots of prior experience should find the course engaging. There is almost no overlap with other existing security courses offered at SMU.
Upon completing this course, students should be able to:
- identify key problems in information security and distinguish non-technical obstacles
- recognize economic concepts and apply them to information security problems
- employ security metrics and explain their limitations
- interpret analytic models of security investment and apply them to real-world situations
- describe the state of the art in cybercrime and the underground economy
- analyze and interpret security datasets by applying appropriate statistical analysis using R
- interpret game theoretic models applied to information security problems
- identify public policy issues in information security
Here are the more general ABET student outomes by which students are evaluated:
- an understanding of professional, ethical, legal, security and social issues and responsibilities
- an ability to communicate effectively with a range of audiences
- an ability to analyze the local and global impact of computing on individuals, organizations, and society.
The course is organized roughly into five components.
- Introduction (5 lectures): We start by introducing key concepts from information security and economics.
- Security metrics and investment (5 lectures): We discuss standard models and metrics of security investment, along with their limitations.
- Measuring cybercrime (7 lectures): We learn about the state of the art in cybercrime and its flourishing underground economy, followed by a discussion of techniques for collecting and analyzing data on information security topics.
- Security games (4 lectures): We introduce game theory and discuss ways to model the strategic interaction of defenders and attackers in information security applications.
- Policy options (remaining time): We discuss available economic tools for improving information security, including cyber insurance/risk transfer, information sharing, and liability assignment.
Covering the first four topics may take more time than anticipated, in which case the last topic will be abbreviated. See the schedule for up-to-date details and reading assignments. Please note that the schedule and topics will most likely be revised during the semester.
There is no textbook for the course. Readings are assigned from lecture notes co-authored by Rainer Böhme and myself, as well as from relevant academic papers.
The course website is located at http://lyle.smu.edu/~tylerm/courses/econsec/. Course announcements will be made via Blackboard. Distance students will submit assignments online via Blackboard.
Screencasts describing interactions with security datasets in R will be posted on my YouTube channel.
Unless otherwise stated, coursework is due at 4:30pm on the specified due date. Distance students turn in assignments via Blackboard; on-campus students turn in assignments to CSE Departmental Secretary Debra McDowell.
There are 4 assignments, each equally weighted. There will be one assignment for each of the first four broad topic areas (introduction, security metrics and investment, measuring cybercrime, and security games). Full details will be posted on the schedule in due course.
The final project will be on a topic selected by the students. Students are strongly encouraged to work in pairs. Full details on the project can be found here.
There is one midterm and one comprehensive final exam. The purpose of the exam is to assess the economics and information security concepts covered in the course, particularly those not covered by the homework assignments.
The midterm exam is scheduled to be given on October 17, and the final exam will be held Saturday, December 14, from 8-11am. Distance students must complete the midterm exam by October 18 (exam will be made available to proctors on October 16). Distance students must complete the final exam between Thursday, December 12 and Saturday, December 14. Any distance students that anticipate a scheduling conflict should contact the instructor well in advance.
Note: any on-campus graduate students enrolled in a distance section (e.g., due to a scheduling conflict) must take exams on campus with on-campus students during the normal exam times.
Evaluating Student Performance
- Assignments (30%)
- Project (25%)
- Midterm Exam (20%)
- Final Exam (25%)
I use standard percentage cut-offs when determining letter grades (e.g., [93-100] is an A, [90-93) is an A-, [87-90) is a B+, etc.). I do not use a curve in assigning grades, as I believe grading on a curve discourages collaboration among students. Occasionally, though, a particular assignment may be too difficult and so I reserve the right to adjust the score appropriately.
In order to reward progress in learning that occurs over the course of the semester, I will let students replace their lowest score on an assignment with their score on the final exam, provided that the final exam grade is higher than the lowest-graded assignment. For example, suppose you make an 82%, 88%, 90%, and 92% on the homework assignments and receive an 89% on the final exam. The 82% assignment grade is replaced by 89%, and the final exam is also treated as 89%.
Differences Between CSE 5338 and CSE 7338
Both the undergraduate and graduate offerings of this course cover the same material. Graduate students will be assigned additional problems on assignments and exams. Graduate students will also be assessed more critically with regard to novelty on the course project.
Attendance and Participation Policy
I expect you to attend classes and participate in class discussions. I understand that occasionally circumstances may arise so that you must miss class. This is OK, but I would appreciate if you send me an email in advance letting me know that you won't be able to attend class. Chronically missing class is not acceptable, and I reserve the right to penalize the course grade or academically withdraw students in the event of persistent absence.
I also expect that you will keep up with the reading.
The assignments are designed to prepare you for tasks on the course project, and often build on concepts introduced in earlier assignments. Consequently, it is essential that you do not fall too far behind. As a result, assignments and project tasks really are due at the time stated in the course schedule.
There are three exceptions to this policy. First, if you have an emergency (e.g., serious illness, death in the family), please let me know as soon as possible so we can work out an accommodation.
Second, students are given 3 lateness coupons for assignments (but not exams or the final project) for use throughout the semester, with one coupon equal to a 24-hour extension.
To redeem a lateness coupon, you must send an email to
email@example.com with subject "Lateness coupon" BEFORE the assignment is due. In the body of the email please let me know how many coupons you wish to redeem.
The third exception to the strict deadline policy is for unforeseen circumstances that affect everyone: the power goes out on campus two hours before an assignment is due, for example. In this case, I will extend the deadline in a reasonable manner (e.g., extend by 24 hours after power is restored). I will post an announcement to Blackboard if such a circumstance arises.
Collaboration and Attribution
I encourage collaboration between students on assignments and when
studying. Collaboration is an essential skill for engineering, not to
mention life in general. Unless I say otherwise, feel free to discuss
assignments and the project with your classmates, including ideas for
how to solve problems. Please do not, however, share code,
equations, or written answers that solve an assignment directly with
other students. Solutions to homeworks should be written from
scratch and must not be pieced together from other students.
If you work with another student on assignments, you must turn in a single copy with both students' names.
It is also important to give credit to others when appropriate. If you implement an idea that you got from another student (or students), please say so. Furthermore, if you consult a web resource that directly assists you, please say so. As a reminder, it is also not acceptable to copy code or equations directly from a web resource that solves a problem on an assignment.
Policy on Academic Dishonesty
The SMU Honor Code defines cheating, plagiarism and facilitating academic dishonesty here:
Any student found doing any of the aforementioned activities will receive a failing grade in the course. Note that this includes copying code or writing from the Internet or other resources without attribution. I also reserve the right to refer the case to the Honor Council.
It is my policy to not offer extra credit assignments on a per-student basis. To ensure fairness, extra credit may only be offered to all students, and would most likely take the form of a modest reward for attending an optional lecture, not an extra assignment.
Students needing academic accommodations for a disability must first be registered with Disability Accommodations & Success Strategies (DASS) to verify the disability and to establish eligibility for accommodations. Students may call 214-768-1470 or visit http://www.smu.edu/alec/dass to begin the process. Once registered, students should then schedule an appointment with the professor to make appropriate arrangements.
Religiously observant students wishing to be absent on holidays that require missing class should notify their professors in writing at the beginning of the semester, and should discuss with them, in advance, acceptable ways of making up any work missed because of the absence. (See University Policy No. 1.9 for details.)
University Extracurricular Activities
Students participating in an officially sanctioned, scheduled University extracurricular activity should be given the opportunity to make up class assignments or other graded assignments missed as a result of their participation. It is the responsibility of the student to make arrangements with the instructor prior to any missed scheduled examination or other missed assignment for making up the work. (See the University Undergraduate Catalog for details.)
Please note that this syllabus is subject to change. Any changes to the syllabus will be announced via Blackboard and displayed on the course website.