CS 52300 - Social, Economic, and Legal Aspects of Security Spring 2020



Link to Blackboard Learn login page


Link to Piazza class page


Description

This course is an introduction to the elements of information security and protection. It covers issues for systems and networks, including policy, design, operation, incident detection and response, and more.

Catalog description: This course focuses on social, legal, and economic aspects of information security and privacy, also including ethics, policies, and human behavioral issues. The course covers the interactions between non-technological aspects of information security as well as relevant technological aspects. It focuses on how non-technological facets can inform and guide technological choices, and how technological choices can enhance or detract from the broader organizational and societal goals. Typically offered Spring.

Credit

3 class hours, 3 credit hours

Prerequisites

CS 42600 or CS 526 Computer Security or equivalent course with the consent of the instructor (can be taken concurrently).

Policies & Standards

All of my courses operate under the same general policies and standards. My students are expected to study and understand all of these policies. Potential students are encouraged to check these out before signing up for one of my classes.

Details

Semester schedule

Class meetings

MWF in LWSN 1106, 11:30am ‐ 12:20pm

Midterm:

Tentatively scheduled for March 9, in class
No books or notes. NO electronic devices.

The midterm may be done as a take-home exam due March 9 instead of in-class.

Final exam:

TBD
Comprehensive. No books or notes. NO electronic devices. May 6, 10:30a - 12:30p in LWSN B-151.

There will also be a final paper, due on the last day of classes (May 1).

Instructor

Eugene H. Spafford (Spaf)

Some classes will be taught by other faculty or video when Spaf is out of town.

For office hours, telephone/email, etc., see Spaf's homepage.

TA

Maryam Davari
Office hours: Tues 12:30-2:30pm, Thur 2:15-4:15pm, or by appointment
Office: HAAS G-72
Email: davari@purdue.edu

Contacting Students

There will be a course email list used for high-priority announcements. This will use your registered @purdue.edu email address; make sure this is forwarded to an account you read on a regular basis.

Some announcements may be posted in Blackboard, so be sure to check that at least once each week.

This informational page will be updated over the course of the semester! Be sure to check it regularly.

Grades and Grading

Blackboard will be used to distribute assignments and collect your responses. Grades will only be available there.

The final grade in the class will be based on assignments, a midterm exam, a final paper, and a comprehensive final exam. Classroom and discussion participation may be used to adjust final grades. In-class quizzes may be given without advance notice.

The determination of final scores will be approximately 15% for projects, 25% for the term paper, 25% for the midterm, and 35% for the final exam.

I have adopted this 10-point scale for assignments, originally described by Professor Clifton, for grading all non-test items:

10 Exceptional work. So good that it makes up for substandard work elsewhere in the course. These will be rare, and for many homeworks/problems a perfect score will correspond to an 8.
8 What I'd expect of a Ph.D. candidate or outstanding MS student. This corresponds to an A grade.
6 Average Master's degree student work, but not what I'd like to see for a Ph.D. candidate. This corresponds to a B grade.
4 Okay for a Master's candidate who does extremely well in other courses. This corresponds to a C grade.
2 Not good enough for a graduate student. But something.
0 Missing work, or so bad that you needn't have bothered.

Week-by-week topics

The following shows an approximate week-by-week list of topics and readings (readings will be fleshed out as the semester advances). The actual presentation of some of these topics may change, subject to availability of guest lecturers and additional resources.

† Normally, Wikipedia should not be relied upon as a definitive resource: many of its pages contain incomplete and incorrect information. Some of the pages are actually carefully crafted hoaxes. For this course, I will, however, list some Wikipedia entries for overview purposes because I have reviewed them (at the time of assignment) and found no glaring errors.
‡ You will need to access some of these readings via the Purdue online library ‐ you need to use the Purdue portal to get to them.
Week / Dates Topics Readings & Notes
1 / Jan 13 Class introduction, policies, and overview of the course.
Cyber crime
  • Identity theft and identity fraud
  • Organized crime and terrorism
  • Underground hacking economy
  • Law enforcement and prosecution
2 / Jan 20 Personnel security and insider threat
  • Data theft; information traceability
  • Sabotage
  • Personnel security issues: vetting, training, certifications, clearances, conflict of interests, monitoring
  • Detection, mitigation, and prevention
3 / Jan 27 Computer forensics
  • Procedures: search and seizure, handling of evidence
  • Admissibility in court and jurisdiction
  • Standards and key organizations: American Society of Crime Laboratory Directors (ASCLD), etc.
4 / Feb 3 Incident responses
  • Data collection, handling, analysis, validity
  • Damage assessment; preincident preparation; monitoring, detection, reaction
  • Standards and key organizations: CERT/CC, FIRST, etc.
5 / Feb 10 Economics of information security
  • Quantifying business value of security, and of investments therein
  • Quantifying value of privacy and data
  • Role of incentives in attack and defense
  • Role of uncertainty and risk aversion
  • Role of insurance in cyber security
6 / Feb 17 Security management
  • Analysis and planning; organization; supervision
  • Evaluation and evolution as circumstances change
  • Organizational security/privacy policies and their enforcement
  • Standards and key organizations: NIST's Security Content Automation Protocol, COBIT framework, etc.
7 / Feb 24 Behavioral and usability issues in security and privacy
  • Human factors in security; attitudes towards privacy, security
  • Measurement (online surveys, monitoring); social engineering attacks
  • Motivations of attackers; effects of monitoring and traceability on behavior
  • Designing for ease of use
8 / Mar 2 Privacy: social, ethical and legal considerations
  • General vs domain-specific; monitoring for compliance; enforcement
  • International issues: US versus other countries such as EU
  • Relationships between technical and legal notions of privacy
  • Related laws: HIPAA, GLBA, COPPA, FERPA

Midterm
9 / Mar 9 Regulations and compliance
  • Electronic commerce; privacy; monitoring for compliance; enforcement
  • Contract issues, copyright, trademark, trade secret
  • Digital Rights Management (DRM)
  • Digital Millennium Copyright Act and the European Union's Copyright Directive
  • Related laws: Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA), etc.
March 11 Midterm Exam
March 14 Spring Break!
10 / Mar 23 Web security issues: liability and its limits for intermediaries (mere conduit, caching, hosting)
  • Software liability and impact of software security
  • Data breach liability
  • Intermediary liability issues
11 / Mar 30 Cyber warfare and international issues
  • Cyber weapons
  • Cyber espionage
  • International laws and treaties
12 / Apr 6 Risk management
  • Quantitative and qualitative risk assessment
  • Exposure factors; controlling risk
  • Metrics and quantification and their limitations; risk reviews

Also note that the CERIAS Symposium and associated events are this week!
April 7-8 CERIAS Annual Symposium!
13 / Apr 13 Ethical aspects of information security
  • Design for accessibility
  • Protection from harmful, inaccurate, or misleading content
  • Balance need for monitoring and surveillance and respect of personal privacy
14 / Apr 20 Emerging topics
  • Cryptocurrency and impact on economy
  • Internet of things security and privacy
  • Threats to critical infrastructure and their security
15 / Apr 27 Wrap-up and overflow.
Finals / Week of May 4 Final Exam: Comprehensive, closed book, May 6 10:30a - 12:30p in LWSN B-151

Other Information

Students are encouraged to attend the weekly security seminar or to view the podcasts online.

Other information, handouts, assignments, etc. will all be on the class page in Blackboard and eventually linked in here.