CS 52300 - Social, Economic, and Legal Aspects of Security Spring 2020





As of March 23rd, all classroom instruction is being conducted online. Email was sent to all registered students introducing some of the details. This syllabus has been updated to reflect those changes. Students are expected to watch lectures online (linked at the class Blackboard site), and monitor their email and the class Piazza site.

Questions or concerns should be directed to the instructor and/or the TAs.

University COVID-19 website
Call Center: 765-496-INFO (4636) (1-833-571-1043 toll free).

Description

This course is an introduction to the elements of information security and protection. It covers issues for systems and networks, including policy, design, operation, incident detection and response, and more.

Catalog description: This course focuses on social, legal, and economic aspects of information security and privacy, also including ethics, policies, and human behavioral issues. The course covers the interactions between non-technological aspects of information security as well as relevant technological aspects. It focuses on how non-technological facets can inform and guide technological choices, and how technological choices can enhance or detract from the broader organizational and societal goals. Typically offered Spring.

Credit

3 class hours, 3 credit hours

Prerequisites

CS 42600 or CS 526 Computer Security or equivalent course with the consent of the instructor (can be taken concurrently).

Policies & Standards

All of my courses operate under the same general policies and standards. My students are expected to study and understand all of these policies. Potential students are encouraged to check these out before signing up for one of my classes.

Details

Semester schedule

Class meetings

MWF in LWSN 1106, 11:30am - 12:20pm

Lectures will be posted on-line via the class Blackboard site. Students are expected to watch the lectures and do the associated readings.

Midterm:

Tentatively scheduled for March 9, in class
No books or notes. NO electronic devices.

The midterm may be done as a take-home exam due March 9 instead of in-class.

Final exam:

There will be no final exam. Instead, a final paper will be due May 6.

Instructor

Eugene H. Spafford (Spaf)

Some classes will be taught by other faculty or video when Spaf is out of town.

For office hours, telephone/email, etc., see Spaf's homepage.

If you need to talk to me about class, or simply need to talk to someone about your Purdue classes or because you are feeling overwhelmed, I will be happy to schedule a Skype or Zoom session to talk one-on-one. Send me email with a request and some times that will work for you.

TA

Maryam Davari
Office hours: Tues 12:30-2:30pm, Thur 2:15-4:15pm, or by appointment
Tu: 2:30 - 4:30, Th: 1:30 - 4:30, F: 3:30 - 6:30
Office: HAAS G-72 (online in Piazza)
email: davari@purdue.edu

Contacting Students

There will be a course email list used for high-priority announcements. This will use your registered @purdue.edu email address; make sure this is forwarded to an account you read on a regular basis.

Some announcements may be posted in Blackboard, so be sure to check that at least once each week.

This informational page will be updated over the course of the semester! Be sure to check it regularly.

Grades and Grading

Blackboard will be used to distribute assignments and collect your responses. Grades will only be available there.

The final grade in the class will be based on assignments, a midterm exam, and a final paper.

The determination of final scores will be approximately 20% for projects, 40% for the term paper, and 40% for the final paper.

I have adopted this 10 point scale for assignments, originally described by Professor Clifton for grading all non-test items:

10 Exceptional work. So good that it makes up for substandard work elsewhere in the course. These will be rare, and for many homeworks/problems a perfect score will correspond to an 8.
8 What I'd expect of a Ph.D. candidate or outstanding MS student. This corresponds to an A grade.
6 Average Master's degree student work, but not what I'd like to see for a Ph.D. candidate. This corresponds to a B grade.
4 Okay for a Master's candidate who does extremely well in other courses. This corresponds to a C grade.
2 Not good enough for a graduate student. But something.
0 Missing work, or so bad that you needn't have bothered.

Week-by-week topics

The following shows an approximate week-by-week list of topics and readings (readings will be fleshed out as the semester advances). The actual presentation of some of these topics may change, subject to availability of guest lecturers and additional resources.

† Normally, Wikipedia should not be relied upon as a definitive resource: many of its pages contain incomplete and incorrect information. Some of the pages are actually carefully crafted hoaxes. For this course, I will, however, list some Wikipedia entries for overview purposes because I have reviewed them (at the time of assignment) and found no glaring errors.
‡ You will need to access some of these readings via the Purdue online library - you need to use the Purdue portal to get to them.
Week / Dates Topics Readings & Notes
1 / Jan 13 Class introduction & policies and overview of class.
Overview of course.
Cyber crime
  • Identity theft and identity fraud
  • Organized crime and terrorism
  • Underground hacking economy
  • Law enforcement and prosecution
2 / Jan 20 Personnel security and insider threat
  • Data theft; information traceability
  • Sabotage
  • Personnel security issues: vetting, training, certifications, clearances, conflict of interests, monitoring
  • detection, mitigation, and prevention
3 / Jan 27 Computer forensics
  • Procedures: search and seizure, handling of evidence
  • Admissibility in court and jurisdiction
  • Standards and key organizations: American Society of Crime Laboratory Directors (ASCLD), etc.
Fourth Amendment Seizures of Computer Data by Orin Kerr
4 / Feb 3 Incident responses
  • Data collection, handling, analysis, validity
  • Damage assessment; preincident preparation; monitoring, detection, reaction
  • Standards and key organizations: CERT/CC, FIRST, etc.
5 / Feb 10 Economics of information security
  • Quantifying business value of security, and of investments therein
  • Quantifying value of privacy and data
  • Role of incentives in attack and defense;
  • Role of uncertainty and risk aversion
  • Role of insurance in cyber security
6 / Feb 17 Security management
  • Analysis and planning; organization; supervision
  • Evaluation and evolution as circumstances change
  • Organizational security/privacy policies and their enforcement
  • Standards and key organizations: NIST's Security Content Automation Protocol, COBIT framework, etc.
The Economics of Information Security by Ross Anderson and Tyler Moore
7 / Feb 24 Behavioral and usability issues in security and privacy
  • Human factors in security; attitudes towards privacy, security
  • Measurement (online surveys, monitoring); social engineering attacks
  • Motivations of attackers; effects of monitoring and traceability on behavior
  • Designing for ease of use
8 / Mar 2 Privacy: social, ethical and legal considerations
  • General vs domain-specific; monitoring for compliance; enforcement
  • International issues: US versus other countries such as EU
  • Relationships between technical and legal notions of privacy
  • Related laws: HIPAA, GLBA, COPPA, FERPA
  • The Balance of Privacy and Security

Midterm
9 / Mar 9 Guest lecture by Prof. Sorin Matei
The generative nature of the internet and its downsides
The conficker worm
9 / Mar 9 Regulations and compliance
  • Electronic commerce; privacy; monitoring for compliance; enforcement
  • Contract issues, copyright, trademark, trade secret
  • Digital Rights Management (DRM)
  • Digital Millennium Copyright Act and the European Union's Copyright Directive
  • Related laws: Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA), etc.
9 / Mar 11 Guest lecture by Prof. Karthik Kannan
March 13 Day off in lieu of Midterm Exam
March 14 Spring Break!
10 / Mar 23 (Online) Topic TBD
10 / Mar 25 (Online) Topic TBD
10 / Mar 27 (Online) Web security issues: Liability and its limits for intermediaries (mere conduit, caching, hosting)
  • Software liability and impact of software security
  • Data breach liability
  • Intermediary liability issues
11 / Mar 30 (Online) Cyber warfare and international issues
  • Cyber weapons
  • Cyber espionage
  • International laws and treaties
12 / Apr 6 (Online) Risk management
  • Quantitative and qualitative risk assessment.
  • Exposure factors; controlling risk
  • Metrics and quantification and their limitations; risk reviews
April 7-8 CERIAS Annual Symposium!
13 / Apr 13 (Online) Ethical aspects of information security
  • Design for accessibility
  • Protection from harmful, inaccurate, or misleading content
  • Balance need for monitoring and surveillance and respect of personal privacy
14 / Apr 20 (Online) Emerging topics
  • Cryptocurrency and impact on economy
  • Internet of things security and privacy
  • Threats to critical infrastructure and their security
15 / Apr 27 (Online) Wrap-up and overflow.
Finals / Week of May 4 No final exam -- a final paper will be due on May 4.

Other Information

Students are encouraged to attend the weekly security seminar or to view the podcasts online.

Other information, handouts, assignments, etc. will all be on the class page in Blackboard and eventually linked in here.