I teach the Threats & Risks module for the Cybersecurity CDT at Bristol. The below materials are those used in the 2019/2020 academic year. The course was designed in a partly-flipped, partly-participatory-design structure, with one planned 2-hour taught session every second week, followed by an exercise and a session from me on a topic requested by the students the next week. The third block, on risk management, was delivered by Prof. Rashid.
Block 1: Threat Modelling begins with an introduction to the module teaching style and high-level outline of what will be covered. The background to security operations information is justified, and the MAPE-K framework used to discuss activities in protecting systems. The session breaks out into a short exercise for analysing log files to understand the behaviour in them. A series of useful resources (MITRE, ATT&CK, CVE) are also introduced. In the second part, we work through attack modelling approaches: the killchain and attack trees, with an in-class exercise for building an attack tree. The flipped session defined for students at the end of the week involves them investigating existing threat modelling frameworks (STRIDE and TRIKE).
Block 2: Unknowns begins with the typical Rumsfeldian 2x2 square of knowns and unknowns, and a discussion of how we can plan around known knowns and unknowns. Class discussion around what unknown knowns might be, folding into how they arise in requirement and priority elicitation in security design. The difference between observed and elicited priorities is covered. Discussion of 'black swan' events -- new classes of threat. In the second part, we address the unintended consequences of security interventions, drawing on my work with Chua et al. and the categories discussed in that paper. The flipped session for this block involves sociological and legal paper discussions around the topic of lack of knowledge in security.
Block 4: Driving Factors introduces cybercriminology as a field of study, and discusses a series of theories from criminology generally that have been applied to understand cybercriminal behaviour -- what evidence there might be to support them, and what they suggest we might do about cybercrime. Students are then asked to design a study that captures common traits of cybercriminals, and the issues they run into in the design stage are used to frame the context behind summary results about those traits from the literature. In the second part, we discuss security economics, starting with the perspective of incentive structures as a way to understand and handle security problems. A selection of classic economic approaches are used to understand persistent security problems, from the tragedy of the commons to the market for lemons. Moves on to a discussion of the costs of cybercrime, and how these might be estimated, following Anderson et al. 2012. The flipped session for this block directed students to explore the citation context around two security economics papers, to understand the chain of evidence being used.
Block 5: Scaling Security Analysis discusses how machine learning can be applied to security problems, and in particular those issues that arise with machine learning in security contexts. The issue of obtaining representative labelled data for supervised learning, problems with handling imbalanced classes, concept drift, and unexpected results from machine learning generally are all discussed. There is then a hands-on session, in which the students start building a spam classifier which is also intended to be their flipped session result.
Block 1: Threat Dragon was a hands-on session with a particular threat modelling support tool (Threat Dragon), using some of the demonstrated features to carry out a STRIDE analysis.
Block 2: Paper Review was an example paper review from me, to complement those the group were doing. They selected a survey paper on threats in IoT, which I thought was quite a bad paper.
Block 4: Underground Economy covers the underground economy, using a series of different papers to give an insight into how cybercriminals interact, and how research into cybercrime operates. Covers IRC communities, underground carding forums, and cryptomarkets.