Security and Human Behavior


Winter 2018

TR 2:00pm - 3:20pm


Dr. Rachel Greenstadt
Department of Computer Science
Drexel University
Office: University Crossings 140
Tel: 1 215 895 2920
Email: rachel.a.greenstadt AT drexel edu
Office Hours: Wed 2:00-3:00 or by appt

Course Overview

Humans are usually the weakest link in information security. Technical measures are easily thwarted by end-user decisions. How are end-user decisions made? This course examines security decisions online from the distinct perspectives of economics, psychology, anthropology, evolutionary biology, and criminology. We will address topics such as System I vs. System II, mental models, risk perceptions, safety engineering, and group behaviors in primates.


  • (INFO 110 Minimum Grade: D or INFO 310 Minimum Grade: D) and PSY 101 Minimum Grade: D and ECON 201 Minimum Grade: D


The textbook for the course is The New School of Information Security by Adam Shostack and Andrew Stewart.

Coursework and Grading

Grading will consist of two exams, two projects, online and in-class participation (including online discussion), and some written homework assignments. Projects may be done in groups of two or three people. The exams will be written, in class, and cover topics from the textbook, lectures, and supplemental readings. This class will follow the departmental academic integrity policy.

Below is the grading breakdown:

  • Midterm: 15%
  • Final: 20%
  • Security Breach Project: 20%
  • Final Project: 15%
  • Other homeworks, Class participation: 30%

The class participation grade will be determined by active participation in class discussions and exercises, including adding *short* discussion questions/points prior to class. You have two late days to use on the project. After this, late assignments will be dropped 20% per day.



Note: This schedule is tentative and can change. In particular, look for readings to be added/changed.

January 9 : Intro to Security and Human Behavior

January 11 : The Security Industry

January 16: The Rise of the Security Breach

January 18: Discussion

January 23 : On Evidence

January 25 : Discussion

January 30 : Economics of Information Security 1

February 1 : Discussion

February 6 : Economics of Information Security 2

February 8 : Qualitative Research and Ethics Discussion

  • No class due to Eagles parade, discussion online.
  • CITI Training due
  • Reading TBA
  • Interviewing

February 13 : Midterm

February 15 : Security Usability

February 20 : Guest Lecture

  • Russell Handorf, FBI

February 22 : Discussion

February 27: Psychology of Security

March 1 : Security Breach Discussion

  • No class! Participate in an online discussion. Post a short description of the security breach and something interesting you found out about it by Thursday, March 1. Respond to someone else's post by next Tuesday, March 6.

March 6 : Discussion

March 8 : Discussion

March 13 : Conclusions and Review

  • Readings
    • Shostack, Chapter 8

March 15 : Last Day of Classes / Presentations

  • Project 2 due

Finals Week