Course syllabus
Today's large, complex systems-of-systems are difficult to oversee and manage, while an attacker only needs to find one vulnerability to get in. This course teaches methods for analyzing the threats, risks and defense mechanisms of large systems, which can streamline security work and improve protection.
- The schedule can be found here. Lectures and seminars will normally take place both in the classroom and online via Zoom. Guest lectures, however, may be held in only one of the two.
- Some seminars are used as Q&A sessions. Instructions for these can be found here.
- This page gathers all the course material.
Assignments
The purpose of the course assignment is to give you skills in, and an understanding of, security analysis of large-scale computer systems. More specifically, you will learn a methodology, threat modeling, for assessing the cyber security risk of a (large-scale) IT system. The assignment, your project, is designed to be as realistic as possible. This means that not all of the information needed to solve the assignment is provided in the description. To pass the assignment you will therefore need to make realistic assumptions and to seek out new information yourself.
The first thing you need to do is to choose which organisation you will represent and thus build the threat model for. You are free to choose any type of organisation, but we encourage you to pick a cyber security incident reported in the media and reverse engineer it. This will tell you how the organisation works and allow you to explore the main attack as well as other attack possibilities.
The course assignments are all carried out individually; this includes:
- the main project,
- the drafts and peer-reviews,
- the guest lectures,
- the reflection document, and
- the oral presentation.
The grading of the main project is described here.
Deliver each assignment as one PDF and name it with your name and the assignment tag (e.g. RobertLagerstrom_finalreport.pdf). Your name must be on the first page of the report, for both draft versions and the final version. Only .pdf is accepted as the file format.
Deadlines for handing in the assignments are found on the respective assignment submission blocks in Canvas.
References and plagiarism
The main principle behind plagiarism is that you are responsible for what you submit as your own work. Letting others (in particular the teachers) believe that something you submitted was your work when in fact it was not is plagiarism. It is your responsibility to make sure that no one makes that mistake, so be clear with references whenever you use the work or ideas of others.
The use of references is mandatory. When you use a fact from some source, you should include a reference to that source. Use references according to this or a similar standard, but be consistent. For instance:
******
"Early assessment of system characteristics in software projects is one of the main concerns of the discipline of software architecture [1]."
List of references:
[1] Heineman, G., W. Councill (Eds), Component-based software engineering: Putting the pieces together, Addison-Wesley, 2001.
[2] Wikipedia: Enterprise Architecture, http://en.wikipedia.org/wiki/Enterprise_architecture, accessed 2012-03-18
******
Please note that when solving the project assignments, co-operation between individuals is allowed and even encouraged. However, you are responsible for the content of your own reports, and any plagiarism will result in an immediate fail on the assignment in addition to a written report to KTH's central disciplinary committee. This means that all students must write their own reports. You are not allowed to copy text from another person, and you are not allowed to copy text from the Internet. If you want to use a quote from a source, it must be clearly indicated that it is a quote. The reports will be checked for plagiarism using automated scanners.
Generative AI and large language models (ChatGPT etc.) are allowed and can be used freely; again, this is even encouraged. However, we require you to give an account of which tools you used and how (see the assignment descriptions). Most importantly, the statement above still holds: what you submit must be your original work as a whole. You therefore need, for instance, to fact-check and sanity-check any material produced by your co-pilot tools.
Overall, this course follows the EECS code of honour. Of particular importance is "Rule 2: In any assessment, every student shall honestly disclose any help received and sources used".
For questions and more information about plagiarism and how to avoid it, see this page, post a question in the Discussion section on Canvas, or contact the teachers directly.
Attendance at guest lectures
Attendance at guest lectures is mandatory and will be registered on one or more lists that are passed around during the lectures. The attendance requirement is part of the grading (Pass/Fail). Cheating with the attendance list is therefore equivalent to cheating on an exam. Attendance means the whole lecture: you are not allowed to arrive late and still sign up for attendance.
Administration
The course teachers are located at Teknikringen 33. The easiest way to contact us is by Canvas or email.
Any complaints regarding the grading of the assignments should be sent to the course teachers no later than one week after the result has been posted.
Disability
If you have a disability, you may receive support from Funka, KTH's coordinator for students with disabilities; see https://www.kth.se/en/student/stod/studier/funktionsnedsattning/funka-1.953214. Please inform the course responsible if you have special needs and show your certificate from Funka.
- Support measures under code R (i.e. adjustments related to space, time, and physical circumstances) are generally granted by the examiner.
- Support measures under code P (pedagogical measures) may be granted or rejected by the examiner, after you have applied for this in accordance with KTH rules. Normally, support measures under code P will be granted.