Project: Technology Threat Assessment or Organization Breach Report

This is a group project – teams of up to four. Have each member of your team join one of the already-existing “Project | Threat Assessment” groups on Canvas. Do not make your own group. Search Canvas groups for “Project | Threat Assessment” and join one of those.

Your team has two choices for this project – either perform a “Technology Threat Assessment”, or report on an “Organization Breach.” Both options are described below.

Approval for Topic

Your team should pitch your proposed topic on the #project_idea_claim on slack. You must obtain my approval for your topic.

Option 1: Technology Threat Assessment Review

This option is adapted from Cryptography Engineering, 2nd edition, by Ferguson, Schneier and Kohno (2010).

This exercise deals with developing your security mindset in the context of real products or systems. Your goal with the security reviews is to evaluate the potential security and privacy issues of new technologies, evaluate the severity of those issues, and discuss how to address those security and privacy issues. This review should reflect deeply on the technology that you’re discussing.

Your security review should contain:

Some examples of past security reviews are online at

Deliverables for Option 1

Submit the following to Canvas:

  1. Your written security review
  2. A brief powerpoint slide presentation, following the general outline of the security review. Be prepared to present (probably ~5 minutes, up to 10 minutes allowed) – a few lucky teams will be selected to present to the class.

Option 2: Organization Breach

The purpose of this option is to explore the unfolding of a breach from the perspective of the organization – to analyze how an organization handled it, and to look at how the public reacted to the dumpster fire (if at all). Teams will choose a semi-recent security breach incident and report on the unfolding of events leading up to, during, and after the breach. This report is more than just a summary of one or two news articles. It is a meta- and longitudinal analysis of the breach as it unfolded – not a snapshot. For this reason, the breach needs to be sufficiently old for information to have eeked out and for public response to have waxed and waned. (No breaking news.)


Deliverable for Option 2

Your final report should probably be the length of an interesting online news article, e.g., for the nytimes or Wired. Long enough to cover the important points, but don’t overdo it. I am not looking for a congressional oversight report in scope or length, but I am looking for sufficient detail to interest at least the average member of our class. Informative and engaging, please.

Submit the following to canvas:

The report structure is flexible. If you can fulfill the main goal of a longitudinal exploration of an organization handling and the public responding to a breach, while touching on the ideas I request in the structure outline, then I am satisfied. I have not given this option before. Option 1 has more precise expectations because that option has been around for a few years. Look at that option, and get a gauge for the weight of the deliverable. The complexity and Option 1 and Option 2 should be comparable.