Project Description
The primary goal of this assessment is to bridge the gap between the theoretical concepts of information security learned in this course and their practical application in your digital life. This project requires you to critically evaluate individual security practices, evaluate the implementation of meaningful improvements over the course of the semester, and analyze the results. You will gain hands-on experience in selecting, implementing, and evaluating security controls, while also considering fundamental trade-offs between security and usability.
This project is divided into two parts:
- Part 1: The Initial Assessment. At the beginning of the semester, you will conduct a baseline audit of a personal security posture across several key domains. This will serve as the starting point.
- Part 2: The Report & Analysis. At the end of the semester, you will submit a comprehensive report detailing changes implemented in your personal security, the reasoning behind them based on course concepts, and an impact analysis of these changes. The final report can cover actual or experimental changes whose implementation cost you studied and evaluated over the semester. While increased security is advisable, each measure has a cost and should prevent a reasonable attack. Consider this trade-off when deciding whether to apply a measure, and analyze it in your report.
Security Assessment Topics
You must choose 5 controls for analysis, where each control belongs to a different topic (you cannot have multiple controls from the same topic). The topics are the ones presented in the web application, as follows:
- Authentication: How credentials are managed for online accounts, their complexity, storage and sharing;
- Messaging: How communication is done with others across the internet, and in local networks;
- Web Browsing: How much information is exposed through normal browsing activities;
- Email: How communication through email is conducted, the current practices and tools;
- Social Media: How interactions are conducted in social networks, where messages, videos and other content are exchanged;
- Networks: How home and SOHO networks are built and kept secure from malicious actors;
- Mobile Devices: How smartphones, tablets, and other mobile devices are kept secure;
- Personal Computers: How laptops and desktops are kept free from viruses, malware and external access;
- Smart Home: How houses with IoT devices operate as expected, without the interference of malicious actors;
- Personal Finance: How the accounts in banks and other organizations are kept safe from scams and frauds;
- Human Aspect: How the direct interactions between individuals can be kept secure;
- Physical Security: How our spaces (home, offices, buildings, factories) are free from intruders.
For each selected control, you must present the following analysis:
Control Identification and Motivation
- Clearly state the specific control you have chosen to evaluate for this topic (e.g., “For Authentication, I am evaluating the use of a Password Manager, considering the baseline where no Password Manager is used”).
- Describe the relevance: Explain why this control exists and its relevance to a personal security assessment.
- Describe the starting implementation of this control: Which practices are applicable to this control, and how they map to it. For example, is it followed effectively, partially, incorrectly, or not considered at all?
- Describe the attack vectors that are possible with the initial state of the control: Describe which attacks can be carried out, and their impact or consequences for an individual. Relate them to specific attacks found in news, social media posts, or other sources.
Control Implementation Assessment
- Describe in detail the way you experimented with the control over the semester. This could involve implementing a new tool, changing a configuration, creating a new policy, or even deciding not to make a change after further analysis and impact analysis.
- Present the reasoning behind changes: Justify why these changes were proposed. You must connect your reasoning directly to concepts learned in this course. Refer to specific threats (e.g., phishing, malware, credential stuffing), security principles (e.g., principle of least privilege, defense in depth, encryption), or topics discussed in lectures.
- Present a security impact analysis: Analyze the positive (and/or negative) impact of the changes on an individual security posture. Identify how the new implementation better mitigates the risks you identified. Be specific. For instance, instead of saying “it’s more secure,” explain how (e.g., “Using MFA prevents attacks X, Y and Z. Attack X consists of …, aims to …, and is conducted as follows …. The application of this control is able to mitigate attack X because …. Attack Y …”).
- Present a usability impact analysis: Analyze the impact of the changes on usability. Did the change make tasks easier or more difficult? Did it add extra steps to an existing workflow? Is there a noticeable performance impact? Discuss the security-usability trade-offs experienced. Was the gain in security worth the cost in convenience?
The analysis of each control should not exceed 2-3 pages, including diagrams, screenshots, and references.
Important Disclaimer: Privacy
Your privacy is paramount. You should NOT, under any circumstances, include actual passwords, private keys, or highly sensitive personal information in your report. This assessment is about processes, policies, and configurations, not the secret data itself. For example, describe your password complexity policy (e.g., “I now use 16-character passphrases with mixed character types”), not the password itself.
Do not present personal information. Focus solely on the improvement and impact of the selected controls. Consider using anonymized or fictional examples to illustrate points without revealing sensitive data. Conduct experiments in a controlled manner, ensuring that no real accounts or sensitive data are compromised during the process. Even if using a personal use case, describe it in an abstract manner that does not link your identity to the practices.
Grading and Milestones
The Project should be done by a group of 2 students.
There are two milestones to consider:
- October 3rd: You must upload the result of an assessment, as exported from the web tool. This will define the initial state of the control.
- November 28th: You must upload the assessment report, with the analysis of the selected controls which were improved. This should be a single, well-structured PDF report. It should include a title page, an introduction, the detailed analysis for all five topics, and a concluding summary of the overall security improvement.
Your final report will be graded based on the following criteria:
| Criteria | Weight | Description |
| --- | --- | --- |
| Implementation of Changes | 35% | Clear and detailed description of the changes made. Demonstrates a tangible effort to improve security posture. |
| Reasoning and Application of Course Concepts | 35% | Strength of the justification for the changes. The extent to which you successfully apply concepts, principles, and terminology from the course. |
| Impact Analysis (Security & Usability) | 20% | Depth and thoughtfulness of your analysis on the effects of the changes. Clear articulation of the security-usability trade-off. |
| Report Structure and Clarity | 10% | Professionalism of the report, including clear writing, proper formatting, and logical organization. |
Good luck! We’re looking forward to seeing your progress throughout the semester!!!