Carnegie Mellon University

Undergraduate concentration in Security & Privacy

In a world where data breaches and cyberattacks are ever-present, the need for technologists who have a solid understanding of the principles that underlie strong security and privacy practices is greater than ever. 

The Security & Privacy concentration is designed to expose students to the key facets of and concerns about computer security and privacy that drive practice, research, and legislation. After completing the curriculum, students will be prepared to continue developing their interests in security or privacy through graduate study; take jobs in security or privacy that will provide further training in applicable areas; and be informed participants in public and other processes that shape how organizations and society develop to meet new challenges related to computer security and privacy.

The concentration is open to all ECE undergraduates (a matching concentration is available for SCS undergraduates). Students intending to pursue the concentration should contact the concentration coordinator to register their intention. To officially declare, students should fill out the BS Concentration Declaration form in their final semester by the semester course withdrawal deadline. Please note that students must wait until their final semester to submit the form. Once signed by the academic advisor, this form serves as proof of completion of the concentration, as no additional certificate is issued, and concentrations are not listed on the transcript.

A distinguishing feature of this field is the ubiquitous need to consider an adversary and the resulting interplay between attack and defense that routinely advances both theory and practice. In order to understand widely deployed defensive techniques and secure-by-design approaches, students must also understand the attacks that motivate them and the “adversarial mindset” that leads to new forms of attack. The curriculum is designed around this principle.

Students in the Security & Privacy concentration will take courses that cover the basic principles (Introduction and Basics Course Area), underlying theory (Theoretical Foundations Course Area), and practical application (System Design Course Area) of security and privacy. Additionally, they will be required to select a course that covers either usability or policy (Context Course Area). Finally, students will have the opportunity to dive deep into a particular security and privacy topic by completing an elective of their choosing (Depth Course Area).


To complete the undergraduate Security & Privacy concentration, students must meet the requirements outlined below in each of the following five course areas:

  • Introduction and basics
  • Theoretical foundations 
  • System design 
  • Context 
  • Depth 

Only two of the courses that are counted toward concentration requirements can also be counted toward core course requirements of majors and minors.

Introduction and basics

Introduction to Computer Security (15/18-330)
Note: Students who have successfully completed 15/18-487 in F17 will be allowed to count this course as having satisfied the “intro” requirement for the concentration as long as they also successfully complete Privacy Policy, Law, and Technology (17-333; previously 8-533).

Theoretical foundations

Introduction to Cryptography (15-356)

-- or both --

Applied Cryptography (18-733), and
Foundations of Privacy (18-734 / 17-731)

System design

Secure Software Systems (18-335)

-- or --

Software Foundations of Security and Privacy (15-316)


Students are required to fulfill course requirements for either the Usability or the Policy track.

Usable Privacy and Security (17-334)

Privacy Policy, Law, and Technology (17-333)
-- or --
Foundations of Privacy (18-734 / 17-731)
(Note: This option is not available if Foundations of Privacy was used to satisfy the Theoretical Foundations requirement.)


The depth requirement can be fulfilled in the following ways:

  1. By successfully completing an elective course (from the list below) or at least 9 units of independent study in a security or privacy area.
  2. By successfully completing five, rather than four, courses from the list above to satisfy the requirements described above (this might be achieved by taking both a policy and a usability course, or taking the two-course foundations alternative).

Approved electives

Note: We expect this list to grow as new courses are offered. Students can also petition to have another course, including independent study, approved as an elective. Some electives may have prerequisites beyond the courses required by the concentration. Any core course can serve as an elective (unless an anti-requisite has been taken).

  • Browser Security (14-828 / 18-636)
  • Introduction to Hardware Security (18-632)
  • Network Security (18-731)
  • Cryptocurrencies, Blockchains, and Applications (17-303 / 19-303; previously also 8-303 / 19-355)
  • Wireless Network Security (14-814 / 18-637)
  • Mobile Security (14-829 / 18-638)
  • Engineering Privacy in Software (17-735; previously also 8-605)
  • Introduction to Cyber Intelligence (14-809)
  • Introduction to Software Reverse Engineering (14-819)
  • Host-Based Forensics (14-822)
  • Network Forensics (14-823)
  • Secure Computer Systems (15-793)

Prior coursework

Any courses from the core or elective list successfully completed before F18 will likely also count toward concentration requirements, but check with the concentration program coordinator to make sure your previous courses will count.


When two (or more) courses overlap significantly in the material they cover, only one can count toward the Security and Privacy concentration. Below is a list of anti-requisites; each bullet is a list of courses out of which only one can count toward the security and privacy concentration.

  • Software Foundations of Security and Privacy (15-316)
    Secure Software Systems (18-335)
  • Introduction to Cryptography (15-503)
    Applied Cryptography (18-733)

Excluded courses

The following security and privacy courses may not be counted toward concentration requirements. These courses all serve specific, important purposes, but they do not fit into the concentration as currently designed. For example, 17-331 is more suitable for students who are interested in a broader single-course introduction to information security, but it has too much overlap with the concentration’s required intro course to be able to count toward the concentration.

  • Information Security and Privacy (17-331/17-631/45-885/45-985; previously also 15-421/8-731/8-761)
  • Introduction to Information Security (14-741/18-631)
  • Introduction to Computer Security (18-730)