Carnegie Mellon University

Undergraduate Concentration in Security & Privacy

In a world where data breaches and cyber-attacks are ever-present, the need for technologists who have a solid understanding of the principles that underlie strong security and privacy practices is greater than ever. 

The Security & Privacy concentration is designed to expose students to the key facets of and concerns about computer security and privacy that drive practice, research, and legislation. On completing the curriculum, students will be well prepared to continue developing their interests in security or privacy through graduate study; to take jobs in security or privacy that will provide further training in applicable areas; and to be informed participants in public and other processes that shape how organizations and society develop to meet new challenges related to computer security or privacy.

The concentration is open to all undergraduates in Computer Science (a matching concentration is available for ECE undergraduates) . There is no formal admissions process. Students intending to pursue the concentration should contact the concentration coordinator to register their intention.

A distinguishing feature of this field is the ubiquitous need to consider an adversary, and the resulting interplay between attack and defense that routinely advances both theory and practice. In order to understand widely-deployed defensive techniques and secure-by-design approaches, students must also understand the attacks that motivate them and the “adversarial mindset” that leads to new forms of attack. The curriculum is designed around this principle

Students in the Security & Privacy concentration will take courses that cover the basic principles (Introduction and Basics), the underlying theory (Theoretical Foundations), and the practical application (System Design) of security and privacy. Additionally, they will be required to select a course which covers either usability or policy (Context). Finally, students will have the opportunity to dive deep on a particular security & privacy topic by completing an elective of their choosing (Depth).


To complete the undergraduate Security & Privacy concentration, students must meet the requirements outlined below in each of the following five course areas:

  • Introduction and basics
  • Theoretical foundations 
  • System design 
  • Context 
  • Depth 

O nly two of the courses that are counted toward concentration requirements can also be counted towards core course requirements of majors and minors.

Introduction and Basics

Introduction to Computer Security (15/18-330)
Note: Students who have successfully completed 15/18-487 in F17 will be allowed to count this course as having satisfied the “intro” requirement for the concentration as long as they also successfully complete Privacy Policy, Law, and Technology (17-333; previously 8-533).

Theoretical Foundations

Introduction to Cryptography (15-356)

-- or --

15/18-435 Foundations of Blockchains

-- or  both --

Applied Cryptography (18-733), and
Foundations of Privacy (18-734 / 17-731)

System Design

Software Foundations of Security and Privacy (15-316)

-- or --

Secure Software Systems ( 18-335)


Students are required to fulfill course requirements for either the Usability or the Policy track.

Usable Privacy and Security (17-334)

Privacy Policy, Law, and Technology (17-333)
-- or --
Foundations of Privacy (18-734 / 17-731)
(Note: This option is not available if Foundations of Privacy was used to satisfy
the Theoretical Foundations requirement).


The depth requirement can be fulfilled in the following ways:

  1. By successfully completing an elective course (from the list below) or at least 9 units of independent study in the security or privacy area.
  2. By successfully completing five, rather than four, courses from the list above to satisfy the requirements described above (this might be achieved by taking both a policy and a usability course, or taking the two-course foundations alternative).

Approved Electives
Note: We expect this list to grow as new courses are offered. Students can also petition to have another course, including independent study, approved as an elective. Some electives may have prerequisites beyond the courses required by the concentration. Any core course can serve as an elective (unless an anti-requisite has been taken).

  • Browser Security (14-828 / 18-636)
  • Introduction to Hardware Security (18-632)
  • Network Security ( 18-334)
  • Cryptocurrencies, Blockchains, and Applications (17-303 / 19-303; previously also 8-303/ 19-355)
  • Wireless Network Security (14-814 / 18-637)
  • Mobile Security (14-829 / 18-638)
  • Engineering Privacy in Software (17-735; previously also 8-605)
  • Introduction to Cyber Intelligence (14-809)
  • Introduction to Software Reverse Engineering (14-819)
  • Host-Based Forensics (14-822)
  • Network Forensics (14-823)
  • Algorithms for Private Data Analysis (17-880)

Prior Coursework

Any courses from the core or elective list successfully completed before F18 will likely also count toward concentration requirements, but check with the concentration  program coordinator to make sure your previous courses will count.


When two (or more) courses overlap significantly in the material they cover, only one can count toward the security and privacy concentration. Below is a list of anti-requisites; each bullet is a list of courses out of which only one can count toward the security and privacy concentration.

  • Software Foundations of Security and Privacy (15-316)
    Secure Software Systems (18-732)
  • Introduction to Cryptography (15-503)
    Applied Cryptography (18-733)

Excluded Courses

The following security and privacy courses may not be counted towards concentration requirements. These courses all serve specific important different purposes, but do not fit into the concentration as currently designed. For example, 17-331 is more suitable for students who are interested in a broader single-course introduction to information security, but has too much overlap with the concentration’s required intro course to be able to count toward the concentration.

  • Information Security and Privacy (17-331 / 17-631 / 45-885 / 45-985; previously also 15-421 / 8-731 / 8-761)
  • Introduction to Information Security (14-741 / 18-631)
  • Introduction to Computer Security (18-730)