Why this exercise exists
You enrolled in this course to learn how to handle incidents. Reading a Web Application Firewall (WAF) log without flinching, knowing which rung of the containment ladder you are standing on, sending the right notification to the Spanish data protection authority (AEPD) within seventy-two hours of becoming aware of a breach. Most of that we drill in the lab.
There is a second skill, less talked-about, that separates the engineer who runs the meeting from the engineer who attends it: the ability to find the answer that nobody on your team has yet. When the next zero-day drops at three in the morning, the senior on call will not type “what to do” into a search bar. They will read the CVE Programme record, skim the vendor advisory, pull a peer-reviewed paper from IEEE Xplore on the underlying class of vulnerability, and write the paragraph that the rest of the team can act on. That is research, and it is the unglamorous half of what makes a senior engineer senior.
This is the first proper research exercise of the term — Research 03 in our numbering scheme — and it is small on purpose. Treat it as the kickoff for a longer research project that will run alongside the rest of the course over the next nine weeks.
The longer project, the one you will eventually submit at the end of the term, is built from the Class 2 topics of weeks 2 through 10 of this course (Week 1 is excluded because it was course orientation). Those topics are listed in section 5 of this brief. You do not have to choose your final topic today. You only have to choose the topic for this kickoff — and you are free to change it later if your interests shift.
What you have to learn from these four hours
By the time you submit the deliverable on Sunday 17 May at midnight Eastern, you should be able to:
- Explain, in your own words, what independent research in a cybersecurity course is for, what it is not for, and how it will be assessed.
- Name three or four current research areas in cybersecurity (threat intelligence, zero-trust architecture, AI security, post-quantum cryptography, supply-chain security, and so on) and say one specific thing that is currently unresolved in each.
- Take a topic that is too broad to write about and shrink it into a research question that one student can answer in three pages.
- Write a thesis statement that is sharp enough that a reader can disagree with it.
- Use IEEE Xplore, the ACM Digital Library, and Google Scholar — these three databases — to find at least four credible sources on your topic and tell the difference between a peer-reviewed paper and a vendor blog post.
- Lay out a short academic deliverable that follows a recognised structure (abstract, introduction, body, conclusion, references) with citations in IEEE format.
That is the whole list. There will be no quiz on these — there will be a deliverable, and the deliverable is how we check.
How to spend your four hours (suggested)
The four hours are not meant to be done in one sitting unless you genuinely want to. A common, effective rhythm is two sessions of two hours, two or three evenings apart, so that the ideas have time to settle between sessions.
Hour 1 — Choose your topic, narrow it, defend the choice (≈60 minutes)
- 0:00 – 0:15 — Read section 5 of this brief (the topic pool) carefully. Pick the one that interests you the most, not the one that looks easiest. Write the topic name on the first line of a fresh page in your notebook.
- 0:15 – 0:30 — Apply the funnel test. Write three bullets under your topic: (a) the broad area, (b) one sub-question inside it that interests you, (c) the specific angle you would like to investigate. If bullet (c) still feels too big to answer in three pages, narrow it again.
- 0:30 – 0:45 — Write a single sentence beginning “In this report I will argue that …”. That sentence is your draft thesis. It will probably change. That is normal.
- 0:45 – 1:00 — Write a short paragraph (three or four sentences) that explains why your scoped question matters to an incident-response team in 2026. If you cannot explain why it matters, the question is not yet scoped well enough. Go back to the funnel.
Hour 2 — Database survey and source collection (≈60 minutes)
- 1:00 – 1:20 — Open IEEE Xplore. Search using two or three keywords from your scoped question. Read titles and abstracts of the top ten results. Save the metadata (author, title, year, conference or journal name, Digital Object Identifier (DOI)) of any paper that looks relevant.
- 1:20 – 1:40 — Repeat the same process in the ACM Digital Library. The ACM tends to favour systems papers; IEEE tends to favour engineering and policy. You will see the difference within minutes.
- 1:40 – 2:00 — Open Google Scholar. Search for the same keywords. Note: Google Scholar is a search index, not a curated library. It returns peer-reviewed papers next to vendor white papers next to PDFs hosted on someone’s personal website. Use it for breadth; verify everything you cite back to a primary source. Aim to walk away with four to five credible sources in your notebook.
Hour 3 — Outline, read, take notes (≈60 minutes)
- 2:00 – 2:20 — Read the abstract and the introduction (only) of each of your four or five sources. Most of them will turn out to be only loosely relevant. Drop the loose ones. Keep three or four.
- 2:20 – 2:40 — For each kept source, write two sentences in your own words about what the paper actually claims and what method it used. Two sentences. No copy-paste. No “the authors explore the multifaceted landscape of …” — boilerplate signals you have not understood the paper.
- 2:40 – 3:00 — Sketch the outline of your three pages on paper, with rough word budgets. A workable shape is in section 6 of this brief.
Hour 4 — Write, format, cite, verify (≈60 minutes)
- 3:00 – 3:40 — Write the report straight through, in your own voice, without stopping to format. Three pages is short enough that you can draft it in one go. Resist the temptation to polish each paragraph as you go — you will polish later.
- 3:40 – 3:55 — Add citations. Convert your notebook bibliography into IEEE format (numbered references in square brackets, in the order they first appear in the text). The free citation managers Zotero and Mendeley will do this for you in seconds; it is worth twenty minutes one evening to learn one of them.
- 3:55 – 4:00 — Re-read the deliverable once. Check that every claim that is not your own is cited. Export to PDF. Submit.
If you are over four hours, finish the deliverable anyway and tell me at the top of the document how long it took. This is the first time; calibration is more useful than perfection.
What “independent research” means in this course (and what it does not)
Independent research, in the context of an academic cybersecurity course, has a narrow technical meaning that is worth being precise about.
It does mean: picking a question that is your own, surveying what has already been published on it, comparing what you find, drawing a conclusion that is at least partially your own, and citing every source you used so that the reader can check your work and disagree with you on equal footing.
It does not mean: running offensive tools against systems you do not own; collecting personal data on third parties; downloading paywalled academic papers from unauthorised sources; or feeding the entire question into a large language model and submitting whatever comes out. Each of those would be either a legal or an academic-integrity problem, and several of them are both.
A specific note on AI tools, since you will reasonably wonder. You are allowed to use AI assistants (ChatGPT, Claude, Gemini, perplexity.ai, etc.) as research aides — for explaining a concept you do not understand, for suggesting search keywords, for spotting a sentence that does not flow. You are not allowed to use them as a ghostwriter for the deliverable itself. The rule of thumb that has held up for me is: if you could read your report aloud and explain every sentence in it without notes, the work is yours; if you could not, it is not. Plagiarism detectors increasingly flag AI-generated prose, and the false-positive rate is uncomfortably high, so the safest path is also the most useful one — write it yourself, in your own voice, even where the prose is awkward.
The topic pool — what you may research
The topic pool for this kickoff (and for the longer project that will spread over the remaining nine weeks of the course) is drawn directly from the Class 2 column of the course Table of Contents (ToC), Week 2 through Week 10. Week 1 is excluded because it was orientation. The mid-term review (week 5), the mid-term examination (week 6) and the final examination (week 10) are not researchable topics — they are exam slots — and are listed below for completeness only.
The substantive topics, any one of which is a fair choice for this kickoff, are:
| # | Week | Class 2 topic | Suggested research angle (only a starting point — narrow further) |
|---|---|---|---|
| 1 | 2 | Securing crime scenes & collecting digital evidence | Chain-of-custody requirements under the Spanish Ley de Enjuiciamiento Criminal versus the United States Federal Rules of Evidence — what changes when an investigation crosses borders? |
| 2 | 3 | Malware detection, analysis & containment | The shift from signature-based detection to behavioural and machine-learning detection: what does the empirical literature say about false-positive rates in production environments? |
| 3 | 4 | Analysing email headers & tracing attacks | Domain-based Message Authentication, Reporting, and Conformance (DMARC) deployment in EU member states: what fraction of public-sector domains enforce it as of 2025–2026, and why is the rest of the population stuck? |
| 4 | 7 | Network traffic analysis & incident validation | Encrypted-traffic analysis after TLS 1.3 (Transport Layer Security): what signals are still detectable without decryption, and how does this affect Network Detection and Response (NDR) tooling? |
| 5 | 8 | Detecting & eradicating insider activity | User and Entity Behaviour Analytics (UEBA) — does the published evidence support the marketing? Survey three peer-reviewed papers from the last five years and report what they actually measured. |
| 6 | 9 | Mobile & IoT (Internet of Things) forensics and analysis | Forensic acquisition challenges on locked iOS / Android devices in 2025–2026: what does the academic literature say about the ethical and legal limits of vendor-assisted unlock? |
The exam-related weeks below are listed for completeness; they are not valid research-topic choices for this exercise:
| # | Week | Class 2 slot |
|---|---|---|
| – | 5 | Mid-term review |
| – | 6 | Mid-term examination |
| – | 10 | Final examination |
Pick one substantive topic from the table above. You may change your mind for the longer project later in the term — what you submit on 17 May commits you only to this 3-page report.
The structure of your 3-page report
A good academic short-form report has six chapters, in this order. The word counts are guidance, not law, and they assume an A4 page in a standard 11-point body type with reasonable margins.
(a) Title block — top of page 1, ~6 lines
Title of your report (one line, declarative — not the topic from the table above; rephrase as a question or claim). Your full name. Date of submission. Course name and module. Word count of the body (everyone forgets this; do it).
(b) Abstract — page 1, ~80–120 words
What is the question, what did you do, what did you find, and why does it matter. One paragraph, not bullet points. Write this last, after the rest is written.
(c) Introduction — page 1, ~250–350 words
Three things, in this order: (i) the broader area and why it matters to incident handlers in 2026; (ii) the specific question you are asking, scoped narrowly enough that a reader believes you can answer it in three pages; (iii) your thesis statement, written as one sentence beginning “This report argues that …”. The thesis is the line that makes your report disagreeable — without it, you are summarising, not researching.
(d) Literature survey and discussion — pages 2 and 3, ~700–900 words combined
This is where you talk about what you found in the four to five sources you read. Do not summarise each paper in turn — that is a book report, not a research report. Instead, organise by theme: what do the sources agree on? Where do they disagree? What does the most recent paper say that the older ones do not? Where are the gaps? Every claim that is not your own gets a citation in square brackets, like [3].
(e) Conclusion and implications — end of page 3, ~150–200 words
What did you find? What does it mean for an incident-response team? What would you research next if you had three more pages? Do not introduce a new topic in the conclusion — the reader should not be surprised in the last paragraph of a research report.
(f) References — separate page, does not count against the 3-page limit
Numbered list, IEEE style. Format example for a journal article:
[1] A. Surname and B. Surname, “Title of paper,” Journal Name, vol. 12, no. 3, pp. 45–60, Mar. 2025, doi: 10.xxxx/yyyyy.
For a conference paper, IEEE-style:
[2] C. Surname et al., “Title of paper,” in Proc. Conf. on …, City, Country, 2024, pp. 100–110.
For a credible online source (vendor advisory, government report) where it is the primary source:
[3] Organization Name, “Document title,” 2025. [Online]. Available: https://example.org/document. [Accessed: 12 May 2026].
The IEEE Author Center publishes the full reference style guide at ieeeauthorcenter.ieee.org. Bookmark it.
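Section (f) and the citation step in Hour 4 reduce to one mechanical rule: references are numbered in the order they first appear in the body, and each entry is rendered in one of the three IEEE patterns shown above. The Python script below is an added example, not part of this brief and not the output of Zotero or Mendeley. It assumes a draft that marks each citation as `[@key]` (a convention chosen for this example), resolves the keys against a metadata dictionary built from the placeholder values in the patterns above, and reports any marker with no metadata so that a claim never silently loses its citation.

```python
"""Renumber citations by first appearance and render an IEEE-style reference list.

Added example. The [@key] marker convention, the metadata dictionary and the
sample draft are constructed for illustration; the three output patterns follow
the journal, conference and online examples given in the brief.
"""
import re
from typing import Dict, List, Tuple

# A citation in the draft looks like [@ueba-survey]; the key is resolved
# against SAMPLE_SOURCES-style metadata and replaced by an IEEE number.
CITE_RE = re.compile(r"\[@([A-Za-z0-9_.:-]+)\]")


def format_authors(authors: List[str]) -> str:
    """IEEE-style author string. Simplification: three or more -> 'et al.'."""
    if len(authors) == 1:
        return authors[0]
    if len(authors) == 2:
        return f"{authors[0]} and {authors[1]}"
    return f"{authors[0]} et al."


def render_reference(number: int, meta: Dict[str, object]) -> str:
    """Render one numbered entry in the pattern matching its type."""
    kind = meta["type"]
    if kind == "journal":
        return (f"[{number}] {format_authors(meta['authors'])}, \u201c{meta['title']},\u201d "
                f"{meta['journal']}, vol. {meta['volume']}, no. {meta['issue']}, "
                f"pp. {meta['pages']}, {meta['date']}, doi: {meta['doi']}.")
    if kind == "conference":
        return (f"[{number}] {format_authors(meta['authors'])}, \u201c{meta['title']},\u201d "
                f"in {meta['proceedings']}, {meta['location']}, {meta['year']}, "
                f"pp. {meta['pages']}.")
    if kind == "online":
        return (f"[{number}] {meta['organization']}, \u201c{meta['title']},\u201d {meta['year']}. "
                f"[Online]. Available: {meta['url']}. [Accessed: {meta['accessed']}].")
    raise ValueError(f"unknown reference type: {kind}")


def number_citations(draft: str,
                     sources: Dict[str, Dict[str, object]]) -> Tuple[str, List[str], List[str]]:
    """Replace [@key] markers with [n], numbering by first appearance.

    Returns (rewritten text, rendered reference list, unresolved keys).
    A key with no metadata is left untouched in the text and reported,
    so the author sees exactly which claim still lacks a source.
    """
    numbers: Dict[str, int] = {}
    unresolved: List[str] = []
    for key in CITE_RE.findall(draft):
        if key in numbers or key in unresolved:
            continue
        if key in sources:
            numbers[key] = len(numbers) + 1   # next free number, in reading order
        else:
            unresolved.append(key)

    def replace(match: "re.Match[str]") -> str:
        key = match.group(1)
        return f"[{numbers[key]}]" if key in numbers else match.group(0)

    text = CITE_RE.sub(replace, draft)
    refs = [render_reference(n, sources[k])
            for k, n in sorted(numbers.items(), key=lambda kv: kv[1])]
    return text, refs, unresolved


# Constructed sample metadata, using the placeholder values from the brief's patterns.
SAMPLE_SOURCES: Dict[str, Dict[str, object]] = {
    "ueba-survey": {"type": "journal", "authors": ["A. Surname", "B. Surname"],
                    "title": "Title of paper", "journal": "Journal Name", "volume": 12,
                    "issue": 3, "pages": "45\u201360", "date": "Mar. 2025",
                    "doi": "10.xxxx/yyyyy"},
    "conf-paper": {"type": "conference", "authors": ["C. Surname", "D. Surname", "E. Surname"],
                   "title": "Title of paper", "proceedings": "Proc. Conf. on \u2026",
                   "location": "City, Country", "year": 2024, "pages": "100\u2013110"},
    "advisory": {"type": "online", "organization": "Organization Name",
                 "title": "Document title", "year": 2025,
                 "url": "https://example.org/document", "accessed": "12 May 2026"},
}

# Constructed draft: cites the advisory first, then two papers, reuses one, and
# carries one marker with no metadata to show the unresolved report.
SAMPLE_DRAFT = (
    "Vendor claims rarely survive contact with measurement [@advisory]. "
    "Two recent studies measured false-positive rates directly [@ueba-survey], [@conf-paper], "
    "and the earlier one [@ueba-survey] is the more careful. "
    "This sentence still needs a source [@missing]."
)

if __name__ == "__main__":
    body, references, missing = number_citations(SAMPLE_DRAFT, SAMPLE_SOURCES)
    print(body, "\n")
    print("\n".join(references))
    if missing:
        print("\nUNRESOLVED citation keys:", ", ".join(missing))
```

Run it as a script to see the renumbered body followed by the reference page; the last line lists any `[@key]` that has no metadata, which is the check to run before exporting to PDF.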
How to use figures, screenshots, and images — and not get into trouble
Figures are not decoration. A short report tolerates one or two figures at most, and only if they earn their space. Each figure must have a caption (e.g. “Figure 1. Distribution of detection latencies, adapted from [4]”), and each must be referred to by number in the body text — never floating.
For diagrams you draw yourself. Preferred. Use a free tool — draw.io / diagrams.net, Excalidraw, Inkscape, Mermaid, or even a clean photograph of a hand drawing — and put your name in the caption. These you own; cite nothing.
For screenshots of your own work (a tool you ran on your own machine, a virtual machine in the lab, output of a command). These are fine. Keep the screenshot to the relevant region; do not include personal data, hostnames, or anything identifying. Crop ruthlessly.
For figures or photographs from third parties. This is where students get into trouble. The default position is: do not use a third-party image unless you have a clear licence to do so. “I found it on Google” is not a licence. The reliable safe-harbour options are:
- Images explicitly released under a Creative Commons (CC) licence — read the specific licence (CC BY, CC BY-SA, CC BY-NC, etc.); attribute the author by name in the caption and link back to the source URL.
- Stock photo libraries that grant a free editorial / non-commercial licence by default — Unsplash, Pexels, Pixabay. Even with these, attribute the photographer in the caption.
- Public-domain works — older artworks, government works released to the public domain. Cite the source anyway.
Adapted figures (you redrew or modified an existing figure). Caption must say “adapted from [n]” with the citation pointing to the original. This is not a workaround for using a figure you do not have rights to — it means meaningfully redrawn, not retraced.
When in doubt: draw it yourself, or do not include it.
How to use links, and how to keep yourself safe while doing it
Every external link in this brief, and every external link you put in your own deliverable, should be pre-flighted through VirusTotal — URL Scanner the first time you click it. Submit the URL there and read the verdict before you visit. The web changes; a link that was safe six months ago may not be safe today. This is not paranoia — it is hygiene, and it costs you ten seconds.
When you cite an online source in your report, give it a persistent, primary URL: prefer the publisher’s site (ieeexplore.ieee.org, dl.acm.org, the official organisation domain) over an aggregator. Where possible, use a Digital Object Identifier (DOI) instead of a raw URL — DOIs do not rot.
Plagiarism and academic integrity — the hard part
Plagiarism is presenting someone else’s words, ideas, structure, figures, or data as your own. It includes:
- copy-paste from a paper, vendor blog, encyclopaedia article, or another student;
- close paraphrase that follows the source’s sentence structure;
- recycled work from a previous course, your own or a friend’s;
- AI-generated prose submitted as your own writing;
- figures and screenshots reproduced without licence and citation.
The defence is straightforward: paraphrase in your own words, and cite everything. The rule of thumb is — if you would not be comfortable defending the sentence aloud in office hours, it does not belong in your deliverable. Your deliverable will be checked by Turnitin, by an AI-text detector, and by me reading it. The first two are imperfect, the third is not.
If you are unsure whether something needs a citation, cite it. Over-citation is a venial sin in undergraduate work; under-citation is not.
Submission
- Format: PDF only. No Word documents, no Markdown, no Google Docs links.
- Filename: LastName_FirstName_Research03.pdf (yes, those underscores).
- Where: the Research 03 — Introduction assignment slot in our Chamilo Learning Management System (LMS) course site.
- When: by 23:59 EST on Sunday 17 May 2026. That is 05:59 (06:59 from CEST adjustment) on Monday 18 May 2026 in Madrid local time — set yourself a reminder. Late submissions lose 10 percent of the awarded mark per 24 hours, up to 72 hours, after which they are not accepted.
- What is included: the 3-page report (max), plus the references page (does not count against the limit). Cover sheet is not needed — the title block at the top of page 1 is the cover.
If something goes wrong with the LMS at the last minute, e-mail me a copy with a screenshot of the error, before the deadline. After the deadline, the LMS timestamp is what counts.
Rubric — how the 2 / 3 / 3 weighting breaks down
Your work is marked on three criteria, weighted 2, 3, 3, for a total of 8 marks. Your final percentage is (your marks ÷ 8) × 100. The four levels below are the descriptors I will use; the line between Acceptable and Strong is where most first attempts land, and that is fine.
Criterion A — Topic selection, scoping, and thesis · Weight 2
| Level | What it looks like |
|---|---|
| Insufficient (0) | Topic is one of the listed weeks copied verbatim. No thesis, or the thesis is a tautology. |
| Acceptable (1) | Topic is narrowed below the original heading. Thesis exists but is descriptive (“X is important”). |
| Strong (1.5) | Question is sharp enough that a reasonable reader could disagree with the thesis. |
| Excellent (2) | Question is original and the thesis is defensible without overreach. |
Criterion B — Literature survey and use of academic databases · Weight 3
| Level | What it looks like |
|---|---|
| Insufficient (0–1) | Fewer than three sources, or all sources are vendor blogs / Wikipedia. IEEE / ACM not used. |
| Acceptable (1.5) | Four sources, mix of credible and weaker. Databases used but search strategy not visible. |
| Strong (2.5) | Four to five credible sources, at least three peer-reviewed. Sources span more than one viewpoint. |
| Excellent (3) | Five credible sources including recent (≤ 3 years) peer-reviewed work. Disagreements between sources are surfaced and discussed. |
Criterion C — Thesis development, writing, structure, and citations · Weight 3
| Level | What it looks like |
|---|---|
| Insufficient (0–1) | Structure missing, citations absent or wrong format, prose unclear or AI-flavoured. |
| Acceptable (1.5) | All six chapters present. Citations in IEEE format, mostly. Prose readable. |
| Strong (2.5) | Voice is the student’s own. Argument flows. Conclusions follow from the evidence presented. |
| Excellent (3) | Argument is original and defensible. Citations precise (page numbers where appropriate). The report would be readable to a junior incident-response team without explanation. |
Hyperlinks — every organisation, tool and document referenced in this brief
Course infrastructure
- Cyber.SoHo Educational Hub (this course’s owner) — internal portal
- Chamilo Learning Management System — submission platform
Academic databases
- IEEE Xplore — engineering and policy papers
- ACM Digital Library — systems papers
- Google Scholar — search index for breadth; verify against a primary source
Citation managers (free)
- Zotero
- Mendeley
Citation style reference
- IEEE Author Center (ieeeauthorcenter.ieee.org) — full IEEE reference style guide
Diagram and figure tools (free)
- draw.io / diagrams.net
- Excalidraw
- Inkscape
- Mermaid
Image-licensing safe harbours
- Creative Commons (CC) licences — read the specific licence before use
- Unsplash, Pexels, Pixabay — attribute the photographer in the caption
Reference bodies and primary sources you may want to cite
- European Union Agency for Cybersecurity (ENISA)
- Centro Criptológico Nacional — CERT (CCN-CERT, Spain)
- National Institute of Standards and Technology (NIST), United States
- The CVE Programme
- Common Weakness Enumeration (CWE)
- MITRE ATT&CK Framework
- Open Worldwide Application Security Project (OWASP)
- Spanish Data Protection Agency (AEPD)
- United Kingdom National Cyber Security Centre (NCSC)
Pre-flight every link before you click
Disclaimers — read before you start
Intellectual property. All material in this brief — the structure, the prose, the rubric, the topic pool framing, and any diagrams — is the intellectual property of Cyber.SoHo Educational Hub. Cyber.SoHo Educational Hub is the only creator and owner of these materials. Reproduction, redistribution or republication outside this course requires written permission from Cyber.SoHo Educational Hub.
No third-party affiliation. This brief, and the course it belongs to, is produced and delivered by Cyber.SoHo Educational Hub independently. No affiliation, partnership, sponsorship or endorsement is implied with any university, certification body, vendor, professional association, or other third party named or linked in this document. Any third-party name appears for educational orientation only and remains the property of its respective owner.
Educational context — the lab caveat. The wider course this brief belongs to includes hands-on cybersecurity labs that use tools and techniques that are functionally close to those used in real-world offensive and defensive operations. Apply any technique only on systems you own, or for which you hold explicit, written authorisation to test. Acting otherwise is, in most jurisdictions including Spain (Ley Orgánica 10/1995 del Código Penal), the United Kingdom (Computer Misuse Act 1990), and across the European Union and the United States, a criminal offence. This brief does not authorise testing of any third-party system. Curiosity is encouraged; trespass is not.
Tools and methods — open and replaceable. Every tool and database mentioned in this brief is named as a worked example. Each one is open, free of cost for academic use, and fully replaceable by an equivalent alternative of your choice. If you find a better tool, use it; if you would like to write your own, do so and tell us about it. Cybersecurity is a field where today’s mainstream tool is tomorrow’s footnote — practise picking, comparing, and rolling your own from day one.
Plagiarism, citation and intellectual property of others. When you quote, paraphrase or build on the work of someone else, you must cite them, in IEEE format, with enough information for the reader to find the original. Reproducing copyrighted prose without licence — even in a student paper — is an infringement. Cyber.SoHo Educational Hub will not shield work that breaches third-party intellectual-property rights, and the responsibility for compliance lies with the student who submits the deliverable.
External links and online safety. Every external link in this brief was checked at the time of writing. The web changes; a link that was safe today may not be safe tomorrow. Pre-flight every link with VirusTotal before you click. Cyber.SoHo Educational Hub takes reasonable care to reference reputable sources but accepts no liability for the content of third-party sites at the time you visit them.
Liability. This brief is educational. It is not legal, regulatory, or operational advice for any specific situation. Cyber.SoHo Educational Hub disclaims all liability for the consequences of any action taken by a student on the basis of material in this brief.
Ethics. The Cyber.SoHo Educational Hub teaches techniques for defenders. Choose the side of the wall on which the rest of your career will live.
End of Research 03 brief — Cyber.SoHo Educational Hub.
Issued from Madrid, 4 May 2026. Due 17 May 2026, 23:59 EST.