Why you should apply to Stony Brook if you want to pursue a PhD in computer security and privacy

I remember it as if it was yesterday. I was entering the second year of my MS degree in Computer Science, when I realized that I wanted to pursue a PhD in Security outside of Greece. Where should I apply? Where does one go in order to work on security? Should I go to one of the very well known universities that everyone knows from Hollywood movies? Will they accept me? Or maybe I should go to a place where I actually know someone’s research and I really really want to work with them? What kind of research do I like?

It has been eight years since I asked these questions and I now find myself on the other side of things. How do I find smart, capable, hard-working young students and get them to apply for a PhD at Stony Brook? Therefore, the purpose of this blog post is to lay in front of you all the reasons why you should apply to Stony Brook if you are interested in Security and Privacy.

Take generic department rankings with a large grain of salt

Many students, when they start having the questions that I had eight years ago, search for “best computer science graduate programs,” find the relevant article from U.S. News, and pretty much start applying from the top until they run out of money for applications. While this is a reasonable strategy if you want to join a CS undergrad, I would argue that this is not the best strategy for finding a place to do a PhD in Computer Science.
Why do I say that? For starters, if you start researching how these rankings are compiled, you will realize that they are heavily influenced by subjective surveys rather than objective metrics. Even if they were objective (which they aren’t), one should realize that no department on the face of the Earth can be “best” at everything. For example, a department can be “best” at machine learning while being “very good” at systems, and perhaps “passable” at computer vision. This distinction is not important when someone wants to get a grand overview of a field (e.g., undergraduate studies), but it is very important when you plan on working for five to six years on advancing the state of the art of a very specific area of Computer Science. Therefore, the fact that the Computer Science department of Stony Brook was subjectively ranked 40th in the 2014 US News survey of Best Graduate Schools should mean very little for those who know the field they want to work in.

How does Stony Brook rank in Computer Security?

This is still a bit vague (Ranking in which area of Computer Security? What about young faculty whose influence will not be visible for a few years? etc.), but at least it is a better question than the earlier one.
To answer this question, I will use two different sources. None of them is perfect, but they are clearly better than the generic US News rankings.

  • csrankings.org is a website that ranks departments according to their publications in specific fields. There, you will find that, if you focus on Security, Stony Brook is (at the time of this writing) actually ranked 14th, topping many departments that popular wisdom claims are very prestigious. Naturally, csrankings.org has its flaws (only three conferences per field considered, journals are not included, etc.), but at least it is based on objective metrics rather than subjective feelings of quality.
  • Davide Balzarotti (Associate Professor at Eurecom) compiled a list of statistics about the last ten years of the top 4 Security conferences (IEEE S&P, USENIX Security, NDSS, CCS). Among others, you can find the list of people who have published the most in these conferences during the last ten years. There, you will find that many people who are faculty at Stony Brook University have been consistently publishing in the very top conferences of the field. As before, this metric is not perfect (there are many excellent conferences not included in these four), but it is a good approximation.


With some luck, I have now got you to question the US News rankings and think that applying to Stony Brook may be a worthwhile endeavor. Now, I would like to focus your attention on the number of Security faculty at Stony Brook, which you will find hard to beat.

At the time of this writing (November 2016) and according to Stony Brook’s National Security Institute, there are currently no less than seven people who are spending most of their waking hours thinking about and working on Security and two more who are Security affiliated. This post would grow too long if I wanted to do justice to all of them, so I will limit myself to saying one thing about each one (in alphabetical order):

  • You want to work on mobile security? Long Lu is your guy
  • You want to work on web security and privacy? Nick Nikiforakis (that’s me) will welcome you
  • You want to work on malware? You can’t go wrong with Michalis Polychronakis
  • Hardcore crypto you say? Omkant Pandey is there for you
  • Software hardening? R. Sekar will take you under his wing
  • Your head is in the clouds and you want to make sure they are secure? Radu Sion can help
  • Is “trust, but verify” your favorite adage? Scott Stoller agrees

Stony Brook has gathered not only a large number of security people, but has made sure that each one brings with them expertise that the rest do not have. This allows graduate students to be exposed to a wide range of research and to find the topic that best suits them.


I want you to work in securityI hope this post convinces the security-minded of you to apply for a PhD at Stony Brook. If you are accepted, you will be joining a team of highly motivated faculty and their talented and hard-working students. You will be working in one of the newest Computer Science buildings in the country, on an island full of beautiful parks and beaches, and a 90-minute train ride away from New York City.

This entry was posted in Miscellanea. Bookmark the permalink.

2 Responses to Why you should apply to Stony Brook if you want to pursue a PhD in computer security and privacy

Leave a Reply

Your email address will not be published. Required fields are marked *