Teaching Security Lesson 1
The Security Mindset:
Cybersecurity through Threat Modeling
– Beta Version –
Wait, how did I end up on the Teaching Privacy website? The Teaching Security lesson plan pages are temporarily housed here on our sister website while we get the Security site up and running. You’ll always be able to find the lesson plans from TeachingSecurity.org
About This Lesson:
Lesson 1 introduces students to the basic concepts of cybersecurity and the “Security Mindset”. This perspective frames the topics in the remaining lessons.
Intended Audience: High school students or early undergraduates. Geared towards AP Computer Science Principles, but compatible with any introductory computer science course.
Delivery Format: Traditional classroom.
Duration for Whole Unit: 75 minutes (with options to shorten).
After completing this lesson:
- Students can explain what cybersecurity is.
- Students can enumerate some reasons cybersecurity is important.
- Students can discuss some of the unique challenges in the field of cybersecurity.
- Students can identify the goals and summarize the overall process of threat modeling.
- Given a description of a system, students can identify some potential threats (who might attack it and how) and the human impacts of those threats.
Introduce the topic, probe prior knowledge, and ignite students’ interest.
Quick Opening Questions (Whole-Class Mini-Discussion)
Estimated Time: 5-7 minutes.
What You’ll Need: Blackboard/whiteboard (optional).
Are there any computer systems in the world that are safe from being hacked? Why or why not?
Optional Follow-Up Prompt:
- What would a totally safe system look like?
Target Answer + Details: No system is safe from attack. For a computer/system to actually be useful, it has to have some way for information to go in and come out (whether or not it’s connected to the Internet). It’s impossible to think of and protect against every way someone could possibly abuse those channels, other than just disabling them entirely.
Quick Knowledge Check
What is cybersecurity? What have you heard about it?
Optional Follow-Up Prompts:
- In what ways is it important?
- Who is it important to?
- Why do you need to protect systems from attackers? Who would do such a thing and why?
Target Answer + Details:
- Cybersecurity is about studying and protecting computer systems from adversaries who attempt to use the system in a way that it wasn’t meant to be used. (Where “computer systems” include many kinds of networked — or non-networked — devices, from smartphones to traffic lights.)
- It’s important because any system that’s designed for whatever purpose can be misused by an attacker/adversary. In other words, it’s important to anyone who interacts with computer systems, which is pretty much everybody!
- It’s common for criminals to attack a system for financial gain, i.e., to make money. It’s common for people to attack a system to exercise or demonstrate power, to prevent the real users from accessing the system, or simply because they’re bored or want to prove they can.
Small-Group Brainstorming Activity: Defend and Attack
Estimated Time: 5-10 minutes.
What You’ll Need: Print out slips of paper with words or pictures on them (the school mascot, your state bird, a popular movie title, etc.).
In this activity, students get a taste of how cybersecurity involves thinking about possible attacks — but also the drawbacks of not taking a systematic approach.
- Ask your students to form groups of three or four.
- Label each as Group A or Group B.
- Give every Group A a copy of the paper. (Or ask Group B to close their eyes while you show the word or picture on a slide or the whiteboard.)
- Tell Group As their task is to figure out a plan for protecting the paper.
- Tell Group Bs their task is to figure out a plan for finding out what’s on the paper.
- Give groups three minutes to discuss their ideas for protecting or obtaining the piece of paper.
- Beginning with a Group B, ask the groups to report back. After hearing a Group B plan to get the paper, ask if any Group A has a plan to prevent that specific attack.
Key Ideas That May Emerge:
Computing in the News - Cybersecurity Edition
Coming Soon: Specific questions and example articles for Lesson 1, without having to go off-page.
Ground students’ learning in firsthand experience and spark new ideas.
Small-Group Activity: Threat Model a House
Estimated Time: 20-30 minutes.
What You’ll Need:
- A whiteboard or a computer and projector
- Copies of the worksheet (1 per group)
- Students will need extra paper and pens/pencils
Description: Students practice a structured approach to planning defenses against possible attacks, using a house as an example “system”.
Introduction (2 minutes)
- Ask your students to form groups of 3-4.
- Introduce the activity:
Blue Team Portion (10-15 minutes)
- Pass out a worksheet to each group
- Give students 10-15 minutes to complete the Blue Team part of the worksheet.
Red Team Portion (5 – 10 minutes)
- Have groups swap worksheets.
- Give students 5-10 minutes to plan how they could gain access to the valuables inside the houses.
Debrief/Wrap-Up (3-10 minutes)
- Have students return the worksheets to the original group so each Blue Team can spend a couple of minutes review the attacking Red Team’s plans.
- Optional: Ask each group to share an example of a clever or unexpected Red Team attack against their house, or one that would be difficult to prevent. (I.E., they should share examples thunk up by the group attacking them, not their own attack on someone else.)
Students may be surprised that Red Teams were able to come up with new attacks, despite the thought they put into their plans to protect their valuables.
- Wrap up by highlighting how designing a secure system differs from other fields of engineering, in that you have an active, motivated adversary to contend with. That’s why cybersecurity is often called an arms race. And it’s just a fact that you cannot predict or prevent all attacks.
Introduce important facts and underlying concepts.
Slide Deck: Cybersecurity and Threat Modeling
Estimated Time: 15 minutes.
What You’ll Need: Computer, projector, and speakers.
Description: In this presentation, students learn about what cybersecurity is, how threat modeling works, and why threat modeling is a useful place to start for cybersecurity. The slides are accompanied by Notes with details and examples to guide your lecture.
Coming Soon: Graphic organizer for student note-taking.
Go deeper into the underlying concepts and/or let students practice important cybersecurity skills.
Small-Group Activity: Threat Modeling with the Security Cards
Estimated Time: 20-30 minutes
What You’ll Need:
- Several sets of Security Cards (1 per group)
- “Suggested Systems” handouts or students’ sketches of systems they’re already studying or building (if they already have sketches) or blank paper for students to sketch the systems they’re studying or building
- Computer and projector
Description: Students use the Security Cards (from University of Washington) as a tool to practice threat modeling for a computer system. Includes a slide deck for introducing the activity.
Educators can get free pre-printed decks; let them know where you heard about it. You can also print them yourself from a PDF.
Access Slide Deck: “Threat Modeling with the Security Cards” (Continues from Explain deck.)
Alternative Activities: The producers of the Security Cards have several suggested variations on how you can use them, depending on time and how advanced the class is: http://securitycards.cs.washington.edu/activities.html
Credits: Some of our instructions and explanations are paraphrased with permission from the University of Washington’s “Sorting by Importance” activity. Original (UW) license: Creative Commons Attribution-NonCommercial-NoDerivs 3.0 (CC BY-NC-ND 3.0).
Coming Soon: Unplugged version with “Introducing the Security Cards” handout and slide-free teacher’s notes.
Assess students’ understanding of the material and development of new skills.
More for Teachers
Resources and background information to help you brush up on the technical nitty-gritty and be prepared for student questions.