Teaching Security Lesson 1


The Security Mindset:

Cybersecurity through Threat Modeling

– Beta Version –

Wait, how did I end up on the Teaching Privacy website? The Teaching Security lesson plan pages are temporarily housed here on our sister website while we get the Security site up and running. You’ll always be able to find the lesson plans from TeachingSecurity.org

About This Lesson:

Lesson 1 introduces students to the basic concepts of cybersecurity and the “Security Mindset”. This perspective frames the topics in the remaining lessons.

Intended Audience: High school students or early undergraduates. Geared towards AP Computer Science Principles, but compatible with any introductory computer science course.

Delivery Format: Traditional classroom.

Duration for Whole Unit: 75 minutes (with options to shorten).

Learning Objectives

After completing this lesson:

  1. Students can explain what cybersecurity is.
  2. Students can enumerate some reasons cybersecurity is important.
  3. Students can discuss some of the unique challenges in the field of cybersecurity.
  4. Students can identify the goals and summarize the overall process of threat modeling.
  5. Given a description of a system, students can identify some potential threats (who might attack it and how) and the human impacts of those threats.

“Engage” Activities:

Introduce the topic, probe prior knowledge, and ignite students’ interest.

Quick Opening Questions (Whole-Class Mini-Discussion)

Estimated Time: 5-7 minutes.
What You’ll Need: Blackboard/whiteboard (optional).

Ignite Question

Are there any computer systems in the world that are safe from being hacked? Why or why not?

Optional Follow-Up Prompt:

  • What would a totally safe system look like?

Target Answer + Details: No system is safe from attack. For a computer/system to actually be useful, it has to have some way for information to go in and come out (whether or not it’s connected to the Internet). It’s impossible to think of and protect against every way someone could possibly abuse those channels, other than just disabling them entirely.

Quick Knowledge Check

What is cybersecurity? What have you heard about it?

Optional Follow-Up Prompts:

  • In what ways is it important?
  • Who is it important to?
  • Why do you need to protect systems from attackers? Who would do such a thing and why?

Target Answer + Details:

  • Cybersecurity is about studying and protecting computer systems from adversaries who attempt to use the system in a way that it wasn’t meant to be used. (Where “computer systems” include many kinds of networked — or non-networked — devices, from smartphones to traffic lights.)
  • It’s important because any system that’s designed for whatever purpose can be misused by an attacker/adversary. In other words, it’s important to anyone who interacts with computer systems, which is pretty much everybody!
  • It’s common for criminals to attack a system for financial gain, i.e., to make money. It’s common for people to attack a system to exercise or demonstrate power, to prevent the real users from accessing the system, or simply because they’re bored or want to prove they can.
Small-Group Brainstorming Activity: Defend and Attack

Estimated Time: 5-10 minutes.

What You’ll Need: Print out slips of paper with words or pictures on them (the school mascot, your state bird, a popular movie title, etc.).

In this activity, students get a taste of how cybersecurity involves thinking about possible attacks — but also the drawbacks of not taking a systematic approach.

  1. Ask your students to form groups of three or four.
  2. Label each as Group A or Group B.
  3. Give every Group A a copy of the paper. (Or ask Group B to close their eyes while you show the word or picture on a slide or the whiteboard.)
  4. Tell Group As their task is to figure out a plan for protecting the paper.
  5. Tell Group Bs their task is to figure out a plan for finding out what’s on the paper.
  6. Give groups three minutes to discuss their ideas for protecting or obtaining the piece of paper.
  7. Beginning with a Group B, ask the groups to report back. After hearing a Group B plan to get the paper, ask if any Group A has a plan to prevent that specific attack.

Key Ideas That May Emerge:

  • It’s tough to cover every possible attack.
  • It’s easier to think of attacks than it is to think of protection measures.
  • Brainstorming attacks and protections feels disorganized.
  • Both sides will have lots of open questions about what’s possible.

Computing in the News - Cybersecurity Edition
View Outline: “Computing in the News – Cybersecurity Edition”

Coming Soon: Specific questions and example articles for Lesson 1, without having to go off-page.

“Explore” Activities:

Ground students’ learning in firsthand experience and spark new ideas.

Small-Group Activity: Threat Model a House

Estimated Time: 20-30 minutes.
What You’ll Need:

  • A whiteboard or a computer and projector
  • Copies of the worksheet (1 per group)
  • Students will need extra paper and pens/pencils

Description: Students practice a structured approach to planning defenses against possible attacks, using a house as an example “system”.

Download Worksheet: “House Model Worksheet”

Introduction (2 minutes)

  1. Ask your students to form groups of 3-4.
  2. Introduce the activity:

    • We’re going to talk about a process that can be used to approach thinking about security. It’s called threat modeling.
    • At a high level, in threat modeling, you consider questions like what are you building or protecting, and what could go wrong?
    • In groups, we’ll work through an example of how you would create a threat model for a basic house.

Blue Team Portion (10-15 minutes)

  1. Pass out a worksheet to each group
  2. Explain:

    • In this activity, every group will start out as a Blue Team.
    • The house on the worksheet and your answers to the first couple of questions are the “model” of what you’re protecting. This is an abstraction of the system at the heart of your threat model.
    • The rest of the Blue Team questions involve thinking of ways that someone might attack the house or gain unauthorized access to the things inside.
  3. Give students 10-15 minutes to complete the Blue Team part of the worksheet.

Red Team Portion (5 – 10 minutes)

  1. Have groups swap worksheets.
  2. Give students 5-10 minutes to plan how they could gain access to the valuables inside the houses.

Debrief/Wrap-Up (3-10 minutes)

  1. Have students return the worksheets to the original group so each Blue Team can spend a couple of minutes review the attacking Red Team’s plans.
  2. Optional: Ask each group to share an example of a clever or unexpected Red Team attack against their house, or one that would be difficult to prevent. (I.E., they should share examples thunk up by the group attacking them, not their own attack on someone else.)
    Students may be surprised that Red Teams were able to come up with new attacks, despite the thought they put into their plans to protect their valuables.
  3. Wrap up by highlighting how designing a secure system differs from other fields of engineering, in that you have an active, motivated adversary to contend with. That’s why cybersecurity is often called an arms race. And it’s just a fact that you cannot predict or prevent all attacks.

“Explain” Activities:

Introduce important facts and underlying concepts.

Slide Deck: Cybersecurity and Threat Modeling

Estimated Time: 15 minutes.
What You’ll Need: Computer, projector, and speakers.

Description: In this presentation, students learn about what cybersecurity is, how threat modeling works, and why threat modeling is a useful place to start for cybersecurity. The slides are accompanied by Notes with details and examples to guide your lecture.

Access Slide Deck: “Cybersecurity and Threat Modeling”

Coming Soon: Graphic organizer for student note-taking.

“Elaborate” Activities:

Go deeper into the underlying concepts and/or let students practice important cybersecurity skills.

Small-Group Activity: Threat Modeling with the Security Cards

Estimated Time: 20-30 minutes
What You’ll Need:

  • Several sets of Security Cards (1 per group)
  • “Suggested Systems” handouts or students’ sketches of systems they’re already studying or building (if they already have sketches) or blank paper for students to sketch the systems they’re studying or building
  • Computer and projector

Description: Students use the Security Cards (from University of Washington) as a tool to practice threat modeling for a computer system. Includes a slide deck for introducing the activity.

Get Card Decks: The Security Cards from University of Washington

Educators can get free pre-printed decks; let them know where you heard about it. You can also print them yourself from a PDF.

Access Slide Deck: “Threat Modeling with the Security Cards” (Continues from Explain deck.)
Download Worksheet: “Suggested Systems”

Alternative Activities: The producers of the Security Cards have several suggested variations on how you can use them, depending on time and how advanced the class is: http://securitycards.cs.washington.edu/activities.html

Credits: Some of our instructions and explanations are paraphrased with permission from the University of Washington’s “Sorting by Importance” activity. Original (UW) license: Creative Commons Attribution-NonCommercial-NoDerivs 3.0 (CC BY-NC-ND 3.0).

Coming Soon: Unplugged version with “Introducing the Security Cards” handout and slide-free teacher’s notes.

“Evaluate” Activities:

Assess students’ understanding of the material and development of new skills.

More for Teachers

Resources and background information to help you brush up on the technical nitty-gritty and be prepared for student questions.

Contact us and let us know what you think!

12 + 2 =