Teaching Security Lesson 1
The Security Mindset: Cybersecurity through Threat Modeling
Has moved to our new site!
Wait, what’s going on here?
Probably you got an old link, from before we had a real website for Teaching Security. The first Teaching Security lesson plan has moved:
https://teachingsecurity.org/lesson-1-the-security-mindset/
About This Lesson:
Lesson 1 introduces students to the basic concepts of cybersecurity and the “Security Mindset”. This perspective frames the topics in the remaining lessons.
Intended Audience: High school students or early undergraduates. Geared towards AP Computer Science Principles, but compatible with any introductory computer science course.
Delivery Format: Traditional classroom.
Duration for Whole Unit: 75 minutes (with options to shorten or lengthen).
Learning Objectives
After completing this lesson:
- Students can explain what cybersecurity is.
- Students can enumerate some reasons cybersecurity is important.
- Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it from other design and engineering efforts.
- Students can identify the goals and summarize the overall process of threat modeling.
- Given a description of a system, students can identify some potential threats (who might attack it and how) and the human impacts of those threats.
Curriculum Standards Addressed
This lesson addresses the following computer-science curricular standards.
AP Computer Science Principles Curriculum Framework
The lesson substantially addresses the following Essential Knowledge under Big Idea X, NAME:
- EK XXX. Essential knowledge statement.
The following Essential Knowledge is also touched on:
- Under Big Idea X: NAME: XX, XXX.
CSTA K–12 Computer Science Standards (Level 3 — High School)
The lesson substantially addresses the following learning objectives under Level X, Course Y: NAME:
- XXX. Learning objective.
The following learning objectives are also touched on:
- Under Level X, Course Y: NAME: XX; XXX.
ACM Computer Science Curricula 2013 (CS2013) Guidelines (Undergraduate)
The lesson substantially addresses the following Learning Outcomes under NAME:
- SUBNAME X: Learning outcome.
The following Learning Outcomes are also touched on:
- Under NAME: SUBNAME X; SUBNAME Y.
“Engage” Activities:
Introduce the topic, probe prior knowledge, and ignite students’ interest.
Quick Opening Questions (Whole-Class Mini-Discussion)
Estimated Time: 5-7 minutes.
What You’ll Need: Blackboard/whiteboard (optional).
Ignite Question
Are there any computer systems in the world that are safe from being hacked? Why or why not?
Optional Follow-Up Prompt:
- What would a totally safe system look like?
Target Answer + Details: No system is safe from attack. For a computer/system to actually be useful, it has to have some way for information to go in and come out (whether or not it’s connected to the Internet). It’s impossible to think of and protect against every way someone could possibly abuse those channels, other than just disabling them entirely.
Quick Knowledge Check
What is cybersecurity? What have you heard about it?
Optional Follow-Up Prompts:
- In what ways is it important?
- Who is it important to?
- Why do you need to protect systems from attackers? Who would do such a thing and why?
Target Answer + Details:
- Cybersecurity is about studying and protecting computer systems from adversaries who attempt to use the system in a way that it wasn’t meant to be used. (Where “computer systems” include many kinds of networked — or non-networked — devices, from smartphones to traffic lights.)
- It’s important because any system that’s designed for whatever purpose can be misused by an attacker/adversary. In other words, it’s important to anyone who interacts with computer systems, which is pretty much everybody!
- It’s common for criminals to attack a system for financial gain, i.e., to make money. It’s common for people to attack a system to exercise or demonstrate power, to prevent the real users from accessing the system, or simply because they’re bored or want to prove they can.
Small-Group Brainstorming Activity: Defend and Attack
Estimated Time: 5-10 minutes.
Description: In this activity, students get a taste of how cybersecurity involves thinking about possible attacks — but also experience the drawbacks of not using a structured approach to that thought process.
What You’ll Need: Print or write out slips of paper with a “secret” written on each one. Print one secret for each Blue Team, for them to keep hidden from the Red Team. Examples:
- “[Teacher] likes [title of movie/book/etc.].”
- “[Rival school]’s mascot is [name].”
- A random number
- An inspirational quote or a silly phrase
Running the Activity:
- Ask your students to form groups of three or four. There should be an even number of groups overall.
- Introduce the concept of a Red Team/Blue Team exercise:
- Red Team/Blue Team exercises take their name from a military exercise. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it.
- In the physical world, these exercises are used by the military to test force-readiness. They are also used to test the physical security of sensitive sites like nuclear facilities and government labs that conduct top-secret research.
- In the 1990s, cybersecurity experts began using Red Team/Blue Team exercises to test the security of information systems.
- Label each group as a Red Team or a Blue Team.
- Give each Blue Team a slip of paper with their “secret”.
- Tell the Blue Teams their task is to figure out a plan for protecting the information on the paper.
- Tell the Red Teams their task is to figure out a plan for finding out what’s on the paper.
- Give the teams 3-5 minutes to discuss their ideas for protecting or obtaining the information.
- Beginning with one of the Red Teams, ask the groups to report back. After hearing a Red Team plan to get the paper, ask if any of the Blue Teams has a plan to prevent that specific attack. (Repeat a few times.)
Types of Plans You’re Likely to Hear:
- Red Teams’ ideas will likely sort into two broad categories:
- Direct attacks: Plans that rely on directly pursuing the secret or attempting brute force; and
- Indirect attacks: Plans that rely on tricking the people involved into breaking protocol or exposing vulnerabilities.
- Blue Teams may attempt to reduce their risk.
Higher-Level Ideas That May Emerge:
- It’s tough to cover every possible attack.
- It’s easier to think of attacks than it is to think of protection measures.
- Brainstorming attacks and protections feels disorganized.
- Both sides may have lots of open questions about what’s possible, or answers that begin with “It depends”.
Computing in the News - Cybersecurity Edition
View Outline: “Computing in the News – Cybersecurity Edition”
Coming Soon: Specific questions and example articles for Lesson 1, without having to go off-page.
Other Media Resources for "Engage"
Estimated Time: TIME minutes.
What You’ll Need: Computer, projector, and speakers.
Summary: SUMMARY
Video: VIDEO TITLE
- Content Advisory: IF YOU NEED ONE.
(Produced by PRODUCER.)
“Explore” Activities:
Ground students’ learning in firsthand experience and spark new ideas.
Small-Group Activity: Threat Model a House
Estimated Time: 20-30 minutes.
What You’ll Need:
- A whiteboard or a computer and projector
- Copies of the worksheet (1 per group)
- Students will need extra paper and pens/pencils
Description: Students practice a structured approach to planning defenses against possible attacks, using a house as an example “system”.
Download Worksheet: “House Model Worksheet”
Running the Activity:
Introduction (2 minutes)
- Ask your students to form groups of 3-4.
- Introduce the activity:
- We’re going to talk about a process that can be used to approach thinking about security. It’s called threat modeling.
- At a high level, in threat modeling, you consider questions like what are you building or protecting, and what could go wrong?
- In groups, we’ll work through an example of how you would create a threat model for a basic house.
Blue Team Portion (10-15 minutes)
- Pass out a worksheet to each group
- Explain:
- In this activity, every group will start out as a Blue Team.
- The house on the worksheet and your answers to the first couple of questions are the “model” of what you’re protecting. This is an abstraction of the system at the heart of your threat model.
- The rest of the Blue Team questions involve thinking of ways that someone might attack the house or gain unauthorized access to the things inside.
- Write detailed notes for the whole group on one copy of the worksheet. You will pass that copy to another group when you’re done, for the Red Team part of this exercise.
- Give students 10-15 minutes to complete the Blue Team part of the worksheet (i.e. the first page and a half).
Red Team Portion (5 – 10 minutes)
- Have groups swap worksheets.
- Give students 5-10 minutes to plan how they could gain access to the valuables inside the houses.
Debrief/Wrap-Up (3-10 minutes)
- Have students return the worksheets to the original group so each Blue Team can spend a couple of minutes review the attacking Red Team’s plans.
- Optional: Ask each group to share an example of a clever or unexpected Red Team attack against their house, or one that would be difficult to prevent. (I.E., they should share examples thunk up by the group attacking them, not their own attack on someone else.)
Students may be surprised that Red Teams were able to come up with new attacks, despite the thought they put into their plans to protect their valuables. - Wrap up by highlighting how designing a secure system differs from other fields of engineering, in that you have an active, motivated adversary to contend with. That’s why cybersecurity is often called an arms race. And it’s just a fact that you cannot predict or prevent all attacks.
Whole-Class Brainstorm & Discussion: TITLE
Estimated Time: TIME minutes.
What You’ll Need: Blackboard/whiteboard (optional).
Ask students to give examples of SOMETHING. Examples can be written on the board. Pick a few interesting example and ask:
- QUESTIONS
Some examples you can start them off with:
- EXAMPLE
- INFORMATION ABOUT THE EXAMPLE
Extended Version:
FURTHER QUESTION
Interactive App: APP TITLE
Estimated Time: TIME minutes.
What You’ll Need: Computer and projector.
DESCRIPTION
TITLE App: URL
CAPTION |
MAYBE CHECK WITH BRYAN FOR INSTRUCTIONS ON HOW TO ADD MEDIA; IT’S WEIRD |
Options:
- OPTIONS
“Explain” Activities:
Introduce important facts and underlying concepts.
Slide Deck: Cybersecurity and Threat Modeling
Estimated Time: 15 minutes.
What You’ll Need: Computer, projector, and speakers.
Description: In this presentation, students learn about what cybersecurity is, how threat modeling works, and why threat modeling is a useful place to start for cybersecurity. The slides are accompanied by Notes with details and examples to guide your lecture.
Access Slide Deck: “Cybersecurity and Threat Modeling”
Coming Soon: Graphic organizer for student note-taking.
Estimated Time: TIME minutes.
What You’ll Need: Computer, speakers, and projector.
DESCRIPTION.
“Elaborate” Activities:
Go deeper into the underlying concepts and/or let students practice important cybersecurity skills.
Small-Group Activity: Threat Modeling with the Security Cards
Estimated Time: 20-30 minutes
What You’ll Need:
- Several sets of Security Cards (1 per group)
- “Suggested Systems” handouts or students’ sketches of systems they’re already studying or building (if they already have sketches) or blank paper for students to sketch the systems they’re studying or building
- Computer and projector
Description: Students use the Security Cards (from University of Washington) as a tool to practice threat modeling for a computer system. Includes a slide deck for introducing the activity.
Get Card Decks: The Security Cards from University of Washington
Educators can get free pre-printed decks; let them know where you heard about it. You can also print them yourself from a PDF.
Access Slide Deck: “Threat Modeling with the Security Cards” (Continues from Explain deck.)
Download Worksheet: “Suggested Systems”
Alternative Activities: The producers of the Security Cards have several suggested variations on how you can use them, depending on time and how advanced the class is: http://securitycards.cs.washington.edu/activities.html
Credits: Some of our instructions and explanations are paraphrased with permission from the University of Washington’s “Sorting by Importance” activity. Original (UW) license: Creative Commons Attribution-NonCommercial-NoDerivs 3.0 (CC BY-NC-ND 3.0).
Coming Soon: Unplugged version with “Introducing the Security Cards” handout and slide-free teacher’s notes.
In-Class Whole-Group Activity: TITLE
Estimated Time: TIME minutes.
What You’ll Need: Computer and projector.
DESCRIPTION.
More stuff here.
Making Connections: Small-Group Discussion Questions
Estimated Time: Depends on protocol chosen.
What You’ll Need: Blackboard/whiteboard (optional).
Use one or more of the following questions to help students digest the information presented in the lesson so far and personalize the content. The questions are compatible with many common classroom discussion protocols. We suggest Think-Pair-Share, Inside/Outside Circles, Chalk Talk, or Listening Dyads, but many others can be found on the NSRF’s protocol list.
QUESTION(S).
“Evaluate” Activities:
Assess students’ understanding of the material and development of new skills.
Review Questions (Quiz/Homework)
Estimated Time: TIME minutes.
What You’ll Need: Copies of review sheet.
This learning assessment can be used as an in-class quiz or as homework.
Download Assessment: “MODULE TITLE: Review Questions”
Answer key coming soon!
More for Teachers
Resources and background information to help you brush up on the technical nitty-gritty and be prepared for student questions.
Other Recommended Classroom Resources for Threat Modeling and the Security Mindset
ACTIVITY TYPE: TITLE
- Target grades: XXX
- Summary: One or two sentences.
- Produced by: Producer.
- Link: LINK
Contact Teaching Privacy if this doesn't work for you!
” autoresize=”true” height=”400″ header=”show” ssl=”true”]