Lesson 1 (Beta)
The Security Mindset:
Cybersecurity through Threat Modeling
About This Lesson:
Lesson 1 introduces students to the basic concepts of cybersecurity and the “Security Mindset”. This perspective frames the topics in the remaining lessons.
Intended Audience: High school students or early undergraduates. Geared towards AP Computer Science Principles, but compatible with any introductory computer science course.
Delivery Format: Traditional classroom.
Duration for Whole Unit: 75 minutes (with options to shorten or lengthen).
Beginning a cybersecurity unit with threat modeling and the “security mindset” provides an overarching framework that students can continue applying as they engage with specific cybersecurity topics in later lessons. This lesson is built around a series of progressively more structured threat modeling activities, demonstrating the value of taking an organized approach. Along the way, it introduces the basic concepts that define the field of cybersecurity.
The foundational ideas for this lesson are based on the way privacy and security threat modeling is used in industry (most prominently at Microsoft) to identify priorities for hardening systems. As Adam Shostack, author of Threat Modeling: Designing for Security, puts it: “Threat modeling is the use of abstractions to aid in thinking about risks. [...] Threat modeling is the key to a focused defense. Without threat models, you can never stop playing whack-a-mole.” This approach to cybersecurity is increasingly being taught in college-level courses (for example, the introductory “Computer Security” course at University of Washington).
- Students can explain what cybersecurity is.
- Students can enumerate some reasons cybersecurity is important.
- Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it from other design and engineering efforts.
- Students can identify the goals and summarize the overall process of threat modeling.
- Given a description of a system, students can predict and prioritize some potential threats (who might attack it and how) and the human impacts of those threats.
Introduce the topic, probe prior knowledge, and ignite students’ interest. (Choose one Engage activity, or use more if you have time.)
Quick Opening Questions (Whole-Class Mini-Discussion)
Estimated Time: 5-7 minutes.
What You’ll Need: Blackboard/whiteboard (optional).
Are there any computer systems in the world that are safe from being hacked? Why or why not?
Optional Follow-Up Prompt:
- What would a totally safe system look like?
Target Answer + Details: No system is safe from attack. For a computer/system to actually be useful, it has to have some way for information to go in and come out (whether or not it’s connected to the Internet). It’s impossible to think of and protect against every way someone could possibly abuse those channels, other than just disabling them entirely.
Quick Knowledge Check
What is cybersecurity? What have you heard about it?
Optional Follow-Up Prompts:
- In what ways is it important?
- Who is it important to?
- Why do you need to protect systems from attackers? Who would do such a thing and why?
Target Answer + Details:
- Cybersecurity is about studying and protecting computer systems from adversaries who attempt to use the system in a way that it wasn’t meant to be used. (Where “computer systems” include many kinds of networked — or non-networked — devices, from smartphones to traffic lights.)
- It’s important because any system that’s designed for whatever purpose can be misused by an attacker/adversary. In other words, it’s important to anyone who interacts with computer systems, which is pretty much everybody!
- It’s common for criminals to attack a system for financial gain, i.e., to make money. It’s common for people to attack a system to exercise or demonstrate power, to prevent the real users from accessing the system, or simply because they’re bored or want to prove they can.
Small-Group Brainstorming Activity: Defend and Attack
Estimated Time: 5-10 minutes.
What You’ll Need: Print or write out slips of paper with a “secret” written on each one. Print one secret for each Blue Team, for them to keep hidden from the Red Team. Examples:
- “[Teacher] likes [title of movie/book/etc.].”
- “[Rival school]’s mascot is [name].”
- A random number
- An inspirational quote or a silly phrase
Description: In this activity, students get a taste of how cybersecurity involves thinking about possible attacks — but also experience the drawbacks of not using a structured approach to that thought process. This activity works best as a lead-in/contrast to the more organized activities later in this lesson plan.
Running the Activity:
- Ask your students to form groups of three or four. There should be an even number of groups overall.
- Introduce the concept of a Red Team/Blue Team exercise:
- Label each group as a Red Team or a Blue Team.
- Give each Blue Team a slip of paper with their “secret”.
- Tell the Blue Teams their task is to figure out a plan for protecting the information on the paper.
- Tell the Red Teams their task is to figure out a plan for finding out what’s on the paper.
Types of Plans You’re Likely to Hear:
Higher-Level Ideas That May Emerge:
Computing in the News - Cybersecurity Edition
Estimated Time: 3-7 minutes.
What You’ll Need: Computer and projector (optional).
Description: Teachers can use current news items about cyberattacks/data breaches or cybersecurity innovations to grab students’ attention at the beginning of class and illustrate the relevance of cybersecurity.
Ground students’ learning in firsthand experience and spark new ideas.
Small-Group Activity: Threat Model a House
Estimated Time: 20-30 minutes.
What You’ll Need:
- A whiteboard or a computer and projector
- Copies of the worksheet (1 per group)
- Students will need extra paper and pens/pencils
Description: Students practice a more structured approach to planning defenses against possible attacks, using a house as an example “system”.
Running the Activity:
Introduction (2 minutes)
- Ask your students to form groups of 3-4.
- Introduce the activity:
Blue Team Portion (10-15 minutes)
- Pass out pages 1 and 2 of the worksheet to each group
- Give students 10-15 minutes to complete the Blue Team part of the worksheet (i.e. pages 1-2).
Red Team Portion (5 – 10 minutes)
- Have groups swap worksheets (pages 1-2) and pass out page 3.
- Give students 5-10 minutes to plan how they could gain access to the valuables inside the houses.
Debrief/Wrap-Up (3-10 minutes)
- Have students return the worksheets to the original group so each Blue Team can spend a couple of minutes review the attacking Red Team’s plans.
- Optional: Ask each group to share an example of a clever or unexpected Red Team attack against their house, or one that would be difficult to prevent. (I.E., they should share examples thunk up by the group attacking them, not their own attack on someone else.)
- Wrap up by highlighting how designing a secure system differs from other fields of engineering, in that you have an active, motivated adversary to contend with. That’s why cybersecurity is often called an arms race. And it’s just a fact that you cannot predict or prevent all attacks.
- Allow both teams’ imaginations to run wild.
- Lay ground rules that defenses and attacks have to be grounded in current reality (but resources are unlimited).
- Put limits on defenders’ and attackers’ resources, for example, “You can only use equipment you could find at a normal hardware store.”
- Allow students to assume unlimited resources during the main part of the activity, but ask them at the end to revisit their Blue Team plans and think about how the plans would have been different if their resources had been limited (for example, to normal hardware-store equipment).
Introduce important facts and underlying concepts.
Slide Deck: Cybersecurity and Threat Modeling
Estimated Time: 15 minutes.
What You’ll Need: Computer, projector, and speakers.
Description: In this presentation, students learn about what cybersecurity is, how threat modeling works, and why threat modeling is a useful place to start for cybersecurity. The slides are accompanied by Notes with details and examples to guide your lecture.
- Presents an overview of web security (4-minute video), slide 2
- Defines cybersecurity, slides 3–9
- Defines cyber attack, slide 10
- Defines threat modeling, slides 11–14
- Explains the strengths and limitations of threat modeling, slides 15–24
Options: If you’re short on time, you might condense the material presented on slides 3–6 and/or skip/remove slides 17–24.
Coming Soon: Graphic organizer for student note-taking.
Go deeper into the underlying concepts and/or let students practice important cybersecurity skills.
Small-Group Activity: Threat Modeling with the Security Cards
Estimated Time: 20-30 minutes
What You’ll Need:
- Several sets of Security Cards (1 set per group)
- “Suggested Systems” handouts (1 system/page per group) or students’ sketches of systems they’re already studying or building (if they already have sketches) or blank paper for students to sketch the systems they’re studying or building
- Computer and projector
Description: Students use the Security Cards (from University of Washington) as a tool to practice threat modeling for a computer system. Includes a slide deck for introducing the activity.
- Educators can get free pre-printed decks; let them know where you heard about it. You can also print them yourself from a PDF.
Access Slide Deck: “Threat Modeling with the Security Cards” (Continues from Explain deck.)
- The handout has four pages, one for each system. If you are using this option, assign one system to each group.
Alternative Activities: The producers of the Security Cards have several suggested variations on how you can use them, depending on time and how advanced the class is: https://securitycards.cs.washington.edu/activities.html
Credits: Some of our instructions and explanations are paraphrased with permission from the University of Washington’s “Sorting by Importance” activity. Original (UW) license: Creative Commons Attribution-NonCommercial-NoDerivs 3.0 (CC BY-NC-ND 3.0).
Coming Soon: Unplugged version with “Introducing the Security Cards” handout and slide-free teacher’s notes.
Assess students’ understanding of the material and development of new skills.
Assignment: Create a Password PSA
Estimated Time: 30-45 minutes.
What You'll Need:
- Copies of the assignment handout
- Student computers with software that can make a flyer/poster and/or a slide presentation
- (Optional) Devices that can capture video
Suggested Preparation: Look up the password policy for your school or district (for whatever system students interact with the most) to make sure it’s findable. (At least by trying to make a new account.)
Description: Students (individuals or groups) create a poster or public service announcement that explains the school’s or district’s password policy and also gives general guidelines for coming up with a good password.
- Print out or screenshot the password policy for your district’s or school’s online systems, or send your students to the URL.
- Leave finding out what the password policy is as a problem-solving exercise for the students (assuming it’s findable).
- If your district’s/school’s policy isn’t findable, use another system students might interact with that would be worth making a PSA for (like the public library).
More for Teachers
Resources and background information to help you brush up on the technical nitty-gritty and be prepared for student questions.