Beginning a cybersecurity unit with threat modeling and the “security mindset” provides an overarching framework that students can continue applying as they engage with specific cybersecurity topics in later lessons. This lesson is built around a series of progressively more structured threat modeling activities, demonstrating the value of taking an organized approach. Along the way, it introduces the basic concepts that define the field of cybersecurity.

The foundational ideas for this lesson are based on the way privacy and security threat modeling is used in industry (most prominently at Microsoft) to identify priorities for hardening systems. As Adam Shostack, author of Threat Modeling: Designing for Security, puts it: “Threat modeling is the use of abstractions to aid in thinking about risks. […] Threat modeling is the key to a focused defense. Without threat models, you can never stop playing whack-a-mole.” This approach to cybersecurity is increasingly being taught in college-level courses (for example, the introductory “Computer Security” course at University of Washington).

1. Students can explain what cybersecurity is.
2. Students can enumerate some reasons cybersecurity is important.
3. Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it from other design and engineering efforts.
4. Students can identify the goals and summarize the overall process of threat modeling.
5. Given a description of a system, students can predict and prioritize some potential threats (who might attack it and how) and the human impacts of those threats.

This lesson addresses standards laid out in the AP Computer Science Principles Framework for 2020–21, Fall 2019 version.

Supports the following Learning Objectives under Big Idea 4, Computing Systems and Networks:

LO CSN-1.A Explain how computing devices work together in a network. Essential Knowledge points covered:

• EK CSN-1.A.3 A computer network is a group of interconnected computing devices capable of sending or receiving data.

LO CSN-1.B Explain how the Internet works.

Supports the following Learning Objectives under Big Idea 5, Impact of Computing:

LO IOC-1.A Explain how an effect of a computing innovation can be both beneficial and harmful. Essential Knowledge points covered:

• EK IOC-1.A.3 Not every effect of a computing innovation is anticipated in advance.

LO IOC-1.B Explain how a computing innovation can have an impact beyond its intended purpose. Essential Knowledge points covered:

• EK IOC-1.B.1 Computing innovations can be used in ways that their creators had not originally intended. (Example: The World Wide Web was originally intended only for rapid and easy exchange of information within the scientific community.)
• EK IOC-1.B.2 Some of the ways computing innovations can be used may have a harmful impact on society, economy, or culture.

LO IOC-2.B Explain how computing resources can be protected and can be misused. Essential Knowledge points covered:

• EK IOC-2.B.9 Malware is software intended to damage a computing system or to take partial control over its operation.
• EK IOC-2.B.10 All real-world systems have errors or design flaws that can be exploited to compromise them. Regular software updates help fix errors that could compromise a computing system.

LO IOC-2.C Explain how unauthorized access to computing resources is gained.

LO IOC-1.F Explain how the use of computing can raise legal and ethical concerns.

Also touches on the following Essential Knowledge:

Under Big Idea 1, Creative Development:

• EK CRD-2.E.3 A development process that is iterative requires refinement and revision based on feedback, testing, or reflection throughout the process. This may require revisiting earlier phases of the process.

Under Big Idea 3, Algorithms and Programming:

• EK AAP-3.F.1 Simulations are abstractions of more complex objects or phenomena for a specific purpose.
• EK AAP-3.F.4 The process of developing an abstract simulation involves removing specific details or simplifying functionality.

Under Big Idea 5, Impact of Computing:

• EK IOC-1.A.1 People create computing innovations.
• EK IOC-1.A.2 The way people complete tasks often changes to incorporate new computing innovations.
• EK IOC-1.A.4 A single effect can be viewed as both beneficial and harmful by different people, or even by the same person.
• EK IOC-1.B.3 Responsible programmers try to consider the unintended ways their computing innovations can be used and the potential beneficial and harmful effects of these new uses.
• EK IOC-1.B.4 It is not possible for a programmer to consider all the ways a computing innovation can be used.
• EK IOC-1.F.8 As with any technology or medium, using computing to harm individuals or groups of people raises legal and ethical concerns.
• EK IOC-1.F.9 Computing can play a role in social and political issues, which in turn often raise legal and ethical concerns.
• EK IOC-1.F.11 Computing innovations can raise legal and ethical concerns. (Example: The existence of computing devices that collect and analyze data by continuously monitoring activities.)
• EK IOC-2.A.5 Technology enables the collection, use, and exploitation of information about, by, and for individuals, groups, and institutions.
• EK IOC-2.A.10 Commercial and governmental curation of information may be exploited if privacy and other protections are ignored.
• EK IOC-2.A.11 Information placed online can be used in ways that were not intended and that may have a harmful impact. For example, an email message may be forwarded, tweets can be retweeted, and social media posts can be viewed by potential employers.
• EK IOC-2.B.1 Authentication measures protect devices and information from unauthorized access. Examples of authentication measures include strong passwords and multifactor authentication.
• EK IOC-2.B.8 A computer virus is a malicious program that can copy itself and gain access to a computer in an unauthorized way. Computer viruses often attach themselves to legitimate programs and start running independently on a computer.
• EK IOC-2.C.3 Data sent over public networks can be intercepted, analyzed, and modified. One way that this can happen is through a rogue access point.

Provides opportunities to use the following Computational Thinking Practices:

P1 Computational Solution Design: Design and evaluate computational solutions for a purpose.

• P1.D Evaluate solution options.

P3 Abstraction in Program Development: Develop programs that incorporate abstractions.

• P3.B Use abstraction to manage complexity in a program.

P4 Code Analysis: Evaluate and test algorithms and programs.

• P4.C Identify and correct errors in algorithms and programs, including error discovery through testing.

P5 Computing Innovations: Investigate computing innovations.

• P5.A Explain how computing systems work.
• P5.C Describe the impact of a computing innovation.
• P5.D Describe the impact of gathering data.
• P5.E Evaluate the use of computing based on legal and ethical factors.

P6 Responsible Computing: Contribute to an inclusive, safe, collaborative, and ethical computing culture.

• P6.A Collaborate in the development of solutions.
• P6.B Use safe and secure methods when using computing devices.

Some activities in this lesson involve learning skills that could be used to attack networked systems. Before beginning your cybersecurity unit, we recommend you ask students to sign an agreement such as the one below. The agreement commits them to use their powers only for good, and lays out some specifics of what that means.

Download Agreement: "Cybersecurity Ethics Agreement"

Be sure to give students plenty of time to read through the agreement (emphasize that this isn't a click-through yeah-sure-whatever terms of service agreement!) and invite them to ask questions if anything is unclear. Give them a copy to sign and a copy to keep.

• Check your district's policies to see whether students will need to have their parents sign the agreement as well.

Credits: Inspiration for the points to cover in this agreement came from Avi Rubin, Michael E. Whitman and Herbert J. Mattord (the Hands-On Information Security Lab Manual), an anonymous CS teacher from a Facebook group, and EC-Council’s Code of Ethics.

Estimated Time: 5-7 minutes.

What You’ll Need: Blackboard/whiteboard (optional).

Ignite Question

Are there any computer systems in the world that are safe from being hacked? Why or why not?

Optional Follow-Up Prompt:

• What would a totally safe system look like?

Target Answer + Details: No system is safe from attack. For a computer/system to actually be useful, it has to have some way for information to go in and come out (whether or not it’s connected to the Internet). It’s impossible to think of and protect against every way someone could possibly abuse those channels, other than just disabling them entirely.

Quick Knowledge Check

What is cybersecurity? What have you heard about it?

Optional Follow-Up Prompts:

• In what ways is it important?
• Who is it important to?
• Why do you need to protect systems from attackers? Who would do such a thing and why?

Target Answer + Details:

• Cybersecurity is about studying and protecting computer systems from adversaries who attempt to use the system in a way that it wasn’t meant to be used. (Where “computer systems” include many kinds of networked — or non-networked — devices, from smartphones to traffic lights.)
• It’s important because any system that’s designed for whatever purpose can be misused by an attacker/adversary. In other words, it’s important to anyone who interacts with computer systems, which is pretty much everybody!
• It’s common for criminals to attack a system for financial gain, i.e., to make money. It’s common for people to attack a system to exercise or demonstrate power, to prevent the real users from accessing the system, or simply because they’re bored or want to prove they can.

Estimated Time: 5-10 minutes.

What You’ll Need: Print or write out slips of paper with a “secret” written on each one. Print one secret for each Blue Team, for them to keep hidden from the Red Team. Examples:

• “[Teacher] likes [title of movie/book/etc.].”
• “[Rival school]’s mascot is [name].”
• A random number
• An inspirational quote or a silly phrase

Description: In this activity, students get a taste of how cybersecurity involves thinking about possible attacks — but also experience the drawbacks of not using a structured approach to that thought process. This activity works best as a lead-in/contrast to the more organized activities later in this lesson plan.

Running the Activity:

1. Ask your students to form groups of three or four. There should be an even number of groups overall.
2. Introduce the concept of a Red Team/Blue Team exercise:
   • Red Team/Blue Team exercises take their name from a military exercise. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it.
   • In the physical world, these exercises are used by the military to test force-readiness. They are also used to test the physical security of sensitive sites like nuclear facilities and government labs that conduct top-secret research.
   • In the 1990s, cybersecurity experts began using Red Team/Blue Team exercises to test the security of information systems.

3. Label each group as a Red Team or a Blue Team.
4. Give each Blue Team a slip of paper with their “secret”.
5. Tell the Blue Teams their task is to figure out a plan for protecting the information on the paper.
6. Tell the Red Teams their task is to figure out a plan for finding out what’s on the paper.
• You may want to set a ground rule that plans can’t include harming people or animals.
7. Give the teams 3-5 minutes to discuss their ideas for protecting or obtaining the information.
8. Beginning with one of the Red Teams, ask the groups to report back. After hearing a Red Team plan to get the paper, ask if any of the Blue Teams has a plan to prevent that specific attack. (Repeat a few times.)

Types of Plans You’re Likely to Hear:

• Red Teams’ ideas will likely sort into two broad categories:
  • Direct attacks: Plans that rely on directly pursuing the secret or attempting brute force; and
  • Indirect attacks: Plans that rely on tricking the people involved into breaking protocol or exposing vulnerabilities.
• Blue Teams may attempt to reduce their risk of direct or indirect attacks.

Higher-Level Ideas That May Emerge:

• It’s tough to cover every possible attack.
• It’s easier to think of attacks than it is to think of protection measures.
• Brainstorming attacks and protections feels disorganized.
• Both sides may have lots of open questions about what’s possible, or answers that begin with “It depends”.

Estimated Time: 3-7 minutes.

What You’ll Need: Computer and projector (optional).

Description: Teachers can use current news items about cyberattacks/data breaches or cybersecurity innovations to grab students’ attention at the beginning of class and illustrate the relevance of cybersecurity.

View Outline: “Computing in the News – Cybersecurity Edition”

Estimated Time: 20-30 minutes.

What You’ll Need:

• A whiteboard or a computer and projector
• Copies of the worksheet (1 per group)
• Students will need extra paper and pens/pencils

Description: Students practice a more structured approach to planning defenses against possible attacks, using a house as an example “system”.

Download Worksheet: “House Model Worksheet”

Running the Activity:

Introduction (2 minutes)

1. Ask your students to form groups of 3-4.
2. Introduce the activity:

   • We’re going to talk about a process that can be used to approach thinking about security. It’s called threat modeling.
   • At a high level, in threat modeling, you consider questions like what are you building or protecting, and what could go wrong?
   • In groups, we’ll work through an example of how you would create a threat model for a basic house.

Blue Team Portion (10-15 minutes)

3. Pass out pages 1 and 2 of the worksheet to each group
4. Explain:

   • In this activity, every group will start out as a Blue Team.
   • The house on the worksheet and your answers to the first couple of questions are the “model” of what you’re protecting. This is an abstraction of the system at the heart of your threat model.
   • The rest of the Blue Team questions involve thinking of ways that someone might attack the house or gain unauthorized access to the things inside.
   • Write detailed notes for the whole group on one copy of the worksheet. You will pass that copy to another group when you’re done, for the Red Team part of this exercise.

5. Give students 10-15 minutes to complete the Blue Team part of the worksheet (i.e. pages 1-2).

Red Team Portion (5 – 10 minutes)

6. Have groups swap worksheets (pages 1-2) and pass out page 3.
7. Give students 5-10 minutes to plan how they could gain access to the valuables inside the houses.
• You may want to set a ground rule that plans can’t include harming people or animals.
• If you’re short on time, you can direct Red Teams to write their responses on page 3, but skip having them represent their attacks on the Blue Teams’ diagrams.

Debrief/Wrap-Up (3-10 minutes)

8. Have students return the worksheets to the original group so each Blue Team can spend a couple of minutes review the attacking Red Team’s plans.
9. Optional: Ask each group to share an example of a clever or unexpected Red Team attack against their house, or one that would be difficult to prevent. (I.E., they should share examples thunk up by the group attacking them, not their own attack on someone else.)
10. Wrap up by highlighting how designing a secure system differs from other fields of engineering, in that you have an active, motivated adversary to contend with. That’s why cybersecurity is often called an arms race. And it’s just a fact that you cannot predict or prevent all attacks.

Options:

1. Allow both teams’ imaginations to run wild.
2. Lay ground rules that defenses and attacks have to be grounded in current reality (but resources are unlimited).
3. Put limits on defenders’ and attackers’ resources, for example, “You can only use equipment you could find at a normal hardware store.”
4. Allow students to assume unlimited resources during the main part of the activity, but ask them at the end to revisit their Blue Team plans and think about how the plans would have been different if their resources had been limited (for example, to normal hardware-store equipment).

Estimated Time: 15 minutes.
What You’ll Need: Computer, projector, and speakers.

Description: In this presentation, students learn about what cybersecurity is, how threat modeling works, and why threat modeling is a useful place to start for cybersecurity. The slides are accompanied by Notes with details and examples to guide your lecture.

Access Slide Deck: “Cybersecurity and Threat Modeling”

Contents:

• Presents an overview of web security (4-minute video), slide 2
• Defines cybersecurity, slides 3–9
• Defines cyber attack, slide 10
• Defines threat modeling, slides 11–14
• Explains the strengths and limitations of threat modeling, slides 15–24

Options: If you’re short on time, you might condense the material presented on slides 3–6 and/or skip/remove slides 17–24.

Coming Soon: Graphic organizer for student note-taking.

Estimated Time: 20-30 minutes
What You’ll Need:

• Several sets of Security Cards (1 set per group)
• “Suggested Systems” handouts (1 system/page per group) or students’ sketches of systems they’re already studying or building (if they already have sketches) or blank paper for students to sketch the systems they’re studying or building
• Computer and projector

Description: Students use the Security Cards (from University of Washington) as a tool to practice threat modeling for a computer system. This activity further develops the framework for structured security thinking introduced in the Explore and Explain activities. Includes a slide deck for introducing the activity.

Get (Free) Printable PDFs or Purchase Pre-Printed Decks: The Security Cards from University of Washington

Access Slide Deck: “Threat Modeling with the Security Cards” (Continues from Explain deck.)

Download Worksheet: “Suggested Systems”

Running the Activity:

1. Introduce the activity, using the slides and lecture notes.
2. Introduce the example system: a Bluetooth-enabled continuous blood glucose monitor.
3. Pass out a deck of Security Cards to each group.
4. Introduce the Security Cards.
5. The slide deck shows one sample card from each dimension. Introduce each dimension, then discuss (with the whole class) how the card might be relevant to the example of the Bluetooth-enabled blood glucose monitor:
   • Human Impact (blue)
   • Adversary’s Motivations (orange)
   • Adversary’s Resources (red)
   • Adversary’s Methods (green)
6. Break students into groups.
7. Pass out “Suggested Systems” handouts. The handout has four pages, one for each system. Have students choose which system their group will model, or otherwise explain what system they’ll be using (see Options below). Each group should model only one system.
8. Introduce the group task. Students will:
   1. Identify stakeholders (direct and indirect) and what data the system handles. Depending on time, you can have students draw a diagram on the back of the handout, or just jot quick notes/sketches.
   2. Sort the Security Cards by dimension.
   3. Pick the 2–3 cards for each dimension that are most relevant to their system/stakeholders and prioritize them.
9. Ask groups to report back on their card choices and priorities.
10. Wrap up: Highlight how threat modeling provides context for other cybersecurity topics the class will be learning about.

Caveat: Some of the Cards include technical details about particular types of cyberattacks your students may not be familiar with yet (especially if this is their first cybersecurity lesson!). For this activity, students don’t need to focus on those details. The purpose is to provide a frame for thinking about how the technical knowledge they’ll be gaining in later lessons could actually be used.

Options:

1. Using the “Suggested Systems” handout:
   1. Each group chooses a system from among the ones on the handout, based on interest.
   2. Choose which system each group will model at random, and pass them that handout.
   3. Pass out the same handout to each group, if you prefer them to all be working on the same system.
2. The makers of the Security Cards provide some system suggestions.
3. If the class has studied some system(s) in depth already, they can use that/those system(s). Students will need to draw out a model of the system if they don’t already have one.
4. (Advanced version) If your students are designing or building systems in groups, they can work with their regular group and use the systems they’re building. Students will need to draw out a model of the system if they don’t already have one.

Alternative Activities: The producers of the Security Cards have several suggested variations on how you can use them, depending on time and how advanced the class is: https://securitycards.cs.washington.edu/activities.html

Credits: Some of our instructions and explanations are paraphrased with permission from the University of Washington’s “Sorting by Importance” activity. Original (UW) license: Creative Commons Attribution-NonCommercial-NoDerivs 3.0 (CC BY-NC-ND 3.0).

Coming Soon: Unplugged version with “Introducing the Security Cards” handout and slide-free teacher’s notes.

Estimated Time: 10-15 minutes.

What You’ll Need:

• Copies of the assignment handout (one per student/group)
• Students will need pens/pencils

Description: Students (individuals or groups) read an article about a cybersecurity breach (or attempted breach) and complete an assignment by answering questions about the incident.

Download Handout: “Interpreting the Cybersecurity News”

Good sources for recent articles on cybersecurity incidents:

• SANS NewsBites (semiweekly newsletter on security incidents and news, with links to full news articles)
• Krebs on Security (blog about recent security breaches and related news/analysis)
• Wired, “The Biggest Cybersecurity Crises of 2019 So Far” (similar roundups once or twice a year; summaries and links to news articles)
• CSIS, “Significant Cyber Incidents Since 2006” (running list of incidents; does not cite articles)

Suggestions when picking articles (or incidents) to assign:

• Think about whether students can easily relate to the incident or its consequences.
• Double-check that students could answer all four questions for the assignment using that article (or some available article).

Assignment Options:

1. Pick one article for the whole class.
2. Present a list of articles they can choose from.
3. Assign a different article to each student/group.

Optional Extensions

• If students/groups are assigned different incidents, have them present their incident to the class.
• Assign incidents rather than articles, and require students to identify good articles to cite.
  • Teach Global Impact’s tips for identifying good sources (boxes at bottom left and top right)

Download Sample Responses: “Interpreting the Cybersecurity News (Example Responses)”

Scoring as an Assessment: Each answer should be clearly connected to the incident, and should be supported with pertinent details from the article and references to the lesson content.