Students in Whitney Poucher’s cybersecurity education courses are no strangers to highly technical topics. At Greenbrier High School in Georgia’s Columbia County district, they learn how hackers monitor users’ systems to exploit weaknesses, and staff from the nearby U.S. Army fort drop in to give lectures.
But some of the most relevant lessons are also the simplest.
One incident at the school stands out in Poucher’s memory: A student opened another’s email account, impersonating that peer and sending a threatening email message to another classmate. The victim hadn’t logged out of an account on a public work station, which allowed the other student access.
Now, said Poucher, she makes sure to emphasize basic, practical security precautions—like logging out of public computers—in her courses.
Facing an increasing array of daily security threats, schools like Greenbrier are teaching what is being dubbed “cyber hygiene,” the basic cybersecurity habits that will keep students safe online at home and on their school networks. As reports of large-scale cyber attacks targeting business and government institutions have multiplied in recent years, cybersecurity education has come into national focus. Across the country, schools are implementing workforce-oriented courses to prepare students for careers in designing and protecting networks.
Profound Consequences
Cyber hygiene is foundational for students on these pathways, argue some educators and privacy advocates, though they also believe it has broader relevance. It’s not only IT specialists who deal with sensitive information online. Training in best practices can help middle and high school students protect their personal computers, understand the difference between ethical and unethical hacking, and prepare them to confront the digital threats they will face in the workplace.
At the same time, the challenge is to present lessons on cybersecurity habits in ways that engage, rather than overwhelm, students and resonate with their daily experiences, educators and advocates say. Teachers also say there’s a need to remind students of the ethical choices that come with making decisions about how they use technology.
National Integrated Cyber Education Research Center: The project, funded by the federal Department of Homeland Security and based out of Louisiana’s nonprofit Cyber Innovation Center, offers free K-12 cybersecurity curricula to schools and districts. Courses at the high school level include Cyber Science and Cyber Society. They cover everyday safety risks, cyber law, and online ethics.
Common Sense K-12 Digital Citizenship: Common Sense Media includes lessons on privacy, security, and internet safety in their broader digital citizenship curriculum. Topics covered at all grade levels include identifying spam, creating strong passwords, and figuring out whether a website is protecting users’ personal information.
CyberPatriot Training Modules: CyberPatriot, a cyber education program created by the Air Force Association, aims to encourage students to pursue careers in cybersecurity or STEM fields. Training materials for the program’s national IT simulation competition for middle and high school students include tips on protecting personally identifiable information, instructions on building strong passwords, and case studies on ethical cyber behavior. Archived training modules are publicly available on the CyberPatriot website.
Elementary School Cyber Education Initiative: Also developed by CyberPatriot, these three free digital games are designed to teach students in grades K-6 about online safety and introduce them to the basics of cybersecurity. The games, available in English and Spanish, cover topics like phishing, malware, security software, and sharing personal information.
iSAFE Digital Citizenship: iSAFE, a nonprofit publisher, offers digital curricula for grades K-12 covering a range of privacy, security, and digital citizenship topics. Lessons in digital safety and security summarize broad subjects like personally identifiable information and acceptable use policies, but also touch on specific issues relevant to teenagers’ lives—for example, risks to watch out for when shopping online.
As targeted cyberattacks, like phishing, become more sophisticated, schools have a vested interest in helping take security precautions, said Jonathan King, the chief strategy officer at i-SAFE, a provider of curricula on cybersecurity, privacy, and digital citizenship. Counting teachers, administrative staff, students, and parents, districts have an “inordinate” amount of users on their systems, said King.
“Anything they can do to help mitigate irregular use on their infrastructure helps them in the long run,” he said.
As soon as students begin using devices in the classroom, teachers and administrators need to start having age-appropriate discussions about staying safe and protected, said Kevin Nolten, the director of academic outreach for the National Integrated Cyber Education Research Center. The center develops cybersecurity curricula for schools to integrate across disciplines.
“When I walk into a kindergarten class, and they have a set of iPads that they’re utilizing, we need to begin having a conversation about security,” said Nolten.
At that age, he said, teachers can talk with students about the purpose and use of passwords, and other, broader questions. Why do we secure certain information? Why might we want a private space online?
When they’re working with older students, teachers can draw connections to current events. Poucher said she keeps her high school students up to date on news about ever-evolving cyber attacks, like phishing scams, that could target them at home or at school. “The best defense,” she said, “is understanding the offense.”
Drawing direct connections to situations that users could actually experience makes cybersecurity warnings stick, said Michelle Mazurek, an assistant professor in computer science at the Institute for Advanced Computer Studies at the University of Maryland, College Park. That’s why demonstrating the consequences of a specific action, like leaving an account open on a public computer, is a good strategy, said Mazurek, whose research is focused on building systems to support users’ security and privacy behaviors and preferences.
“If you hear a story about something that went wrong, and you say, ‘I would never do that,’ that’s less effective,” she said.
But one of the risks in cyber-education programs—for students or adults—is that the audiences are overloaded with warnings and other information, Mazurek said. People have “limited bandwidth” to make changes in their daily routines, even if they know what security precautions they should be taking, she said. Focusing on a few crucial, actionable steps—generating strong passwords, updating software, being cautious of scams—makes it more likely that people will actually follow advice.
In the Bossier Parish school system in Louisiana, many students get those types of lessons through the CyberPatriot program, a national competition for middle and high school students run by the Air Force Association. Students practice in local teams to run an IT simulation, in which they manage the network of a small company. The district also offers cyber literacy and cyber science electives, taught with National Integrated Cyber Education Research Center curriculum materials, for high schoolers, and fields CyberPatriot teams at the middle and high school level.
Parsing Cyber Ethics
Lessons that prepare students for the competition touch on topics like how to craft a strong password, safe browsing tips, and websites that pose security risks (online shopping and social media are at the top of the list).
A step-by-step guide on spotting phishing attempts shows a sample email and labels the telltale signs: Messages are sent from a spoofed sender address, and generally ask the recipient to click through a link to input personally identifiable information.
For most of the students she’s worked with, these warnings are new information, said Charlene Cooper, an instructional coach at Cope Middle School in the Bossier Parish system and a CyberPatriot coach.
Most students don’t immediately make the connection that the kinds of cyber attacks unleashed on banks or government agencies could happen closer to home, said Marco Reyes, a cyber literacy teacher at Bossier High School.
Learning about attacks and security in school settings make it clear that these are concrete concerns, with profound consequences, he said.
Those consequences are especially apparent when the school is the site of an attack.
One Friday last school year, Nathan Mielke was getting ready for a cybersecurity-themed homeroom lesson at Hartford Union High School in Wisconsin. A few minutes after the period was supposed to start, a distributed denial-of-service, or DDoS, attack cut off access to the internet.
Mielke, the director of technology services in the high school district, said that to this day, leadership isn’t sure whether a student or an outside actor was responsible.
“But I will tell you that after we talked to students face to face about it, it stopped,” he wrote in an email.
He used the network failure as a teachable moment, explaining what happened and how the attack blocks internet connectivity, in follow-up announcements and in the school newsletter.
Grounding cybersecurity lessons in conversations about right and wrong can steer students away from mischief-minded experiments, said Nolten, of the national research center.
“It’s not only important to teach a student how to push the gas pedal,” he said. “We’ve also got to teach them how to push the brake.”
In Columbia County, Ga., Poucher teaches her students how to use a virtually protected network, or VPN, which allows users to securely access a private network and still share data through public networks. Protected networks can insulate users from hackers and surveillance online, Poucher explains to students, so they can be a safer alternative to public networks at coffee shops and hotels.
But she stresses to her classes that using the same technology at school can violate district policy, because it can be used to bypass the school’s internet filtering software. In that case, she said, students would be trying to avoid protections put in place by administrators meant to keep them safe.
In Poucher’s classes, students learn how to parse the sometimes messy distinctions between moral and immoral, and safe and risky, behaviors.
“Teaching them the responsibility that they have over themselves,” she said, “is huge.”