Cyber Security: Curriculum for High School Students

Research Paper
CET 751 Computer Hardware and Networking
Dakota State University
820 North Washington Street
Madison, South Dakota 57042

Submitted by Joey Liesinger

Abstract: This paper is strictly a basic study on developing and delivering a fundamental
curriculum for high school students. In no way is this study, or curriculum research and
designed to be all encompassing for which it would be impossible. But rather, this paper is a
simple, fundamental approach to the predominant topics of the day and how those basic systems
can best inform, teach, and protect today’s high school student.
 June 17, 2019

I. Statement of Research Question/Problem

What does research indicate about various Cybersecurity curriculums for high school

students in a traditional classroom setting with either a synchronous or hybrid delivery?

II. Summary of Literature

Because of an explosion in computer and network technology, there is a vital need to

emphasize cybersecurity awareness to our population of high school students. Everyday

computers are becoming more powerful and networks are more prevalent thereby making

everyone more vulnerable. With one click, a person can be connected to fiscal accounts for a

large corporation across the globe and just as quick, those networks can be intercepted, spied on,

and used maliciously. The issued today is how do we inform students of alternatives for a safe

digital footprint and make them aware of how to protect themselves and others.

Even though students and society are becoming more and more comfortable with

information systems, a curriculum for secondary education should begin by defining a common-

sense approach to cybersecurity by first introducing fundamentals of connectivity and the

vocabulary of today’s most ubiquitous sources (Lu, 2018).

For instance, “What is Cybersecurity?” Today’s students are very comfortable and

familiar with Youtube and a simple search can find detailed introductions, information on

careers, and even full courses for beginners albeit asynchronous. To get students started, a great

video by Cyberactive Security (2019) begins with simple non-invasive vocabulary to include

reasoning. Lu (2018) defines protecting data as, “Cybersecurity is information system

management by individuals or organization to manage end-users’ security behaviors, on the basis

of personal perceived behaviors toward potential security breach in work and non-work
environment.” An example of a nice “Word Cloud” is also included in the research Lu (2018)

based off frequency of terms throughout fifty articles and demonstrates the possibilities for

student interaction or creation as an icebreaker.

Then next step before students acquire thinking and communication skills are to become

familiar with information and communication technologies (Njoku, 2015). Students must at least

have a knowledge of this basic list of Information and Communication Technologies (ICT’s)

with connectivity and guaranteed to enhance learning:

Presentation Online Community

Instant Messaging Chat Rooms
Software or Internet Forum
Learning
Management Social Networking Blogs Twitter
Sytems
Wiki Mobile Phones Digital Cameras Internet of Things
 With the setting established, students now move toward an awaking of both use and

impact when investigating many of the tools and connections currently available to the global

community already. One of the best methods is to discover the Internet of Things (IoT’s). The

IoT is revolutionary because of the impact it has on daily lives: smart environments at home;

eHealth, smart transportation systems; business; manufacturing; and entertainment (Lu, & Xu,

2019). IoT’s connect with smart devices anytime and anywhere to create this inevitable problem

of protection with Cybersecurity.

The U. S. Government has tried to step in and regulate IoT’s, however the discussions

have simply led to more questions than answers (Kirtley, 2018). Some examples of IoT’s looked

at where things like smart televisions, smart cities, and medical devices. But Iot’s also include

things like phones, watches, microwaves, cars, and even washing machines.

The susceptibility of cyber protection could impact everything from drinking water to

personal well-being. Javelin Strategy and Research recently found that cyber criminals stole

more than $16 billion from over 15 million U.S. consumers in 2016 (Harman, 2017). Police once

asked felon Willie Sutton why he robbed banks and he answered, “Because that is where the

money is.”

But. These detrimental impacts on victims aren’t always about money. Even though the

primary sources of vulnerability have commonalities characterized by people making mistakes,

attacks take place locally or regionally, and ultimately victims also suffer from stress and shame.

The main mistake people make are dealing with passwords. One common attack is to

leverage passwords people reuse across sites with different levels of security thereby allowing

hackers access to accounts layered with higher requirements for authorization (Jenkins, et al.

2014). A strong password is a non-routine set of characters that include upper- and lower-case
letters, special characters, have considerable length, have digits or numbers, and constructed in

such a manner that the user can’t even remember them. But there is more research being

completed on keystroke dynamics along with alleviating cognition by simply using easily

remembered strings or phrases in combination with numbers and special characters (Jenkins, et.

al., 2014). Even artificial intelligence is a new feature for password managing but it is so new

there must be more research on its vulnerability.

Blackhat (the bad guys) hackers will Phish for passwords too. A great video for students

on to graphically grasp an understanding for what phishing is, how to recognize the

impersonations, and to prevent the deception by watching the Youtube video “What is

Phishing?” Safety in Canada, (2014). There is an entire volume of Youtube videos that can be

easily accessed, motivational, and informative on attacks of Phishing and Spear-phishing.

Other vulnerabilities are widespread with malware, spyware, and viruses. Once example

of this is the famous ransomeware attack where hackers locked down networks of businesses and

demanded money before unlocking those companies’ computers. The “WannaCry” ransomware

attack that occurred in May 2017 sneaked into the networks of many medical centers and clinics

through a security hole in outdated Windows systems. On the first day alone, it targeted more

than 200,000 computers as hackers demanded money to put systems back online.8 The

ransomware that struck Hancock Health - a different program known as SamSam - came through

an administrative account for a hospital vendor (Malmo, 2018).

Malware (“malicious software") is any software that brings harm to a computer or

network system. Some forms are viruses, Trojan horses, spyware, adware, and rootkits, which

can steal protected data, delete documents, or add software not approved by a user Malware can
lie dormant for several weeks or months without being exposed. Certainly, this data-mining is

being pulled from networks around the world right now without detection (Malmo, 2018).

Ethics must be the overall consideration of cybersecurity. There are black hatters, people

who attack for harm, white hatters, people who search and solve vulnerabilities for the purpose

of correcting and improvement, and then there are those who create concerns in the name of

advancement but create unintended consequences.

But more subtle issues are things like facial recognition, neutral equality, hospital safety,

national security, and free elections (Segall, 2019). For instance, is ethical to edit the DNA of a

human? Ethics requires thinking first and acting second and should be a habit of decision and

structure at all levels of every organization.

Students must have a curriculum well versed in the detriments of how cyber-bullying

affects victims, how it affects themselves, and the electronic footprints left behind with meta-

data. These concerns have further increased pursuant to various high-profile cases covered in the

media in which cyber-victims committed suicide (Wright, 2018).

Research shows there is a need for teaching internet safety at a very young age through

every educational level. Internet safety is widely accepted among teachers as a need and there is

an unanimous agreement among educators to provide this, however there is also a consensus that

students should also receive a continuum of electronic safety across mediums beyond the

schoolhouse and into churches, communities, and parents (Moreno, 2013).

One of the best characteristics of a great curriculum is the inheritance of higher order

thinking skills. The difference between knowing how to perform a well learned skill and being

able to explain that performance is familiar to anyone who has acquired skilled expertise

(Bojinov, 2014). A good cybersecurity program must have scenarios of cryptography where
graphic keys are given and other scenarios involving how to solve for those keys through

patterns.

Software security is another leg of a great cybersecurity curriculum but is more difficult

to teach. Protecting people from cyber threats imposes great challenges, not only technically, but

also socially. To achieve the intended level of awareness, software security principles need to be

shown with concrete examples during security education (Yasin, et. al., 2019). This article

provides scenarios and specific for embedded software security learning through a Cyber

Security Requirements Awareness Game. Other factors at play are layers of operating systems

and applications for learning outcomes and leaner engagement.

No cybersecurity curriculum would be complete without simulating packet routing

without protocols for embedding learning through student engagement. A fundamental

requirement for any network simulation environment is the realistic forwarding of packets from a

source to a destination within topology (Riley & Reddy, 2005). The simulations should include

routing decision at each hop along the path accurately reflecting router resolutions as affected by

topology changes with link weight adjustments or node failures. Below is a simple diagram of

topology.
 Internet Protocol (IP) addresses or Uniform Resource Locators (URLs), and Domains, the

extensions to the right of URLs, are also fundamental subjects inherent to cyber security. The

most common domains are .com and .org, however the Internet Corporation for Assigned Names

and Number is opening applications for generic top-level domains (gTLDs). So, students will

have to become familiar with many more domains and aware of possible threats to cybersecurity

because big corporations like Google and Youtube plan to buy more (Del Rey, 2012).

Ultimately, after students can grasp the impact of connectivity, the prevalence of network

activity in daily life, and the need for everchanging layers of protection against harm, the goal for

for a high school curriculum is to prepare learners for careers in cybersecurity. It is a huge

consideration when hiring certified employees, but not necessarily required (Knapp, Maurer, &

Plachkinova, 2017). There is however a basic knowledge required at the entry level and the

organizations should look for three things when hiring: degree or earning a degree, vendor-

specific certifications, and job experience.

III. Summary and Conclusion

There are numerous tools, methods, and strategies to teach cybersecurity. Some are web-

based asynchronous, some are expository with all of the topics above and more. Web-based

tools allow for students to self-pace, and at the same time, educators can combine any of the

topics above with activities within correlating modules. Two such web-based curricula are:

NSA Day of Cyber Security: https://www.nsa.gov/resources/students/nsa-day-of-cyber/

CodeHS.com: https://codehs.com

Both courses cover the topics above, have great video, include reflection, and offer puzzles. The

CodeHS course however comes with a built-in learning management system (LMS) that offers

teachers to monitor program, grade book, and offers multiples course beyond the scope of
cybersecurity. As technology continues to explode, the demand for further research must too.

No one knows what tomorrow will bring as far as tools, methods, and safeguards, but when

teachers and students work together, both learn. When teachers continue to participate in

conferences, lead in workshops, and pursue degrees, threats of cybersecurity can be minimized.

The goal is not to teach students every possible topic, but rather to energize, motivates, and help

students understand how easily Goliath can slayed.

IV. List of References

Bojinov, H., Sanchez, D., Reber, P., Boneh, D., & Lincoln, P. (2014). Neuroscience Meets

Cryptography: Crypto Primitives Secure Against Rubber Hose Attacks. Communications

of the ACM, 57(5), 110-118. https://www.exproxy.dsu.edu:2079/10.1145/2594445

Cyberactive Security. (2019, June 10). What is Cyber Security? Retrieved from

https://www.youtube.com/watch?v-2mh-N9_O_yl

Del Rey, J. (2012). Few brands admit to buying new domains: Google, Deloitte among those that

say they plan to apply for generic top-level domains. Advertising Age, 83(15), 1-n/a.

Retrieved from http://www.exproxy.dsu.edu:2048/login?url=https://www.ezproxy.dsu.

Edu:2085/docview/993592857?accountid=27073

Harman, P. L. (2017). Assessing identity theft risks. Claims, Retrieved from

http://www.ezproxy.dsu.edu:2048/login?url=https://www.ezproxy.dsu.edu:2085/docview

/1893779299?accountid=27073

Jenkins, J. L., Grimes, M., Proudfoot, J. G., & Lowry, P. B. (2014). Improving Pasword

Cybersecurity Through Inexpensive and Minimall Invasive Means: Detecting and

Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Justi-in-Time

Fear Appeals. Information Technology for Development, 20(2), 196-213. Retrieved from

https://www.exproxy.dsu.edu:2079/10.1080/02681102.2013.814040

Kirtley, J., & Memmel, S. (2018). TOO SMART FOR ITS OWN GOOD: ADDRESSING THE

PRIVACY AND SECURITY CHALLENGES OF THE INTERNET OF THINGS

1.Journal of Internet Law, 22(4), 1-33. Retrieved from

http://www.ezproxy.dsu.edu:2048/login?url=https://www.ezproxy.dsu.edu:2085/docview

/2127173283?accountid=27073
Knapp, K. J., Maurer, C. & Plachkinova, M. (2017). Maintaining a cybersecurity curriculum:

Professional certification as valuable guidance. Journal of Information Systems

Education, 28(2), 101-113. Retrieved from

http://www.ezproxy.dsu.edu:2048/login?url=https://www.ezproxy.dsu.edu:2085/docview

/1977218971?accountid=27073

Lu, Y. (2018). Cybersecurity research: A review of current research topics. Singapore. Journal of

Industrial Integration and Management, 3(4). Retrieved from

http://www.exproxy.dsu.edu:2119/stamp/stamp.jsp?tp=&arnumber=8462745

Lu, Y. and Xu, L. D. (2019). Internet of things (IoT) cybersecurity research: A review of current

research topics. IEEE Internet of Things Journal, 6(2), 2103-2115. Retrieved from

https://www.exproxy.dsu.edu:2119/document/8462745

Malmo, K. (2018). How to defend yourself against. PT in Motion, 10(7), 18-26. Retrieved from

http://www.ezproxy.dsu.edu:2048/login?url=https://www.ezproxy.dsu.edu:2085/docview

/2172050611?accountid=27073

Moreno, M. A., Egan, K. G., Bare, K., Young, H. N., & Cox, E. D. (2013). Internet safety

education for youth: Stakeholder perspectives. BMC Public Health, 13(1), 1-6. Retrieved

from https://www.exproxy.dsu.edu:2079/10.1186/1471-2458-13-543

Njoku, C. P.-U. (2015). “Information and communication technologies to raise quality of

teaching and learning in higher education institutions. “International Journal of Education

and Development using Information and Communication Technology”. 11(1), 122-147.

Riley, G., & Reedy, D. (2005). Simulating realistic packet routing without routing

protocols. Workshop on Principles of Advanced and Distributed Simulation

(PADS'05), 151-158. doi: 10.1109/PADS.2005.28

Safety in Canada. (2014, February 03). What is Phishing? Retrieved from

https://www.youtube.com/watch?v=9TRR6lHviQc, 2019 June 17

Segall, L. (2019). Be Afraid, Very Afraid What the Tech World Should Fear Next. TIME

Magazine, 193(3), 32–33. Retrieved from

http://www.ezproxy.dsu.edu:2067/login.aspx?direct=true&db=aph&AN=134160309&sit

e=ehost-live&scope=site

Wright, M. (2018). Cyberbullying Victimization through Social Networking Sites and

Adjustment Difficulties: The Role of Parental Mediation. Journal of the Association for

Information Systems, 19(2), 113–123.

https://www.ezproxy.dsu.edu:2079/10.17705/1jais.00486

Yasin, A., Liu, L., Li, T., Fatima, R., & Jainmin, W. (2019). Improving software security

awareness using a serious game. IET Software, 13(2), 159-169.doi: 10.1049/iet-

sen.2018.5095