Schools Teach ‘Cyber Hygiene’ to Combat Phishing, Identity Theft

By Sarah Schwartz — March 06, 2018 7 min read

Students in Whitney Poucher’s cybersecurity education courses are no strangers to highly technical topics. At Greenbrier High School in Georgia’s Columbia County district, they learn how hackers monitor users’ systems to exploit weaknesses, and staff from the nearby U.S. Army fort drop in to give lectures.

But some of the most relevant lessons are also the simplest.

One incident at the school stands out in Poucher’s memory: A student opened another’s email account, impersonating that peer and sending a threatening email message to another classmate. The victim hadn’t logged out of an account on a public work station, which allowed the other student access.

Now, said Poucher, she makes sure to emphasize basic, practical security precautions—like logging out of public computers—in her courses.

Facing an increasing array of daily security threats, schools like Greenbrier are teaching what is being dubbed “cyber hygiene,” the basic cybersecurity habits that will keep students safe online at home and on their school networks. As reports of large-scale cyber attacks targeting business and government institutions have multiplied in recent years, cybersecurity education has come into national focus. Across the country, schools are implementing workforce-oriented courses to prepare students for careers in designing and protecting networks.

Profound Consequences

Cyber hygiene is foundational for students on these pathways, argue some educators and privacy advocates, though they also believe it has broader relevance. It’s not only IT specialists who deal with sensitive information online. Training in best practices can help middle and high school students protect their personal computers, understand the difference between ethical and unethical hacking, and prepare them to confront the digital threats they will face in the workplace.

At the same time, the challenge is to present lessons on cybersecurity habits in ways that engage, rather than overwhelm, students and resonate with their daily experiences, educators and advocates say. Teachers also say there’s a need to remind students of the ethical choices that come with making decisions about how they use technology.

Cyber Safety Habits Curricula

National Integrated Cyber Education Research Center: The project, funded by the federal Department of Homeland Security and based out of Louisiana’s nonprofit Cyber Innovation Center, offers free K-12 cybersecurity curricula to schools and districts. Courses at the high school level include Cyber Science and Cyber Society. They cover everyday safety risks, cyber law, and online ethics.

Common Sense K-12 Digital Citizenship: Common Sense Media includes lessons on privacy, security, and internet safety in their broader digital citizenship curriculum. Topics covered at all grade levels include identifying spam, creating strong passwords, and figuring out whether a website is protecting users’ personal information.

CyberPatriot Training Modules: CyberPatriot, a cyber education program created by the Air Force Association, aims to encourage students to pursue careers in cybersecurity or STEM fields. Training materials for the program’s national IT simulation competition for middle and high school students include tips on protecting personally identifiable information, instructions on building strong passwords, and case studies on ethical cyber behavior. Archived training modules are publicly available on the CyberPatriot website.

Elementary School Cyber Education Initiative: Also developed by CyberPatriot, these three free digital games are designed to teach students in grades K-6 about online safety and introduce them to the basics of cybersecurity. The games, available in English and Spanish, cover topics like phishing, malware, security software, and sharing personal information.

iSAFE Digital Citizenship: iSAFE, a nonprofit publisher, offers digital curricula for grades K-12 covering a range of privacy, security, and digital citizenship topics. Lessons in digital safety and security summarize broad subjects like personally identifiable information and acceptable use policies, but also touch on specific issues relevant to teenagers’ lives—for example, risks to watch out for when shopping online.

As targeted cyberattacks, like phishing, become more sophisticated, schools have a vested interest in helping take security precautions, said Jonathan King, the chief strategy officer at i-SAFE, a provider of curricula on cybersecurity, privacy, and digital citizenship. Counting teachers, administrative staff, students, and parents, districts have an “inordinate” amount of users on their systems, said King.

“Anything they can do to help mitigate irregular use on their infrastructure helps them in the long run,” he said.

As soon as students begin using devices in the classroom, teachers and administrators need to start having age-appropriate discussions about staying safe and protected, said Kevin Nolten, the director of academic outreach for the National Integrated Cyber Education Research Center. The center develops cybersecurity curricula for schools to integrate across disciplines.

“When I walk into a kindergarten class, and they have a set of iPads that they’re utilizing, we need to begin having a conversation about security,” said Nolten.

At that age, he said, teachers can talk with students about the purpose and use of passwords, and other, broader questions. Why do we secure certain information? Why might we want a private space online?

When they’re working with older students, teachers can draw connections to current events. Poucher said she keeps her high school students up to date on news about ever-evolving cyber attacks, like phishing scams, that could target them at home or at school. “The best defense,” she said, “is understanding the offense.”

Drawing direct connections to situations that users could actually experience makes cybersecurity warnings stick, said Michelle Mazurek, an assistant professor in computer science at the Institute for Advanced Computer Studies at the University of Maryland, College Park. That’s why demonstrating the consequences of a specific action, like leaving an account open on a public computer, is a good strategy, said Mazurek, whose research is focused on building systems to support users’ security and privacy behaviors and preferences.

“If you hear a story about something that went wrong, and you say, ‘I would never do that,’ that’s less effective,” she said.

But one of the risks in cyber-education programs—for students or adults—is that the audiences are overloaded with warnings and other information, Mazurek said. People have “limited bandwidth” to make changes in their daily routines, even if they know what security precautions they should be taking, she said. Focusing on a few crucial, actionable steps—generating strong passwords, updating software, being cautious of scams—makes it more likely that people will actually follow advice.

In the Bossier Parish school system in Louisiana, many students get those types of lessons through the CyberPatriot program, a national competition for middle and high school students run by the Air Force Association. Students practice in local teams to run an IT simulation, in which they manage the network of a small company. The district also offers cyber literacy and cyber science electives, taught with National Integrated Cyber Education Research Center curriculum materials, for high schoolers, and fields CyberPatriot teams at the middle and high school level.

Parsing Cyber Ethics

Lessons that prepare students for the competition touch on topics like how to craft a strong password, safe browsing tips, and websites that pose security risks (online shopping and social media are at the top of the list).

A step-by-step guide on spotting phishing attempts shows a sample email and labels the telltale signs: Messages are sent from a spoofed sender address, and generally ask the recipient to click through a link to input personally identifiable information.

For most of the students she’s worked with, these warnings are new information, said Charlene Cooper, an instructional coach at Cope Middle School in the Bossier Parish system and a CyberPatriot coach.

Most students don’t immediately make the connection that the kinds of cyber attacks unleashed on banks or government agencies could happen closer to home, said Marco Reyes, a cyber literacy teacher at Bossier High School.

Learning about attacks and security in school settings make it clear that these are concrete concerns, with profound consequences, he said.

Those consequences are especially apparent when the school is the site of an attack.

One Friday last school year, Nathan Mielke was getting ready for a cybersecurity-themed homeroom lesson at Hartford Union High School in Wisconsin. A few minutes after the period was supposed to start, a distributed denial-of-service, or DDoS, attack cut off access to the internet.

Mielke, the director of technology services in the high school district, said that to this day, leadership isn’t sure whether a student or an outside actor was responsible.

“But I will tell you that after we talked to students face to face about it, it stopped,” he wrote in an email.

He used the network failure as a teachable moment, explaining what happened and how the attack blocks internet connectivity, in follow-up announcements and in the school newsletter.

Grounding cybersecurity lessons in conversations about right and wrong can steer students away from mischief-minded experiments, said Nolten, of the national research center.

“It’s not only important to teach a student how to push the gas pedal,” he said. “We’ve also got to teach them how to push the brake.”

In Columbia County, Ga., Poucher teaches her students how to use a virtually protected network, or VPN, which allows users to securely access a private network and still share data through public networks. Protected networks can insulate users from hackers and surveillance online, Poucher explains to students, so they can be a safer alternative to public networks at coffee shops and hotels.

But she stresses to her classes that using the same technology at school can violate district policy, because it can be used to bypass the school’s internet filtering software. In that case, she said, students would be trying to avoid protections put in place by administrators meant to keep them safe.

In Poucher’s classes, students learn how to parse the sometimes messy distinctions between moral and immoral, and safe and risky, behaviors.

“Teaching them the responsibility that they have over themselves,” she said, “is huge.”

A version of this article appeared in the March 07, 2018 edition of Education Week as Schools Teach ‘Cyber Hygiene’ to Prevent Internet Attacks


This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Equity & Diversity Webinar
Culturally Relevant Pedagogy to Advance Educational Equity
Schools are welcoming students back into buildings for full-time in-person instruction in a few short weeks and now is the perfect time to take a hard look at both our practices and systems to build
Content provided by PowerMyLearning
Classroom Technology Webinar Making Big Technology Decisions: Advice for District Leaders, Principals, and Teachers
Educators at all levels make decisions that can have a huge impact on students. That’s especially true when it comes to the use of technology, which was activated like never before to help students learn
Professional Development Webinar Expand Digital Learning by Expanding Teacher Training
This discussion will examine how things have changed and offer guidance on smart, cost-effective ways to expand digital learning efforts and train teachers to maximize the use of new technologies for learning.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Data Knowing What Schools Did in the Pandemic is Crucial. So Is Preserving That Data
A prominent researcher is working to collect information on schools and COVID-19 to inform future study on the pandemic's effects.
6 min read
Kindergarten students wear masks and are separated by plexiglass during class at Milton Elementary School, in Rye, N.Y. on May 18, 2021.
Kindergarten students wear masks and are separated by plexiglass during class in May at Milton Elementary School, in Rye, N.Y.
Mary Altaffer/AP
Data Will Coronavirus Hobble Yet Another National Education Survey?
Amid all the schooling disruptions, federal researchers are scrambling to connect with teachers and principals for a key national survey.
2 min read
Illustration of a person taking a survey.
DigitalVision Vectors
Data Spotlight Spotlight on Student Data
In this Spotlight, discover how students perform on national tests and more.
Data Using Student Data to Identify Future Criminals: A Privacy Debacle
A police department uses sensitive school data to keep a secret list of students it deems as at risk of engaging in criminal behavior.
8 min read
Silhouette of group of students with data overlay.
iStock/Getty Images Plus