Computer Science · 10th Grade

Active learning ideas

Incident Response Planning

Active learning works for incident response planning because students must practice making high-stakes decisions with incomplete information, mirroring real-world cybersecurity challenges. The hands-on activities in this hub help students experience the tension between speed and thoroughness that professionals face every day.

Common Core State Standards · CSTA: 3A-IC-26 · CSTA: 3A-NI-05
25–55 min · Pairs → Whole Class · 3 activities

Activity 01

Mock Trial · 55 min · Small Groups

Tabletop Exercise: Ransomware Incident

Present a scenario in phases: a school district discovers its student information system is encrypted and a ransom note has appeared. Small groups receive a role card (IT director, principal, communications lead, legal counsel) and must make sequential decisions at each phase. A facilitator introduces new complications as the exercise progresses.

Design an initial incident response plan for a small organization.

Facilitation Tip: During the tabletop exercise, circulate but do not coach; let teams struggle with the decision to document versus act first to create authentic pressure.

What to look for: Provide students with a brief scenario of a data breach (e.g., a small e-commerce site suspects customer credit card data has been stolen). Ask them to list the first three steps they would take and explain why each step is important for containment.

Analyze · Evaluate · Create · Decision-Making · Social Awareness

Activity 02

Think-Pair-Share · 25 min · Pairs

Think-Pair-Share: Containment Trade-offs

Present a scenario: a hospital discovers a breach in progress. Isolating the affected server will stop the spread but will also shut down medication dispensing for two hours. Students individually decide what to do and why, then pair to compare reasoning, then share the hardest part of the decision with the class.

Explain the importance of containment and eradication in incident response.

Facilitation Tip: Use the Think-Pair-Share to force students to confront trade-offs by making them defend their containment choices to peers who disagree.

What to look for: Pose the question: 'Imagine your school's network has been infected with ransomware. What are the immediate priorities for the IT department, and what ethical considerations must they balance when deciding whether to pay the ransom?' Facilitate a class discussion on containment, eradication, and legal obligations.

Understand · Apply · Analyze · Self-Awareness · Relationship Skills

Activity 03

Mock Trial · 40 min · Small Groups

Document Analysis: Breach Notification Requirements

Provide simplified excerpts from HIPAA, FERPA, and a state breach notification law. Small groups identify which rule applies to a given scenario (a school leaks student grades, a hospital exposes patient records) and draft a one-paragraph notification that meets the legal requirements. Groups compare their drafts and discuss what was hardest to get right.

Analyze the legal and ethical obligations following a data breach.

Facilitation Tip: Have students annotate the breach notification document with color-coded highlights to visually connect legal requirements to the NIST phases.

What to look for: Present students with a list of actions taken during an incident response (e.g., 'disconnecting infected computers', 'restoring from backup', 'notifying customers', 'analyzing logs'). Ask them to categorize each action into one of the NIST incident response lifecycle phases: Preparation, Detection & Analysis, Containment, Eradication, Recovery, or Post-Incident Review.

Analyze · Evaluate · Create · Decision-Making · Social Awareness

A few notes on teaching this unit

Teachers should frame incident response as a blend of technical skill and ethical reasoning, emphasizing that the best responders balance urgency with responsibility. Avoid treating the NIST lifecycle as a checklist; instead, have students analyze why each phase exists and what happens when it is skipped. Research shows that scenario-based learning increases retention, so repeat the tabletop exercise with new variables to reinforce patterns.

By the end of these activities, students should demonstrate the ability to apply the NIST lifecycle in context, explain why skipping steps risks legal or operational consequences, and justify their choices with evidence from scenarios or documents. Success looks like clear connections between actions taken and their impact on containment, recovery, or compliance.


Watch Out for These Misconceptions

  • During Tabletop Exercise: Ransomware Incident, watch for students who rush through containment without documenting evidence.

    During the exercise, stop teams after 10 minutes and ask them to list what data they have preserved so far; require them to add forensic notes to their response log before proceeding.

  • During Think-Pair-Share: Containment Trade-offs, watch for students who assume isolation is always the best first step.

    Prompt pairs to debate a containment method that preserves some business functions, using the scenario’s revenue loss data to justify their choice.


Methods used in this brief