Computer Science · 12th Grade

Active learning ideas

Defensive Strategies and Security Best Practices

Active learning works for defensive strategies because students need to experience security decision-making firsthand. They learn best when they analyze trade-offs between security and usability, design layered defenses, and practice responding to threats in realistic scenarios.

Common Core State StandardsCSTA: 3B-NI-04CCSS.ELA-LITERACY.RST.11-12.7
30–50 minPairs → Whole Class4 activities

Activity 01

Inquiry Circle50 min · Small Groups

Inquiry Circle: Threat Modeling Workshop

Groups receive a simple web application architecture diagram , a user, a web server, a database, and an external API. Using the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), they systematically identify one potential threat per category. Groups share their models and compare which threats they identified and which they missed.

How can developers build security into the software lifecycle rather than adding it at the end?

Facilitation TipDuring the Threat Modeling Workshop, ask each group to present their top threat to the class and explain why it matters to their fictional business.

What to look forStudents work in small groups to design a security strategy for a fictional small business. After drafting their plan, groups swap plans with another group. Each group then provides written feedback on the other's plan, specifically addressing: Are the technical controls appropriate? Are the human elements clearly defined? Are there any obvious gaps?

AnalyzeEvaluateCreateSelf-ManagementSelf-Awareness
Generate Complete Lesson

Activity 02

Formal Debate35 min · Whole Class

Formal Debate: Usability vs. Security

Students debate a specific policy: requiring two-factor authentication for all users of a school system, including community education participants who may not have smartphones. One side argues the security benefit; the other argues the accessibility cost. The goal is not to win but to arrive at a policy nuanced enough to serve both values simultaneously.

What are the trade-offs between system usability and high-level security?

Facilitation TipFor the Usability vs. Security debate, assign roles (security advocate, usability advocate, neutral moderator) to keep the discussion focused and equitable.

What to look forPresent students with a scenario describing a new feature being added to a social media app. Ask them to identify one security control that should be implemented at the design phase, one during coding, and one post-deployment. They should briefly explain the purpose of each control.

AnalyzeEvaluateCreateSelf-ManagementDecision-Making
Generate Complete Lesson

Activity 03

Think-Pair-Share30 min · Pairs

Think-Pair-Share: Incident Response Planning

Present a scenario: the school's student information system shows signs of unauthorized access at 3am on a Friday. Students individually write down their first five actions. Pairs compare lists and resolve disagreements about priority. The class compiles a single incident response checklist and compares it against a NIST incident response framework template.

Design a comprehensive security strategy for a small business, incorporating both technical and human elements.

Facilitation TipIn the Incident Response Planning Think-Pair-Share, provide a template with clear sections so pairs can focus on content rather than format.

What to look forFacilitate a class discussion using the prompt: 'Imagine you are developing a new online banking app. How would you balance the need for extremely high security with the desire for a simple, user-friendly experience for customers? What specific trade-offs are you willing to make, and why?'

UnderstandApplyAnalyzeSelf-AwarenessRelationship Skills
Generate Complete Lesson

Activity 04

Gallery Walk35 min · Small Groups

Gallery Walk: Security Controls by Layer

Post cards representing different security controls (firewall, MFA, encryption at rest, security training, code review, backup, penetration testing) around the room. Students label each as a prevent, detect, or respond control and note which layer of defense in depth it addresses. A debrief asks which categories are most commonly overlooked in real organizations.

How can developers build security into the software lifecycle rather than adding it at the end?

Facilitation TipDuring the Gallery Walk, post a 'critical question' at each station to guide students' analysis of the security controls.

What to look forStudents work in small groups to design a security strategy for a fictional small business. After drafting their plan, groups swap plans with another group. Each group then provides written feedback on the other's plan, specifically addressing: Are the technical controls appropriate? Are the human elements clearly defined? Are there any obvious gaps?

UnderstandApplyAnalyzeCreateRelationship SkillsSocial Awareness
Generate Complete Lesson

A few notes on teaching this unit

Teach this topic by making security tangible. Use role-playing, scenario-based tasks, and layered discussions to help students see security as a system, not a checklist. Avoid isolating concepts—connect each strategy to a real risk and a real cost. Research shows students grasp defense-in-depth better when they map controls to specific threats rather than memorizing definitions.

Successful learning looks like students confidently applying security principles to real-world problems, debating trade-offs with evidence, and designing controls that balance protection with usability. They should articulate why security-by-design matters and how layered controls reduce risk.

Watch Out for These Misconceptions

  • During Collaborative Investigation: Threat Modeling Workshop, watch for students assuming adding a firewall at the end fixes all security issues.

    Use the workshop’s threat model templates to push students to identify risks early. Ask them to cost out retrofitting a firewall versus designing network segmentation at the start, using the provided cost multipliers.

  • During Structured Debate: Usability vs. Security, watch for students claiming all security measures reduce usability.

    Have students refer to real examples like password managers or biometric logins. Ask them to present one example where security improved usability and explain the trade-off they avoided.

Methods used in this brief

More in Network Architecture and Cryptography

Network Fundamentals: OSI and TCP/IP Models

Students learn about the layered architecture of networks using the OSI and TCP/IP models, understanding how data flows.

2 methodologies

Internet Protocols: TCP/IP, DNS, HTTP

Students study TCP/IP, DNS, and HTTP in detail, simulating how packets move across a distributed network.

2 methodologies

Routing and Switching

Students explore how routers and switches direct network traffic, understanding concepts like IP addressing and subnetting.

2 methodologies

Wireless Networks and Mobile Computing

Students investigate the principles of wireless communication, Wi-Fi security, and the challenges of mobile computing.

2 methodologies

Common Cybersecurity Threats and Attack Vectors

Students analyze common attack vectors like SQL injection, man-in-the-middle, and social engineering.

2 methodologies