Blackbox Intelligence Group
Request review copyView pricing
<- All modules

starter · Module 1

Module 1: Cyber Ethics & Authorized Use

Set the rules of the lab. Students sign a real safety agreement, learn the line between ethical and unauthorized use, and practice classifying real scenarios.

60 min · beginner · Free preview

Free Lesson Pack

5 typeset PDFs plus a full slide deck and in-browser presenter — teach from this dashboard or download to run offline.

Teach class →Slides (.pptx)Lesson Pack (.zip)Teacher Guide (.pdf)Full free pack (.zip)

Module 1 — Cyber Ethics & Authorized Use

Lesson at a glance

| Field | Value | | ------------------- | ------------------------------------------------------------------------------- | | Grade band | 9–12 | | Total time | 60 minutes (with 10-minute extension option) | | Difficulty | Beginner — no prior cyber knowledge required | | Required materials | Printed Safety Agreement, scenario cards, projector or board, student worksheet | | Lab access | None required for this module | | Standards alignment | CSTA 3A-IC-29, ISTE 1.2.b, NICE Framework K0003 |

Safety: This module establishes the rules students must agree to before any future hands-on cyber lab work. Do not skip the signed Safety Agreement step.

Learning objectives

By the end of this lesson students will be able to:

  1. Explain in their own words the difference between ethical and unethical use of computer skills.
  2. Define authorization and identify three signals that authorization exists.
  3. Classify at least 8 of 10 real-world scenarios as Authorized, Unauthorized, or Needs more information.
  4. Sign and explain the classroom Safety Agreement they will operate under for the rest of the course.
  5. Identify the consequences of unauthorized access under U.S. federal law (CFAA, 18 U.S.C. § 1030) at a high level.

Vocabulary (student-friendly)

  • Authorization — Clear permission, granted in advance, by the owner of a system, account, or data.
  • Scope — The exact limits of what you are allowed to do (which system, which actions, for how long).
  • Defensive cybersecurity — Skills used to protect, detect, and respond. The focus of this course.
  • Offensive cybersecurity — Skills used to attack systems. Only legal with explicit written permission.
  • Penetration test — Authorized, contracted attempt to find security weaknesses.
  • CFAA — Computer Fraud and Abuse Act. The U.S. federal law that makes unauthorized computer access a crime.
  • Acceptable Use Policy (AUP) — The school’s rules for using its network and devices.
  • Disclosure — Telling the right person about a security problem, in the right way.

Why this module is first (teacher background)

Every cybersecurity course that ends in a news story usually has the same root cause: a student picked up a powerful skill before they internalized the line between authorized and unauthorized use. The line is not “don’t hack things you aren’t supposed to hack” — that’s too vague to act on. The line is written permission, with defined scope, granted by the system owner, before any action.

This module makes that line operational. By the end of the period, students can:

  • Tell you what authorization sounds like out loud.
  • Tell you what makes a scenario not authorized even when it feels harmless.
  • Sign their name to a Safety Agreement that uses language they can repeat.

Treat this lesson as the gate. No student does Module 2 in the lab until their Safety Agreement is signed and on file.

Materials checklist

  • [ ] Printed Safety Agreements (one per student) — see the Classroom Safety Agreement template in your Blackbox CLC pack.
  • [ ] Printed Scenario Packet (Module 1 scenarios.pdf, 10 scenarios) — one per pair of students.
  • [ ] Printed Student Worksheet (Module 1 worksheet.pdf) — one per student.
  • [ ] Projector or board for the class chart (Authorized / Unauthorized / Needs more info).
  • [ ] Pen for each student to physically sign the agreement.
  • [ ] Optional: Parent/Student Acknowledgment template if your district requires home signature.

Pacing — minute-by-minute

| Time | Block | What happens | | ----- | ---------------- | ----------------------------------------------- | | 0–5 | Opener | The unlocked car question | | 5–15 | Mini-lesson | Authorization, scope, the CFAA in one slide | | 15–35 | Activity | Scenario classification with the 10-card packet | | 35–45 | Discussion | Whole-class chart and gray-area cases | | 45–55 | Safety Agreement | Read aloud, walk through, sign | | 55–60 | Exit ticket | Three-question check |

0–5 min · Opener — the unlocked car question

Project or write on the board:

Your neighbor’s car door is unlocked. Is it OK to open it and look inside?

Give students 60 seconds to discuss with the person next to them, then take three quick voices.

Teacher script (say close to verbatim):

“Almost every one of you said no. Why? The door being unlocked didn’t give you permission. Permission comes from the owner. Today we’re going to apply that same rule to something a lot more powerful than a car door — a computer, an account, or a network. The rule is the same. An open door is not an invitation. Today we draw that line in writing, you sign it, and that’s the line we operate on for the rest of the course.”

Transition to the mini-lesson.

5–15 min · Mini-lesson — Authorization, scope, and the law

Write or project these three lines, one at a time, talking through each:

1. Authorization

Permission, granted in advance, by the owner of the system or data.

Say: “Authorization is not a feeling. It’s not ‘they probably wouldn’t mind.’ It’s a yes from the right person, before you do the thing. In this class, that yes will almost always be in writing.”

Three signals authorization exists:

  • The system owner explicitly told you in writing or in a signed agreement.
  • You are operating inside a lab the teacher set up for this purpose.
  • A bug bounty or penetration test contract names the system and the dates.

2. Scope

The exact limits of what you are allowed to do.

Say: “Even when you have permission, you don’t have permission for everything. A locksmith hired to rekey the front door doesn’t get to walk into the bedroom and read your mail. Cybersecurity works the same way. Authorization always comes with a scope: which system, which actions, for how long.”

3. The law in one sentence

The Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) makes it a federal crime to access a computer without authorization or in excess of authorization.

Say: “‘Without authorization’ means you weren’t allowed in at all. ‘Exceeding authorization’ means you were let in for one thing and you did another. Both are crimes. And ‘I was just curious’ is not a defense. We say this out loud now so nobody is surprised later.”

Safety: Be calm and matter-of-fact when you say this. The goal is not to scare students out of cyber — it’s to make sure the few who would push the line know exactly where the line is and what’s on the other side of it.

15–35 min · Activity — Scenario sort (20 minutes)

Pair students up. Hand each pair the Scenario Packet (10 cards). Each pair classifies every card as one of:

  • A — Authorized (clearly OK to do)
  • U — Unauthorized (clearly not OK)
  • ? — Needs more information before deciding

Students record their answers and a one-sentence reason on their worksheets.

While they work, walk the room. Listen for two things:

  • Pairs that justify a verdict by feeling rather than by authorization/scope. Push back: “Where’s the permission?”
  • Pairs that mark something “Authorized” because it’s technically possible. Push back: “Does possibility equal permission?”

The 10 scenarios are printed in the Scenario Packet PDF. The fully worked answer key with rationales is in the Answer Key PDF.

35–45 min · Discussion — class chart

Build a 3-column chart on the board: Authorized / Unauthorized / Needs more info.

Go scenario by scenario. Each pair posts their verdict. Where the room disagrees, slow down and use this prompt every time:

“What would change your verdict? What single piece of information would flip you?”

That question is the whole point of this lesson. Cybersecurity professionals live in “Needs more info” every day. The job is to know what info to ask for before they act.

Hot scenarios — most rooms argue these. Be ready:

  • Scenario 4 (your friend tells you their password and asks you to log in for them): Most students say authorized. Push: was the friend authorized to share the password under the school’s AUP? Almost always no. The friend cannot grant you authorization the system owner did not.
  • Scenario 7 (you find a USB stick in the parking lot and plug it in to find the owner): Most students say authorized — they’re trying to help. Push: who is the system owner of the USB? You don’t know. And plugging in unknown media is a textbook attack vector. Verdict: unauthorized, even if the intent is good.
  • Scenario 9 (you notice a public website has a SQL injection bug and you test one input box to “make sure”): Most students say authorized because the site is public. Push: public-facing is not the same as public-permission. Without a bug bounty program or written invitation, this is a CFAA violation. The right move is responsible disclosure to the site owner, not testing.

45–55 min · Safety Agreement walkthrough and signing

Hand out the Classroom Safety Agreement (printed from the templates pack). Read every line aloud. Stop after each numbered item and say in plain language what it means.

Teacher script (verbatim is fine here):

“This is not a permission slip. This is the agreement we operate under for the rest of the course. You will sign it, I will sign it, and a copy goes in the file. If you violate it, we treat it the way the school treats any other AUP violation — and depending on what happened, the way the law treats it. Read it. If something doesn’t make sense, ask.”

Students sign. Teacher countersigns. Make a photocopy or scan for your file. The student keeps a copy.

Safety: A student who refuses to sign does not work in the lab. There is no exception, and that’s not a punishment — it’s the same rule that applies to a chemistry teacher and goggles. You don’t have to embarrass anyone. Have a quiet alternative assignment ready (research a recent breach and write a one-pager) so a refusing student has dignified work.

55–60 min · Exit ticket

Hand each student a 3-line exit ticket (also on the worksheet). They answer in their own words:

  1. Define authorization in one sentence.
  2. Give one example of an action that is technically possible but unauthorized.
  3. What is the one thing you must always have before testing or accessing a system in this class?

Collect on the way out the door. Sample acceptable answers are in the Answer Key.

Differentiation and supports

  • Below grade level / EL learners: Pair them with a confident partner for the scenario sort. Provide the vocabulary list as a printed reference. Allow drawn or labeled answers on the exit ticket instead of full sentences.
  • Above grade level: Add the Extension Challenge — students draft their own 11th scenario that is genuinely ambiguous and trade with another student to classify.
  • IEP/504 — extended time: Reduce scenario set to the 5 starred cards (1, 3, 5, 7, 10) and allow the rest as homework.
  • Anxiety around legal language: Frame the CFAA section as “the same kind of rule a doctor follows about touching a patient — permission first, every time.” The point is not fear; the point is clarity.

Common student misconceptions

  • “If I don’t mean any harm it’s OK.” Intent is not authorization. The law and the school’s AUP both look at the act, not the feeling.
  • “If the system has a bug, finding it is a favor.” Only if you were invited. Otherwise it is unauthorized testing, even if you report it after.
  • “My friend gave me their password, so I have permission.” The friend almost certainly was not authorized to share it. Authorization comes from the system owner, not from another user.
  • “It’s the school’s computer, so anything I do on it is the school’s problem.” The CFAA is federal, not school policy. School consequences and federal consequences can both apply.

Career connection

Tell students: every role below pays you to live in “authorized vs. not” every single day.

  • SOC analyst (Security Operations Center) — entry-level $55K–$80K. Watches alerts, escalates, never touches a system without a ticket.
  • Penetration tester — $90K–$150K. Attacks systems for a living, and would be a felon on Tuesday without a written contract from Monday.
  • Incident responder — $80K–$130K. Investigates breaches; access scope is set by the contract with the victim organization.
  • GRC / compliance analyst — $70K–$110K. Writes the rules of authorized use for an entire company.

The skill we just built — being able to articulate authorization out loud — is the skill that gets used in every one of those interviews.

Extension (10 minutes, optional)

Students draft their own ambiguous scenario, exchange with a partner, and defend their verdict. The best 3–5 of these get added to the class’s “our own scenarios” deck for later modules.

Assessment

  • Formative: Scenario sort accuracy (target: 8 of 10 correct with reasoning).
  • Summative: Exit ticket scored 0–3 against the rubric in the Answer Key. A 2 or 3 is a pass; a 0 or 1 means the student does not enter the lab next class — they retake the exit ticket after a 5-minute reteach.
  • Long-term: The signed Safety Agreement is the gate to every future hands-on module.

Teacher reflection prompts (after the period)

  • Which scenarios produced the most disagreement? Note them — they’re your strongest discussion fuel for Module 6.
  • Did any student refuse to sign? What did they say? That conversation often surfaces a real concern worth following up on.
  • Did your room separate “possible” from “permitted”? If not, plan a 5-minute reteach next class before any keyboards open.