Unit 1: Cybersecurity Orientation and Professional Ethics
Lesson at a glance
| Item | Detail |
| --- | --- |
| Suggested length | 3 × 60 minutes (or 4 × 45 minutes) |
| Recommended placement | Week 1 of Cybersecurity I |
| Prerequisite | None. This is the on-ramp for the whole program. |
| Companion artifacts | Student Worksheet, Scenario Packet (10 cards), Quiz, Answer Key |
| Required signed forms | Lab Safety & Acceptable Use Agreement (this unit) |
| Materials | Projector, student devices or printed packets, the printed Safety Agreement, signing pen |
Safety: No student touches a scanning, exploitation, password, or recon tool until the Lab Safety & Acceptable Use Agreement is signed by the student and a guardian and on file with the teacher. This is the gate for the entire course.
Standards & credential alignment
- Virginia CTE Cybersecurity Competencies: Demonstrate ethical behavior; explain laws governing computer use; identify acceptable use policies.
- EC-Council Ethical Hacking Essentials (EHE) Domain 1: Information Security Fundamentals — ethics, legal compliance, professional responsibility.
- NICE Framework: Securely Provision (SP) — workforce ethics; Oversee and Govern (OV) — legal advice and advocacy basics.
Learning objectives
By the end of this unit, students can:
- Define cybersecurity in their own words and give two examples of who depends on it.
- Describe at least three career pathways in cybersecurity and a typical entry-level role for each.
- Distinguish authorized testing from unauthorized access using the scope, permission, intent test.
- Explain what the Computer Fraud and Abuse Act (CFAA), Virginia Code § 18.2-152, and FERPA each protect against in a student-friendly way.
- Apply responsible disclosure to a realistic scenario.
- Sign and articulate the meaning of the classroom Lab Safety & Acceptable Use Agreement.
Vocabulary (pin to the wall)
- Cybersecurity — Protecting systems, networks, data, and people from digital harm.
- Authorized testing — Testing a system you have explicit, written permission to test, within a defined scope.
- Scope — The exact systems, accounts, times, and techniques permission covers. Outside the scope = unauthorized.
- Responsible disclosure — Privately reporting a vulnerability to the system owner before talking about it publicly, and giving them time to fix it.
- Acceptable Use Policy (AUP) — The rulebook for how a network/device may be used. Schools, employers, and ISPs all have one.
- CFAA — U.S. federal law (18 U.S.C. § 1030) that makes unauthorized access to a "protected computer" a crime.
- FERPA — Federal student-records privacy law. Student data is not fair game.
- Black hat / white hat / gray hat — Attacker / authorized professional / someone who tests without permission and reports findings (still illegal in most jurisdictions).
- Bug bounty — A program where a company pre-authorizes researchers to test specific scope in exchange for rewards.
Teacher background (read this before the lesson)
Most students will arrive with one of three pre-loaded mental models: (1) hacking is what the hoodie person in the movies does, (2) hacking is something edgy I do to my school's wifi to flex on my friends, or (3) hacking is a job I saw on TikTok that pays $200K. None of those are wrong, exactly — they're just incomplete. Your job in Unit 1 is to install the scaffolding the rest of the course will hang on: professionals operate under written authority within a defined scope, and the difference between a six-figure career and a felony is paperwork.
Two specific landmines to watch for:
- The "victimless crime" frame. Students often think probing a school portal "doesn't hurt anyone" because no data leaves. The CFAA does not care. Unauthorized access is the crime. Teach this early and don't soften it.
- The "I was just learning" defense. It's not a defense. The whole reason this course exists is so students can learn legally. Make it explicit that the lab is the place to be curious; the production school network is not.
The Virginia Computer Crimes Act (Va. Code § 18.2-152.3 et seq.) maps closely to the CFAA but is broader and easier to charge. Brief students on it without legalese; the takeaway is "Virginia law treats this as a real crime, not a school discipline issue."
Materials checklist
- [ ] Printed copies of template-safety-agreement.pdf (one per student, plus a guardian signature copy)
- [ ] Printed scenarios.pdf (one packet per group of 3–4 students)
- [ ] Worksheet PDFs (one per student)
- [ ] Quiz PDFs (one per student, hold until Day 3)
- [ ] Wall poster: the three-question test (Scope? Permission? Intent?)
- [ ] Pen for signing (yes, real ink — the ceremony matters)
Pacing — Day 1 (60 minutes)
| Time | Segment | What's happening |
| --- | --- | --- |
| 0:00 – 0:05 | Hook — "Who got hacked this week?" | Teacher pulls a real, recent breach headline. Students react. |
| 0:05 – 0:20 | Mini-lesson — What is cybersecurity? | Direct instruction with vocabulary. |
| 0:20 – 0:45 | Activity — Pathways panel | Students map five real cyber jobs to industries. |
| 0:45 – 0:55 | Discussion — Why this matters here | Local angle: hospital, city, school division. |
| 0:55 – 1:00 | Exit ticket — "One job that surprised you." | Index card collected at the door. |
Day 1 — Hook (5 min)
Teacher says, verbatim: "In the last seven days, somewhere in the United States, a hospital had to switch back to paper charts because of ransomware, a school district had student records leaked, and a city couldn't process water bills because of a cyberattack. I'm not going to tell you which ones — I'm going to ask you to find one before the end of class."
Project a current headline. Don't dwell. The point is to land the idea that this is now, not history class.
Day 1 — Mini-lesson (15 min)
Define cybersecurity. Walk the vocabulary wall. Hit these talking points:
- "Cybersecurity is not just antivirus. It's people, process, and technology — in that order."
- "The defenders outnumber the attackers, but the attackers only need to be right once."
- "Every industry hires cyber. Hospitals, banks, schools, the DMV, your local water utility, the company that makes your sneakers."
Day 1 — Activity: Pathways panel (25 min)
Pre-print five role cards on the worksheet:
- SOC Analyst — watches alerts, triages, escalates. Entry: $55K–$72K.
- Penetration Tester (Junior) — tests systems with permission. Entry: $70K–$95K.
- Incident Responder — shows up after the breach. Entry: $75K–$100K.
- GRC Analyst (Governance, Risk, Compliance) — writes the rules. Entry: $60K–$85K.
- Security Engineer — builds the defenses. Entry: $80K–$110K.
Students work in pairs to match each role to: (a) one industry where it's needed, (b) one tool/skill from this course they'll use, (c) one thing that role cannot legally do without authorization. Share-out at 0:40.
Day 1 — Exit ticket (5 min)
Name one cyber career that surprised you and one industry you didn't realize needed it.
Pacing — Day 2 (60 minutes)
| Time | Segment | What's happening |
| --- | --- | --- |
| 0:00 – 0:05 | Recap | Three vocab words, cold-call. |
| 0:05 – 0:20 | Mini-lesson — Legal vs. illegal | CFAA, Virginia law, AUP, FERPA. |
| 0:20 – 0:50 | Activity — Scenario cards | Groups work the 10-card packet. |
| 0:50 – 1:00 | Discussion — Hot scenarios | Cards #4, #7, #9 in particular. |
Day 2 — Mini-lesson: legal vs. illegal (15 min)
Drop the three-question test on the board and leave it there for the rest of the year:
- Scope — Is this exact system, on this date, in writing, in my permission?
- Permission — Who said yes, and do they have the authority to say yes?
- Intent — If a judge read my chat logs, would my intent look like research or like harm?
Walk through the four legal anchors students need to know by name:
- CFAA (18 U.S.C. § 1030) — federal; criminalizes unauthorized access.
- Virginia Code § 18.2-152.3 — state; criminalizes unauthorized use of computer services.
- FERPA — student records privacy. Touching grades/records of other students is a separate world of consequences.
- School AUP — your contract for using the school network. Violating it can be discipline and a civil/criminal matter.
Land the line: "You don't have to memorize the statute numbers. You have to ask the three questions every single time."
Day 2 — Activity: scenario cards (30 min)
Hand out the Scenario Packet (10 cards). Groups apply the three-question test to each card, decide Authorized / Unauthorized / Gray-area, and write a one-sentence justification per card. Use the answer key to debrief. Cards #4 (friend's password), #7 (USB stick in parking lot), and #9 (testing public-site SQLi) are the ones that will produce the best classroom argument; deliberately leave time for those.
Safety: Walk the room while groups discuss. If a student says some version of "well, I already did this," that is your cue for a private, calm, no-discipline conversation about what they did, when, and to what. Reset, don't punish — but document.
Day 2 — Discussion: hot scenarios (10 min)
For each of #4, #7, #9, the right answer is Unauthorized even though the scenario sounds harmless. Press on why — pre-existing trust ≠ permission, finding a USB ≠ ownership, "the site is public" ≠ "the database is in scope."
Pacing — Day 3 (60 minutes)
| Time | Segment | What's happening |
| --- | --- | --- |
| 0:00 – 0:10 | Mini-lesson — Responsible disclosure | What it is and why it exists. |
| 0:10 – 0:25 | Activity — Disclosure roleplay | Pairs draft an email to a vendor. |
| 0:25 – 0:45 | Safety Agreement walk-through | Read aloud, sign, collect. |
| 0:45 – 0:55 | Quiz | 10 questions, individual. |
| 0:55 – 1:00 | Close — career connection | Salary banner, what's next. |
Day 3 — Responsible disclosure (10 min)
Teach the workflow as a script:
- You found something.
- You stop. You do not poke further to "confirm."
- You write the vendor through their security@ or bug-bounty channel.
- You give them reasonable time to fix (typical: 90 days).
- You do not post about it on Discord, Reddit, or TikTok before that.
This is the etiquette of the field. It is also what protects the researcher legally under most safe-harbor programs.
Day 3 — Activity: disclosure roleplay (15 min)
Give pairs a fictional finding ("an unauthenticated ?order_id= URL on a small e-commerce site shows other customers' order details"). They draft the disclosure email together. Five-minute share-out — read two strong examples aloud.
Day 3 — Safety Agreement walk-through (20 min)
Read the agreement aloud, line by line. Stop and explain anything technical. When you reach the signature line, this is the moment of the unit:
Teacher says: "When you sign this, you are not signing a permission slip. You are signing a professional commitment. Your future colleagues — the ones at the SOC, at the federal agency, at the hospital — they signed something just like this. You are joining a profession today."
Collect signed copies. Send a duplicate home for guardian signature. Do not allow students into Unit 3 (virtualization) labs without both signatures on file.
Day 3 — Quiz (10 min)
Use the included quiz PDF. 6 multiple-choice + 4 short-answer. 14 points. See answer key.
Day 3 — Career connection close (5 min)
Project the salary banner:
SOC Analyst $55K–$72K · Pen Tester (Jr) $70K–$95K · Incident Responder $75K–$100K · GRC Analyst $60K–$85K · Security Engineer $80K–$110K
Land it: "You signed the same kind of agreement the people earning these signed. The only thing between you and that paycheck is the next nine units."
Differentiation, IEP, and 504 supports
- Reading support: Vocabulary cards are pre-printed; scenario packet is available in a 16-pt large-print version on request.
- Processing time: Scenario activity can be reduced to 5 cards instead of 10 with no loss of learning.
- Speech/expressive language: Discussion prompts can be answered in writing on the worksheet instead of out loud.
- Executive function: A printed checklist of Day 1 / Day 2 / Day 3 deliverables helps students track what's due.
- EL students: Pair the three-question test with icons — eye (Scope), key (Permission), heart (Intent).
Common misconceptions and how to redirect
- "It's not hacking if I didn't break anything." — The CFAA criminalizes the access itself. Damage is a separate, additional charge.
- "My friend gave me their password, so it's fine." — Your friend can't authorize you on a system they don't own (the school's, the bank's, the game's). Permission has to come from the system owner.
- "The school can't get me in trouble for what I do at home." — Maybe true for the school; not true for federal and state law.
- "Bug bounty programs mean I can hack any company." — Bug bounty programs work only inside their published scope. Outside the scope is the same crime as if no program existed.
Career connection (close-of-unit poster)
The skills you start building in this unit map to real, hire-tomorrow roles:
| Today's skill | Where it shows up on the job |
| --- | --- |
| The three-question test | Pre-engagement scoping in pen testing |
| Responsible disclosure | Bug bounty submissions, CVE coordination |
| Reading an AUP | Every onboarding packet of every IT job |
| Documenting what you did and why | Incident response timelines, audit evidence |
Homework / extension
- All students: Bring a signed Lab Safety Agreement to next class.
- Stretch: Read a real CFAA case (e.g., United States v. Swartz talking points handout) and write one paragraph: was the prosecution proportionate? Defend your answer.
Teacher reflection prompts (do this within 24 hours)
- Which student was quietest during the scenario debate? Plan a check-in.
- Did anyone privately admit to past unauthorized access? What's your follow-up?
- Which scenario produced the best argument? Save that for next semester's opening anecdote.
