Blackbox Intelligence Group

Cybersecurity I · Module 2

Cybersecurity I, Unit 2: Security Fundamentals

Install the mental scaffolding the rest of the course rests on: CIA, AAA, least privilege, defense in depth, and the difference between threat, vulnerability, and risk.

Length: 180 min
Level: foundational
Track: Cyber I
Cadence: Semester 1

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Unit 2: Security Fundamentals

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 3 × 60 minutes |
| Recommended placement | Week 2 of Cybersecurity I |
| Prerequisite | Unit 1 complete; signed Lab Safety Agreement on file |
| Materials | Whiteboard, vocabulary cards, printed scenario worksheet, one printed sample security policy |

Safety: This unit is whiteboard-and-paper. No tools yet. The next time students touch a tool, they'll already have the mental model to use it correctly.

Standards & credential alignment

  • EHE Domain 1: Information Security Fundamentals (CIA, AAA, defense in depth).
  • VA CTE: Identify and explain core information-security principles and controls.
  • NIST SP 800-12, SP 800-53: Baseline control families (technical, administrative, physical).

Learning objectives

By the end of this unit, students can:

  1. Define and apply the CIA triad to a real scenario.
  2. Distinguish authentication, authorization, and accounting (AAA).
  3. Apply least privilege to a school-context scenario.
  4. Diagram defense in depth on a real system (e.g., a bank ATM, a school grade portal).
  5. Distinguish between threat, vulnerability, risk, and impact.
  6. Classify a control as administrative, technical, or physical.

Vocabulary

  • Confidentiality - Only the right people can see the data.
  • Integrity - The data is correct and hasn't been tampered with.
  • Availability - The data and systems are there when you need them.
  • Authentication - Proving you are who you say you are. (Username + password, MFA, biometric.)
  • Authorization - What you're allowed to do once authenticated. (Read this folder; not write to that one.)
  • Accounting - Logging what you did. ("User amorrow logged in at 09:14 and accessed /grades.")
  • Least privilege - Give the minimum access required to do the job, and no more.
  • Defense in depth - Layered controls so a single failure doesn't end the game.
  • Threat - A potential cause of harm (e.g., a ransomware gang).
  • Vulnerability - A weakness that could be exploited (e.g., unpatched server).
  • Risk - The probability that a threat exploits a vulnerability times the impact.
  • Impact - What it costs you when it happens.
  • Control - A safeguard. Three flavors: administrative (policy), technical (firewall), physical (locked door).
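
The AAA and least-privilege definitions above, carried through one request to a school grade portal, as an added example that is not part of the original lesson pack. The role table, the user jlee, the passphrases and the resource paths are constructed assumptions; the user amorrow and the 09:14 timestamp are borrowed from the Accounting entry.

```python
import hashlib
import hmac
import os

# Constructed sample data: hypothetical roles and paths for a school grade portal.
# Least privilege: each role lists only what it needs; anything absent is denied.
PERMISSIONS = {
    "student": {("read", "/grades/own")},
    "teacher": {("read", "/grades/class"), ("write", "/grades/class")},
    "admin": {("read", "/accounts"), ("write", "/accounts")},
}

def _hash(password, salt):
    # Salted, slow hash so stored credentials are never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(role, password):
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash(password, salt)}

USERS = {  # constructed accounts and passphrases
    "amorrow": make_user("teacher", "constructed-passphrase-1"),
    "jlee": make_user("student", "constructed-passphrase-2"),
}
AUDIT_LOG = []  # Accounting: every decision is recorded, including denials.

def authenticate(username, password):
    """Authentication: prove identity. Returns the role, or None on failure."""
    user = USERS.get(username)
    if user is None:
        return None
    ok = hmac.compare_digest(user["hash"], _hash(password, user["salt"]))
    return user["role"] if ok else None

def authorize(role, action, resource):
    """Authorization: deny by default; allow only listed (action, resource) pairs."""
    return (action, resource) in PERMISSIONS.get(role, set())

def request(username, password, action, resource, when="09:14"):
    """Run one request through all three A's and return the outcome."""
    role = authenticate(username, password)
    if role is None:
        outcome = "DENY-authn"
    elif authorize(role, action, resource):
        outcome = "ALLOW"
    else:
        outcome = "DENY-authz"
    AUDIT_LOG.append(f"{when} user={username} {action} {resource} -> {outcome}")
    return outcome
```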

Teacher background

The single most useful sentence to land in this unit:

Risk is not a vulnerability. Risk is what happens when a threat meets a vulnerability and there's something valuable behind it.

Students will conflate threat / vulnerability / risk for weeks. Plant the distinction now and refer back to it every time a new vocabulary word lands.

The CIA triad survives because it works. Students can tell you whether a real-world incident violated C, I, A, or some combination - and that's the entire point. Train them to make the call.

Materials checklist

  • [ ] Vocabulary cards (one per student or wall-pinned)
  • [ ] CIA Triad poster
  • [ ] Printed sample security policy (one per group of 3) - provided in the appendix
  • [ ] Worksheet PDF
  • [ ] Whiteboard markers (red, blue, green for the three control types)

Pacing - Day 1 (60 min): CIA Triad and AAA

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:05 | Recap from Unit 1 | Cold-call: three-question test. |
| 0:05 – 0:25 | Mini-lesson - CIA Triad | Definitions + 3 real examples each. |
| 0:25 – 0:40 | Mini-lesson - AAA | Use the school portal as the running example. |
| 0:40 – 0:55 | Activity - Tag the violation | Eight headlines; students tag C, I, A, or combinations. |
| 0:55 – 1:00 | Exit ticket | One headline of their choice; tag and justify. |

Day 1 - Mini-lesson script

Teacher says: "Every cyber incident in the news boils down to one or more of three failures. Either someone saw what they shouldn't (confidentiality), someone changed what they shouldn't (integrity), or someone couldn't reach what they needed (availability). Pick any breach, ransomware event, or leak - name which letters got hit."

Walk through three examples:

  • Equifax 2017 - confidentiality (147 million records exposed). Some integrity damage. Availability mostly intact.
  • Colonial Pipeline 2021 - availability (gas shut down for the East Coast). Integrity questioned during recovery. Confidentiality also breached (data theft).
  • Ransomware on a school district - availability (systems locked) and frequently confidentiality (data exfiltration before encryption is now standard).

Day 1 - Activity: Tag the violation (15 min)

Eight short headlines (provided in the worksheet). Students mark each as C, I, A, or combinations, and justify in 5 words. Walk the room. Common error: students under-call I (integrity) because data theft feels more dramatic than data tampering.

Pacing - Day 2 (60 min): Least privilege and defense in depth

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:10 | Mini-lesson - least privilege | School-network analogies. |
| 0:10 – 0:25 | Activity - Re-design school accounts | What should a student account, teacher account, and admin account each be allowed to do? |
| 0:25 – 0:45 | Mini-lesson - defense in depth | Diagram the ATM. |
| 0:45 – 0:55 | Activity - Diagram the school grade portal | Pairs whiteboard the layers. |
| 0:55 – 1:00 | Share-out | Two strong diagrams on the doc cam. |

Day 2 - Defense in depth: the ATM

Whiteboard the ATM as a case study. The layers:

  1. Physical - bolted to concrete, lit area, camera coverage.
  2. Authentication - physical card + PIN (something you have + something you know).
  3. Network - encrypted dedicated line back to the bank.
  4. Application - withdrawal limits, fraud heuristics.
  5. Backend - audit logging, transaction reversal capability.
  6. Administrative - bank insurance policies, customer agreement.

Land the line: "For an attacker to win, they have to defeat every layer. For the defender to win, the attacker only has to fail at one."

Pacing - Day 3 (60 min): Threat × vuln × risk and control types

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:20 | Mini-lesson - threat / vuln / risk / impact | Use a table. |
| 0:20 – 0:40 | Activity - Risk register | Groups score 5 scenarios. |
| 0:40 – 0:55 | Activity - Control sort | Sort 12 controls into administrative / technical / physical. |
| 0:55 – 1:00 | Exit ticket | "Name a control your school uses for each of the three types." |

Day 3 - The clean table to put on the board

| Term | Plain-English definition | Example |
| --- | --- | --- |
| Threat | Who or what could cause harm | Ransomware gang |
| Vulnerability | The weakness that lets them | Unpatched email server |
| Risk | Probability × impact | "Likely × catastrophic" |
| Impact | What it costs you | Days of downtime, fines, trust loss |

Day 3 - Activity: Risk register

Pairs receive 5 scenarios (laptop left in car, USB stick on desk, vendor email with attachment, expired antivirus, weak Wi-Fi password). For each, score:

  • Likelihood: 1 (rare) – 5 (almost certain)
  • Impact: 1 (annoyance) – 5 (catastrophic)
  • Risk score: L × I

Discussion: which two are highest? Where would you spend the budget first?

Day 3 - Activity: Control sort (15 min)

Twelve controls printed on cards. Students sort under three columns:

  • Administrative: Acceptable Use Policy, security awareness training, background checks, vendor risk assessment.
  • Technical: firewall rules, MFA, antivirus, full-disk encryption.
  • Physical: badge readers, security cameras, locked server rooms, cable locks.

Land it: "Most real defenses use all three. The strongest controls reinforce each other."

Common misconceptions

  • "A vulnerability is a hack." No - it's a weakness. The hack is the exploit.
  • "Risk is bad. Get rid of it." No - risk is unavoidable. You manage it: accept, mitigate, transfer (insurance), or avoid.
  • "More layers always mean more security." Only if the layers are independent and well-maintained. Six broken locks don't beat one good one.

Differentiation

  • Visual learners: defense-in-depth diagrams travel well.
  • Verbal learners: have them teach CIA back to a partner.
  • Reading support: pre-printed sentence stems for the worksheet ("This headline violates __ because __").

Assessment

  • Day 1 exit ticket - 1 point per correct C/I/A tag.
  • Day 2 diagram - rubric: layered (1), labeled (1), accurate (1), defensible (1).
  • Day 3 risk-register share-out - pass/fail; revisit if not yet defensible.

Career connection

GRC analysts ($60K–$85K starting) write risk registers, draft policies, and sort controls into the three buckets every single workday. Today's lesson is literally Monday morning at a GRC desk.

Homework / next class

Bring one example of a control you saw this week - at the doctor's office, the bank, a store. Be ready to classify it.
