Show news footage or images from the WannaCry attack on the NHS. Display the ransom screen that appeared on thousands of hospital computers. Ask students: 'How do you think malicious software got onto these computers? Who would do this, and why?' Collect initial thoughts.

Interactive presentation introducing malware types. For each type (virus, worm, trojan, ransomware, spyware), show: what it does, how it spreads, a real example, and an analogy. Students complete a 'Malware ID Card' worksheet for each type.

Analogies:

• Virus: Like a cold - needs a host (file) to spread, infects what it touches
• Worm: Like a rumour - spreads on its own without needing to attach to anything
• Trojan: Like a gift-wrapped bomb - appears helpful but hides danger
• Ransomware: Like a kidnapper - takes your files hostage for money
• Spyware: Like an invisible stalker - watches everything you do

Display a series of emails/messages on screen (mix of genuine and phishing). Students work in pairs to identify which are phishing attempts and explain their reasoning. Include increasingly sophisticated examples:

1. Obvious Nigerian prince scam
2. Fake Amazon delivery notification
3. Convincing bank security alert
4. Spear-phishing email referencing their 'school'

After each reveal, discuss the red flags. Introduce the concept that social engineering exploits trust, urgency, fear, and curiosity.

Discussion and mini-lecture on why humans are often easier to 'hack' than computers. Cover psychological principles attackers exploit:

• Authority (impersonating IT support, bank, police)
• Urgency ('Act now or lose access!')
• Fear ('Your account has been compromised!')
• Curiosity ('Click to see who viewed your profile')
• Helpfulness (holding door open for someone without ID)

Show examples of social engineering beyond phishing: tailgating, pretexting, baiting (infected USB drives left in car parks).

Brief ethical discussion: Security professionals use social engineering techniques to test organisations (covered in Lesson 4). Is deception ever acceptable? What about governments using these techniques? What about journalists?

Link to careers: Social engineering skills (understanding psychology, communication) are valued in cybersecurity, marketing, and many other fields.

Quick-fire activity: Display 5 scenarios (email, pop-up, USB stick found, phone call). Students hold up green card (safe) or red card (danger). Discuss any where opinions differed.

Exit ticket: 'What's one thing you'll do differently online after today's lesson?'

Display live password strength checker (howsecureismypassword.net or similar - DO NOT have students enter real passwords, use fake examples). Show how adding length and complexity exponentially increases cracking time.

Demonstrate: 'password' = instant, 'Password1' = seconds, 'P@ssw0rd!' = minutes, 'MyD0g$Name!2024' = years.

Ask: 'If computers keep getting faster, is any password safe? What else might attackers try?'

Explain brute-force attacks using physical analogy: like trying every combination on a padlock (000, 001, 002...). Work through the maths together:

• 4-digit PIN: 10,000 combinations (10^4)
• 8-character lowercase: 208 billion combinations (26^8)
• 8-character mixed case + numbers + symbols: 6 quadrillion combinations

Introduce dictionary attacks as 'smart brute force' - trying common passwords first.

Activity: Students calculate combinations for different password types using formula: (possible characters)^(length)

Explain DoS using real-world analogy: imagine 1000 people calling a shop's phone line simultaneously - genuine customers can't get through.

Introduce concepts:

• DoS: One attacker overwhelming a system
• DDoS (Distributed): Army of computers (botnet) attacking together

Show diagram of DDoS attack with compromised devices. Brief video showing Mirai botnet attack's impact.

Discussion: 'Why would someone launch a DoS attack?' (Extortion, protest/hacktivism, competition, distraction for other attacks, revenge)

Explain how data travelling over networks can be intercepted:

• Public WiFi risks (man-in-the-middle attacks)
• Packet sniffing on unsecured networks
• Why HTTPS matters (link to encryption, covered in next lesson)

Analogy: Like someone opening and reading your letters before resealing them.

Quick demo: Show Wireshark (or screenshot) capturing unencrypted data to show what attackers might see. Emphasise what can be stolen: login credentials, bank details, private messages.

Explain SQL injection conceptually (students don't need to know SQL syntax for exam):

1. Websites use databases to store information
2. Login forms send your input to the database
3. Attackers can type special characters that 'break out' of the expected query
4. This can bypass login, reveal data, or delete information

Show classic example: Instead of username, entering: admin' -- (The ' ends the text field, -- comments out the password check)

Analogy: It's like writing on a form: 'Give me [your name]' and someone writes 'Give me [all the money and delete the records]'

Optional demo: Use a safe SQL injection practice website (like DVWA or WebGoat) if available.

In pairs, students create 'attack profile cards' for each attack type covered. Each card must include:

• Attack name
• How it works (in their own words)
• Purpose of the attack (why attackers use it)
• One real-world example
• Difficulty rating (easy/medium/hard for attacker)

Groups can swap and peer-assess accuracy.

Quick quiz: Present scenarios, students identify which attack type applies:

1. A hacker tries millions of passwords per second (Brute force)
2. A website becomes unavailable after being overwhelmed with fake traffic (DoS/DDoS)
3. Someone at a coffee shop captures other customers' login details (Data interception)
4. An attacker enters special characters in a login form to access all user accounts (SQL injection)

Exit ticket: 'Which attack do you think is most dangerous, and why?'

Ask students to list security features on their phone: PIN/passcode, fingerprint, face recognition, encryption, app permissions, remote wipe capability.

Reveal: A modern smartphone uses multiple layers of security that work together. Today we'll explore these defences and understand how they protect us.

Explain how anti-malware software works:

1. Signature-based detection: Recognising known threats (like a wanted poster database)
2. Heuristic/behaviour analysis: Spotting suspicious activity (like noticing someone acting strangely)
3. Real-time scanning: Continuous monitoring
4. Updates: Why keeping software updated is crucial

Discuss limitations:

• Zero-day exploits (new threats not yet in database)
• Performance impact
• False positives

Brief activity: Students list 3 things anti-malware can protect against and 2 things it can't (linking back to lesson 1 threats).

Explain firewalls using analogy: Like a security guard checking everyone entering a building.

Concepts to cover:

• Monitors incoming and outgoing network traffic
• Uses rules to allow or block connections
• Can be software (on your computer) or hardware (protecting a whole network)
• Checks: Source, destination, type of traffic, known threats

Show example firewall rules: 'Allow web browsing (port 80/443)', 'Block unknown programs accessing internet', 'Alert on suspicious connections'

Link to DoS attacks: Firewalls can help filter attack traffic, but massive DDoS may overwhelm even good defences.

Build on brute-force lesson with defence strategies:

Good password practices:

• Length (12+ characters recommended)
• Complexity (mix of character types)
• Uniqueness (different password for each account)
• Unpredictability (not based on personal info)

Introduce passphrase concept: 'correct horse battery staple' is stronger than 'P@ssw0rd!'

Discuss multi-factor authentication (MFA):

• Something you know (password)
• Something you have (phone/token)
• Something you are (fingerprint/face)

Why MFA matters: Even if password is stolen, attacker needs second factor.

Brief mention of password managers as practical solution.

Explain encryption conceptually:

1. Start with simple cipher example: Caesar cipher where each letter shifts by 3 (A→D, B→E). Have students encrypt 'HELLO' (KHOOR).

2. Explain that real encryption is vastly more complex - AES-256 has more possible keys than atoms in the observable universe.

3. Cover key concepts:

• Plaintext (original) → Encryption → Ciphertext (scrambled)
• Key needed to decrypt
• Symmetric (same key) vs Asymmetric (public/private keys) - brief overview

1. Where encryption protects us:

• HTTPS (padlock in browser)
• Stored data (phone encryption)
• Messaging apps (WhatsApp, Signal)
• Bank transactions

Link back to data interception: Encrypted data is useless to interceptors.

Consolidate learning: Draw 'layers of security' diagram together showing how defences work together:

Outer: Firewall (blocks bad traffic) Next: Anti-malware (catches threats that get through) Next: Encryption (protects data even if intercepted) Inner: Strong passwords + MFA (last line of defence)

Quick quiz: For each threat from lessons 1-2, identify which defence(s) would help.

Exit ticket: 'Which defence do you think is most important, and why?' (Trick question - the answer is 'all of them working together')

Share story: In 2019, a security researcher found a bug in Apple's systems that could have given him access to any iCloud account. Apple paid him $100,000 in bug bounty.

Ask: Why would Apple pay someone to find problems in their own systems? Isn't that dangerous?

Collect answers, then reveal: This is called penetration testing, and it's one of the most in-demand careers in cybersecurity.

Explain penetration testing:

1. What it is: Authorised simulated attacks to find vulnerabilities
2. Types: External (from internet), internal (from inside network), social engineering (testing staff)
3. Process: Reconnaissance → Scanning → Exploitation → Reporting → Remediation
4. Rules of engagement: Scope, what's allowed, legal protection

Show example pen test report structure (sanitised).

Discuss: Why is it better to find vulnerabilities before criminals do?

Link to earlier lessons: Pen testers use all the attack methods we learned about (but legally and with permission).

Introduce principle of least privilege: Users should have minimum access needed for their job.

Example scenario: In a school network

• Students: Can access learning resources, not staff files
• Teachers: Can access student records for their classes, not all students
• IT admin: Can access everything, including system settings
• Head teacher: Can access all student records but maybe not system settings

Activity: Present business scenario (e.g., hospital). In groups, decide access levels for: receptionist, nurse, doctor, IT support, hospital director. Justify decisions.

Discuss: What could go wrong if everyone had full access? (Link to insider threat, accidental deletion, malware spreading)

Remind students: All our digital security means nothing if someone can physically access the computers.

Physical security measures:

• Access controls (keys, cards, biometrics)
• Security personnel
• CCTV surveillance
• Server room protection (locked doors, climate control)
• Device security (cables, laptop locks, encrypted drives)
• Secure disposal of old equipment

Show Google data centre security video clip (or images) - biometric mantrap doors, visitor escorts, drive destruction.

Activity: 'Physical Security Audit' - students identify physical security measures (or lack thereof) in their own school/classroom. What's good? What could be improved? (Keep it constructive!)

Discuss tensions in security:

1. Employee monitoring: Should employers monitor staff emails? Keystroke logging? Location tracking?
2. CCTV: How much surveillance is too much?
3. Encryption: Should governments have 'backdoor' access to encrypted communications?
4. User access: How do you balance convenience with security?

Group discussion: Present scenario where security measure (e.g., banning USB drives) helps security but hurts productivity. How do you balance?

Link to 1.6 ethical, legal, cultural, environmental issues.

Final consolidation: Present a business scenario (e.g., small company with 20 employees, some working remotely, handling customer payment data).

In pairs, create a security plan covering:

• Technical defences (lessons 2-3)
• Human factors (lessons 1, 4)
• Physical security (lesson 4)

Share and compare plans. Discuss: Why do companies need multiple layers of protection?

Final exit ticket: 'If you could give one piece of security advice to everyone in your family, what would it be and why?'