Lesson Plan: Digital Assets
An Introduction to Digital Assets
One goal of network security is to protect the information, or data, we value. These data may represent a variety of things, ranging from the last four digits of your social security number to the plans for a new cutting-edge invention. We also value data in a variety of ways.
In the game [d0x3d!], the objective is to reclaim four stolen “digital assets,” namely: authentication credentials, financial data, intellectual property, and personally identifiable information. In this lesson—intended to be used prior to and after playing the game—we explore the idea of digital assets in more depth, to better appreciate the importance of securing the data we value in our own lives. It is intended to be taught over two 50 minute class periods.
Students will learn about valued, digital data and relate them to their lives and the real world.
This lesson assumes that students have experience using the Internet for personal and academic purposes, and have some experience or knowledge of common practices related to social networking and sharing personal data online.
The digital age has brought many exciting new technologies that are now part of our everyday lives. We can check email from our phones. We can upload pictures to the Internet from the dinner table. Many personal and valuable things take digital form. While it is convenient to share and access this data, anywhere and anytime, it opens the possibility of unwanted people getting access to these data, too.
Across a period of weeks in 2012, several major Internet companies each had their systems compromised and user information stolen. For example, a compromise at eHarmony resulted in 1.5 million passwords taken [LA Times, 2012]. At LinkedIn, 6 million passwords were stolen [LinkedIn, 2012]. At Yahoo, 450,000 passwords were stolen and posted online [CNN, 2012]. With these passwords, attackers gained or provided access to all of the sensitive, personal data users had uploaded to these websites. The scale of these attacks was unprecedented. At the same time, they are examples of a nearly constant threat against networks: hackers attempting to gain unauthorized access to online services and individuals’ data.
A digital asset is any valued data stored in electronic form on a computing device. The game [d0x3d!] uses tokens to represent some valued data, classifying them into four generic types: authentication credentials, financial data, intellectual property and personally identifiable information. These types have less to do with the data itself, and more to do with how we value or use the data.
An authentication credential is data used to access a system, like a key or password. If this data is stolen, a hacker may use it to get unauthorized access to something or impersonate a user.
Financial data is related to money, like credit card numbers or bank account numbers. If this data is stolen, a hacker may use it to launder money or commit fraud.
Intellectual property covers a broad range of topics, including copyright, trademark, patents, design rights, inventions, and treatment of creative works. Intellectual property is any product of the mind over which a creator retains some right. Examples include a piece of music (written or performed), a piece of software (as source code or in function), a scientific invention, or a secret formula. Sometimes, technology is used to protect the data or keep it secret. For example, trade secrets, once lost, cannot be easily recovered. Piracy occurs when the creator’s rights are abused in some way. This may happen when some intellectual property is shared or modified without permission.
Personally identifiable information is any data that describes an individual and, if lost, may damage one’s privacy, reputation or identity. Examples range from relatively benign, such as a date of birth or phone number, to very sensitive, such as a social security number or medical record. If these data are stolen, a hacker may use them to, among other things, commit identity theft.
The previous four asset categories are not strict and sometimes overlap. Some valued data doesn’t fall into one of these categories, and some fall into several. During the Engage activity, it may help to use a diagram to characterize example assets along a spectrum, guided by the terms used in the game. If some example fits neatly into one of these categories, we can illustrate this using a point (or a small circular shape) in the appropriate corner. Many examples fall naturally into these categories:
When an example contains characteristics of more than one type, you might draw a shape that has been “stretched” toward those corners. The result is a “blob,” whose size and shape reflect our thoughts about the function or value of that data. See below for two examples. Bigger blobs don’t necessarily mean the data is more important, just that its role or value is harder to understand.
Ultimately, the cost of keeping digital assets safe depends on their value. The Principle of Adequate Protection states: data should be protected in ways that reflect its value. It makes no financial sense to spend $20 to protect a penny. While intuitive, this principle is sometimes hard to apply. Often, the value of data is very personal and hard to estimate. How much are your vacation photos worth? Estimating value for digital assets may require estimating the cost of data replacement, the loss of potential future income, the damage to reputation and customer confidence, the potential losses associated with misuse of data in related crimes, etc.
In some states, a company must notify its customers if their account data is ever lost or stolen. These are called “security breach notification laws.” The first such law was passed in California in 2002. These laws force companies to inform customers about a data loss or security incident that might affect their data. Viewed another way, this is a requirement that creates an extra cost to the company when they lose data. The law indirectly uses the Principle of Adequate Protection: increasing company costs associated with data loss will allow the company to increase its spending to protect customer data.
These activities are intended to help students connect with the core materials and questions, before any independent work or activities.
Engage students in a classroom discussion introducing the concept of digital assets, without using its definition. Try to get the students, as a group, to give examples of data they value and the ways in which they value it. You might pose the following questions:
Possible responses are numerous, but may include: your address, your phone number, the name of your favorite movie, your birthdate, a pet’s name, pictures, music, videos, homework and academic reports, financial records, game money (Playstation Credits, Microsoft Points).
Introduce the definition of a “digital asset,” and how we value data in a number of different ways. Have students classify their examples into groups, based on how they value the data. You may depict these groups using the digital asset square diagram. See “Background for Teachers” for a demonstration of using this diagram. Have students try to categorize the following examples:
financial data | authentication credentials | personally identifiable information | intellectual property |
bank statement, credit card number, bank account data, gift certificate | password, driver’s license, photo ID, school ID, library card | phone number, address, grades/transcript, medical record, family photos | English report, original song, secret recipe, original video, artistic photos |
The following data are not very easily classifiable, and may provoke an interesting debate:
Using the list you developed as a group, have students (in groups or pairs) define each classification of “digital assets.” Discuss results. Have students defend which assets belong in each category.
When students appear to understand what digital assets are, interpret this data from the “2011 Data Breach Investigations Report,” by the US Secret Service and Verizon.
This graph is available as a handout on PowerPoint, PDF and other formats. Similar summary results exist in later reports, too. Consider looking at the current year’s report, if it’s available.
Based on the above graph, consider the following questions:
Play the game [d0x3d!] in groups of three or four. Have students use the “Customizable Drive Map” provided with the game and this lesson plan to give examples of assets that relate to their lives. As students play the game, circulate through the class and check that their customized mats align with the class discussion.
Assign students a pair of articles relating to stolen digital assets from the “Article Bank.” Students will:
Students pick one of the assets they wrote down during the game and explain how having this lost or stolen might affect them: if someone found that embarrassing picture of them from elementary school, what would be the effects? If someone had access to their Facebook password, what might happen?
Students interview someone they know who has had a digital asset stolen. Students will report their findings to the class.
Using articles from the “Article Bank,” students take opposing positions on whether the article overestimates (or underestimates) the consequences and value of the data compromise in the described situation. Alternatively, students may debate the categorization of the asset in question in terms of the four types of assets described in the game.
Students will evaluate the class-generated list of digital assets. Students will discuss which digital asset might be the most difficult to steal. Students should justify their answers using claims made in some of the articles below, or others.
Ochocinco unfazed by stolen wallet, credit cards but mourns loss of Starbucks card
Police: Man stole credit card information through Wi-Fi networks
http://www.ocregister.com/articles/police-381974-credit-larson.html
'Catfished': Teen Reporters Investigate Online Relationships
http://www.huffingtonpost.com/2013/03/02/teens-discuss-online-relationships-and_n_2792601.html
Hackers not only stole my identity but also tried to fleece my friends
Foreign Hackers Attacking SC DMV Database Daily
http://www2.wspa.com/news/2012/feb/02/foreign-hackers-attacking-sc-dmv-database-daily-ar-3161441/
Hospital hack exposes more than 2,000 patient records
http://www.massdevice.com/news/hospital-hack-exposes-more-2000-patient-records
Pepsi Alerted Coca-Cola to Stolen-Coke-Secrets Offer
http://www.foxnews.com/story/0,2933,202439,00.html
Even a stolen library card can cost you
http://www.woodtv.com/dpp/news/local/grand_rapids/Even-a-stolen-library-card-can-cost-you
Grad Student’s Thesis, Dreams on Stolen Laptop
http://gawker.com/5625139/grad-students-thesis-dreams-on-stolen-laptop
SC continues handling fallout after tax records hacked
http://www.wsoctv.com/news/news/local/sc-continues-handling-fallout-after-tax-records-ha/nWJbq/
Jonathan Coulton Publicly Shames Fox For Copying His Arrangement In Glee
TableTop Security | Rev. 6/20/13