Lesson Plan: Digital Assets


An Introduction to Digital Assets

Lesson Plan for grades 9–12
Time:
2 periods (50 min ea.)

INTRODUCTION

One goal of network security is to protect the information, or data, we value. These data may represent a variety of things, ranging from the last four digits of your social security number to the plans for a new cutting-edge invention.  We also value data in variety ways.

In the game [d0x3d!], the objective is to reclaim four stolen digital assets,” namely: authentication credentials, financial data, intellectual property, and personally identifiable information. In this lessonintended to be used prior to and after playing the gamewe explore the idea of digital assets in more depth, to better appreciate the importance of securing the data we value in our own lives. It is intended to be taught over two 50 minute class periods.

SUMMARY

Students will learn about valued, digital data and relate them to their lives and the real world.

Objectives

  1. Student will be able to define what a digital asset is, generically.
  2. Students will be able to describe some characteristics of the four types of digital assets present in the game [d0x3d!].
  3. Students will be able to give some examples of digital assets in their own lives.
  4. Students will be able to describe and compare scenarios where digital assets have been compromised, in terms of potential effects or damages in the real world.

Standards

Assumed Student Prior Knowledge

This lesson assumes that students have experience using the Internet for personal and academic purposes, and have some experience or knowledge of common practices related to social networking and sharing personal data online.

Materials

Vocabulary


BACKGROUND FOR TEACHER

The digital age has brought many exciting new technologies that are now part of our everyday lives. We can check email from our phones. We can upload pictures to the Internet from the dinner table. Many personal and valuable things take digital form. While it is convenient to share and access this data, anywhere and anytime, it opens the possibility of unwanted people getting access to these data, too.

Across a period of weeks in 2012, several major Internet companies each had their systems compromised and user information stolen. For example, a compromise at eHarmony resulted in 1.5 million passwords taken [LA Times, 2012]. At LinkedIn, 6 million passwords were stolen [LinkedIn, 2012]. At Yahoo, 450,000 passwords were stolen and posted online [CNN, 2012]. With these passwords, attackers gained or provided access to all of the sensitive, personal data users had uploaded to these websites. The scale of these attacks was unprecedented. At the same time, they are examples of a nearly constant threat against networks: hackers attempting to gain unauthorized access to online services and individualsdata.

WHAT ARE DIGITAL ASSETS?

A digital asset is any valued data stored in electronic form on a computing device. The game [d0x3d!] uses tokens to represent some valued data, classifying them into four generic types: authentication credentials, financial data, intellectual property and personally identifiable information. These types have less to do with the data itself, and more to do with how we value or use the data.

An authentication credential is data used to access a system, like a key or password. If this data is stolen, a hacker may use it to get unauthorized access to something or impersonate a user.

Financial data is related to money, like credit card numbers or bank account numbers. If this data is stolen, a hacker may use it to launder money or commit fraud.

Intellectual property covers a broad range of topics, including copyright, trademark, patents, design rights, inventions, and treatment of creative works. Intellectual property is any product of the mind over which a creator retains some right. Examples include a piece of music (written or performed), a piece of software (as source code or in function), a scientific invention, or a secret formula. Sometimes, technology is used to protect the data or keep it secret. For example, trade secrets, once lost, cannot be easily recovered. Piracy occurs when the creator’s rights are abused in some way. This may happen when some intellectual property is shared or modified without permission.

Personally identifiable information is any data that describes an individual and, if lost, may damage one’s privacy, reputation or identity. Examples range from relatively benign, such as a date of birth or phone number, to very sensitive, such as a social security number or medical record. If these data are stolen, a hacker may use it to, among other things, commit identity theft.

EXAMPLE ASSETS

The previous four asset categories are not strict and sometimes overlap. Some valued data doesn’t fall into one of these categories, and some fall into several. During the Engage activity, it may help to use a diagram to characterize example assets along a spectrum, guided by the terms used in the game. If some example fits neatly into one of these categories, we can illustrate this using a point (or a small circular shape) in the appropriate corner. Many examples fall naturally into these categories:

When an example contains characteristics of more than one type, you might draw a shape that has been “stretched” toward those corners. The result is a “blob,” whose size and shape reflects our thoughts about the function or value of that data. See below for two examples. Bigger blobs don’t necessarily mean the data is more important, just thats its role or value is harder to understand.

THE VALUE OF DATA

Ultimately, the cost of keeping digital assets safe depends on their value. The Principle of Adequate Protection states: data should be protected in ways that reflect its value. It makes no financial sense to spend $20 to protect a penny. While intuitive, this principle is sometimes hard to apply. Often, the value of data is very personal and hard to estimate. How much are your vacation photos worth? Estimating value for digital assets may require estimating the cost of data replacement, the loss of potential future income, the damage to reputation and customer confidence, the potential losses associated with misuse of data in related crimes, etc.

In some states, a company must notify its customers if their account data is ever lost or stolen. These are called “security breach notification laws.” The first such law was passed in California in 2002. These laws force companies to inform customers about a data loss or security incident that might affect their data. Viewed another way, this is a requirement that creates an extra cost to the company when they lose data. The law indirectly uses the Principle of Adequate Protection: increasing company costs associated with data loss will allow the company to increase its spending to protect customer data.


ENGAGE

These activities are intended to help students connect with the core materials and questions, before any independent work or activities.

1. Engagement Discussion

Engage students in a classroom discussion introducing the concept of digital assets, without using its definition. Try to get the students, as a group, to give examples of data they value and the ways in which they value it. You might pose the following questions:

Possible responses are numerous, but may include: your address, your phone number, the name of your favorite movie, your birthdate, a pet’s name, pictures, music, videos, homework and academic reports, financial records, game money (Playstation Credits, Microsoft Points).

2. Define “Digital Asset”

Introduce the definition of a “digital asset,” and how we value data in a number of different ways. Have students classify their examples into groups, based on how they value the data. You may depict these groups using the digital asset square diagram. See Background for Teachers for a demonstration of using this diagram. Have students try to categorize the following examples:

financial data

authentication credentials

personally identifiable information

intellectual property

bank statement

credit card number

bank account data

gift certificate

password

driver’s license

photo ID

school ID

library card

phone number

address

grades/transcript

medical record

family photos

English report

original song

secret recipe

original video

artistic photos

 

The following data are not very easily classifiable, and may provoke an interesting debate:

3. Group Activity

Using the list you developed as a group, have students (in groups or pairs) define each classification of “digital assets.” Discuss results. Have students defend which assets belong in each category.

4. Discussion

When students appear to understand what digital assets are, interpret this data from the “2011 Data Breach Investigations Report,” by the US Secret Service and Verizon.

Compromised Data Types by Number of Breaches

This graph is available as a handout on PowerPoint, PDF and other formats. Similar summary results exist in later reports, too. Consider looking at the current year’s report, if it’s available.

Based on the above graph, consider the following questions:

CHECK FOR UNDERSTANDING

Play

Play the game [d0x3d!] in groups of three or four. Have students use the “Customizable Drive Map” provided with the game and this lesson plan to give examples of assets that relate to their lives. As students play the game, circulate through the class and check that their customized mats align with the class discussion.

ASSESSMENT: Identity Theft

Assign students a pair of articles relating to stolen digital assets from the “Article Bank.” Students will:

  1. Identify which type(s) of digit asset is being discussed.
  2. Compare and contrast what was stolen and the possible effects of each theft.
  3. Discuss which situation was more damaging. Use evidence and examples from the article to support this discussion.
  4. Share these findings with the class.

EXTENSION ACTIVITIES

Personal Narrative

Students pick one of the assets they wrote down during the game and explain how having this lost or stolen might affect them: if someone found that embarrassing picture of them from elementary school, what would be the effects? If someone had access to their Facebook password, what might happen?

Interview

Students interview someone they know who has had a digital asset stolen. Students will report their findings to the class.

Debate

Using articles from the “Article Bank,” students take opposing positions on whether the article overestimates (or underestimates) the consequences and value of the data compromise in the described situation. Alternatively, students may debate the categorization of the asset in question in terms of the four types of assets described in the game.

Risk estimation

Students will evaluate the class generated list of digital assets. Students will discuss which digital asset might be the most difficult to steal. Students should justify their answers using claims made in some of the below articles, or others.


ARTICLE BANK: Compromised Digital Assets

Ochocinco unfazed by stolen wallet, credit cards but mourns loss of Starbucks card

http://www.cbsnews.com/8301-31751_162-57440957-10391697/ochocinco-unfazed-by-stolen-wallet-credit-cards-but-mourns-loss-of-starbucks-card/

Police: Man stole credit card information through Wi-Fi networks

http://www.ocregister.com/articles/police-381974-credit-larson.html

'Catfished': Teen Reporters Investigate Online Relationships

http://www.huffingtonpost.com/2013/03/02/teens-discuss-online-relationships-and_n_2792601.html

Hackers not only stole my identity but also tried to fleece my friends

http://www.standard.co.uk/news/crime/hackers-not-only-stole-my-identity-but-also-tried-to-fleece-my-friends-8504446.html

Foreign Hackers Attacking SC DMV Database Daily

http://www2.wspa.com/news/2012/feb/02/foreign-hackers-attacking-sc-dmv-database-daily-ar-3161441/

Hospital hack exposes more than 2,000 patient records

http://www.massdevice.com/news/hospital-hack-exposes-more-2000-patient-records

Pepsi Alerted Coca-Cola to Stolen-Coke-Secrets Offer

http://www.foxnews.com/story/0,2933,202439,00.html

Even a stolen library card can cost you

http://www.woodtv.com/dpp/news/local/grand_rapids/Even-a-stolen-library-card-can-cost-you

Grad Student’s Thesis, Dreams on Stolen Laptop

http://gawker.com/5625139/grad-students-thesis-dreams-on-stolen-laptop

SC continues handling fallout after tax records hacked

http://www.wsoctv.com/news/news/local/sc-continues-handling-fallout-after-tax-records-ha/nWJbq/

Jonathan Coulton Publicly Shames Fox For Copying His Arrangement In Glee

http://www.techdirt.com/articles/20130118/15021521732/jonathan-coulton-publicly-shames-fox-copying-his-arrangement-glee.shtml


REFERENCES


TableTop Security

Rev. 6/20/13

pg.  of