Characterizing Security and Privacy Teaching Standards for Schools in the United States

TL;DR

This study analyzes U.S. K-12 security and privacy standards, revealing their coverage, alignment with professional expectations, and highlighting gaps in emphasis on threat modeling and security mindset.

Contribution

It provides a comprehensive classification of security and privacy topics in educational standards and compares them with expert expectations.

Findings

Standards cover 103 security and privacy topics.

Professionals emphasize threat modeling and security mindset more.

Significant gaps exist between standards and professional priorities.

Abstract

Increasingly, students begin learning aspects of security and privacy during their primary and secondary education (grades K-12 in the United States). Individual U.S. states and some national organizations publish teaching standards -- guidance that outlines expectations for what students should learn -- which often form the basis for course curricula. However, research has not yet examined what is covered by these standards and whether the topics align with what the broader security and privacy community thinks students should know. To shed light on these questions, we started by collecting computer science teaching standards from all U.S. states and eight national organizations. After manually examining a total of 11,954 standards, we labeled 3,778 of them as being related to security and privacy, further classifying these into 103 topics. Topics ranged from technical subjects like encryption, network security, and embedded systems to social subjects such as laws, ethics, and appropriate online behavior. Subsequently, we interviewed 11 security and privacy professionals to examine how the teaching standards align with their expectations. We found that, while the specific topics they mentioned mostly overlapped with those of existing standards, professionals placed a greater emphasis on threat modeling and security mindset.