I was recently asked to prepare a 30-40 minute lecture for high school students. The point of the lecture is to explain what we try to accomplish in information security, and to convince them to enroll in our Computer Science program. After thinking this over for a bit, I realized that presenting to high school kids is not that much different than presenting to C-level management. Here is my rationale:

  • Short attention span
  • Little or no interest in details
  • Focus on outcome, rather than on how the outcome is created
  • Think they already know all there is to know

So, taking these observations into account, I must divide my presentation in two or three subtopics, each of which does not exceed 10-15 minutes. I must focus primarily on the show effect (what vs. how) and I must work around the fact that they think they know everything, yet they do not.

When presenting, always ending with that one catchphrase that you want the audience to remember is good practice. Whether that catchphrase is "give infosec more money" or "enroll in the program" is irrelevant.

Initially, I thought that a nice Metasploit demo might be just what we needed to end the presentation. What is cooler than showing how to own a networked box in under five minutes? Not much, right? Well, true as that may be, high school kids do not live in the world of complex command-line invocations and text-based output. Running a Metasploit demo is one thing, but explaining what it actually means is another. Would the audience, which is used to living in a world that predominantly consists of Facebook, Twitter and text messaging, understand the coolness of complete pwnage via a text-based interface? Doubtful.

So, taking it from there, I moved to browser-based stuff. Everyone will be used to having a browser at their fingertips and demonstrating a SQL-injection attack that can be used to retrieve private information would be something they understand. Oh wait-- private information is mostly worthless for most teenagers. They'll pretty much tell you everything you want to know right on their public profiles. While the attack would be successful, and I would show how to list out people's home addresses and/or credit card numbers, that would be of little or no value to them.

Clearly, I need to spend more time on this. Password cracking? Maybe, if that password can be used to do stuff with their Facebook accounts. Denial-of-service? Now, there is an interesting one. Taking away their access may be one thing, but showing how to DoS an individual's cable modem may not necessarily be the wisest move.

Any suggestions among my readers? I'd love to hear your thoughts on this. What can you tell a 17-year-old that would capture their interest in a way that would be sufficient to at least let them consider enrolling in your program?