Topic

3.6.2 Cyber security threats

GCSE Computer Science AQA

This resource covers 3.6.2 Cyber security threats for AQA GCSE Computer Science. It sits within section 3.6 Cyber security and focuses on the specific threats students must be able to identify, explain, and apply in exam answers. That means keeping the teaching tightly anchored to the specification rather than drifting into a giant tour of everything frightening on the internet.

Teachers usually need students to do more than recite a list of threats. Students need to understand how each threat works, why it is dangerous, and how examiners reward precise explanation. This page is designed to help you teach the topic clearly, anticipate common misconceptions, and mark responses with a sharper eye for what is secure, vague, or only half-right.


At a Glance

🎯 Specification context

  • AQA GCSE Computer Science, 3.6.2 Cyber security threats

  • Sits within 3.6 Cyber security and supports later work on security measures

Students must know

  • social engineering techniques

  • malicious code (malware)

  • pharming

  • weak and default passwords

  • misconfigured access rights

  • removable media

  • unpatched and or outdated software

  • what penetration testing is and what it is used for

Key exam focus

  • explaining how the threat works, not just naming it

  • distinguishing between similar threats accurately

  • using precise technical vocabulary

  • linking the threat to possible consequences for data, systems, and users

Common student challenges

  • mixing up phishing, pharming, and other social engineering methods

  • treating malware as one single thing rather than a category

  • describing weak passwords vaguely without explaining the risk

  • confusing penetration testing with criminal hacking


Understanding the Topic

Where this sits in the curriculum

This specification point appears in AQA GCSE Computer Science 3.6 Cyber security. It gives students the threat knowledge they need before moving on to methods of detection and prevention. In other words, students need to understand what can go wrong before they can explain how to stop it going wrong, which is a fairly sensible order for both the specification and real life.

For this topic, students should be able to explain each listed threat clearly and recognise what makes it dangerous. Stronger answers usually show mechanism + consequence. For example, instead of writing malware is dangerous because it harms computers, stronger students explain what the malware does and how that affects files, performance, access, privacy, or security.

The core threat areas students need to know

Social engineering techniques

Social engineering is about tricking people rather than directly attacking hardware or software. The attacker exploits human behaviour such as trust, panic, curiosity, or carelessness.

Students should be able to explain examples such as:

  • phishing, where fake emails, texts, or messages are used to persuade someone to reveal login details or financial information
  • blagging or pretexting, where an attacker invents a believable story to obtain confidential information
  • shoulder surfing, where someone watches a user enter private information

The key teaching point is that the weakness being exploited is often the person, not the machine.

Malicious code (malware)

Malware is a general term for software designed to cause harm, disrupt systems, steal data, or gain unauthorised access.

Students do not need to treat malware as one blurry monster. They should know it is a category that includes different forms, such as:

  • viruses
  • worms
  • trojans
  • spyware
  • ransomware

A useful classroom distinction is this:

  • a virus attaches itself to files and spreads when the infected file is opened
  • a worm self-replicates across networks without needing a host file
  • a trojan appears legitimate but hides malicious behaviour
  • spyware secretly gathers information
  • ransomware encrypts files and demands payment

Pharming

Pharming redirects a user from a legitimate website to a fake website without the user realising. The aim is usually to steal login details or financial information.

Students often confuse pharming with phishing. The difference matters:

  • phishing persuades the user to click or respond to a fake message
  • pharming redirects the user to a fake site, often even when the correct web address is entered

Weak and default passwords

Weak passwords are easy to guess, crack, or brute-force. Default passwords are the original passwords supplied with a device or system and are often widely known or predictable.

Students should be able to explain why these are dangerous:

  • they make unauthorised access much easier
  • users may never change them
  • attackers often try common defaults first
  • reused passwords create wider risk across multiple accounts

Misconfigured access rights

Misconfigured access rights happen when users are given the wrong level of permission. Someone may be able to view, edit, delete, or share information that should be restricted.

This can lead to:

  • accidental deletion or editing of data
  • deliberate misuse by insiders
  • unauthorised access to sensitive files
  • greater damage if one compromised account has too many privileges

Students should understand that cyber security is not only about stopping outsiders. Sometimes a system becomes vulnerable because permissions inside the organisation are poorly managed.

Removable media

Removable media includes devices such as USB memory sticks, external hard drives, and memory cards. These can introduce malware, allow data theft, or cause data loss.

Students should be able to explain the risk clearly:

  • infected media can transfer malware between systems
  • portable devices are easy to lose or steal
  • users may plug in unknown devices without checking them

Unpatched and or outdated software

If software is not updated, known security flaws may remain open. Attackers can exploit these vulnerabilities to gain access, install malware, or disrupt systems.

This is an area where students benefit from specific wording. Strong answers often explain that patches are released to fix vulnerabilities, so failing to install them leaves systems exposed to attacks that are already understood by criminals.

Penetration testing

Penetration testing is the process of deliberately attempting to find weaknesses in a system by simulating an attack. Its purpose is to identify vulnerabilities before a genuine attacker does.

Students should understand the two broad forms AQA expects:

  • internal testing, where the tester has some knowledge or basic credentials and simulates an insider threat
  • external testing, where the tester has no prior access and simulates an outside attacker

A very common exam issue is that students write as if penetration testing is illegal hacking. It is not. It is an authorised security activity used to improve protection.


Key Terms and Concepts

Term Explanation
Social engineering Manipulating people into giving away confidential information or allowing access.
Phishing A social engineering attack using fake messages to trick a user into revealing information.
Pharming Redirecting a user to a fake website in order to steal information.
Malware Software designed to damage systems, disrupt operations, spy on users, or gain unauthorised access.
Default password The original password supplied with a device or system, often predictable if left unchanged.
Access rights The permissions a user has to view, edit, share, or delete files and data.
Removable media Portable storage devices such as USB drives that can carry data or malware between systems.
Patch An update released to fix bugs or security vulnerabilities in software.
Penetration testing An authorised attempt to test a system by simulating cyber attacks to find weaknesses.

How to Teach This Topic

Recommended teaching sequence

  • Start with the idea that cyber threats can target people, software, settings, or devices
  • Group the specification content into manageable chunks rather than teaching it as one long list
  • Revisit the same question repeatedly: How does this threat work, and what damage could it cause?
  • Finish with penetration testing so students see the link between identifying threats and testing defences

Classroom approaches that work well

Teaching tips

  • Use sorting tasks to group threats by whether they exploit people, hardware, software, or system setup
  • Give students short scenarios and ask them to identify the specific threat involved
  • Build comparison practice between phishing and pharming early
  • Use mini whiteboards for quick checks on precise definitions

Marking-aware tips

  • Train students to name the threat and then explain the mechanism
  • Reward answers that include consequence, such as stolen data, unauthorised access, or disrupted service
  • Challenge vague phrases like it hacks the computer
  • Insist on accurate distinction between authorised testing and criminal behaviour

Discussion prompts

  • Why are people often the easiest target in a secure system?
  • Why is a default password still dangerous even if the system seems modern?
  • Is removable media a human risk, a hardware risk, or both?
  • Why would an organisation pay for penetration testing instead of waiting to see whether anything goes wrong?

Scaffolding ideas

  • Provide sentence starters such as: This threat works by... and The main risk is that...
  • Use dual coding with one column for the threat and one for the method or consequence
  • Build retrieval practice around common confusions, especially phishing versus pharming and malware versus virus
  • Ask students to improve weak definitions by adding missing precision

Extension activities

  • Give students mixed examples and ask which part of the system is being exploited
  • Ask students to rank threats by likely exam confusion rather than real-world severity
  • Set a short write-up comparing two threats and evaluating which would be easier for an organisation to prevent

💡 Teacher tip: students often remember examples before they remember categories. That is useful, but in exams they still need the category and the explanation. A student who writes it was like one of those scam emails is halfway there. The mark usually lives in the precision that follows.


How to Mark This Topic Effectively

What strong answers usually contain

  • the correct threat is identified accurately
  • the explanation shows how the threat operates
  • the response includes a clear consequence for the user, data, or system
  • technical terms are used correctly
  • similar threats are distinguished rather than blurred together

What examiners reward

Feature What to reward
Accurate knowledge Correct identification of the named threat and secure subject vocabulary.
Explanation A clear description of how the threat works, not just what it is called.
Development Linked consequences such as data theft, unauthorised access, disruption, or financial loss.
Precision Clear distinction between related ideas, especially phishing versus pharming and malware versus specific malware types.

Common weaknesses in student answers

  • describing all online crime as hacking
  • giving an example but not naming the actual threat
  • saying a password is weak without explaining why it is guessable or easy to crack
  • assuming penetration testing is malicious
  • writing about prevention when the question asks for explanation of the threat itself

Distinguishing weak from strong responses

Stronger responses

  • identify the specific threat precisely
  • explain the method used
  • link to outcome clearly
  • stay tightly focused on the question wording

Weaker responses

  • use vague language like someone hacks it
  • confuse similar terms
  • list facts without explaining them
  • drift into generic internet safety advice

📝 Marking reminder: if a student names a threat correctly but cannot explain how it works, the answer usually has recognition without secure understanding. If they explain the mechanism and consequence accurately, that is where stronger reward becomes justified.


Example Student Responses

Example question

Explain one way social engineering can be used to gain unauthorised access to data.

Marks: 4

Marking guidelines:

  • 1 mark for identifying a valid social engineering method
  • further marks for explaining how the attacker uses it
  • reward developed explanation of how the victim is manipulated and how access or data theft follows
Strong response

A criminal could use phishing by sending an email that looks as if it comes from a trusted company such as a bank or school network. The message may ask the user to click a link and log in. If the user enters their details on the fake site, the attacker can steal the username and password and use them to access the real account.

Why teachers should reward this:

  • identifies a valid social engineering method
  • explains the deception clearly
  • shows how the victim is manipulated
  • links directly to unauthorised access to data
Weak response

They could send a fake email and hack the account. The person might click it and then the hacker gets in.

Why this is weak:

  • the method is only partly identified
  • the explanation is too vague
  • hack the account does not explain the actual process
  • consequence is implied rather than clearly developed

Second example question

Explain why penetration testing is used by organisations.

Marks: 3

Marking guidelines:

  • reward understanding that it is an authorised test
  • reward explanation that it finds vulnerabilities before attackers do
  • reward reference to improving security
Strong response

Organisations use penetration testing to check whether weaknesses exist in their systems. A tester deliberately attempts to gain access in an authorised way so that security flaws can be found and fixed before a real attacker exploits them.

Why this is strong:

  • clearly states purpose
  • makes authorisation clear
  • links testing to security improvement
Weak response

It is when someone tries to hack in and see what happens.

Why this is weak:

  • misses the idea of authorisation
  • does not explain the security purpose clearly
  • sounds more like criminal activity than a defensive measure

Practice Questions

Short answer practice

  • 2 marks: State two cyber security threats listed in AQA GCSE Computer Science 3.6.2.
    • Marking guidance: reward any two valid threats from the specification.
  • 3 marks: Explain why weak passwords are a cyber security threat.
    • Marking guidance: reward explanation that weak passwords are easier to guess, crack, or brute-force, leading to unauthorised access.
  • 4 marks: Explain one risk of using removable media.
    • Marking guidance: reward clear explanation of malware transfer, data theft, or data loss.

Longer exam-style questions

  • 4 marks: Explain the difference between phishing and pharming.
    • Marking guidance: reward clear distinction that phishing uses deceptive communication to trick the user, while pharming redirects the user to a fake website.
  • 6 marks: A company has not updated its software for several months. Explain how this could increase cyber security risk.
    • Marking guidance: reward explanation of unpatched vulnerabilities, possible exploitation, malware installation, data breaches, and disruption.
  • 6 marks: Evaluate which is likely to create greater risk for an organisation: misconfigured access rights or weak passwords.
    • Marking guidance: reward balanced comparison, precise explanation of both threats, and a justified judgement.

🎓 Exam technique: teach students to answer threat questions using a simple structure: name it → explain how it works → explain the consequence. It is not glamorous, but it wins marks with admirable reliability.


Common Misconceptions

  • Misconception: Phishing and pharming are the same thing.
    • Quick correction: Phishing tricks the user through a fake message. Pharming redirects the user to a fake site.
  • Misconception: Malware means only viruses.
    • Quick correction: A virus is one type of malware. Malware is the wider category.
  • Misconception: Strong cyber security is only about stopping outside attackers.
    • Quick correction: Poor internal permissions and careless use of removable media can also create major risk.
  • Misconception: Penetration testing is illegal hacking.
    • Quick correction: Penetration testing is authorised and used to improve security.
  • Misconception: Outdated software is only a performance issue.
    • Quick correction: Outdated software may contain known vulnerabilities that attackers can exploit.

FAQ

Do students need to memorise lots of malware subtypes for this topic?

They should understand malware as a category and know clear examples such as viruses, worms, trojans, spyware, and ransomware. Precision matters more than producing an endless list from memory.

What is the most common exam weakness on this topic?

Students often recognise the threat name but do not explain the mechanism. They write that something is dangerous without showing exactly how the attack works.

How can I help students remember the difference between phishing and pharming?

Teach them through contrast. Phishing begins with a deceptive message. Pharming begins with a deceptive redirection. If students can explain that difference in one sentence, they are usually on safer ground.

Should I teach penetration testing alongside prevention methods or with threats?

It works well at the end of the threats section. Students can then see it as a deliberate way of checking whether the threats they have studied could succeed.

Do students need real-world case studies for this specification point?

Not in the same way they do in some other subjects. Short real-world examples can help understanding, but exam success depends more on accurate explanation than on named incidents.


Make cyber security marking faster and sharper

Marking.ai helps teachers review student explanations with greater consistency, spot where answers are precise or vague, and give clearer feedback on what would lift a response from partial understanding to secure exam-ready explanation. It is especially useful when you are reading the fifteenth answer in a row that says it hacks the system and hoping the sixteenth one might be more specific.