Swanson Academy for Business & Finance · Unit 2.4 · Grade 9 · Quarter 2

Interactive Manual

Complete guide to every game, security audit, and quiz — for students and facilitators

About This Manual

What's Covered Here

Complete reference for every interactive element in Unit 2.4

Unit 2.4 — Online Safety and Responsible AI Use — closes Quarter 2 with the most immediately personal content in the suite. Unlike spreadsheet functions or document formatting, the threats and tools covered here affect students' lives right now: their accounts are either secured or they are not; the AI tools they use are either employed with integrity or they are not. The interactive tools are designed to convert awareness into concrete action.

This unit has more facilitator discussion anchors than any other Quarter 2 unit because the content invites it — phishing targeting in vulnerable communities, data as a community resource, and AI as an economic equalizer are all topics that connect directly to the Heritage-as-Capital framework running through the curriculum.

ToolLocationFocus
🎣 Threat SpotterStudy Guide → Games tabMatch attack scenarios to their threat type (phishing, vishing, smishing, spear phishing, pretexting, misinformation)
🛡️ Safe or Risk?Study Guide → Games tabSix applied digital safety and AI integrity scenarios — choose the safer, more responsible decision
⚖️ True or FalseStudy Guide → Games tabSecurity and AI facts vs. common misconceptions — 10 statements
🔒 Security AuditStudy Guide → Security Audit tabFive-question self-assessment producing scores across account protection, threat awareness, and information integrity
✏️ Unit Quizg9-2-4-quiz.htmlComprehensive mastery — 20 questions from 23-question bank
Game 1 of 3 · Study Guide → Games Tab

🎣 Threat Spotter

Six attack scenarios matched to their threat type

🎣
Threat Spotter

Six realistic attack scenarios matched to their threat category. Covers the six attack types introduced in Topic 1 and Topic 3. The misinformation risk pair bridges the phishing/scam content to the information literacy content in Topic 3.

6 pairsShuffled each restartNo timer

The Six Pairs — Answer Key

ScenarioThreat TypeKey Indicator
Email from regions-bank-secure.net saying account is locked — click immediatelyPhishingFake domain + false urgency + embedded link
Caller claims to be from the IRS — your SSN will be suspended unless you pay nowVishingVoice call + government impersonation + payment demand
Text says Amazon package delayed — click tracking linkSmishingSMS delivery + embedded link + package pretext
Email claiming to be from the CEO — urgently wire funds to a new vendorSpear PhishingBusiness email compromise — personalized with org context
Caller pretends to be IT support — needs your password to fix a detected virusPretextingFabricated scenario (IT support) to obtain credentials
Shocking financial claim — no author, no date, unknown siteMisinformation riskNo provenance markers — authorless, sourceless, alarming claim
🎓
Facilitator Note — Threat Spotter

After completing, ask students which attack type they believe is most likely to succeed against someone they know — and why. The CEO fraud spear phishing pair (business email compromise) and the IRS vishing pair target the authority/urgency combination that is most effective against people who have not encountered these attacks before. This discussion personalizes the threat from abstract to real.

Game 2 of 3 · Study Guide → Games Tab

🛡️ Safe or Risk?

Six digital scenarios — choose the safer, more responsible action

🛡️
Safe or Risk?

Six scenarios featuring AOBF students navigating real digital decisions: a phishing email, credential reuse after a breach, financial misinformation, AI hallucination in an essay, SMS 2FA vs. authenticator app, and AI academic integrity without a written policy. Each has one clearly defensible correct answer with a detailed explanation.

6 scenarios4 choices eachExplains all wrong choices

Scenario Guide

#Student / SituationCorrect ActionCore Concept
1Marcus — bank security email with suspicious domainCall the bank directly using official number — do not click the linkPhishing response (Topic 1)
2Destiny — same password on all accounts; Instagram gets hackedOther accounts are at immediate risk — credential stuffing is the attack vectorPassword reuse + credential stuffing (Topic 2)
3Jerome — viral financial panic article, no author, unknown siteApply SIFT before sharing — verify through credible sourcesSIFT framework + financial misinformation (Topic 3)
4Aaliyah — AI generates statistics for her essayVerify each statistic independently before including itAI hallucination + verification standard (Topic 5)
5DeShawn — sets up SMS 2FA; is there a stronger option?Authenticator app — codes generated locally, immune to SIM swapping2FA quality: SMS vs. authenticator app (Topic 2)
6Brianna — submits AI-generated essay, school has no written AI policyStill an integrity issue — policy absence does not resolve authorshipAI academic integrity (Topic 6)

Scenario 6 — Most discussion-worthy

Scenario 6 (Brianna, no written AI policy) is the most nuanced in the set. Students often argue that absence of a policy means absence of a rule. The teaching point: academic integrity is about the purpose of the assignment, not only about written prohibitions. An essay exists to develop and demonstrate analytical capability — submitting AI output misrepresents that capability regardless of policy. This scenario generates productive classroom discussion about integrity vs. compliance.

🎓
Facilitator Note — Safe or Risk?

After Scenario 4 (Aaliyah, AI statistics), ask: "Has anyone already submitted AI-generated statistics in a school assignment without verifying them?" Give space for honest answers without judgment. Then ask: "What would have happened if those statistics were wrong?" This connects the abstract concept of AI hallucination to a concrete consequence students can visualize.

Game 3 of 3 · Study Guide → Games Tab

⚖️ True or False

Security and AI facts vs. myths — 10 statements

⚖️
True or False

Ten statements targeting the most persistent misconceptions in this unit: HTTPS safety (false), 2FA effectiveness (true), password reuse (false), social engineering vector (false), AI hallucination (true), misinformation vs. disinformation (false), phishing design quality (false), password managers (true), SIFT (true), and AI integrity without policy (false).

10 statementsShuffled each roundExit ticket recommended

Answer Key — All 10 Statements

#Statement (summarized)Answer
1HTTPS means the website is always safe to enter personal information onFALSE — HTTPS = encrypted connection, not verified legitimacy
22FA makes an account significantly harder to compromise even if password is stolenTRUE
3Reusing a strong password across multiple accounts is acceptableFALSE — credential stuffing bypasses password strength entirely
4Social engineering primarily exploits software vulnerabilitiesFALSE — exploits human psychology, not software
5AI language models can produce confident, fluent, factually incorrect output (hallucination)TRUE
6Misinformation and disinformation are the same — both deliberately falseFALSE — misinformation = unintentional; disinformation = deliberate
7Phishing emails can be identified reliably by checking for professional design and logosFALSE — design can be copied perfectly; check the actual domain
8A password manager stores strong unique passwords for every account behind one master passwordTRUE
9SIFT (Stop, Investigate, Find coverage, Trace) is for verifying online information before sharingTRUE
10Submitting AI-generated work as your own is only an integrity issue if there is a written policy prohibiting itFALSE — integrity is about purpose, not only policy

Statements 1 (HTTPS) and 7 (phishing design) are the most commonly missed — both correct popular misconceptions that feel like common sense. Statement 10 (AI integrity without policy) is the highest-discussion item. Below 7/10 on this exit ticket: revisit Topics 1, 2, and 5 before the quiz.

Security Audit · Study Guide → Security Audit Tab

🔒 Personal Security Audit

Five questions, three score categories, one highest-priority action

🔒
Personal Security Audit

Five yes/partial/no questions covering unique passwords, 2FA, phishing recognition, information verification, and AI fact-checking. Produces scores across Account Protection, Threat Awareness, and Information Integrity, plus one highest-priority action specific to the student's answers.

5 questions3 score categoriesPersonalized priority action

Scoring Logic

QuestionCategoryYes = 2Partial = 1No = 0
Unique passwords for important accountsAccount Protection210
2FA enabled on important accountsAccount Protection210
Can identify 3+ phishing warning signsThreat Awareness210
Verify information before sharing onlineThreat Awareness210
Always verify AI-generated factsInformation Integrity210

Score interpretation

Total maximum: 10. Score 80%+ (8–10): Strong. Score 55–79% (6–7): Moderate. Below 55% (0–5): Needs Work. The priority action hierarchy: missing professional email → no self-Google → high post volume → many platforms → always LinkedIn. The audit is self-reported and unverified — its value is in prompting honest reflection, not producing a certified score.

🎓
Facilitator Note — Security Audit

Run the audit as an anonymous class aggregate: have students raise hands for each "No" answer. Show what percentage of the class has 2FA enabled, uses unique passwords, and verifies AI facts. The aggregate data makes the discussion concrete without requiring anyone to disclose their personal security posture. Then ask: "If you got a 4 out of 10 today, what would it take to get to an 8 by next week?"

Graded Assessment · g9-2-4-quiz.html

✏️ Unit Quiz Engine

20 questions from a 23-question bank — phishing, passwords, SIFT, privacy, AI

✏️
Unit 2.4 Quiz Engine

Same engine as prior units. Unit 2.4 has the highest proportion of applied judgment questions in Quarter 2 — students must choose the correct action in a realistic scenario, not just recall a definition. The quiz intentionally includes the most common misconceptions as wrong-answer options.

23-question bank20 drawn per attemptShuffled choicesUnlimited retakes

Question Bank Coverage

TypeCountTopics Covered
Multiple Choice15Phishing definition, domain-as-indicator, smishing vs. vishing, authenticator app vs. SMS, smishing response protocol, credential stuffing, HTTPS misconception, SIFT framework, misinformation vs. disinformation, data as commodity, AI hallucination, responsible AI use, password manager, financial misinformation, social engineering definition
True / False8HTTPS safety (false), 2FA effectiveness (true), password reuse (false), AI as research tool requiring verification (true), misinformation vs. disinformation intent (false), data privacy settings limit (false), spear phishing danger (true), AI integrity without policy (false)

Grading Scale

A
90–100%
Outstanding
B
80–89%
Strong
C
70–79%
Passing
D
60–69%
Approaching
F
0–59%
Not Yet

Highest error-rate questions

The HTTPS misconception question (false: HTTPS does not mean a site is safe) and the phishing visual design question (false: professional design is not a reliability indicator) are the most missed. Both correct commonly held but wrong beliefs. Students who score below 70% should return to Topics 1 and 5 and re-read the annotated phishing email in the Study Guide.

For Facilitators

🎓 Facilitator Notes

Sequencing, NAF/AOBF alignment, and Heritage-as-Capital discussion anchors

Recommended Learning Sequence

  • 1Study Guide Topics 1–2 (~25 min). Phishing anatomy (annotated email), smishing/vishing, password security, 2FA. Students should be able to identify five phishing red flags before moving on.
  • 2Threat Spotter (5–8 min). After completing: run the discussion — which attack type is most likely to succeed on someone in their community and why.
  • 3Study Guide Topics 3–4 (~20 min). SIFT framework, misinformation vs. disinformation, data privacy. Apply SIFT to a live example as a class — choose a current financial or health claim in the news.
  • 4Study Guide Topics 5–6 (~20 min). AI capabilities/hallucination, responsible AI use. Demonstrate a live AI hallucination using an available AI tool: ask it for a financial statistic with a source, then attempt to verify the source independently. The demonstration is more effective than any description.
  • 5Safe or Risk? (10–15 min). Pause at Scenario 4 (AI statistics) for the honest-reflection question. Pause at Scenario 6 (AI integrity) for the integrity vs. compliance discussion.
  • 6Security Audit (8–10 min). Run as anonymous aggregate first. Then have students complete it individually and identify their one priority action to take this week.
  • 7True or False (8–10 min). Exit ticket. Below 7/10: re-read Topics 1, 2, and 5 before the quiz.
  • 8Unit Quiz independently. 70% minimum passing score.

Heritage-as-Capital Discussion Anchors

  • 📋
    Introduction — Scam Targeting as a Community Wealth Problem"Financial fraud is not an abstract internet problem — it is a community wealth problem." Ask: do you know someone who has been targeted by a phone or email scam? What made them vulnerable? What would have helped them recognize the attack?
  • 💡
    Topic 4 — Data as Community Resource"Tech companies collect data from communities across Birmingham-Bessemer and profit from it — but the community sees none of that value." Ask: what would it mean for a community to collectively understand and assert its data rights? What decisions could be made differently?
  • 🏛️
    Topic 6 — AI as Equalizer"A student in Birmingham-Bessemer with strong AI literacy has access to tools that cost thousands of dollars per hour a decade ago." Ask: what professional task could you accomplish better or faster with AI literacy that you could not do easily without it? What does it mean to use that capability with integrity?

NAF / AOBF Alignment

Unit 2.4 TopicNAF Academy of Finance Standard
Phishing, scams, social engineeringCybersecurity Awareness — identifying and responding to digital threats
Password security and 2FAInformation Security — protecting accounts and sensitive data
Evaluating sources and misinformationInformation Literacy — critical evaluation of financial and professional information
Data privacy and digital rightsConsumer Finance — understanding data rights and financial privacy
AI capabilities and limitsTechnology in Finance — emerging tools and their appropriate professional use
Responsible AI useProfessional Ethics — integrity in the use of technology tools
Quick Reference — All Interactive Tools
🎣 Threat Spotter
6 pairs · Phishing, vishing, smishing, spear phishing, pretexting, misinformation · Post-game community discussion
🛡️ Safe or Risk?
6 scenarios · Pause at #4 (AI stats) and #6 (no policy) for discussion
⚖️ True / False
10 statements · HTTPS and design-as-indicator are highest error · Exit ticket
🔒 Security Audit
5 questions · 3 categories · Run anonymously as class aggregate first
✏️ Unit Quiz
20/23 drawn · Judgment-heavy · HTTPS and phishing design are highest error
Live Demo
Before Topic 5: demonstrate a live AI hallucination with any available AI tool — most effective moment in the unit