Dataverse | Cybersecurity Education Guide for Hong Kong Secondary Schools 2026

1. Why Does Cybersecurity Matter?

Cybersecurity is not just an issue for adults. As more and more Hong Kong secondary school students use the internet for learning, socialising, and entertainment, the online threats they face continue to grow.² A lack of awareness around personal data protection makes students more vulnerable to attacks.

Hackers may target students in the following ways:

Theft of personal information: Stealing students' identity details, student numbers, or banking information, causing serious harm.
Account hacking: Gaining unauthorised access to social media, email, or gaming accounts.
Scams and extortion: Using false information or threats to defraud victims.
Malware and viruses: Infecting devices through downloaded files or software.
Deepfake attacks: Using AI-generated fake audio or video to commit fraud.

For these reasons, systematically incorporating anti-scam education and cybersecurity knowledge into Hong Kong secondary school curricula has become an important direction in both local and international education policy.³

2. Software Updates: Your First Line of Defence

Why Update Your Software?

With the advancement of new AI technologies, researchers are now able to identify high-risk vulnerabilities in mainstream operating systems and browsers more efficiently than ever before. This has made it necessary for software vendors to continuously release security updates to patch these gaps.

Cybersecurity experts point out that when users delay installing updates, hackers can analyse the patch content, identify where the vulnerability lies, and then launch targeted attacks against systems that have not yet been updated. Therefore, installing software updates promptly is one of the most effective ways to reduce the risk of being compromised. From a personal protection standpoint, software updates sometimes include new features or interface changes — but what truly matters is that they patch known weaknesses, reducing the risk of devices being infiltrated by malware or taken over by unauthorised parties. This makes updating one of the most fundamental, yet often overlooked, steps in good cyber hygiene.⁴

Key Points to Teach Students:

Explain the danger of delaying updates: Hackers analyse software update content and use reverse engineering to identify vulnerabilities, then attack devices that have not yet been updated. The sooner you update, the lower the risk of being hacked.

Set up automatic updates:

Teach students to enable automatic updates on their phones, tablets, and computers.
Prioritise updating operating systems (e.g. iOS, Android, Windows) and browsers (e.g. Chrome, Safari).
Remind students to pay attention to update prompts that require manual confirmation and not to ignore them.

Practical recommendations:

Check for pending software updates on devices once a week.
Do not delay updates — even if a device restart is required, do it promptly.
Help students understand that updating is an important step in keeping themselves safe.

3. Understanding a Device's "Lifespan"

The Risks of Outdated Devices

Several international public bodies and cybersecurity organisations have noted that all devices and software have a limited support period. Once a product passes its "End-of-Life" (EoL) date, the vendor will no longer provide security updates or patches.⁵ The UK's National Cyber Security Centre (NCSC) emphasises that obsolete products no longer receive patches, meaning known vulnerabilities remain exploitable indefinitely. Ideally, these outdated products should stop being used altogether.⁶

Identifying a Device's Support Period:

Teach students how to use https://endoflife.date/ to check the support period of common devices (such as phones, tablets, or operating system versions).

(For example: The iPhone XR's support period ended in April 2026, after which no further security support is provided.⁷)

Practical recommendations:

Regularly check the support status of your own devices.
If a device has passed its end-of-support date, consider replacing it.
Never use an unsupported device for important tasks such as online banking or social media logins.

4. Password Security: The Key to Protecting Your Accounts

Why Password Security Matters

International research consistently shows that a large number of account breaches are directly linked to weak passwords, password reuse, and credential leaks. Hackers frequently use automated tools to attempt logging in across multiple platforms using the same set of credentials — a technique known as "credential stuffing."⁸ For Hong Kong secondary school students, developing good password security awareness is a fundamental requirement of digital citizenship education.

Principles for Creating Strong Passwords:

Passwords should be sufficiently long and complex (at least 12 characters).
Include uppercase letters, lowercase letters, numbers, and special symbols.
Use a unique password for every account — never reuse passwords.
Avoid including information that can be easily guessed (such as birthdays, personal interests, names, or student numbers).

Using a Password Manager:

Encourage students to use a password manager (such as Roboform, NordPass, Google Password Manager, or the Passkey feature built into their device).

Practical recommendations:

Teach students how to set up a password manager.
Regularly review accounts and delete any that are no longer in use.
If a password is suspected to have been leaked, change it immediately.

5. Multi-Factor Authentication (MFA): Double the Protection

What Is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security mechanism that requires users to complete an additional identity verification step when logging in — beyond just entering a password. For example, entering a verification code sent to your phone. This ensures that even if a hacker obtains a user's password, they still cannot successfully log in. Common forms of MFA include one-time passcodes (OTPs), hardware security keys, and biometrics (such as fingerprint or facial recognition). Hardware security keys and Passkeys are considered the most effective methods for resisting phishing attacks.⁹

MFA and Secure Login Methods (Ranked from Most to Least Secure):

Most recommended: Passkeys — Best protection against phishing and fake login page interception.
Second choice: Authenticator apps (e.g. Google Authenticator, Microsoft Authenticator) — Generates a one-time passcode (OTP).
Use with caution: SMS OTP — Relatively more vulnerable to SIM swap attacks and SMS interception.

Practical recommendations:

Teach students to enable MFA for all important accounts (such as email, social media, and gaming accounts).
Prioritise using an authenticator app over SMS verification codes, as it is more secure.
Keep backup verification codes in a safe place in case a phone is lost.

6. Passkeys: The Next Generation of Login

What Are Passkeys?

Passkeys are a new and more secure way to log in compared to traditional passwords. When a user registers, the Passkey is linked to the legitimate website and stored on the device or in a password manager. The system will then automatically verify whether the website's identity matches — if a phishing website is encountered, since the domain does not match, the Passkey simply cannot be used. This means users cannot be deceived by a fake login page.

Advantages of Passkeys:

Cannot be tricked by phishing attacks (fake websites).
More convenient and faster than passwords.
Automatically replaces both passwords and MFA.
Supported by an increasing number of services (such as Google, Facebook, and Microsoft).

Practical recommendations:

Teach students how to set up Passkeys.
When a website or app offers the option to set up a Passkey, encourage students to enable it.
Prioritise setting up Passkeys for important accounts.

7. Recognising and Avoiding Phishing Attacks

What Is a Phishing Attack?

A phishing attack is when hackers use fake emails, text messages, or websites to trick users into revealing personal information or clicking on malicious links.¹⁰ Teaching students to recognise these tactics is the core of anti-scam education. For Hong Kong secondary school students, developing the skill to identify phishing attacks is the first step in protecting personal data.

How to Teach Students to Recognise Phishing Emails

Signs of a phishing email:

Demands immediate action or requests personal information.
Comes from an unknown sender or impersonates a well-known organisation.
Contains suspicious links or attachments.
Contains grammatical errors or poor formatting.

Practical recommendations:

Teach students not to click on links in suspicious emails.
If an email is suspected to be a phishing attempt, delete it immediately or report it to the IT security team.
Verify the sender's identity, especially when the email requests personal information.
Never download attachments from unknown sources.

8. Avoiding Malware and Unsafe Downloads

The Risks of Malware

Malware can infect devices through various means, including downloading pirated software, free game mods, or files from unknown websites.¹¹

Principles for Safe Downloads:

Only download apps from official app stores (such as the App Store or Google Play).
Avoid downloading pirated software or games.
Do not download free game mods or cheating programmes.
Be cautious of downloads from unfamiliar websites.

Practical recommendations:

Teach students to check an app's ratings and download count before installing.
Install reputable antivirus software.
Regularly scan devices to check for malware.

9. Deepfakes and Social Engineering Attacks

An Emerging Threat: AI-Generated Fake Content

The Hong Kong government has noted in LegCo documents that local cases have been recorded in which scammers used deepfake technology to create highly realistic synthetic video and voice content, impersonating company executives to instruct employees to transfer approximately HK$200 million. This reflects growing public concern about criminals using AI-generated faces and voices to commit fraud.¹² In Hong Kong secondary school anti-scam education, deepfake attacks are an increasingly important topic that can no longer be ignored.

Signs of a Deepfake:

Unusual audio or video quality (e.g. lip movements out of sync).
Demands immediate action or requests money.
Claims there is an urgent situation requiring help.

Practical recommendations:

Teach students not to overshare personal information on social media.
If a suspicious call or message is received, ask the person to verify their identity.
Establish a family "code word" or "safe phrase" as a method of identity verification.
In any suspicious situation, contact a parent or teacher immediately.

10. The Family Code Word Strategy: Protecting Your Loved Ones

Establishing a Family Code Word

It is recommended that family members collectively establish a secret code word or safe phrase. If someone calls claiming to be a family member but cannot say the code word, it may be a scam call.

Choosing a Code Word:

Choose a word or phrase that only family members know (e.g. a shared unique family memory).
Make sure all family members can remember the code word.
Update the code word regularly to improve security.

Practical recommendations:

Teach students that if they receive a call or message claiming to be from a family member, they should ask the person to say the code word.
If the person cannot say the code word, hang up immediately and call the police.
Discuss this strategy together as a family to ensure everyone understands and follows it.

11. Cybersecurity Education at the School Level

Classroom Teaching Suggestions (Can Be Combined with Online Self-Study Courses)

Developing a comprehensive cybersecurity teaching plan is an important foundation for promoting digital citizenship education in Hong Kong secondary schools. Teachers can make good use of ready-made cybersecurity online self-study courses and local teaching resources to systematically integrate relevant content into the curriculum.

Integrating into the Curriculum

Include cybersecurity units in IT, computer science, STEM, or digital citizenship subjects, combining videos, case studies, and hands-on activities.
Make use of cybersecurity online self-study courses provided by local organisations, such as the SEED Foundation's Dataverse 2026 online course at seedfoundation.hk/dataverse/2026/. This allows students to progressively master key concepts — including password security, phishing attacks, scam prevention, and personal data protection — through a self-study plus classroom extension approach.
Invite cybersecurity experts or representatives from relevant organisations to visit the school for talks or workshops, sharing the latest information on technology crimes and prevention methods to reinforce curriculum content.
Design mock phishing email or message exercises, allowing students to practise identifying suspicious elements in a safe environment, consolidating what they have learned in online courses.

Cybersecurity Teaching Activities

Ask students to complete cybersecurity worksheets or online tasks — for example, checking and improving the security settings on their personal devices (updates, passwords, MFA, etc.) — and share their reflections in class.
Linked to online course content, organise "password strength checks" or "account security reviews," allowing students to practically apply their skills in using strong passwords and password managers.
Organise a "cybersecurity knowledge competition" or short video / Reels creation contest, encouraging students to reinterpret the anti-scam messages they have learned in courses like "Dataverse" in their own words, spreading awareness to fellow students and parents.

Home–School Partnership

Share clear and concise cybersecurity tips with parents through school newsletters, parent days, or online platforms. Introduce the cybersecurity self-study courses students are participating in, so parents know how to continue the discussion at home.
Organise parent workshops or briefings demonstrating common online scam tactics (including deepfakes, phishing, and mobile malware), as well as how to establish a family internet safety agreement together with their children.
Develop and regularly review the school's cybersecurity and device usage policy to ensure it is aligned with the latest EDB guidelines and local cybersecurity recommendations. Maintain open communication with parents to form a home–school protection network.

12. Conclusion: Building a Culture of Cybersecurity

Cybersecurity is not a one-time task — it is a way of life. Through systematic cybersecurity lesson plans and teaching programmes, we can help Hong Kong secondary school students build safe digital lives:

Regularly update software — Keep devices updated to fix security vulnerabilities.
Password security and password managers — Protect accounts from hackers.
Enable Multi-Factor Authentication — Strengthen account security.
Recognise phishing attacks — A core skill in anti-scam education.
Protect personal data — Only download from safe sources and share personal information with care.
Be alert to deepfakes — Understand the risks of AI-generated content.
Establish a family code word — Protect family members from scams.

By following these steps, students can protect themselves in the digital world and become responsible digital citizens.

Recommended Resources

Password Managers (as recommended by Consumer Council testing)¹³: Roboform, NordPass, Google Password Manager

Antivirus Software (as recommended by Consumer Council testing)¹⁴: Avira Internet Security, Norton360, McAfee

Authenticator Apps: Google Authenticator, Microsoft Authenticator

Conclusion

In this digital age, cybersecurity education is the key to cultivating Hong Kong secondary school students who can use technology responsibly. Through well-developed cybersecurity lesson plans and digital citizenship education, we can help students grow and learn safely in the virtual world. It is our hope that this guide will assist educators and parents in more effectively promoting cybersecurity education in Hong Kong secondary schools, building a safer digital environment for the next generation.

_{References：}

類別