Level 1
Unit No:
Guided learning hours:
48 hours


Learners will learn about cybercrime and the risks and effects it has on individuals and organisations. They will understand routine protective methods used to maintain cybersecurity including the principles of vulnerability and penetration testing and user access control.

Unit Learning Outcomes


Know about cybercrime. 

Common forms of cybercrime and motives:

  • Phishing: using fake email messages to get personal information
  • Stealing/misusing personal information (identity theft)
  • Hacking: accessing, shutting down or misusing websites, networks and IT systems
  • Advocating terrorism-related acts
  • Email and internet fraud
  • Theft of financial or card payment data
  • Theft and sale of corporate data
  • Cyberextortion (demanding money to prevent a threatened attack)
  • Ransomware attacks
  • Denial-of-Service (DoS) attack
  • Cryptojacking (where hackers mine cryptocurrency using resources they do not own)
  • Cyberespionage (where hackers access government or company data)

AC 1.3:

  • Social engineering: relies on human instinct of trust, carefully worded email, voicemail, or text message from a cybercriminal can convince people to transfer money, provide confidential information, or download a file that installs malware.

Tactics to defraud:

  • Phishing: tactics include deceptive emails, websites, and text messages to steal information.
  • Spear phishing: email is used to carry out targeted attacks against individuals or businesses.
  • Baiting: an online and physical social engineering attack that promises the victim a reward.
  • Malware: victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.
  • Pretexting: uses false identity to trick victims into giving up information.
  • Vishing: urgent voice mails convince victims they need to act quickly to protect themselves from arrest or other risk.
  • Learners could refer to a ‘real world’, for example, by looking at each other’s social media accounts to identify information that could potentially be used to defraud their peers.

Assessment Criteria

  • 1.1

    Identify different forms of cybercrime and possible motives. 

  • 1.2

    Outline how cybercrime can affect individuals and organisations. 

  • 1.3

    Describe the tactics cybercriminals use to defraud people. 


Know about protective methods to maintain cybersecurity. 

AC 2.1

  • Protective methods: practicing diligence, installing appropriate anti-virus software, installing other appropriate security software, turning on firewall, protecting personal information, browser safety, client software, frequent and regular updating, care with email attachments, not opening pop ups, avoiding emails from unknown sources, not visiting suspect sites, anti-malware software, use and protection of passwords, data protection (personal/financial information), restricting access, regular backups.

AC 2.2:

  • Cyber security testing: measures the effectiveness of security measures against a potential attack, can be manual or automated, vulnerability testing to reduce the possibility for intruders (hackers) to get unauthorised access, penetration testing (ethical hacking).
  • Purpose: to test an IT system, network or web application to find security vulnerabilities that a cybercriminal could exploit.

AC 2.3:

  • User access controls: learners could do this by setting up user access control on a network or operating system. For example, a cloud based application could be used to set up shared folders, learners could set various permissions, including some with restricted access.

Assessment Criteria

  • 2.1

    Identify routine importance of cybersecurity testing. 

  • 2.2

    State the importance of cybersecurity testing.

  • 2.3

    Set up user access controls. 


Know about legislation and codes of conduct related to cybersecurity. 

AC 3.1:

  • Current UK legislation that applies to different IT systems and data.
  • The principles and requirements of the data protection legislation (The Data Protection Act, 2018, GDPR) and its impact on organisations, IT systems and data.
  • Computer Misuse Act 1990, its definitions of illegal practices and the impact it has on organisations, IT systems and data.
  • Other legislation could include: Official Secrets Act 1989, The Privacy and Electronic Communications Regulations 2003.

AC 3.2:

  • Ethical conduct could include: adherence to organisational IT policies and procedures, maintaining confidentiality, adherence to applicable laws, promoting information security, refraining from conflicts of interest.
  • Unethical conduct could include: sabotage, disclosing or misusing confidential information, maliciously injuring the reputation or prospects of an individual or organisation.

Assessment Criteria

  • 3.1

    Identify protections for and responsibilities of individuals and organisations as set out in key legislation. 

  • 3.2

    Describe ethical and unethical conduct in relation to cybersecurity.