This study investigates whether U.S. K–12 computer science (CS) standards adequately align with industry expectations for security and privacy education. Using a mixed-methods approach, we systematically collected and coded 11,954 state and national CS standards, augmented by large-scale text analysis, expert-driven manual annotation, and semi-structured interviews with security and education professionals. We identified 103 distinct security and privacy themes and developed the first comprehensive, dual-dimension (technical–societal) knowledge taxonomy for K–12 CS education. Results indicate that current standards broadly cover foundational topics—including cryptography, network security, and digital ethics—but critically omit explicit learning objectives for higher-order competencies such as threat modeling and security mindset development. This work provides the first empirically grounded, nationwide characterization of security and privacy coverage in K–12 CS standards, revealing significant curricular gaps and offering evidence-based guidance for curriculum redesign and policy reform.

Increasingly, students begin learning aspects of security and privacy during their primary and secondary education (grades K-12 in the United States). Individual U.S. states and some national organizations publish teaching standards -- guidance that outlines expectations for what students should learn -- which often form the basis for course curricula. However, research has not yet examined what is covered by these standards and whether the topics align with what the broader security and privacy community thinks students should know. To shed light on these questions, we started by collecting computer science teaching standards from all U.S. states and eight national organizations. After manually examining a total of 11,954 standards, we labeled 3,778 of them as being related to security and privacy, further classifying these into 103 topics. Topics ranged from technical subjects like encryption, network security, and embedded systems to social subjects such as laws, ethics, and appropriate online behavior. Subsequently, we interviewed 11 security and privacy professionals to examine how the teaching standards align with their expectations. We found that, while the specific topics they mentioned mostly overlapped with those of existing standards, professionals placed a greater emphasis on threat modeling and security mindset.