This is the top of the list because it's the cornerstone.
While the actual topics and resources may vary, the SAT I'm designing now is built around this formula:
Why are you a target?
Users are the first line of defense, but they often don't see their value. It's like the line from Usual Suspects - The greatest trick the Devil ever pulled was convincing the world he didn't exist. The first response to training about security is "I don't have to worry about this. Who would want to hack me???" The piece they often don't see is that they're valuable because of what they have access to.
Data, data, data. It's easy to make a case that the kind of data a school holds on their students and staff should be protected. A user with administrative rights to the school's student information system could has a wealth of data - names, parents' names, addresses, phone numbers, birthdates, social security numbers, etc. It may even include medical information, sensitive custody information, or special education records. This is all valuable information to an attacker that can be sold or used for identity theft. In the case of students - have teachers picture a student in their class, and imagine that an attacker gets their personal information and steals their identity to rack up massive credit card debt. When will the student find out they've been compromised? If the student is 12, they may not do anything that requires a credit check till they're 18 or older. This is what the user needs to protect - protecting the data protects the student. On the other side of the coin, this is data that schools need to operate effectively, and attackers know that. An attacker may hope that the info in the student information system is valuable enough to pressure the school into paying a ransom for it. With ransomware payments currently averaging over $300,000, it's a very promising target. In the wake of COVID, schools are now the most popular targets for ransomware attacks according to the FBI.
In educational terms, it's like how teachers create lessons with Backward Design. If the last question was "What information do I have/have access to that someone else might want?", the next question is who would want that access?
In pretty broad strokes, the perpetrators of cyber attacks generally fall into the categories below: