
Effective Teaching and Learning Techniques for Security Education
- Alex Morgan
- Learning
- May 24, 2024
Security Education is Changing
Traditionally this function has focused on awareness and knowledge transfer, but that has begun to change, thankfully. Behavioural science and the search for a more nuanced understanding have now become a normal part of the conversation. This article focuses on modern pedagogical practices that foster learning communities, critical thinking, collaboration, and real-world application of security concepts.
Transformative Security Education
I was first introduced to transformative security education when I joined Duo Security. Kim Burton was the Security Education Lead and was amazing, highly regarded across the org and really worked with teams and people to understand what they need and build with them. She and others who had input and influence into this program introduced me to how security education could build things with people, far past simple awareness. I’m reminded again of Kelly Shortridge’s article “Cybersecurity isn’t Special”: there are well-established pedagogical practices and strategies that we should not ignore. There are of course teaching techniques tailored for adult learners in corporate settings, with some consideration around what will work for Security Education practitioners and audiences.
Here is a short list of considerations. Below you’ll find a topic, an explanation and an external link to a resource.
- Promoting Engaged Pedagogy: Engaged pedagogy, as advocated by Bell Hooks, encourages a mutual exchange of knowledge between teachers and learners. In security education, this approach can be applied by creating an environment where learners are empowered to share their experiences, question assumptions, and actively participate in the learning process. Creating a space without fear, where questions are expected and encouraged.
- Research 🔬: “A Review of the Literature on Engaged Learning” (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8421560/) by James M. Lang. This research paper explores the benefits of engaged learning approaches across various disciplines.
- Cultivating a Community of Learners: Rather than positioning instructors as the sole authority, embracing a community of learners fosters a collaborative and supportive environment. Cybersecurity educators can facilitate discussions where learners contribute their unique perspectives, learn from one another’s insights, and collectively navigate complex challenges. Another quote from Bell Hooks represents this well: “To begin, the professor must genuinely value everyone’s presence. There must be an ongoing recognition that everyone influences the classroom dynamic, that everyone contributes. These contributions are resources. Used constructively they enhance the capacity of any class to create an open learning community.”
- Resource ⛏️: The National Academies of Sciences, Engineering, and Medicine report “Facilitating Learning from Sharing Experiences: The Power of Collaborative Learning” (https://files.eric.ed.gov/fulltext/ED485070.pdf).
- Encouraging Critical Thinking: Effective security education should go beyond mere knowledge transfer and emphasise the development of critical thinking skills. Educators can achieve this by encouraging learners to question existing paradigms, challenge conventional wisdom, and explore alternative solutions to cybersecurity problems. “Is this system built to allow people to succeed?”
- Website 🌐: The “Critical Thinking Guide” by The University of Washington (https://careers.uw.edu/videos/how-to-use-critical-thinking/) provides practical tips and resources for developing critical thinking skills.
- Blended Learning: This approach combines traditional classroom instruction with online and digital learning resources, allowing for flexibility, self-paced learning, and the incorporation of various multimedia elements. By leveraging blended learning, people can access materials at their convenience while benefiting from interactive simulations and video tutorials.
- Report 📋: “The Blended Learning Universe: A Comparative Review of Definition, Models, and Research” by Nathalie Vermeijden (https://www.researchgate.net/publication/288443155_The_Definition_of_Blended_Learning_in_Higher_Education). This report provides a comprehensive overview of blended learning approaches and research.
- Experiential Learning: Hands-on activities, case studies, and real-world scenarios are at the core of experiential learning. In the context of cybersecurity, this approach enables learners to apply theoretical concepts to practical situations, such as responding to simulated cyber attacks or analysing real-world security incidents. We always loved the IR readouts to share our real-world experiences in the security team.
- Resource ⛏️: “Experiential Learning Experience Everything” by David A. Kolb (https://www.amazon.com/Experiential-Learning-Experience-Source-Development/dp/0133892409). This book is a classic text on experiential learning theory and its applications in education and training.
- Collaborative Learning: Group discussions, team projects, and peer-to-peer learning foster a collaborative learning environment. People can share their diverse experiences and perspectives, collectively tackling complex challenges and enhancing their problem-solving abilities.
- Research 🔬: “Student Engagement and Learning: The Role of Collaboration” by Nancy Chickering and Zelda Gamson (https://www.aacu.org/priorities/fostering-community-based-and-global-engagement). This research paper explores the benefits of collaborative learning for student engagement and deeper learning.
- Personalised Learning: With the help of learning analytics and adaptive learning technologies, personalised learning experiences can be tailored to individual learners’ needs, preferences, and skill levels. This approach ensures that cybersecurity professionals receive training that is relevant and tailored to their specific roles and knowledge gaps.
- Report 📋: “Going Beyond the Hype: How Personalized Learning Can Transform Education” by The Gates Foundation (https://usprogram.gatesfoundation.org/news-and-insights/usp-resource-center/resources/continued-progress-promising-evidence-on-personalized-learning--report). This report explores the potential of personalized learning approaches to improve educational outcomes.
- Microlearning: Recognising the demands on professionals’ time and attention, microlearning delivers training content in bite-sized chunks, often through accessible means like short videos, writing or even on mobile. This technique enhances retention and allows learners to consume information at their convenience, really taking into consideration the cognitive load on people at work.
- Website 🌐: The “Microlearning Consortium” (https://www.microlearningconf.com/) is a professional organization focused on the advancement of microlearning practices. Their website has resources and research on microlearning design and implementation.
- Gamification: Incorporating game-like elements, such as points, badges, leaderboards, and challenges, into cybersecurity programs can increase learner engagement, motivation, and retention. Gamification techniques leverage the human inclination toward competition and achievement, making learning more enjoyable and effective. Approach competition with caution, though: it can be easy to lean a little too hard into it and breed an environment you weren’t expecting, so be conscious of this.
- Website 🌐: The “Gamification Education” website (https://elearningindustry.com/gamification-in-education-advancing-21st-century-learning) has a wealth of resources on gamification design and case studies.
- Social Learning: Social learning emphasises the role of learners’ social interactions and connections in the learning process. This approach leverages internal knowledge-sharing platforms, discussion forums, and collaborative tools to facilitate peer-to-peer learning, knowledge exchange, and the development of a learning culture within cybersecurity teams and organisations.
- Resource ⛏️: “Communities of Practice: Learning, Meaning, and Identity” by Etienne Wenger (https://books.google.co.uk/books/about/Communities_of_Practice.html?id=heBZpgYUKdAC). This book is a seminal work on communities of practice and their role in social learning.
- Inclusive Design and Accessibility: Check out Mismatch - How Inclusion Shapes Design by Kat Holmes. An amazing, concise book that talks to the importance of inclusion being at the forefront of the design process, ensuring that we build with rather than simply for. I briefly wrote about it on LinkedIn.
- Book 📗: Mismatch - How Inclusion Shapes Design - This book effectively demonstrates how inclusive design principles can benefit all learners. https://direct.mit.edu/books/book/4137/MismatchHow-Inclusion-Shapes-Design

Practical Tips for Enriching Cybersecurity Learning:
- Think about cognitive load first. Ensure that we are aware of the asks we have and how cognitive load impacts the ability to learn, take on information or even just get work done. Careful with those nudges.
- Use storytelling. This really is key: security thrives on good stories, and the ability to share and tell stories in a compelling way takes practice.
- Incorporate authentic cybersecurity activities and projects, such as conducting vulnerability assessments, implementing security controls, or responding to incidents. This was something I saw Kim Burton and the team at Duo do in a great way: the annual security awareness training was actually something people enjoyed for the most part (shock horror!). One year, folks ran through a task as if they were a security analyst reviewing the security of a vendor.
- Use a good learning management system. Look for something that allows you to build great multimedia elements, allowing for different ways of learning: video, audio, interactive, labs and reading. For example, if you create a video, upload the transcript; this increases accessibility and gives another option. Make sure it’s easily searchable and has easy, built-in feedback loops and options.
- Build systems and processes that are easy for you to manage. Use automation where you can, and leverage what you can to make what you do scalable. Importantly, write good docs on processes and what it takes to run things like a security champion program!
- Foster collaboration through group activities and discussions, allowing learners to share their perspectives and learn from each other’s experiences. Breakout rooms and other fun ways to have people engage together are your friends.
- Increase accessibility as much as possible. Don’t make accessibility an afterthought, build with people and not just for them.
- Encourage creativity through open-ended challenges and thinking outside the box, preparing people to tackle evolving and complex threats.
- Consider practising experiments instead of simple knowledge transfer training. “Acquisition of skills requires a regular environment, an adequate opportunity to practise, and rapid and unequivocal feedback about the correctness of thoughts and actions” - Daniel Kahneman.
It’s crucial to continuously adapt and look for ways to get the most out of emerging technologies and learning theories in a thoughtful way to ensure that cybersecurity education remains relevant and impactful. By embracing these long-standing and modern teaching techniques, organisations can cultivate learning and teaching communities capable of safeguarding critical systems and people.
Great resources
- Touch as a simple and effective way to manage learners’ cognitive load: https://www.timeshighereducation.com/campus/touch-simple-and-effective-way-manage-learners-cognitive-load
- Pretesting can be a scary thought even for teachers, and most people aren’t fans when you talk about it, but the evidence suggests it’s a great learning aid: “Optimizing the Efficacy of Learning Objectives through Pretests” https://www.lifescied.org/doi/10.1187/cbe.19-11-0257
- Effective Instructional Videos: https://www.learningscientists.org/blog/2021/7/1-1
- Mayer’s Cognitive Theory of Multimedia Learning: https://cornerstone.lib.mnsu.edu/cgi/viewcontent.cgi?article=1140&context=all
- Read Marc Green’s “Safety Hierarchy: Design Vs. Warnings” - “Warnings are most likely to fail in the very circumstances where they are most needed”, “This is not to say that warnings and procedures are always useless but rather that the best safety mechanisms do not rely on humans to act contrary to their nature 100% of the time”.
Note
Things can and should change, and so will this article. There is always new research, and I’m always learning; how we approach and do things should change and evolve. This article is likely to be updated over time.