2.3 Coaching & Exercising
2 hours 23 minutes
Lesson three. Coaching and exercising.
Do you like being tested? Well, I guess you came back with a resounding no to that question because no one really likes being tested.
But we have to evaluate in some way to assess whether or not our security education program is making a difference to the threat recognition capability of our organization.
That's the issue we are going to address in this module: a different way of evaluating competence by using coaching and feedback.
In this lesson, we're going to focus on the development of assessment approaches that build the confidence of participants and make them feel less like they are being interrogated and more as if they are being equipped to deal with cyber threats they face on a daily basis.
To do this, we will be using approaches that depart from some of the accepted norms of testing, such as multiple choice questions or covert phishing simulations.
We'll be focusing less on examining and more on building the skills and confidence of our colleagues so that they feel they are being supported and guided.
No one deliberately develops tests that make people feel like those images shown here, but many approaches to testing do,
creating negative feelings and disengagement from the security education program.
How your colleagues experience training and development will have a major effect on their retention of the subject matter.
Many training courses make use of multiple choice questions with a scoring system at the back end,
which is fine in terms of testing a colleague's retention of pure facts, i.e. "know that". But for cybersecurity training, where we have that overarching objective of developing and improving our colleagues' cyber threat recognition capabilities,
we need to help them acquire more than "know that". We need to be building "know-how",
and a multiple choice question and answer session just will not deliver that level of skills development.
Some organizations use simulated phishing emails.
But these exercises can create feelings of resentment towards the InfoSec function and disengagement with the security education program.
The best way to build your colleagues' threat recognition capabilities is to apply training techniques that build confidence and empower users to make informed decisions.
This is an area where experiential learning techniques can be applied with great success, and this part of the course will walk you through some examples, including a phishing test, and show you how you can use experiential learning techniques as an alternative to help your colleagues build their threat recognition capability.
Our first step in the experiential learning process is to provide a short recap for the user of the preceding material.
As you can see here, we're providing a recap of the phishing email walkthrough that we covered in lesson two, when we looked at visualizations.
Now, having had that visual demonstration, we ask the user if they think they could now recognize a phishing email on their own.
When they are ready, they can take the test. But this test is different. They see a phishing email, and they have to click on those parts of the email that they think could be red flags. This makes the test tactile, gives immediate feedback, and the option, if the user is not sure, to get some additional coaching immediately.
There's no pass or fail. No reward of additional training, just support. All focused on building the user's confidence and threat recognition skills.
They are learning by doing, which is, of course, the foundation of experiential learning. With the addition of support and positive feedback,
the user is developing real know-how. They are encountering a phishing email in a simulated safe environment that's designed to be supportive rather than adversarial. In the next slide, we're going to be showing a screen recording of this approach in action.
Screen recording will start in a few moments. In it, you'll see an approach where a user is asked to apply what they have learned about phishing emails, receiving feedback and support in the process.
You can see from the screen recording how the user's skills are being simultaneously coached and developed.
If you'd like to try this out for yourself, there's a link at the end of this module that will take you to a browser-based version that you'll be able to test drive yourself.
The reason the approach shown here works better is because the user is being asked to retrieve and apply what they have learned. It's actually a more challenging approach than being asked to check off the most common phishing red flags in a multiple choice question.
Because in this example, we gave the user no clues as to what the answer might be,
the user has to recall the principles and then apply them to a specific example. And because the test is harder, it actually exercises the brain more vigorously, and this results in embedding the knowledge further. It's the same effect as physical exercise making your body stronger.
In this specific example, by asking the user to apply the newly acquired knowledge,
it has become more deeply embedded. There's also a bit of positive psychology going on, too.
Did you notice that the user was never told they had failed? They were congratulated when they spotted a red flag,
and if they were not confident that they'd found them all, they could ask for help and were taken to a walkthrough of all of the red flags.
So rather than being subjected to a pass or fail test, they were coached through the process, creating an environment of support rather than one of critique.
Although recognizing phishing threats may appear to be the obvious candidate for this approach, it's not the only area of security education where we can apply it.
We can apply these techniques to create interactive experiential learning resources for other end user cybersecurity threats, such as safe Internet browsing, safe Wi-Fi use
and security while traveling.
Before we move on to the summary, just a quick post-assessment question.
Why does experiential learning embed knowledge more effectively?
Well, it's the process of retrieval and application. Retrieving and applying knowledge embeds it more deeply
and ensures that the learning is retained for longer.
This concludes Lesson three, where we have looked at integrating experiential learning techniques into training and assessment activities.
We've discussed some of the shortcomings in some of the current methods of assessment and shown some alternative approaches in the form of exercises which coach users to develop threat recognition capabilities. If you'd like to test drive the example shown for yourself, there is a link to a browser-based version in the next slide.
This will give you the opportunity to see an interactive version in operation
and experience it as a user would during a training course. The three sessions in this module have concentrated on integrating experiential learning techniques into the delivery of training and awareness content.
The next module moves on to building on this foundation to develop a process of establishing and maintaining permanent cybersecurity competence and provide some guidance on capturing meaningful metrics to measure competence and threat recognition capability.
I promised you a test drive of the phishing test example that we showed earlier. You'll need to write it down. Here's the URL.
And it'll stay on the screen for around 15 to 20 seconds.
That now concludes lesson three and this module of making it stick.
Thanks for watching, and I'll look forward to seeing you in lesson one of module two.
Course Assessment - Creating Effective User Awareness Training