Although this seems like a step back, I have witnessed first-hand how engaged my children are with their learning, even the subjects that don’t necessarily lend themselves to creativity and fun. With security training, we have all been there – sitting at our desks and clicking through the latest iteration of security awareness training. As soon as we see the screen, we know what’s coming and know that it won’t be engaging in any way. So, what areas of school education could we take a page from?
Like many parents, I have been involved in home schooling my children at various points over the last year or so. Knowledge I constantly told myself I would never use when I was at school has on occasion resurfaced – much to my surprise – and my respect for teachers has deepened massively.
It has been a challenge at times, but also always a pleasure to spend time with my children, even if it means I get the occasional humbling moment where I find their skills outstripping mine.
One thing that I found really fascinating was the way in which they learn. It got me thinking about what my industry – cybersecurity – can learn from school education. There are universal methods that exist in my children’s education that cybersecurity must learn from if it is to see human-caused breaches drop. With the ICO estimating that 90 percent of all security incidents are as a result of human behavior, it is vital that we do.
Make use of technology
One of the stark differences between my education and my children’s is the growing use of technology. No longer is it about the dull text and exercise books used in my day, but online portals and platforms. Of course, this has been accelerated by the need for remote learning, but my children regularly talk to me about the technology they use in their lessons.
There is some really incredible technology out there that could be used to help adults learn about how and why they should be keeping their organizations safe, but instead, most people are made to sit through at-desk training modules. These are essentially the same old exercise books, but they have migrated online, which on its own doesn’t make it exciting or engaging. At present, most security awareness training is very low tech, and that has to change or else people will continue to click through it as fast as possible and not take anything in.
Storytelling is key
Much of school education is based around scenarios – “Jack’s mother gives him £3 and sends him to the shops to buy oranges. They cost 50p each – how many oranges could Jack buy with the money his mother gave him?”. This is the beginning for a story, which can be developed to make learning stick.
By embedding context you develop a narrative and help the audience understand why this matters. For example, perhaps Jack’s mother has a cold and is unable to leave the house. This is a crude example but is starting to develop a story.
Cybersecurity too, must make use of storytelling to make the content and the subject more engaging, in a format that we as human beings understand. At the moment, we are only getting a part of the story – “if you have a weak password, you’re putting the company at risk”. But we should be developing narrative and a story around this scenario that makes people sit up and listen.
When done right, storytelling is a powerful tool that really helps us to remember lessons or impart wisdom, but it is often overlooked in cybersecurity training.
Understanding that learning – even about serious subjects – can be fun
One sure fire way to increase engagement with education is to inject some fun into it. Whether this be making learning interactive, or introducing elements of gamification, I have seen the impact it has on my children’s learning, particularly on knowledge retention. I am sure if we as adults all look back, we can remember certain lessons from our school days, because they used a technique that was unusual, or made the lessons more fun.
We should be applying the same technique to cybersecurity learning. This doesn’t mean trivializing important issues by making them fun or gimmicky just for the sake of it but injecting some element of gamification or interactivity can help to draw the subject in and make sure they learn and retain knowledge from their education.
Group learning can help people to understand topics
Finally, group learning can be a really powerful tool for education. This is difficult at the moment with social distancing, but I have seen my daughters joining virtual breakout rooms with their classmates, all bouncing ideas off each other and learning in a collaborative way.
This doesn’t occur in all of their lessons, and nor should it, but having occasional elements of cooperation in learning can really help to get the brain moving, and enable us to see problems from the perspectives of others.
I have seen group learning really help people to learn. On the surface, security doesn’t look like a topic that lends itself to group learning, which means that we have to get creative with it. This can be done through interactive cyber escape rooms in groups, which are a far cry from the current group activities we see in security training, which is limited to group webinars.
Learning from our children
To increase engagement and truly get through to people, the cybersecurity industry must follow these steps. As always, we can learn lessons from our children – I am constantly learning lessons from mine.
Getting adults to learn at an age when they think they have left school behind them can be difficult, but there are some universal truths of education that apply whether you are five or 75 years old. We like to learn with experiences attached that help us to remember our lessons. If we fail to do so in cybersecurity, we will never see engagement increase and people will continue to be the main target of cyber attacks.
Simeon Quarrie, founder and CEO, VIVIDA