As technology creators, providers, and users, we must answer significant questions to address these problems; for example:
• How can we help individuals be good cybercitizens? In particular, how can we give them a clear understanding of both cybersecurity issues and how their personal choices affect cybersecurity?
• How can organizations educate the public about cybersecurity issues in ways that inform better choices?
• Can building an effective cyberworkforce help users understand their responsibilities online and with computer-based technologies?
• What influences online and technology-related behavior, and how do cybersecurity training and awareness affect public perception and behavior?
This special issue of IEEE Security & Privacy addresses these questions. In particular, we examine the security and privacy training and education needs and challenges of disparate age groups, business and government sectors, and skill levels as well as the various ways that these education and training needs can be satisfied.
The Difference between Training and Education
Although the words training and education are sometimes used interchangeably, they're in fact very different. Training refers to learning concrete skills for meeting specific, real-life goals in a clearly understood situation. For instance, training in medieval times was often provided by guilds in which people who had mastered the skills took novices under their wings to show them how to perform some activity. Although some training can be accomplished using textbooks or online courses, most training focuses on exercise and repetition under supervision. Once trainees master the skill set, the training is complete; refresher sessions can remind them of key aspects of the skills or show them how to perform tasks faster or more precisely.
By contrast, education focuses on understanding and knowledge; learners master facts, principles, and concepts. Educated learners can associate principles and concepts, apply them to solve a variety of new problems, and evaluate those solutions' effectiveness. Here, performance speed is irrelevant; instead, improvement efforts focus on cognition, understanding, and conceptual linkage.
In some sense, training is a closed system. It can begin with a task analysis that yields a list of required skills and knowledge; then, trainees can demonstrate competence in each area. However, the concepts and principles to be mastered with education are vast. Educators can't be comprehensive; instead, they present a sample of relevant ideas and facts to illustrate broad concepts and principles. Because education is a more open system, it encourages learners to abstract key ideas and then to build models, some of which can predict future behavior or occurrences. Thus, educators convey knowledge from a variety of perspectives, and learners have discretion in terms of assimilating, organizing, and internalizing what they're taught.
This distinction between training and education is important as we consider how to answer the questions above. How can technology designers and developers best learn to provide effective security technology? How can users best learn to use technology in ways that balance security with functionality?
Understanding How We Learn
Understanding how people learn is helpful for effective training and education. Three theories of learning are behaviorism, cognitivism, and constructivism:
• Behaviorism focuses on objectively observable aspects of learning. It links actions to outcomes, so learners can clearly demonstrate that they understand and can apply a principle or technique.
• Cognitivism explores theories that explain the brain's role during learning. For example, cognitive psychologists often use techniques such as functional magnetic resonance imaging to identify the parts of the brain that are active during a task. Then, they use this information to suggest instructional methods for activating those brain areas known to cause or enhance task performance.
• Constructivism examines the learning process, to discover how the learner actively constructs or builds new ideas or concepts.
All three perspectives can be useful in suggesting ways to design cybersecurity training and education. And because educators have been studying learning for a long time, we needn't start from scratch. Dozens of well-tested theories describe how to move learning into practice, including experiential learning, 1
general problem solving, 2
information processing theory, 3
lateral thinking, 4
and modes of learning. 5
Educators haven't yet determined the best ways to teach all concepts, let alone cybersecurity. But any exploration of effective cybersecurity training and awareness can build on these initial explorations. A one-size-fits-all solution is unlikely to be the answer; different techniques will be useful for different kinds of training and awareness.
An essential element of any exploration of security training or awareness techniques is knowing when education and training have been effective. We want to be able to answer questions such as the following:
• How often do we have to repeat and review? We know that once-a-year security training isn't working, but we don't yet know how often to provide a refresher or reminder.
• How does a changing threat model affect the way we conduct education and training? We don't know how changes to threats translate into changes to curriculum.
• What is the role of awareness campaigns? Organizations teach their employees about a large variety of job performance aspects; we must find ways to weave cybersecurity awareness into a larger landscape that might include safety and health.
To do this, we must have measures of success—ways to demonstrate that learning has occurred. Moreover, because we're trying to demonstrate several things, we'll likely need several different measures. For instance, we want to be able to show that concepts are understood, can be applied during decision-making or technology design, and can lead to better outcomes for users or communities.
The outcome measures aren't easy to define. Security is a negative requirement: we want to show that nothing bad is happening. But demonstrating the absence of an event or quality is difficult, to say the least, if not impossible. Therefore, metrics for security are exceedingly difficult to establish; "Why Measuring Security Is Hard" describes this problem in more detail. 6
This problem is particularly relevant for training and educating system users, who are critical links in the security chain—until an unusual event occurs, the effects of training and education might not be evident.
Where Should Education and Training Occur?
Once we know how to provide cybersecurity education and training, we must decide where they should occur. Who is doing it now? Who could be doing it? What variables (such as organizational culture, educational background, and business needs) suggest the type and extent of the education and training?
Opportunities at work can range from on-the-job training and education to certification in various aspects of security studies (for example, for network operations specialists or certified security professionals). But security education and training can also be embedded in lifetime educational opportunities, from primary education through graduate studies and beyond. Moreover, the systems themselves offer openings to heighten user awareness, such as warnings about risks, alerts for suspicious activity, and descriptions of steps to take if users suspect that their data or systems are compromised.
Open Issues and Next Steps
For too long, we professional security users and practitioners have found it easy to wring our hands and bemoan the lack of good security training and education. It's time to get serious about doing a better job. We can begin by posing three key questions:
• Where are we already doing a good job (and how do we know)? There are some organizations that recognize security threats quickly, respond effectively, and learn from their experiences. We can identify them and study what distinguishes them from less nimble, less responsive organizations.
• Where do we need more work? Even the best organizations can improve their security postures. We must identify areas in which more education and training are necessary and provide processes for moving from the status quo to the desired effectiveness states.
• Do we have examples from other disciplines that can be used as models for how to educate and train on security? Examining other disciplines, such as health education, consumer protection, or emergency preparedness, might be useful for programs that have been successful in raising awareness and teaching essential skills. By learning from them and adapting their frameworks and processes, we might be able to build effective programs more quickly.
The sidebar, "A Sampling of National Education and Training Initiatives," describes several new and ongoing efforts to address these questions. Many of them focus primarily on pushing information to users—training and providing skilled cybersecurity professionals to help organizations protect their essential data, networks, and processes. But we shouldn't ignore the pull: listening to organizations as they tell us what they want and understanding what they really need.
The "Workforce Demand" sidebar summarizes the key findings of a workforce development workshop that brought together government, industry, and university representatives to try to understand the demand. 7
Its suggestions form a useful road map for deciding where cybersecurity educators should head next.
The articles in this special issue describe innovative ways to address some of the challenges in security awareness, training, and education. In "Security Education against Phishing: A Modest Proposal for a Major Rethink," Iacovos Kirlappos and M. Angela Sasse use a phishing example to illustrate the significant gap between the signals employed to indicate a website's legitimacy and those the users actually use to determine whether a website is safe. To close the gap, the authors distinguish awareness, training, and education. They suggest that security experts use awareness techniques to capture users' attention, then provide education and training in the context of the services that users are trying to access. Education can address not only risks but also the mechanisms available to reduce them. Similarly, service providers need both education about how their sites can be spoofed or undermined and training on risk reduction.
In "Holistically Building the Cybersecurity Workforce," Lance J. Hoffman and his colleagues describe how fields such as public healthcare, like security, are inherently complex and cross-disciplinary at multiple levels of expertise and performance. The authors encourage computer science educators, human resources professionals, and functional experts from disciplines that will attract computer science graduates to think beyond their individual fields and collaborate. In particular, they describe steps for "K through gray" learning (that is, from childhood through retirement) to increase security awareness and expertise.
In "Basing Cybersecurity Training on User Perceptions," Susanne Furman and her colleagues discuss the results of interviews with 40 users about their awareness of and concern about online and computer security. For instance, users expressed an understanding of trust marks and cyberrisk but lacked significant skills for protecting their computer systems, identities, and information online. Although the survey's sample is small and unrepresentative, the findings are consistent with other studies in suggesting strategies for effective awareness and education programs.
Finally, Mischel Kwon conducts a roundtable featuring a group of people from government, private-sector, and academic backgrounds to discuss the challenges in educating cyber professionals.
The underlying hypothesis of this special issue is that cybersecurity training and education are required so that users can navigate cyberspace safely and effectively. Our wrenching transformation into citizens of the information age is fraught with challenges as technology and data that assist us in new contexts continue to evolve. Wonderful opportunities abound for improving the cybersecurity knowledge and skills for young and old across all walks of life.
Shari Lawrence Pfleeger is director of research for the Institute for Information Infrastructure Protection. Contact her at firstname.lastname@example.org.
Cynthia Irvine is the chair of the Cyber Academic Group, director of the Center for Information Systems Security Studies and Research (CISR), and a professor of computer science at the Naval Postgraduate School. Contact her at email@example.com.
Mischel Kwon is president of Mischel Kwon and Associates, a cybersecurity consultancy in Fairfax, Virginia. Contact her at firstname.lastname@example.org.