• How can we help individuals be good cybercitizens? In particular, how can we give them a clear understanding of both cybersecurity issues and how their personal choices affect cybersecurity?
• How can organizations educate the public about cybersecurity issues in ways that inform better choices?
• Can building an effective cyberworkforce help users understand their responsibilities online and with computer-based technologies?
• What influences online and technology-related behavior, and how do cybersecurity training and awareness affect public perception and behavior?
• Behaviorism focuses on objectively observable aspects of learning. It links actions to outcomes, so learners can clearly demonstrate that they understand and can apply a principle or technique.
• Cognitivism explores theories that explain the brain's role during learning. For example, cognitive psychologists often use techniques such as functional magnetic resonance imaging to identify the parts of the brain that are active during a task. Then, they use this information to suggest instructional methods for activating those brain areas known to cause or enhance task performance.
• Constructivism examines the learning process, to discover how the learner actively constructs or builds new ideas or concepts.
• How often do we have to repeat and review? We know that once-a-year security training isn't working, but we don't yet know how often to provide a refresher or reminder.
• How does a changing threat model affect the way we conduct education and training? We don't know how changes to threats translate into changes to curriculum.
• What is the role of awareness campaigns? Organizations teach their employees about a large variety of job performance aspects; we must find ways to weave cybersecurity awareness into a larger landscape that might include safety and health.
• Where are we already doing a good job (and how do we know)? There are some organizations that recognize security threats quickly, respond effectively, and learn from their experiences. We can identify them and study what distinguishes them from less nimble, less responsive organizations.
• Where do we need more work? Even the best organizations can improve their security postures. We must identify areas in which more education and training are necessary and provide processes for moving from the status quo to the desired effectiveness states.
• Do we have examples from other disciplines that can be used as models for how to educate and train on security? Examining other disciplines, such as health education, consumer protection, or emergency preparedness, might be useful for programs that have been successful in raising awareness and teaching essential skills. By learning from them and adapting their frameworks and processes, we might be able to build effective programs more quickly.