Dartmouth College; Naval Postgraduate School; Mischel Kwon and Associates
Pages 19-23
As technology creators, providers, and users, we must answer significant questions to address these problems; for example:
This special issue of IEEE Security & Privacy addresses these questions. In particular, we examine the security and privacy training and education needs and challenges of disparate age groups, business and government sectors, and skill levels as well as the various ways that these education and training needs can be satisfied.
Although the words training and education are sometimes used interchangeably, they're in fact very different. Training refers to learning concrete skills for meeting specific, real-life goals in a clearly understood situation. For instance, training in medieval times was often provided by guilds in which people who had mastered the skills took novices under their wings to show them how to perform some activity. Although some training can be accomplished using textbooks or online courses, most training focuses on exercise and repetition under supervision. Once trainees master the skill set, the training is complete; refresher sessions can remind them of key aspects of the skills or show them how to perform tasks faster or more precisely.
By contrast, education focuses on understanding and knowledge; learners master facts, principles, and concepts. Educated learners can associate principles and concepts, apply them to solve a variety of new problems, and evaluate those solutions' effectiveness. Here, performance speed is irrelevant; instead, improvement efforts focus on cognition, understanding, and conceptual linkage.
In some sense, training is a closed system. It can begin with a task analysis that yields a list of required skills and knowledge; then, trainees can demonstrate competence in each area. However, the concepts and principles to be mastered with education are vast. Educators can't be comprehensive; instead, they present a sample of relevant ideas and facts to illustrate broad concepts and principles. Because education is a more open system, it encourages learners to abstract key ideas and then to build models, some of which can predict future behavior or occurrences. Thus, educators convey knowledge from a variety of perspectives, and learners have discretion in terms of assimilating, organizing, and internalizing what they're taught.
This distinction between training and education is important as we consider how to answer the questions above. How can technology designers and developers best learn to provide effective security technology? How can users best learn to use technology in ways that balance security with functionality?
Understanding how people learn is helpful for effective training and education. Three theories of learning are behaviorism, cognitivism, and constructivism:
All three perspectives can be useful in suggesting ways to design cybersecurity training and education. And because educators have been studying learning for a long time, we needn't start from scratch. Dozens of well-tested theories describe how to move learning into practice, including experiential learning [1], general problem solving [2], information processing theory [3], lateral thinking [4], and modes of learning [5]. Educators haven't yet determined the best ways to teach all concepts, let alone cybersecurity. But any exploration of effective cybersecurity training and awareness can build on these initial explorations. A one-size-fits-all solution is unlikely to be the answer; different techniques will be useful for different kinds of training and awareness.
An essential element of any exploration of security training or awareness techniques is knowing when education and training have been effective. We want to be able to answer questions such as the following:
To do this, we must have measures of success—ways to demonstrate that learning has occurred. Moreover, because we're trying to demonstrate several things, we'll likely need several different measures. For instance, we want to be able to show that concepts are understood, can be applied during decision-making or technology design, and can lead to better outcomes for users or communities.
The outcome measures aren't easy to define. Security is a negative requirement: we want to show that nothing bad is happening. But demonstrating the absence of an event or quality is difficult, to say the least, if not impossible. Therefore, metrics for security are exceedingly difficult to establish; "Why Measuring Security Is Hard" describes this problem in more detail [6]. This problem is particularly relevant for training and educating system users, who are critical links in the security chain; until an unusual event occurs, the effects of training and education might not be evident.
Once we know how to provide cybersecurity education and training, we must decide where they should occur. Who is doing it now? Who could be doing it? What variables (such as organizational culture, educational background, and business needs) suggest the type and extent of the education and training?
Opportunities at work can range from on-the-job training and education to certification in various aspects of security studies (for example, for network operations specialists or certified security professionals). But security education and training can also be embedded in lifetime educational opportunities, from primary education through graduate studies and beyond. Moreover, the systems themselves offer openings to heighten user awareness, such as warnings about risks, alerts for suspicious activity, and descriptions of steps to take if users suspect that their data or systems are compromised.
For too long, we professional security users and practitioners have found it easy to wring our hands and bemoan the lack of good security training and education. It's time to get serious about doing a better job. We can begin by posing three key questions:
The sidebar, "A Sampling of National Education and Training Initiatives," describes several new and ongoing efforts to address these questions. Many of them focus primarily on pushing information to users—training and providing skilled cybersecurity professionals to help organizations protect their essential data, networks, and processes. But we shouldn't ignore the pull: listening to organizations as they tell us what they want and understanding what they really need.
The "Workforce Demand" sidebar summarizes the key findings of a workforce development workshop that brought together government, industry, and university representatives to try to understand the demand [7]. Its suggestions form a useful road map for deciding where cybersecurity educators should head next.
The articles in this special issue describe innovative ways to address some of the challenges in security awareness, training, and education. In "Security Education against Phishing: A Modest Proposal for a Major Rethink," Iacovos Kirlappos and M. Angela Sasse use a phishing example to illustrate the significant gap between the signals employed to indicate a website's legitimacy and those the users actually use to determine whether a website is safe. To close the gap, the authors distinguish awareness, training, and education. They suggest that security experts use awareness techniques to capture users' attention, then provide education and training in the context of the services that users are trying to access. Education can address not only risks but also the mechanisms available to reduce them. Similarly, service providers need both education about how their sites can be spoofed or undermined and training on risk reduction.
In "Holistically Building the Cybersecurity Workforce," Lance J. Hoffman and his colleagues describe how fields such as public healthcare, like security, are inherently complex and cross-disciplinary at multiple levels of expertise and performance. The authors encourage computer science educators, human resources professionals, and functional experts from disciplines that will attract computer science graduates to think beyond their individual fields and collaborate. In particular, they describe steps for "K through gray" learning (that is, from childhood through retirement) to increase security awareness and expertise.
In "Basing Cybersecurity Training on User Perceptions," Susanne Furman and her colleagues discuss the results of interviews with 40 users about their awareness of and concern about online and computer security. For instance, users expressed an understanding of trust marks and cyberrisk but lacked significant skills for protecting their computer systems, identities, and information online. Although the survey's sample is small and unrepresentative, the findings are consistent with other studies in suggesting strategies for effective awareness and education programs.
Finally, Mischel Kwon conducts a roundtable featuring a group of people from government, private-sector, and academic backgrounds to discuss the challenges in educating cyber professionals.
The underlying hypothesis of this special issue is that cybersecurity training and education are required so that users can navigate cyberspace safely and effectively. Our wrenching transformation into citizens of the information age is fraught with challenges as technology and data that assist us in new contexts continue to evolve. Wonderful opportunities abound for improving the cybersecurity knowledge and skills for young and old across all walks of life.
Initiatives to tackle education and training problems have started worldwide.
The National Initiative for Cybersecurity Education (NICE; http://csrc.nist.gov/nice) is a coordinated, multifaceted US government effort to enhance overall security through activities ranging from public training and awareness to workforce capability building. The initiative recognizes the breadth and complexity of cybersecurity and includes both initial and continuing training and education.
Cyber Security Awareness Month (www.dhs.gov/files/programs/gc_1158611596104.shtm) is an effort to help users understand their roles in securing cyberspace and to ensure their personal safety online. It is sponsored by the US Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. Activities differ as each week of the awareness month focuses on particular issues. For example, in 2011, awareness month included programs highlighting general user cybersecurity awareness, cybersecurity education and workforce issues, cybercrime, and better cybersecurity defenses for small businesses.
Supported by the US National Science Foundation (NSF), the Cyber Security Education Consortium (www.cseconline.org) is a regional center of excellence in advanced technological education. It focuses on implementing cybersecurity education in two-year colleges.
The Federal Cyber Service Scholarship for Service program (www.sfs.opm.gov) aims to increase the number of information assurance professionals in government by offering fully funded scholarships to undergraduate and graduate students. Started in 2001, this NSF-supported program has produced hundreds of newly educated employees for the public-sector cyberworkforce.
The Asian School of Cyber Laws (www.asianlaws.org/aboutus) provides education and training on cyberlaw, cyberinvestigation, and cybersecurity. Using country-specific details, the program's legal courses support attorneys, cyberforensic analysts, compliance training and education, and international cyberlaw. It also offers cybercrime prevention through an awareness program aimed at children.
In April 2011, the Institute for Information Infrastructure Protection held a workshop of key decision-makers in US universities, enterprises, and government to discuss perceived and real needs for cybersecurity expertise in their organizations [1]. Rather than focus on ways to educate and train cybersecurity professionals, the attendees focused on the kinds of expertise necessary and on ways to articulate that need. The following are the workshop's key findings.
It's difficult to quantify the number of cybersecurity experts needed in a given organization or across a swath of the economy. But there's a larger issue: "Incompletely-articulated knowledge, skills and abilities categories and data are available with which to codify and quantify the need for cyber security workforce development … [and] we must be able to express the problem and demand in ways that are understood by an organization's managers within the organization's culture" [1]. For example, if an enterprise seeks to increase its market share, cybersecurity requests should be expressed in terms of how they will assist in reaching that goal. In other words, as one participant said, "You have to show that security has an impact on the bottom line" [1].
Even if an organization needs security, it doesn't always demand it or provide sufficient resources. Often, the need becomes apparent only after incidents result in serious losses.
By capturing data to depict current trends, we can extrapolate demand. Doing so requires speaking in terms that managers, lawmakers, and executives understand so we can make an investment case. A key challenge is determining how to raise the alarm without being alarmist.
Among system users, managers, IT support staff, generalist IT security professionals, and specialist IT security professionals, only the last two will have security as the core focus of their training and experience. However, rank-and-file IT staff will experience and address many cybersecurity issues. Similarly, management controls resources and organizational culture, but everyday users are the ones who express a "security culture." This breadth of impact means that security and IT hygiene must be part of the training and job description at every level.
Yes. Effective security education and training involve a blend of outside training and on-the-job experience.
Regulation can focus management attention on compliance. However, training a workforce to meet a compliance requirement isn't the same as training it to meet an evolving real-world security need with demonstrated increases in security posture. Education and training should focus on aligning compliance with the organization's cybersecurity needs.
The demand for trained cybersecurity operators is evolving and expanding as rapidly as technology itself. We should build training capacity concurrently with developing methods to more accurately forecast future needs.
Every new technological development changes and challenges the cybersecurity landscape. Cybersecurity's core mission and its underpinning skills remain largely the same, but its professionals must adapt to technological changes to remain effective. Training and education must be grounded in the basic elements of attack, threat, vulnerability, and control but remain flexible in the way those elements are interpreted, taught, and applied.
Reference
1. Institute for Information Infrastructure Protection, "Workforce Development: Understanding the Demand," Apr. 2011; www.thei3p.org/docs/publications/432.pdf.