
Guest Editors' Introduction

Shari Lawrence Pfleeger, Dartmouth College
Cynthia Irvine, Naval Postgraduate School
Mischel Kwon, Mischel Kwon and Associates

Pages: pp. 19-23

Every day, the news media report one more way that cybersecurity—or a breach of it—affects some aspect of someone's life. From difficult-to-understand online terms of use to changing forms of data collection, users must make difficult choices about protecting their work and themselves online. As commerce, medical records, news media, and government interaction (to name a few) go digital, users must understand their benefits and risks. At home and on the job, the average citizen is repeatedly asked to make decisions where answers require significant understanding of key cybersecurity issues.

As technology creators, providers, and users, we must answer significant questions to address these problems; for example:

  • How can we help individuals be good cybercitizens? In particular, how can we give them a clear understanding of both cybersecurity issues and how their personal choices affect cybersecurity?
  • How can organizations educate the public about cybersecurity issues in ways that inform better choices?
  • Can building an effective cyberworkforce help users understand their responsibilities online and with computer-based technologies?
  • What influences online and technology-related behavior, and how do cybersecurity training and awareness affect public perception and behavior?

This special issue of IEEE Security & Privacy addresses these questions. In particular, we examine the security and privacy training and education needs and challenges of disparate age groups, business and government sectors, and skill levels as well as the various ways that these education and training needs can be satisfied.

The Difference between Training and Education

Although the words training and education are sometimes used interchangeably, they're in fact very different. Training refers to learning concrete skills for meeting specific, real-life goals in a clearly understood situation. For instance, training in medieval times was often provided by guilds in which people who had mastered the skills took novices under their wings to show them how to perform some activity. Although some training can be accomplished using textbooks or online courses, most training focuses on exercise and repetition under supervision. Once trainees master the skill set, the training is complete; refresher sessions can remind them of key aspects of the skills or show them how to perform tasks faster or more precisely.

By contrast, education focuses on understanding and knowledge; learners master facts, principles, and concepts. Educated learners can associate principles and concepts, apply them to solve a variety of new problems, and evaluate those solutions' effectiveness. Here, performance speed is irrelevant; instead, improvement efforts focus on cognition, understanding, and conceptual linkage.

In some sense, training is a closed system. It can begin with a task analysis that yields a list of required skills and knowledge; then, trainees can demonstrate competence in each area. However, the concepts and principles to be mastered with education are vast. Educators can't be comprehensive; instead, they present a sample of relevant ideas and facts to illustrate broad concepts and principles. Because education is a more open system, it encourages learners to abstract key ideas and then to build models, some of which can predict future behavior or occurrences. Thus, educators convey knowledge from a variety of perspectives, and learners have discretion in terms of assimilating, organizing, and internalizing what they're taught.

This distinction between training and education is important as we consider how to answer the questions above. How can technology designers and developers best learn to provide effective security technology? How can users best learn to use technology in ways that balance security with functionality?

Understanding How We Learn

Understanding how people learn is helpful for effective training and education. Three theories of learning are behaviorism, cognitivism, and constructivism:

  • Behaviorism focuses on objectively observable aspects of learning. It links actions to outcomes, so learners can clearly demonstrate that they understand and can apply a principle or technique.
  • Cognitivism explores theories that explain the brain's role during learning. For example, cognitive psychologists often use techniques such as functional magnetic resonance imaging to identify the parts of the brain that are active during a task. Then, they use this information to suggest instructional methods for activating those brain areas known to cause or enhance task performance.
  • Constructivism examines the learning process, to discover how the learner actively constructs or builds new ideas or concepts.

All three perspectives can be useful in suggesting ways to design cybersecurity training and education. And because educators have been studying learning for a long time, we needn't start from scratch. Dozens of well-tested theories describe how to move learning into practice, including experiential learning [1], general problem solving [2], information processing theory [3], lateral thinking [4], and modes of learning [5]. Educators haven't yet determined the best ways to teach all concepts, let alone cybersecurity. But any exploration of effective cybersecurity training and awareness can build on these initial explorations. A one-size-fits-all solution is unlikely to be the answer; different techniques will be useful for different kinds of training and awareness.

Measures of Success

An essential element of any exploration of security training or awareness techniques is knowing when education and training have been effective. We want to be able to answer questions such as the following:

  • How often do we have to repeat and review? We know that once-a-year security training isn't working, but we don't yet know how often to provide a refresher or reminder.
  • How does a changing threat model affect the way we conduct education and training? We don't know how changes to threats translate into changes to curriculum.
  • What is the role of awareness campaigns? Organizations teach their employees about a large variety of job performance aspects; we must find ways to weave cybersecurity awareness into a larger landscape that might include safety and health.

To do this, we must have measures of success—ways to demonstrate that learning has occurred. Moreover, because we're trying to demonstrate several things, we'll likely need several different measures. For instance, we want to be able to show that concepts are understood, can be applied during decision-making or technology design, and can lead to better outcomes for users or communities.

The outcome measures aren't easy to define. Security is a negative requirement: we want to show that nothing bad is happening. But demonstrating the absence of an event or quality is difficult, to say the least, if not impossible. Therefore, metrics for security are exceedingly difficult to establish; "Why Measuring Security Is Hard" describes this problem in more detail [6]. This problem is particularly relevant for training and educating system users, who are critical links in the security chain—until an unusual event occurs, the effects of training and education might not be evident.

Where Should Education and Training Occur?

Once we know how to provide cybersecurity education and training, we must decide where they should occur. Who is doing it now? Who could be doing it? What variables (such as organizational culture, educational background, and business needs) suggest the type and extent of the education and training?

Opportunities at work can range from on-the-job training and education to certification in various aspects of security studies (for example, for network operations specialists or certified security professionals). But security education and training can also be embedded in lifetime educational opportunities, from primary education through graduate studies and beyond. Moreover, the systems themselves offer openings to heighten user awareness, such as warnings about risks, alerts for suspicious activity, and descriptions of steps to take if users suspect that their data or systems are compromised.

Open Issues and Next Steps

For too long, we professional security users and practitioners have found it easy to wring our hands and bemoan the lack of good security training and education. It's time to get serious about doing a better job. We can begin by posing three key questions:

  • Where are we already doing a good job (and how do we know)? There are some organizations that recognize security threats quickly, respond effectively, and learn from their experiences. We can identify them and study what distinguishes them from less nimble, less responsive organizations.
  • Where do we need more work? Even the best organizations can improve their security postures. We must identify areas in which more education and training are necessary and provide processes for moving from the status quo to the desired effectiveness states.
  • Do we have examples from other disciplines that can be used as models for how to educate and train on security? Examining other disciplines, such as health education, consumer protection, or emergency preparedness, might be useful for programs that have been successful in raising awareness and teaching essential skills. By learning from them and adapting their frameworks and processes, we might be able to build effective programs more quickly.

The sidebar, "A Sampling of National Education and Training Initiatives," describes several new and ongoing efforts to address these questions. Many of them focus primarily on pushing information to users—training and providing skilled cybersecurity professionals to help organizations protect their essential data, networks, and processes. But we shouldn't ignore the pull: listening to organizations as they tell us what they want and understanding what they really need.

The "Workforce Demand" sidebar summarizes the key findings of a workforce development workshop that brought together government, industry, and university representatives to try to understand the demand [7]. Its suggestions form a useful road map for deciding where cybersecurity educators should head next.

In This Issue

The articles in this special issue describe innovative ways to address some of the challenges in security awareness, training, and education. In "Security Education against Phishing: A Modest Proposal for a Major Rethink," Iacovos Kirlappos and M. Angela Sasse use a phishing example to illustrate the significant gap between the signals employed to indicate a website's legitimacy and those the users actually use to determine whether a website is safe. To close the gap, the authors distinguish awareness, training, and education. They suggest that security experts use awareness techniques to capture users' attention, then provide education and training in the context of the services that users are trying to access. Education can address not only risks but also the mechanisms available to reduce them. Similarly, service providers need both education about how their sites can be spoofed or undermined and training on risk reduction.

In "Holistically Building the Cybersecurity Workforce," Lance J. Hoffman and his colleagues describe how fields such as public healthcare, like security, are inherently complex and cross-disciplinary at multiple levels of expertise and performance. The authors encourage computer science educators, human resources professionals, and functional experts from disciplines that will attract computer science graduates to think beyond their individual fields and collaborate. In particular, they describe steps for "K through gray" learning (that is, from childhood through retirement) to increase security awareness and expertise.

In "Basing Cybersecurity Training on User Perceptions," Susanne Furman and her colleagues discuss the results of interviews with 40 users about their awareness of and concern about online and computer security. For instance, users expressed an understanding of trust marks and cyberrisk but lacked significant skills for protecting their computer systems, identities, and information online. Although the survey's sample is small and unrepresentative, the findings are consistent with other studies in suggesting strategies for effective awareness and education programs.

Finally, Mischel Kwon conducts a roundtable featuring a group of people from government, private-sector, and academic backgrounds to discuss the challenges in educating cyber professionals.

The underlying hypothesis of this special issue is that cybersecurity training and education are required so that users can navigate cyberspace safely and effectively. Our wrenching transformation into citizens of the information age is fraught with challenges as technology and data that assist us in new contexts continue to evolve. Wonderful opportunities abound for improving the cybersecurity knowledge and skills for young and old across all walks of life.

A Sampling of National Education and Training Initiatives

Initiatives to tackle education and training problems have started worldwide.

The National Initiative for Cybersecurity Education (NICE) is a coordinated, multifaceted US government effort to enhance overall security through activities ranging from public training and awareness to workforce capability building. The initiative recognizes the breadth and complexity of cybersecurity and includes both initial and continuing training and education.

Cyber Security Awareness Month is an effort to help users understand their roles in securing cyberspace and to ensure their personal safety online. It is sponsored by the US Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. Activities differ as each week of the awareness month focuses on particular issues. For example, in 2011, awareness month included programs highlighting general user cybersecurity awareness, cybersecurity education and workforce issues, cybercrime, and better cybersecurity defenses for small businesses.

Supported by the US National Science Foundation (NSF), the Cyber Security Education Consortium is a regional center of excellence in advanced technological education. It focuses on implementing cybersecurity education in two-year colleges.

The Federal Cyber Service Scholarship for Service program aims to increase the number of information assurance professionals in government by offering fully funded scholarships to undergraduate and graduate students. Started in 2001, this NSF-supported program has produced hundreds of newly educated employees for the public-sector cyberworkforce.

The Asian School of Cyber Laws provides education and training on cyberlaw, cyberinvestigation, and cybersecurity. Using country-specific details, the program's legal courses support attorneys, cyberforensic analysts, compliance training and education, and international cyberlaw. It also offers cybercrime prevention through an awareness program aimed at children.

Workforce Demand

In April 2011, the Institute for Information Infrastructure Protection held a workshop of key decision-makers in US universities, enterprises, and government to discuss perceived and real needs for cybersecurity expertise in their organizations [1]. Rather than focus on ways to educate and train cybersecurity professionals, the attendees focused on the kinds of expertise necessary and on ways to articulate that need. The following are the workshop's key findings.

Close the "Articulation Gap"

It's difficult to quantify the number of cybersecurity experts needed in a given organization or across a swath of the economy. But there's a larger issue: "Incompletely-articulated knowledge, skills and abilities categories and data are available with which to codify and quantify the need for cyber security workforce development … [and] we must be able to express the problem and demand in ways that are understood by an organization's managers within the organization's culture." [1] For example, if an enterprise seeks to increase its market share, cybersecurity requests should be expressed in terms of how they will assist in reaching that goal. In other words, as one participant said, "You have to show that security has an impact on the bottom line." [1]

Learn How to Communicate the Demand

Even if an organization needs security, it doesn't always demand it or provide sufficient resources. Often, the need becomes apparent only after incidents result in serious losses.

Generate Better Data and Analysis

By capturing data to depict current trends, we can extrapolate demand. Doing so requires speaking in terms that managers, lawmakers, and executives understand so we can make an investment case. A key challenge is determining how to raise the alarm without being alarmist.

Define the Range of Security Responsibilities

Among system users, managers, IT support staff, generalist IT security professionals, and specialist IT security professionals, only the latter two will have security as the core focus of their training and experience. However, rank-and-file IT staff will experience and address many cybersecurity issues. Similarly, management controls resources and organizational culture, but everyday users are the ones who express a "security culture." This breadth of impact means that security and IT hygiene must be part of the training and job description at every level.

Hire or Train?

Yes. Effective security education and training involve a blend of outside training and on-the-job experience.

Recognize Compliance as a Double-Edged Sword

Regulation can focus management attention on compliance. However, training a workforce to meet a compliance requirement isn't the same as training it to meet an evolving real-world security need with demonstrated increases in security posture. Education and training should focus on aligning compliance with the organization's cybersecurity needs.

Measure as We Go

The demand for trained cybersecurity operators is evolving and expanding as rapidly as technology itself. We should build training capacity concurrently with developing methods to more accurately forecast future needs.

Prepare for the Unknown

Every new technological development changes and challenges the cybersecurity landscape. Cybersecurity's core mission and its underpinning skills remain largely the same, but its professionals must adapt to technological changes to remain effective. Training and education must be grounded in the basic elements of attack, threat, vulnerability, and control but remain flexible in the way those elements are interpreted, taught, and applied.

Reference

1. Institute for Information Infrastructure Protection, "Workforce Development: Understanding the Demand," Apr. 2011.


About the Authors

Shari Lawrence Pfleeger is director of research for the Institute for Information Infrastructure Protection. Contact her at
Cynthia Irvine is the chair of the Cyber Academic Group, director of the Center for Information Systems Security Studies and Research (CISR), and a professor of computer science at the Naval Postgraduate School. Contact her at
Mischel Kwon is president of Mischel Kwon and Associates, a cybersecurity consultancy in Fairfax, Virginia. Contact her at