Citizen Clinic

Designing Security Training


Last updated 3 years ago

**Summary**

This module introduces practical considerations for designing a security training. It essentially summarizes the amazing work of the Electronic Frontier Foundation’s Security Education Companion team (see https://sec.eff.org). While this module provides an outline of key topics to cover in class, review the Security Education Companion (https://sec.eff.org/articles) for greater discussion of each of these topics before tailoring the module for your clinic’s needs.

**Learning Objectives**

  • Understand considerations for the “nuts and bolts” of training logistics and training team creation.

  • Understand how to learn about your audience via pre-event data collection and persona development.

  • Understand lesson creation using learning objectives, stress cases, and lesson plans.

**Pre-Readings**

  • See Course Readings for "Designing Security Training"

**Resources**

**Discussion**

Even many new security practitioners have been subject to cybersecurity training. As a class, have students volunteer stories of their best and worst experiences as either a trainer or trainee, whether in a workshop, lecture, 2-hour seminar, or online session. What changes could have improved a bad experience or ruined a good experience?

**Input**

Training logistics

  • Consider Who, When, and Where

  • Get a feel for the space that you’re setting up in.

  • Understand the temperature, lighting, and what technology is available.

  • Do not assume that the technology you’re bringing and that your trainees are bringing are compatible.

  • Think about accessibility at the forefront of your event. If you didn’t think about accessibility, it shows in your event. If someone mentions they’re Hard of Hearing or Deaf and asks for an interpreter, and you don’t have resources to make that happen, then push the training to a later time so that you can make it possible.

  • People need to feel safe and to be safe to ask questions.

  • Trial and error. Be prepared to make mistakes and to handle those situations.

Creating a training team & establishing trainer roles

  • Build a “Superhero” team: play to your strengths. You can have someone who is good at facilitation and at witnessing what’s going on in the group, which helps balance things. You can help each other out.

  • Work together: When people are missing something, the other facilitator will be available to identify the gaps. People who have different operating systems on their devices may require more helpers for specific issues.

  • Learn from each other: Leverage different backgrounds and styles. Also, junior trainers can learn and improve from helping more experienced trainers.

Understanding your audience

  • Pre-event data collection: Perform a training intake survey to get a feel for needs and to identify when you might not be the right person (e.g., if government hacking is a threat, that’s out of scope for most trainers; refer them to specialists!). Interviews can also more deeply inform your understanding of the learning needs and mindsets you’ll be working with, especially which misconceptions people might hold.

  • How will you gather this information?

    • Technical expertise

    • Device use

    • Threat Models

    • Accommodation requests

    • With cultural sensitivities? Privacy? Security?

  • Persona development: Trainers can use combinations of personas that incorporate threat models and various other factors as a way to include real-world considerations for trainers and their audiences.

  • The EFF used personas when creating the Security Education Companion as a basis for content-creation sprints, and thinking collaboratively through what kind of advice and content would be useful.

  • Personas can deliberately include misconceptions, disabilities, mindsets, threats, and stress factors that may make it difficult for someone to fully participate in a workshop.

  • Personas are not perfect and care must be exercised not to promote or incorporate stereotypes regarding disability inclusion, stress considerations, device limitations, misconceptions, and motivations.

Develop learning objectives using inclusive education framing.

Learning objectives are important. They’re not the most exciting part about teaching, but it’s valuable to learn how to determine the base level of teaching a concept and then layering on top of it. “Stress cases” for those objectives include:

  • Threat model considerations

  • Disability considerations that may affect how someone processes information or engages with people in a group

  • Financial constraints

  • Varying degrees of literacy

  • Levels of familiarity with devices

Create lesson plans.

  • Don’t reinvent the wheel

  • Be creative and inclusive with activities and delivery methods

  • Keep track of materials and other requirements (should learners bring their devices? Do learners need to know their account passwords in advance?)

**Deepening**

If you already have trainee personas:

Break the class into pairs of students, each with a persona, and have them discuss the question: “How would you teach this person?” Share back to the group.

If you do not already have trainee personas:

Break the class into assigned teams where each team will develop a persona based on their experiences with their partner, other training experiences, and class discussions. Include misconceptions, disabilities, mindsets, threats, and stress factors that may make it difficult for someone to fully participate in a workshop. Share back to the group.

**Synthesis**

Recap training logistics, creating a training team and defining roles, understanding one’s audience, and actually planning the lessons. Ground this summary in an example or two from recent or upcoming training events.

**Assignments**

As a class, use the material in this module to support the creation and implementation of security workshops for the public (or, as teams, for their respective partners).

https://sec.eff.org
https://sec.eff.org/articles
EFF's Security Education Companion