Designing Security Training

** Summary **
This module introduces practical considerations for designing a security training. This module essentially summarizes the amazing work of the Electronic Frontier Foundation’s Security Education Companion team (see https://sec.eff.org). While this module provides an outline of key topics to cover in class, review the Security Education Companion (https://sec.eff.org/articles) for greater discussion of each of these topics before tailoring the module for your clinic’s needs.
** Learning Objectives **
Understand considerations for the “nuts and bolts” of training logistics and training team creation.
Understand how to learn about your audience via pre-event data collection and persona development
Understand lesson creation using learning objectives, stress cases, and lesson plans.
** Pre-Readings **
See Course Readings for "Designing Security Training"
** Resources **
​EFF's Security Education Companion​
** Discussion **
Even many new security practitioners have been subject to cybersecurity training. As a class, have students volunteer stories of their best and worst experiences as either a trainer or trainee, whether in a workshop, lecture, 2 hour seminar, or online session. What changes could have improved a bad experience or ruined a good experience?
** Input **
Training logistics
Consider Who, When, and Where
Get a feel for the space that you’re setting up in.
Understand the temperature, lighting, and what technology is available.
Do not assume that the technology you’re bringing and that your trainees are bringing are compatible.
Think about accessibility at the forefront of your event. If you didn’t think about accessibility, it shows in your event. If someone mentions they’re Hard of Hearing or Deaf and asks for an interpreter, and you don’t have resources to make that happen, then push the training to a later time so that you can make it possible.
People need to feel safe and to be safe to ask questions.
Trial and error. Be prepared to make mistakes and to handle those situations.
Creating a training team & establishing trainer roles
Build a “Superhero” team: play to your strengths. You can have someone who is good at facilitation, witnessing what’s going on in the group, and it helps balance things. You can help each other out.
Work together: When people are missing something, the other facilitator will be available to identify the gaps. People who have different operating systems on their devices may require more helpers for specific issues.
Learn from each other: Leverage different backgrounds and styles. Also, junior trainers can learn and improve from helping more experienced trainers.
Understanding your audience
Pre-event data collection: Perform training intake survey and get a feel for needs, as well as identifying when you might not be the right person (e.g. if it’s government hacking as a threat, that’s out of scope for most trainers, bring them to specialists!) Also, interviews can more deeply inform your understanding of people’s learning needs and mindsets you’ll be working with, especially understanding which misconceptions people might hold.
How will you gather this information?
Technical expertise
Device use
Threat Models
Accommodation requests
With cultural sensitivities? Privacy? Security?
Persona development: Trainers can use combinations of personas that incorporated threat models and other various factors as a way to include real-world considerations for trainers and their audiences.
The EFF used personas when creating the Security Education Companion as a basis for content-creation sprints, and thinking collaboratively through what kind of advice and content would be useful.
Personas can deliberately include misconceptions, disabilities, mindsets, threats, and stress factors that may make it difficult for someone to fully participate in a workshop.
Personas are not perfect and care must be exercised not to promote or incorporate stereotypes regarding disability inclusion, stress considerations, device limitations, misconceptions, and motivations.
Develop learning objectives using inclusive education framing.
Learning objectives are important. They’re not the most exciting part about teaching, but it’s valuable to learn how to determine the base level of teaching a concept and then layering on top of it. “Stress cases” for those objectives include:
Threat model considerations
Disability considerations that may affect how someone processes information or engages with people in a group
Financial constraints
Varying degrees of literacy
Levels of familiarity with devices
Create lesson plans.
Don’t reinvent the wheel
Be creative and inclusive with activities and delivery methods
Keep track of materials and other requirements (should learners bring their devices? Do learners need to know their account passwords in advance?)
** Deepening **
If you already have trainee personas:
Break the class into pairs of students, each with a persona and have them discuss the question: “how would you teach this person?” Share back to the group.
If you do not already have trainee personas:
Break the class into assigned teams where each team will develop a persona based on their experiences with their partner, other training experiences, and class discussions. Include misconceptions, disabilities, mindsets, threats, and stress factors that may make it difficult for someone to fully participate in a workshop. Share back to the group.
** Synthesis **
Recap training logistics, creating a training team and defining roles, understanding one’s audience, and actually planning the lessons. Ground this summary in an example or two from recent or upcoming training events.
** Assignments **
As a class, use the material in this module to support the creation and implementation of security workshops for the public (or, as teams, for their respective partners.)
Social Engineering and Phishing
Psychosocial Resilience
Last modified 10mo ago