"The Trouble if Security Awareness Training Is Mainly a Penalty" is a well-written piece by Dan Lohrmann on the Government Technology website, expanding on several points relating to personal motivation and corporate culture.
"I believe transforming the security culture still remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?"
One of the concepts or approaches Dan discusses is 'just in time training', a buzzword implying that general awareness activities should be dropped in favor of something focused on the specific needs of individuals. I believe that is known as 'training' (!), which certainly has value ... but I still maintain that awareness and training are complementary approaches - neither the same thing (despite widespread use of the misleading term "awareness training") nor alternatives. Both training and awareness are valuable.
Let me explain with a familiar example.
Most of us learn to drive through training - normally intensive, one-on-one guidance by an experienced, competent and qualified driver trainer, someone who coaches and leads us through the process of acquiring the knowledge, skills and capabilities necessary to pass the driving test.
Driver training is expensive in terms of the fees plus the time and focus required. You can't really learn to drive without giving it your full attention. In the early stages, the manual coordination required to get the vehicle moving in roughly the right direction, and to stop when required, is mentally challenging and physically tiring. Later on as our competence increases, we become more relaxed ... unless/until something unfamiliar happens (such as someone turning across our path) when the instructor's dual-controls come to the rescue!
Training has a specific goal - passing the test - plus broader objectives such as safety. Learning the 'rules of the road' is a particular aim, covering relevant laws (such as staying within the speed limits) that are likely to affect the outcome of the driving test.
Most of us learn about road safety through a more general, informal style of learning, closer to awareness. We may be explicitly taught specific skills such as crossing the road safely at marked crossings, but mostly we learn to be safe on the roads in a gradual, life-long experiential process - we experience and figure out how to deal with hazardous situations at first hand. Even if the speed limit is 50, we discover that rain, snow and ice materially affect changes of direction or speed, hence the safe speed may be much less than 50. Hazardous road junctions, kids playing and (other!) unrestrained animals may have been pointed out by our instructor, mentioned in official guidelines, even brought up by TV advertisements ... but facing actual incidents, for real, really brings the warnings home at a more emotional than intellectual level. We literally gasp and shake.
That describes a conventional approach, although of course there are variations - advanced driver training, for instance, and self-training. I doubt anyone would seriously suggest doing away with training or awareness: they complement and support each other.
Finally, if you're not already confused enough, in everyday language 'training' often refers to fitness training, specifically. People get physically fit by exercising. In a broader sense, exercises are an excellent way to learn things by going through the motions, practicing behaviors in a deliberate, conscious way in the hope they will become automatic even when we are in a panic. Fire evacuation, penetration tests, case studies and business continuity tests/rehearsals are all exercises: whether you think of them as training or awareness is moot. Either way, we know they work. They have their place.