With a background in adult learning, I always thought I’d be a professor. Never did I imagine spearheading the management of an industry-leading software security training platform. With the cybersecurity skills gap growing, I’m fortunate my path brought me to a place where I can help solve this widespread challenge.

“Behavior change” has unfortunately become a buzzword, but let’s not lose sight of the power it holds. Skills development is a psychological science wrapped with cognitive elements. The identical information presented in different ways can vary in terms of impact. If not methodological, it lacks context and/or goes into short-term memory. If delivered properly, the mind learns without realizing it’s absorbing and connecting (aka “being tested”).

Learners only see the end product, e.g., a computer-based training course, and often have little clue that there is a serious method behind its development. This is why adult learning specialists, instructional designers, subject matter experts, developers, and quality assurance all need to work together to make it happen. There are proven methodologies that build skills that last – and I’m a stickler for discipline when it comes to constructing effective training content.

Experts widely agree on one important principle: active learning results in increased retention. The Ebbinghaus forgetting curve reinforces that learners need to be engaged during training to absorb knowledge and transform it into effective habits. Through Mayer’s Cognitive Theory of Multimedia Learning, we also know that learning is an active process of filtering, selecting, organizing, and integrating information. Taking a multimodal approach to learning activates the sensory, working, and long-term memory stores to ensure security skills remain after the training is done. This principle is at the core of our approach.

Absorb » Do » Connect

All of our course activities fall into one of these categories.  The goal is to put the learner into action and elevate learning from passive reading to active seeking, selecting, and experiencing the material.

ABSORB – Build knowledge

This is achieved by reading (text), watching (video), and listening (narration). While obtaining essential information to perform a job function is important, it doesn’t have to be boring! We use humor and real-world scenarios to keep content engaging and relatable. We avoid hypothetical scenarios as it doesn’t create the situational awareness needed to put the learner into someone’s mindset on-the-job. Lastly, we ensure learners understand why something is important and its impact, setting the table to later connect what they’ve learned to their job.

DO – Transform information to skill

It’s important to reach learners in a variety of hands-on ways. Games, quizzes, drag-and-drop exercises, puzzles, code commit, spot the offending code, and find-the-fix are just a few examples. Monolithic task repetition is a rote implementation of concepts reviewed, but it does not contribute to a critical level of thinking. Conversely, too much interactivity can distract learners and compromise the integrity of the objective.

CONNECT – Change skill to habit

The most critical but often overlooked aspect of learning is when learners link acquired information and practiced activities to their work environment. This can entail a set of questions aimed at driving the learner’s reflection on how to solve a problem or how it impacts their job. Branched learning and multiple response pathways are great best practices as they force learners to reflect and provide feedback at key decision points. Linear learning, predefined answers, and one outcome approaches have the opposite effect. We let learners take different paths toward a fail-or-succeed outcome and explain how/why they arrived where they did. This branched learning approach allows learners to fail forward and reinforces concepts the learner has acquired.

Instructional Design – the Unsung Hero

We follow the ADDIE model for instructional design. It is a proven model based on cognitivism, social learning, and behaviorism. The idea is to complete each phase before moving to the next to ensure maximum knowledge retention. It creates a cascading effect as knowledge gets accumulated versus providing point-in-time memorization exercises. The five phases include:

  • Analysis – Identify goals, objectives, and prerequisite knowledge
  • Design – Refine performance objectives and define visual learning objectives to maximize impact
  • Development – Create storyboards that show value and relevance: simulations, games, voiceovers
  • Implementation – Integrate all course artifacts into the release candidate
  • Evaluation – Refine courses through a rigorous quality assurance process

Our team of instructional designers, subject matter experts, and program managers work together to ensure courses meet internal quality requirements, which includes content that:

  • Is accurate, timely, and reflects the latest threats and attacks
  • Contains the optimal combination of expert topics, interactions, and activities
  • Resonates with all types of learners

How does all this drive behavior change?

Software, code, and applications do not operate in isolation. This is why context is key. While our training platform is for all software security stakeholders, let’s use the developer role as an example. For developers to protect code, they need to experience a vulnerability from an attacker’s perspective. A focus solely on code-level security diminishes a developer’s ability to look beyond syntax and understand why a defect is a vulnerability and the role external factors play. This is why a remedial “line of code” hunting approach isn’t the most effective. Developers need to understand the impact of insecure code as the end-user (or attacker) experiences it. This is where the combination of code-level learning and deployed-state simulation is paramount. They need to understand how data gets sent through APIs or a form field, how it’s encrypted, what is displayed on a subsequent page, etc. These are all potential exploitation points, and they all go well beyond what a developer can see in source code.

Our balanced approach blends humor, contextual facts, and real-world simulations to yield the most engagement and reinforcement of technical/complex concepts. It encourages teams to think more critically, consider the bigger picture, and realize the consequences of haphazard development.

Our ultimate goal is to ensure all software security stakeholders can think, act, and respond with a security-first mindset. That is how you build real situational awareness.

Get the Newsletter

Every two weeks we'll send you our latest articles along with usable insights into the state of software security.