Leveraging Education Methodologies For Cyber Awareness

Transitioning to cybersecurity awareness as a personal mission after teaching first-year college writing for 11 years, I learned one important lesson. We need to meet leadership and workforce members where they are, not where we think they should be.

But, the question is: “What does that look like?”

Those of us who assume

For 8 of my 11 years, I made a strategic mistake in teaching. I assumed that students came to me with certain skills and information. I assumed, based on my experience, that they understood the parts of a thesis statement.

The problem? They didn’t.

The day I realized this was the day that my entire approach changed.

In cybersecurity, this realization translates to starting at the very beginning. Yes, we train workforce members on phishing and password safety. However, they don’t always understand how that connects.

Start with the basics

Before talking to team members, we need to focus on the basics. When people don’t understand why things matter, they’re less likely to engage in the behaviors.

Passwords are a lot like grammar. People know the rules but think they’re kind of stupid. I never approached grammar didactically; I always approached it practically. My hill to die on was always commas (and you will pry my Oxford Comma out of my cold, dead hands). However, giving the long list of rules never worked. It was more effective when I explained, “You need a comma here because otherwise your main idea gets lost.”

In cyber, we need to do the same thing. We need to explain that “password123” is something hackers seek out. We can’t just say, “here are the password rules.” We need to say, “malicious actors use programs that let them find these passwords and get into them.” Most everyday people assume that malicious actors type type type type type in code like they see on television.

Thus, to create stronger internal cyber awareness, the information security community needs to be more up front.

Scaffolding works

In education, scaffolding is the process of building lessons purposefully so that skills directly correlate to one another.

It took me 10 years to realize that 90% of my writing students couldn’t identify the subject of a complex sentence. They didn’t understand that an introductory phrase (which needs a comma after it) was being used as the grammatical subject of their sentence. Once I was able to identify that skill deficiency, I was able to backtrack my lessons to better close that gap. We discussed the basic grammatical principle of a subject, then we focused on how putting their introductory phrase as their subject was confusing them as writers as well as their readers. Once we worked through that gap, they were able to better articulate their thoughts and create a stronger foundation for their papers.

In cyber, this translates to explaining the interconnectedness of the structure of IT and cyber, which is vague to workforce members. If they don’t understand how a malicious actor uses programs to automate attacks, they won’t understand why using a public WiFi puts them at risk when they have a weak password.

Use analogies they understand

Even more difficult, because I’m 40 and my students were 18, was making the information approachable. They needed to understand the terminology of rhetoric in approachable ways.

For 8 years, I taught writing to engineering students. For 8 years, I had kids come in who were dead set that they were just born bad writers. For 8 years, I struggled getting them to overcome that ingrained mentality.

Until I started explaining essay writing in terms of math. When I sat them down and explained essay logic as being the exact same skill set as the transitive properties of math, they started listening.

In information security, we struggle with the same problem. We have people who believe that they will never understand cyber and so give up. When we explain things to them in terms they understand, they’re more willing to learn the processes necessary for data protection. For example, we use “Man-in-the-Middle” as the language for a malicious attack. People may sort of get it, but they don’t really. If you explain it in terms of the old game “keep away,” it becomes more manageable. For example, “when you’re using a public WiFi, your information goes back and forth, like the ball in keep away. Malicious actors are the person in the middle trying to win the game by ‘catching the ball’ or in this case, your information.” However, you need to start with the basic principles of how a device has an IP address, how it connects and pings the internet, and how WiFi works.

Thus, to really teach cyber, you need to start with the basics, scaffold those lessons, and then give analogies as the information gets more difficult and complex.

Cyber Professionals ARE Educators

We know what we’re talking about. We’re the experts. While we may not all want to be teachers, we’re the only ones who can better enable our workforce members and leadership to be more cyber aware, which ultimately makes our jobs easier.