Using the Growth Mindset for Teaching Cybersecurity

I started working in cybersecurity‍ in November 2016. When I started, everything felt incredibly overwhelming because I looked around at the professionals in the industry, and the language they used seemed totally incomprehensible. But, I’m pretty plucky so I started reading, researching, learning, understanding. Slowly, and goodness knows I’m never planning on learning how to code or hack. Nope, never. I word. Wording is my thing. Education is my thing. One of the most difficult things to overcome was the feeling that because I couldn’t code, there was no role for me in this industry. The “End-Users are The Worst” message all over infosec‍ Twitter.

When information security‍ professionals continue to say this publicly, we shut down the communication between ourselves and those with whom we need to partner. What can we do to change that approach? I suggest that we start looking to incorporating the growth mindset as part of our training programs and communications.

What are “mindsets”?

Carol Dweck defined two mindsets way back in 1988. She defined two basic mindsets as models for the way people learn and react to educational objectives. She suggested that education move from the Fixed Mindset to the Growth Mindset. Now, while I 100% feel that there are huge limitations to the Growth Mindset approach, it also offers a lot of insight for implementing cybersecurity awareness‍.

What is the Fixed Mindset?

The Fixed Mindset is a lot of what may people in the 1980’s and 1990’s grew up with. “I am smart, thusly I must not fail.” These people generally avoid challenging work so that they don’t look dumb and maintain a public persona to the world around them. Think of all the kids you might have known in Gifted and Talented classes back in the day (maybe you were one?) and how they felt the need to always be “the Best and Brightest.”

Think about leadership, and even your workforce, in your organization. The Fixed Mindset of having to be perfect to protect your job and reputation leads to a lot of failure. People want to excel, and what we think of as “lazy” may actually be related to an ingrained fear of failure. (I mean, not going to lie, some people really are lazy but not the majority of people.)

What is the Growth Mindset?

The Growth Mindset, on the other hand, focuses on wanting to learn which allows people to embrace challenges even when they fail a bit. They’re willing to learn from constructive criticims which allows them to achieve better outcomes. Here’s a handy dandy chart that shows the impact of a Growth Mindset from the “Mindset Works” website.

Using Growth Mindset for Cyber

The problem in our workforce overall is that the Growth Mindset is viewed as failure. If you don’t do something right the first time someone tells you to do it, then you’re failing at your job. Moreover in cyber‍ , we often focus on how users have a “fixed mindset.” The “End-Users are The Worst” mentality functionally leaves us with a “they’re just too stupid to learn this stuff. OMG.”

We keep focusing on the ways in which organizations ignore the importance of cybersecurity‍ by saying that management doesn’t understand. We keep focusing on the fact that management doesn’t “get” the importance of infosec‍ which is leading to breaches.

But, what if we focused less on how they “don’t get it” and talk to them about it in terms that are constructive rather than didactic? What if, instead of focusing on “you did this wrong OMG” we focused on “let’s learn from this and be better”?

What does this look like?

In elementary schools nationwide, teachers are adopting the Growth Mindset approach to enable better learning outcomes. With cybersecurity education‍, we can do something similar.

Most cyber trainings are multiple choice questions because that’s the easiest to run through an algorithm, especially for large organizations. I get that and understand the practical reasons underpinning that. However, it doesn’t mean we can’t reinforce Growth Mindset using multiple choice.

For example, typical questions look like this:

What is phishing?

A. A type of social engineering attack

B. A type of personal email sent

C. A type of workflow

These questions give you insight into the types of information that your workforce and leadership have memorized. But, they don’t connect to learning the impact of these things.

If we look at the Growth Mindset lesson plans, we can see a better way to ask meaningful questions. Looking at how teachers educate students on the Growth Mindset, we can apply the questions in that lesson to cybersecurity.

For example, a better multiple choice question might be:

If you see an email that has a link at the bottom, and then click on that link:

A. You might accidentally download malware injected into the website’s URL.

B. You might be giving away money.

C. You might be purchasing something without realizing it.

The difference between these two questions seems minimal. Both sets of answers are obvious if the employee took the training. However, the second one grows neural connections by focusing on cause and effect. Meanwhile, the first one didactically requires a definition answer. This difference in positioning the question enables stronger understanding of the impact of a phishing email.

Of course, if people don’t recognize that phishing is a social engineering attack in the first place, then the second question hasn’t really done any good. This is where using things like traditional teaching methodologies of scaffolding can help. You start with whether they understand what it is. Then you build on that. And yes, you can do it in a multiple choice environment.

What to do afterwards?

Well, it’s easy for us to focus on the negatives because those are the problems we face. It’s easy for us to say, “Look, y’all pretty much are Teh Suck at understanding phishing.” However, we can also look at what they DO know and start from there.

Most employees will get the question about what phishing is correct. However, many may miss the second one. This gives you insight into where the knowledge gap exists. It also lets you tell employees, “you guys are doing really great at understanding the “what” but not they “why.””

It’s important to understand the type of feedback you provide to the organization. If you praise them for “knowing” information, then that enables a Fixed Mindset. If you focus on the work they’ve put into security‍ and the effort they’ve put in, then you’re enabling a Growth Mindset. The Growth Mindset then allows them to increase their ability to secure the environment and help you protect information.