Learning styles
A couple of days ago I said I'd blog about "the preferred learning styles of various awareness audiences"*, so here goes.
First, a bit about my own learning style. As a former research scientist with an academic bent, I'm a self-confessed bookworm. I read (and write!) loads. I spend countless hours every day finding, reading, absorbing and thinking critically about stuff - mostly online although there are several heaving bookshelves in the office. Critical thinking is a vital and integral part of the learning process for me, especially in today's online world where anyone can publish anything. Sifting out truth and fact from fiction and fantasy is a very necessary part of the process (one that pre-dates the 'fake news' stuff by, oooh, centuries) so I tend to approach most Web pieces in a fairly cynical frame of mind. It takes a fair bit of effort and time to cross-check things, especially given that so much gets passed on from sources to press-releases to journalists to bloggers, each layer adding obscurity and spin and (rarely) insight. Authors who fail to cite their sources are a bugbear of mine, so much so that I tend to discount whatever they have written out of hand unless it intrigues me enough to go digging. So, I mostly learn stuff by reading about it.
I also learn by doing, usually after reading or being told or shown stuff but sometimes on my own initiative, conducting original research and experiments. It's something I do all the time in security awareness, a passion that drives me to write this very blog.
That's me but I'm well aware that others learn differently or have different preferences. Some people for example respond positively to repetition, leading to the "tell 'em what you're going to tell 'em, tell 'em, then tell 'em what you told 'em" 3-stage approach recommended by some. That's far too crude and manipulative for my liking so I modify it a little. Our awareness seminar slide decks, for instance, normally start with a slide introducing the topic and outlining the scope. Then comes several slides of content, ending with a summary or concluding slide ... and then references to sources of additional information. Sometimes we tack-on a final slide with something intriguing or 'different' to spark imaginations and leave people thinking. The 3-stage tell-em tell-em tell-em structure is there at the core but more subtle.
Yet another angle to this concerns the nature of the presentational materials. Some of us love the written word, clearly, while others prefer images and still others prefer concepts. Mind maps, diagrams and imagery works for some, but not all. Some people like plain lists of things, often but not necessarily in a vaguely sensible sequence (think bullet points and top-N lists). Some need more detail and explanation, whereas others don't care and can't be bothered with the details or reasoning - they just want to be told or shown what to do, directly, succinctly, step-by-step. Some like to hear, contemplate and discuss stuff, and a few of us more cynical types steadfastly refuse to accept anything unless we are personally persuaded or sufficiently convinced to internalize it.
We all differ in our language, reading and comprehension skills or capabilities. The 'reading age' metrics attempt to simplify the measurement, not very successfully in my opinion. It is a concern, though, especially in such a complex primarily technical area as information risk and security.
It should be obvious by now that a security awareness program faces quite a challenge in catering to such diverse preferences, at least it does if it aims to be all-inclusive (which ours does but yours may not). Our approach is to provide a range of awareness materials with a variety of styles, the idea being that everyone will find at least one item in every module appealing and eye-catching. For those who don't respond to written or presentation materials, the 'awareness activities' paper suggests further activities that those running the awareness program might like to perform. This has the added benefit of prompting them to get out of the office and interact face-to-face with people, rather than just stuffing some content on the intranet and putting their feet up!
That brings up yet another point: awareness and training professionals have personal preferences and styles too. There are approaches that we enjoy and favor more than others, ways we prefer to express or do stuff and things we find more of a struggle. In my experience, IT and information security professionals (including me!) are generally better at interacting with computers than with people: social interaction takes us out of our comfort zones, which implies the need to compensate in order to be more effective overall. The 'awareness quiz' format is a neat example of how we stimulate social activity in the information security context: although we provide 'model answers' just in case they are needed to get things going, the learning/information comes primarily from quiz participants rather than the written awareness content. They think and talk about stuff, often very animatedly and eloquently, partly, it must be said, as a consequence of the booze that is typically consumed during a good quiz night.
And that's where I'll leave it for now. If you're one who learns by reading (and since you are still here, patently you are!), I hope I've given you some stimulating ideas on how to design and perform awareness in a comprehensive, all-inclusive, cost-effective manner, hopefully having bags of fun in the process.
* I also said I'd blog about "topics, themes and messages" but that will have to wait for another day. I've said more than enough already!