Information Security training for fun and profit

I was recently asked to conduct security training for a group of journalists with little or no IT background who were concerned about the integrity and availability of their data as well as security in communicating with their sources and each other. Since it was quite an interesting experience I decided to write this blog post to sum up what I learned by conducting this training.

InfoSec (Information Security) is a difficult subject to lecture on, especially when it’s an 18 hour course. It is unrealistic to expect that the students have a comprehensive understanding of infosec in this time, but in the very least they should develop a healthy dose of distrust and good instincts for thinking about risks.

My first reaction was trying to figure out how I’m going to create enough slides to cover it but then I came across the training program from SaferJourno and subsequently Level-up which gave a completely different approach to InfoSec training.

The key to a good education is not only to make sure that the content is relevant, but also interesting and engaging at all times. SaferJourno and Level-up do a very good job at providing materials for trainers to create an InfoSec curriculum that is both relevant and engaging. This is done through the steps called ADIDS which stands for “Activity”, “Discussion”, “Input”, “Deepening” and “Synthesis” which starts the students off in an activity, such as a role playing game followed by a discussion of the concepts that were learned, followed by input which provides further real world information such as from a case study followed by deepening which is a practical, hands-on approach and finally synthesis which is a session of reflection on the material.

Role playing was something I found to be quite powerful as it is very difficult to explain public key cryptography to non-technical people, but when framed as a Romeo and Juliet: an Encrypted Love Story, suddenly the subject matter is not as intimidating and participants can grasp the topic in a fun and relatable way.

The result of the ADIDS method is that the students were really engaged in the subject matter and they developed a healthy intuition why operational security is important, why metadata is important, what an attack surface is, what does it actually mean for communications to happen in the clear and how much data do your devices actually leak. This then automatically create a need for mitigation techniques which are taught in the next segment. I find that this intuition that was developed is extremely powerful and with any luck, long lasting. One memorable moment was halfway through the course I happened to be looking over the shoulder of a participant as he was entering his password. He stopped, looked at me and said “I’m on to you”.

One reason why he did this is is because the first module of the program deals with operational security, by getting participants to think about non-IT solutions to information security problems. Some of the participants mentioned that their colleagues once had their laptop stolen from their hotel rooms, so they were asked to think about ways of preventing their laptops from getting stolen and then to think about how to contain the damage from a stolen laptop. Just before the last module, during the break, I had taken some of the laptops from the participant’s desks and hid them. When they returned, I interviewed them to allow them to express how much damage was done. The result was that they had all logged out of their online services, had their screen locked and had made backups of their critical data.

Another interesting demonstration that was performed was using WireShark, a tool used for capturing and analysing network traffic to capture WiFi packets out of the air and displaying it on the screen. I put the data up on the projector and asked the participants, “Who’s been browsing Website X” this started a discussion on how much data is made available over the air with unsecured WiFi and possible techniques used to preserve privacy and confidentiality.

Overall, the benefits in the short term I think have been quite positive. There should probably be a follow up study done to see how much long term impact the training made and if a refresher course is needed, but I’ve seen more awareness for Information Security out of this short course than I’ve ever seen happen anywhere else and am quite convinced that this is an effective approach for adult education.

CC Licensed slides from the training in Thai can be found here.


Copyright © 2014. All Rights Reserved.

Leave a Reply

Your email address will not be published. Required fields are marked *