ABSTRACT

Imagine you are responsible for training in your non-technical organization of 1,000 people that sells office supplies through a web interface. Your company has security procedures for the entire staff: IT professionals maintain your computer infrastructure, and a specialized cybersecurity staff of eight individuals keeps the website and underlying databases secure. The leader of the cybersecurity team asks to collaborate with you on developing cybersecurity training for your organization.

This chapter presents training approaches built on principles that are not commonly applied in training programs but that should be applied when constructing training for cybersecurity. It should help you understand that training is more than (1) providing information that the organization expects staff to apply; (2) assuming that new cybersecurity staff who recently received degrees or certificates in cybersecurity will know what is required; or (3) requiring cybersecurity personnel to read about new threats. Training is complex. As with studies of nutrition and exercise, single studies of training often yield inconsistent results [1]. Still, numerous studies of training and of how people learn have yielded principles that are supported by scientific research and best practice.

This chapter will address:

Domain-specific factors that arise in cybersecurity training.

General principles of training and the environments in which trainees learn well.

Practical considerations when applying general principles of training to cybersecurity needs.

Decisions that must be made when applying practical considerations, training principles, and cybersecurity factors to a specific course.

How to use big data to support cybersecurity training.