Innovative Methods of Information Security Training
Section 1. Introduction
More and more organizations providing information security training apply integrative training, i.e., designing training programs that combine traditional classroom training with e-learning approaches. E-learning is a broad concept that encompasses a range of teaching techniques, such as infographics and informative videos. E-learning became a successful training tool because it offers numerous benefits, including consistency of the presented information, ability to reach a large and diverse audience, and cost-effective use. Research demonstrates that to provide the maximum possible educational benefits, e-learning needs to be creative, original, and, most importantly, engaging.
In this article, we focus on two types of emerging innovative technologies that can make the learning process more creative, original, and engaging, namely, e-learning techniques using augmented and virtual reality (Section 2) and crowdsourcing (Section 3). At the end of the article, we provide concluding remarks (Section 4).
Section 2. E-learning techniques using augmented and virtual reality
The booming developments in the technology of virtual reality (VR) and augmented reality (AR) can provide the field of information security training with new insights, innovative solutions, and hands-on experience. The main advantages of integrating such technologies into a training process are: (i) faster learning due to efficiency of skill transfer; (ii) real-time knowledge acquisition and assessment; (iii) safety of practice; (iv) greater engagement due to the use of an out-of-class learning environment; and (v) the possibility of hands-on training.
What are VR and AR?
VR is a computer-generated simulation of a real-life environment that, by stimulating vision and hearing, makes the user feel as if he/she were experiencing the simulated reality firsthand. AR technologies provide their users with a view of a physical, real-world environment whose elements are augmented by computer input, such as video, graphics, or sound. Google Glass, an optical head-mounted display having the form of a pair of eyeglasses, is a typical example of AR technology.
Although similar, VR and AR differ in that VR digitally recreates the real-life setting, whereas AR uses digital elements as an overlay to the real world. VR and AR should not be confused with Immersion. While Immersion merely allows the user to observe a virtual environment by receiving artificial sensory stimuli, VR and AR not only allow the user to be a passive observer but also provide him/her with the opportunity to perform tasks in a virtual environment. It should be pointed out that VR and AR may have health effects on trainees, such as faintness and VR sickness (also known as cybersickness). Therefore, organizations willing to implement VR and AR in their training applications need to consult a medical doctor before doing so.
We will briefly review how AR and VR technologies can be used in information security training by discussing the three main advantages of such methods, namely, (i) experiencing virtual consequences, (ii) a possibility for gamification, and (iii) a high level of engagement.
One of the main benefits of AR and VR technologies is that trainees can experience the virtual consequences of their mistakes. To illustrate, if a trainee is unable to identify a virtual attachment containing ransomware, the trainee can observe the virtual consequences of the ransomware, such as encrypting files and showing a message requesting a ransom to be paid in cryptocurrency. In the context of information security training, such technologies can be used to provide instructions to trainees during incident simulations. For instance, AR and VR can provide a CEO who undertakes information security training with directions on how to instruct each member of the company on the steps aiming to reduce the impact of a cyber-attack. Since AR and VR technologies can recognize objects, such technologies can be used to teach trainees how to identify security loopholes in a real-life environment, such as weak passwords, publication of information which can be used for conducting cyber-attacks, phishing emails, lack of anti-virus software, and malicious websites.
AR and VR technologies can also be used for gamification of information security training. Game-based e-learning brings numerous benefits, such as challenging, motivating, and engaging the audience, and exploring the consequences in a safe virtual environment. For instance, the trainees of an exemplary game can be divided into two teams, namely, attackers and defenders. The attackers can receive points for identifying information security vulnerabilities, luring the victims to open malicious attachments, and conducting successful cyber-attacks. The defenders can receive points for identifying cyber threats, implementing appropriate information security strategies, reporting cyber-security incidents, and complying with security policies. Thus, while obtaining points and virtual badges, the two teams will acquire practical information security skills in an emotionally engaging way. It is worth mentioning that emotional engagement stimulates trainees to do more than normally expected.
Training programs implemented through AR and VR technology require the participants to take an active part in the training process. Such participation results in a higher level of engagement in the exercise and also bypasses the traditional “classroom” approach that is often found to be less impressive by participants.
Due to their capacity for such emotional engagement, AR and VR-based training materials aiming to raise cyber security awareness amongst various people, especially kids, can be particularly advantageous. By way of illustration, such materials can raise awareness and instruct how to behave in cases of cyberbullying, how to browse safely on the Internet while avoiding the risks of malware, and how to avoid providing sensitive personal information to strangers or allegedly legitimate institutions online.
2.2 Practical examples of deploying AR and VR
VR technologies can be used in at least three types of training applications, namely, (i) applications allowing their users to see examples of information infrastructure, (ii) applications allowing their users to react to cyber-attacks, and (iii) applications providing their users with instructions on how to conduct various operations related to cyber-security. Each of these three types of applications will be examined in more detail below.
Applications allowing their users to see examples of information infrastructure
It may be time-consuming, costly, and cumbersome to allow trainees to examine various types of information infrastructure, e.g., information infrastructures of nuclear plants, airports, and railroads. AR and VR technologies will allow training companies to provide trainees with the opportunity to examine such infrastructures without the need to access them closely. For example, VR technologies can be used to examine industrial computer systems targeted by Stuxnet. Stuxnet is a malicious worm which attacks industrial digital computers controlling robotic devices, assembly lines, manufacturing processes, and other related activities. Stuxnet caused substantial damage to Iran’s nuclear facilities. VR and AR technologies can also be used to allow trainees to see information infrastructure on Mars and other planets. By way of illustration, Lecture VR is a VR application which allows students to see Apollo 11 (the spaceflight that landed humans on the Moon for the first time) as operating on the Moon. A screenshot of Lecture VR is provided below.
Fig. 1. A screenshot of Lecture VR application
Applications allowing their users to react to cyber-attacks
AR and VR technologies can place trainees in the middle of a cyber-attack, thus allowing them to develop their incident-response skills as well as their collaborative skills. This type of e-learning ensures that the trainees will be immersed in realistic incident situations, without experiencing the emotional and cognitive effects associated with danger.
Applications providing instructions
VR technologies can be used to provide detailed instructions on how to perform various cyber-security operations in a realistic environment. By repeating them multiple times, the users of such technologies will be able to memorize and apply them in real-life situations. Furthermore, VR applications can allow trainees to observe recorded responses of cyber-security experts.
Section 3. Crowdsourcing
In simple words, the term “crowdsourcing” can be defined as an act of outsourcing a job to a large group of people in the form of an open call. Nowadays, crowdsourcing is a popular tool for achieving various purposes, ranging from funding projects and solving online disputes to digitizing media libraries and cataloging artworks.
Organizations providing information security training can also deploy crowdsourcing in their e-learning platforms by allowing the public to comment on the work product of their trainees. Such comments will provide the trainees with different points of views, thus enriching their knowledge about information security matters.
It should be noted that many organizations have already started utilizing crowdsourced comments to complete complex tasks. For instance, peopleclaim.com allows the public to comment on disputes with the aim to facilitate their resolution. Mark Deuitch, the founder of PeopleClaim.com, noted that: “The site is growing rapidly and we have helped thousands of businesses and consumers resolve disputes at a fraction of what they would have spent if they had used the courts. Additionally, the cost of using our system ranges from zero to around $20, so it is cost-effective for any size claim.”
In addition to crowdsourced comments, organizations willing to accelerate generation and dissemination of InfoSec knowledge can use wikis, blogs, social media, and other crowdsourcing tools.
Empirical studies have clearly indicated that e-learning applications have a wide variety of benefits. For instance, applications allowing their users to publish anonymous feedback may increase user participation. In recent years, there has been a steady increase in new and innovative technologies in e-learning. In this article, we explored the potential of some emerging technologies in the field of information security training.
There are numerous other tools and technologies that can contribute to the InfoSec community, including, but not limited to, (i) automated course authoring (e.g., Adobe Captivate, Elucidat, and iSpring Suite) that allows users to quickly and effectively create e-learning courses, (ii) big data analysis that may provide trainees with extensive automatically generated reports which would supplement their learning, and (iii) encouraging learner-generated content that stimulates development and dissemination of knowledge through blogs, wikis, and social media platforms.
While some of the technologies, such as automated course authoring, can already be applied in the field of information security, most of the technologies discussed in this article have not been deployed extensively for information security training yet. An effective and timely implementation of AR and VR by companies providing information security training will ensure that their training is emotionally engaging, realistic, multi-faceted, innovative, and cost-effective. As Graeme Lawrie, Director of Innovation and Outreach at Sevenoaks School, points out: “We feel certain that this technology has a distinct and unique part to play for learners of the future. Sometimes a little bit of awe and wonder is what we need to make lessons memorable.”
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.