Over the years I’ve done a lot of information security, privacy and compliance training and awareness activities; content creation, delivery, tools, and a large variety of other related activities. I’ve found doing case studies to be one of the most effective, and most interesting and popular, type of training activity.
I’ve created dozens, and perhaps even hundreds, of case studies throughout the years. Case studies engage your personnel in thinking in ways that just telling them information cannot do, noticeably change their work habits, and measurably impact their opinions about information security and privacy.
In the third article of the May 2008 issue of my IT Compliance in Realtime Journal, “Creating Effective Case Studies for Information Security and Privacy Training” I provide direction for how to create effective case studies within any type of organization.
The following is an unformatted copy of the article, without the sidebar information and illustrations; download the PDF version of the article to see those…
———————————–
Using case studies within information security and privacy training is an effective way to reinforce the topic message for your learners by getting them involved and actively thinking about the topic and related issues. Case studies allow for a large amount of interaction between the learner and the instructor or training program. Learners must apply concepts to the case being analyzed. This valuable and effective method provides training to target groups who must clearly and comprehensively understand a topic to appropriately fulfill their job responsibilities, such as customer service staff, incident response team members, and marketers who have direct communications with customers.
Why Case Studies Are Effective
I have encountered very few organizations that include case studies within their information security and privacy education programs. Those that attempt to use case studies often do not use them effectively. This shortcoming is a great shame considering how important it is for personnel to incorporate safeguards into their daily job activities to successfully secure information and preserve the privacy of personally identifiable information (PII).
To see how to make case studies effective, it is worth taking a quick look back at important research performed by Benjamin Bloom in 1956 that holds up well today and will for decades to come. “Bloom’s Taxonomy” identified three domains of learning:
* Cognitive–mental skills (knowledge)
* Psychomotor–manual or physical skills (skills)
* Affective–growth in feelings or emotional areas (attitude)
[Sidebar information; to view see PDF]
The taxonomy also describes six levels of thinking skills. These six levels represent a progressive hierarchy of increasing skill depth. From the most basic learning (Level 1) to the most complex:
* Level 1–Knowledge: Recognizing information, ideas, and principles in the context in which they were learned.
* Level 2–Comprehension: Using the knowledge to translate, interpret, or comprehend information.
* Level 3–Application: Applying the information comprehended to independently, for the most part, solve a problem.
* Level 4–Analysis: Taking what is learned from application of the knowledge and communicating the assumptions, hypotheses, evidence, or structure of a situation, piece of information, or question.
* Level 5–Synthesis: Taking the analysis and associated information and integrating and combining ideas into a new plan, course of action, or proposal.
* Level 6–Evaluation: Appraising, assessing, or critiquing information, conclusions, or principles based upon specific standards or criteria.
These proven educational practices will move your corporate learners from the lower thinking levels (knowledge, comprehension) as soon as possible to the levels at which your learner is starting to apply the information. Remember, just telling facts or directives do not result in learning! Asking learners to memorize will not lead them to applying the knowledge to make good decisions for information security and privacy-related activities they encounter during their workday.
Providing case studies during information security and privacy training is an effective way to lead your personnel learners through these six levels and truly internalize and act upon the information you are teaching. Personnel are engaged and actually leave the training with information that will change their work habits to more effectively safeguard information.
[Sidebar information; to view see PDF]
Creating a Case Study
Many people find the prospect of creating an effective case study that exactly fits the objectives and the target audience a daunting task. Before you try to create a hypothetical situation, look to the news! There are so many incidents that occur daily that you should have no trouble finding a good example upon which to base your case study.
When you know your topic, your learning objectives (an important topic that I will cover in a future article), and your target learning group, it is time to create a case study. The following steps provide guidance as for you to create a case study:
1. Topic identification–Identify and document the information security, privacy, and/or compliance issues, concepts, and principles you want to teach, along with the learning objectives.
2. Brainstorm examples–Brainstorm situations that illustrate the issue, concepts, or principles you want to teach. Clearly document them.
[Sidebar information; to view see PDF]
3. Choose an example–From your examples, choose the situation that is most relevant to the issues, concepts, or principles you are teaching, then develop characters, background information, events, and actions taken.
4. Have someone review your draft–Write a first draft of your case study and ask someone knowledgeable in the topic are to read and critique it. Ask your reviewer if the intent and description are clear, interesting, and appropriate for the issue, concept, principle, and target audience.
5. Make edits–Use the feedback to rewrite your case study to address the relevant comments.
6. Create discussion questions–A crucial piece of an effective case study is the situation being analyzed and the accompanying discussion questions. Develop discussion questions to go along with the case study. Try to include questions from each of the six levels within the three learning domains of Bloom’s Taxonomy to make the case study as effective as possible.
7. Determine the need for visual aids–Consider whether you need graphic aids, such as charts, photographs, audio, video, screen shots, and so on.
[Sidebar information; to view see PDF]
A Case Study Example
Now let’s use these concepts to create a case study!
Topic Identification
[Sidebar information describing the case study scenario; to view see PDF]
The CxOs within your company are a perfect target group to learn from this case study to help prevent them from falling for a similar scheme. The learning objectives for this case study will be to help the CxOs to identify potential phishing messages, particularly spear phishing messages, and to have the CxOs know the appropriate actions they should take when they receive these types of messages.
Brainstorm Examples
Has anyone in your organization received a spear phishing message? A real experience within your organization is effective for engaging personnel in training. If you do not have an actual case, look through the news reports for examples. Search engines should be your friends for this activity.
Choose an Example
Two of my business associates have talked with me in the past 2 weeks about how this subpoena phishing message actually made its way into their organizations, past their otherwise strong malware and spam filters. The case study scenario could be written the same for both of them, based upon their actual experiences, to provide a short and effective training session with their CxOs. The following is an abbreviated version of a case study that could be used:
[Sidebar information with the case study; to view see PDF]
Have Someone Review Your Draft
Provide your draft to someone objective, knowledgeable about the topic, and who will give constructive feedback. For this draft, suppose the reviewer suggests that have the CEO contact the inappropriate person, such as the CTO instead of the Information Security officer, within the organization to report the message.
Make Edits
In response to the feedback from the reviewer, you change the last paragraph in the case study.
[Sidebar information with the updated case study; to view see PDF]
Create Discussion Questions
Now create questions to use during the case study. If the amount of training time available allows, try to create questions for each of the skill levels (many times sessions with CEOs are limited to 15 to 30 minutes). You do not need to limit the case study to six questions, but do what is appropriate for your target audience, the complexity of the topic, and the amount of time you have for the training session. The following are some examples of the questions you could use for this case study:
* Level 1–Knowledge: What type of message did the CEO receive?
* Level 2–Comprehension: What was the likely intent of the message?
* Level 3–Application: What should the CEO have done when he received the message? What should the CTO have suggested?
* Level 4–Analysis: What are the possible consequences of the actions the CEO took? What are the potential impacts to the organization and to the CEO himself?
* Level 5–Synthesis: What activities should the organization take in response to this incident? What types of communications, if any, should be sent to personnel throughout the company?
* Level 6–Evaluation: What are the lessons learned from this incident? Should anyone be sanctioned for any of the activities described?
Determine Visual Aids
For a case study that illustrates how to identify characters, such as for phishing messages, it is useful to include an actual example of what the message could look like. For this case study, you could include a screen print of an example of the spear phishing message, see Figure 1, as it appeared in The New York Times blog posted by John Markoff on April 16, 2008 at http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=2&oref=slogin&oref=slogin.
[Figure 1: Sample spear phishing message; to view see PDF]
———————————–
Did you find this useful? Please let me know what you think!
Tags: awareness and training, Information Security, IT compliance, phishing, policies and procedures, privacy, privacy training, risk management, security awareness, security training