What do you think this is?

Just thoughts of a restless mind...

Training headaches

I appreciate training and am always eager to learn something new, but I have yet to settle on a preferred form of instruction. However, there is one that I find particularly challenging, and since I've recently been considering the possibility that the effectiveness of the security training and awareness we provide may vary depending on the mode of delivery, I thought I would write down my thoughts. Here are my personal choices.

Classroom training

Learning in a classroom setting is the best choice in my opinion. Maybe it's because I need people around me in order to stay focused, or I just like to watch and listen to others talk. In a classroom, I may seek clarification on concepts I'm still unsure of and engage in fruitful discussion with my instructors. For me, this is quite important. Depending on the topic, classroom training may also involve activities that are completed in small groups or on computers. The classroom is my preferred setting for human interaction, while for computer-based labs, the classroom is a close second.

This appears to be the most costly approach to building one's body of knowledge. This is the route I use to help the most seasoned members of my team advance in their careers. When the situation calls for it, this is the route I take as well.


No, security awareness cannot be delivered efficiently through self-study, but security knowledge building can. That is, we all learned somehow, and most of us had to self-study a lot to build our knowledge and progress our careers. Having a book in hand is my second-best option, and if a lab is needed, I set up a virtual machine on one of my computers and off I go. Although self-studying is among my preferred options, I find it more and more difficult to set time aside to focus and study. On the positive side, if my mind starts wandering, I can always go back to the previous page and re-read what I missed. This is how I prepared for practically all of the certification exams I've taken and passed, including CISSP, CRISC, and CCSK.

Interactive online training

Although interactive online training should be the equivalent of classroom training with minor differences, I personally find it significantly less efficient. Perhaps it's because I have trouble focusing for lengthy periods of time, but I find that this form of delivery does not hold up as well for me as the first two. However, if I combine it with traditional books and study guides, I find that I am able to retain more information. Notably, a less popular variant of this strategy involves using two trainers. A conversation ensues, which, while obviously scripted, has an energetic quality that may keep the audience interested.

Online video clips and interactive exercises

Training videos are increasingly often used by businesses to provide education and security awareness to their employees. Either with real people or animated characters, many of these short movies also include interactive activities, quizzes, etc., that, when timed appropriately, may help maintain viewers' interest. Even though this is the strategy most businesses follow, I know that I am not alone in finding it to be unsatisfactory. Using this model is actually a middle ground between the high cost of models that need human time (such as interactive training, which can take place in a classroom or online) and the efficiency level. This method's on-demand delivery is a big advantage over interactive alternatives, since it gives learners more flexibility in scheduling their training.

Online narrated training

This is similar to the previous method, but instead of video clips you just have presentations that someone narrates. In reality, there may be no technical difference between this model and the previous one, except for the structure of the content. Since this normally does not include interactive activities, I have kept it as a separate item. The narrator is the model's defining characteristic. Obviously actors make the finest narrators, but I imagine that anyone who has given presentations before knows the importance of varying the tone of their voice enough to keep the audience engaged. Interesting as it may be, I find this approach to be the least productive one. This might be more challenging if the narrators have an unusual accent (not native or "TV-quality").

Recently, I've encountered (and I get that I may have been lucky to have never encountered) situations in which the narration was performed by a text-to-speech engine. This horrible manner of distribution should be strictly prohibited. No one could possibly pay attention for more than a minute to that monotone narrator.

If you, like me, need to choose training provider(s) for your organization's security awareness needs, the first step you should take is to identify your preferences, and subsequently determine the organization's appetite. Identifying your preferences first is important, to avoid unconscious bias.
