EDUCATIONAL DELIVERY
7.6 E-learning for Information Security Education
Section 7.3 identified certain requirements that should be met by educational approaches used for information security education. These requirements have also been published before as part of Van Niekerk and Von Solms (2004). This section will compare these requirements against the features of e-learning approaches to determine how well e-learning as an educational delivery channel matches the needs of organizational information security education.
• The first identified requirement is the need for all employees to (eventually) "pass" the course. Information security depends on each and every person involved in the security process having the necessary security-related knowledge and/or skills to perform his/her job in a secure manner. It is thus necessary to ensure that the educational approach taken allows users who "fail" the assessments relating to a specific knowledge element and/or skill that is needed the opportunity for additional learning and, afterwards, to be re-assessed. E-learning approaches are arguably better suited to address this need than any other possible approach. Because e-learning can be done at a time and place that suits both the employee and the organization, there is little or no additional impact on a learner's normal job functions should he/she need to repeat one of the learning modules. There is also no additional cost involved in having an employee repeat a specific learning module. The facilities provided by a learning management system will also enable the organization to keep track of each and every individual employee's learning/progress.
• The second identified requirement is the need to address current values, beliefs, and opinions of employees. This is especially important if the overall goal of the program is to foster an organizational culture of information security. However, employees can come from many different educational and/or cultural backgrounds. These different backgrounds, and many other factors, could influence the current values, beliefs, and/or attitudes of employees towards information security. These values, beliefs, and attitudes can thus vary significantly amongst an organization's employees. In some cases, individuals might even consider their own values, beliefs, and attitudes to be personal/private and would thus not like to openly discuss/share these. E-learning systems provide an excellent medium to assist in the addressing of current employees' values, beliefs, and attitudes. Firstly, the user models / domain models in current adaptive e-learning systems can already accommodate the modeling of various user backgrounds and other individual traits. These and similar features could, to a certain extent, also be used to determine a difference between the desired values, beliefs, and attitudes (as modeled in the domain model) and the specific user's (as modeled in the user model). The content can then be adapted to the specific user's needs in order to allow the user to explore (if preferable, anonymously) the reasons/reasoning for the inclusion of specific information security controls. In addition to this, e-learning solutions offer the ability to use a multitude of approaches. Course designers could thus address specific "contentious" issues in wikis, blogs, videos, or even via interactive discussion forums. According to Kabay (2002, p. 35.9) the use of simulations, videos, and role-playing exercises could assist in changing user beliefs/attitudes during a culture change program by helping users bridge the gap between intellect and emotion (what they are taught is logical, but it conflicts with how they feel about the topic). The use of interactive discussion forums could allow users to not only explore the reasons/reasoning for a specific control, but to also provide their own opinions on specific issues.
• Thirdly, information security education requires that learning materials are customized to the needs of specific target users and/or groups. Such customization is one of the central features of e-learning. The entire field of adaptive e-learning systems specifically aims at the implementation and improvement of such learner-specific customization. As discussed earlier, these systems can customize content based on the individual user's learning preferences, learning needs, current activities (work context), background, location, systems and/or platforms used, individual traits, cognitive styles, goals and tasks. E-learning approaches are arguably more accommodating of such customization needs than any other educational delivery medium.
• The fourth requirement for information security education that was identified is that users should be responsible for their own learning. This requirement was motivated in Van Niekerk and Von Solms (2004) specifically based on the cost implications of education in terms of both time and financial resources. It is also important in terms of the first requirement identified, namely that everyone should "pass" the course. From a time and cost perspective, users could only be allowed multiple opportunities to learn if such additional opportunities do not require them to spend additional time away from their job responsibilities. E-learning systems allow users to learn when and where they choose to. They also allow users to learn at their own pace, according to their own learning needs, and to explore topics according to their own interests. E-learning enables users to participate in group discussions, or not to, should they so choose. With the help of the learning support systems in modern e-learning solutions, learners are empowered to take control of their own learning. E-learning systems thus allow organizations to pass the responsibility for their learning to the users themselves. However, in order to ensure that the user takes this responsibility seriously, organizations need to hold the users accountable for their learning.
• Holding users accountable for their own learning was the fifth requirement identified for information security educational approaches. This requirement goes hand-in-hand with making users responsible for their own learning. Through the use of learning management systems, organizations can not only hold users accountable for their own learning, but can also keep extensive records of learning. E-learning systems allow organizations to monitor user learning progress, in terms of training completed, time spent on specific modules, performance in assessments, etc. With the extensive learner monitoring and tracking capabilities of current e-learning solutions, organizations can also identify learners who need remedial or additional training in order to remain compliant with legislatory changes.
• The final identified requirement for information security education is the need to provide learners with feedback. Feedback is a central feature of any successful educational approach. Providing learners with prompt, specific, and corrective feedback increases the likelihood that the learners will persist in their learning activities until they are successful (Sousa, 2006, p. 66). The ability of computers (e-learning) to provide immediate and objective feedback is considered to be a motivating factor towards continued learning because learners can understand their own level of competence and can evaluate their own progress (Sousa, 2006, p. 66). E-learning systems can be used to provide continuous formative assessments and feedback to enhance the learner's own learning process, or to administer summative assessments for use by the organization in order to determine whether or not a specific learning module has been completed successfully.
E-learning systems thus meet all the identified requirements for information security education. It can be argued that e-learning is in fact the most appropriate delivery channel for information security education available to modern organizations. Additionally, e-learning components can also be included in more traditional educational approaches to form a blended learning environment. Research discussed earlier in this chapter has shown that such blended approaches are highly effective from a pedagogical point of view.
7.7 Conclusion
This chapter examined the requirements of organizational information security education. It was argued that information security is dependent on each and every human involved in the security process. Organizations thus cannot afford to have any of the users in an information security educational program fail the course. It was also argued that the existing values, beliefs, and attitudes of users must be addressed by these educational programs. This is especially important if the organization wishes to foster a culture of information security. Thirdly, the learners in organizational information security educational programs are adults, who have well established learning preferences, educational backgrounds, and levels of technological competency. These adult learners also have very specific, and varied, roles and responsibilities towards information security. There is thus a need to customize learning material in organizational information security educational programs in order to accommodate the variety of needs and backgrounds amongst the target learners. The fourth, fifth, and sixth identified requirements were all based on the fact that few organizations can afford to send all their staff for extensive classroom training. Organizations should thus be able to make the users responsible for their own learning. However, if users are responsible for their own learning, organizations would have to hold them accountable for this learning in order to ensure compliance with possible legislatory requirements, and in order to ensure that organizational information resources are in fact secure. Finally, learning requires feedback. If users are to be responsible for their own learning, the educational approach would have to accommodate this need for feedback.

Based on the identified requirements, e-learning was suggested as the preferred educational delivery medium for organizational information security education. The chapter examined the components of such e-learning systems, as well as the role(s) each of these components play(s) in an e-learning environment. In addition to the "normal" components, the features of adaptive e-learning systems were briefly examined. The chapter examined the benefits that e-learning, and blended learning approaches that incorporate e-learning components, can offer to various organizational stakeholders. The specific benefits offered by these approaches from a purely pedagogical viewpoint were also discussed. Finally, the chapter compared the requirements of organizational information security education to the features provided by e-learning systems.

It is the conclusion of this chapter that e-learning would be a medium that is ideally suited for the delivery of organizational information security education. Furthermore, the possibilities provided by adaptive e-learning technologies can potentially add a lot of value to information security educational programs. Through the use of e-learning environments, organizations can not only create appropriate information security educational material, but can also effectively administer and manage such programs. This chapter has thus addressed the third research objective of this thesis, namely to "demonstrate the suitability of e-learning as a delivery medium for organizational information security educational programs". The next chapter will show how e-learning can be used as part of a pedagogically sound process in order to address the final research objective identified in section 1.7, namely to demonstrate "how the various elements contributed by this thesis integrate into existing transformative change management processes for the fostering of an organizational information security culture".