Reflective practice in cybersecurity

Figure 1: "The art of seeing more clearly"

Each day we hear more about an urgent need for cybersecurity training. But the educational methods used are inadequate and even counter-productive. Behind this problem lies a distorted and weak model of what cybersecurity really is, and who benefits from it.

Critical pedagogy

In educational theory Paulo Freire sets out two very distinct types of learning. The first he calls the Banking Model and the other a critical or problem-based approach. The first treats students as passive vessels to be filled with knowledge by experts. They are 'gifted' (more often today mandated to accept) this deposit.

Presently, we pay only lip-service to the latter. We hear how "critical thinking" must be taught in schools if we are to counter a "world of disinformation". In reality, few educational establishments have the skills or the stomach for real critical pedagogy. It is incompatible with authoritarianism, now enjoying a fresh cultural revival.

Reflective practice

Reflection is a vital element of practice-based professional learning. It is the ability to reflect on our own actions and attitudes, and those of peers and organisations. It is "thinking about thinking" with the goal of improving professionalism. It implicitly rejects an a priori "right way to do things".

In a modern military, reflective practice is applied to exercises and engagements to see what went right or wrong. This experiential learning may extend to questioning orders or even the remit in the theatre of operations. Likewise in medicine, for surgeons, doctors, nurses and therapists, a practice of continual professional reflection is used.

It is not exclusively a post-mortem, root cause analysis or incident review conducted after a disaster. On the contrary, it is an ongoing analysis to prevent problems from occurring.

In educational theory the work of Donald Schön, Jean Piaget and John Dewey is influential on a set of ideas that include:

  • Iterated encounters with variants of a problem
  • Learning from failure
  • Integration of theory and practice
  • Emotional literacy
  • Honesty: no hiding or denial of inconvenient truths
  • No blame, or "egoless" communication
  • Personal responsibility and even Extreme Ownership

Challenges of teaching cybersecurity

Having taught computer science at undergraduate and postgraduate level for over 30 years, I find that teaching cybersecurity is uniquely challenging. It is broad, covering topics from mathematics and cryptography to psychology and politics. The base of students is also uniquely wide, including not only developers and other tech-professionals but almost every age and ability range and every type of profession. It also has complex and sometimes problematic relations with institutional dynamics, politics and individual psychologies.

Motivation of learners

Unfortunately, low-quality and cheap teaching is common for defensive cybersecurity. Students are often selected punitively, because they failed some internal "phishing test" meant to trick them. They're sat in front of a series of video lectures on topics that have no meaning to them, and finally assessed with an online "quiz". In six months they will fail the same test and be recycled through the training system.

In contrast, we see students who come to an offensive cyber class brimming with energy. They cannot wait to download and learn new attack tools and get breaking into systems, spying and stealing data. They complete homework with enthusiasm and spend extra hours going beyond the lesson plan.

Explaining this divide is difficult and awkward. It is rooted in cultural norms that make the defenders "passive" and the attackers "active". It also brings in gendered ideas about security in what is a very unequally staffed profession.

Reflective and critical cyber pedagogy

Presently, most cyber-education is defective in its content and its aims. With regard to its aims, it's really behaviour management, indoctrination and outsourced policy compliance. There is little if any sincere intent to improve the student's understanding or behaviour.

Institutions are conflicted because security-literate employees who display critical thinking, raise concerns and question policy are "troublesome". Most institutions send employees for training to meet their own compliance pressures, making the experience a cosmetic check-box exercise.

With regard to content, it is one of the fastest changing areas of knowledge facing humanity. Hardly a week passes without a major shift in technical paradigms or geopolitical alliances. While the foundations like mathematics, protocols, or operating-system principles remain stable, everything at "Layer 7" and above is in turmoil. It is unclear where perimeters are, or even if traditional perimeters exist. It is unclear whether vendors and service providers are friend or foe. And with digital security it is increasingly unclear for whom it functions, from whom or what it defends, and to what end we deploy it.

Terms like trust, security, safety, protection, privacy, freedom, and secrecy are used interchangeably with little regard to their real meanings, and often deviously by for-profit vendors or those with mischievous political agendas.

New styles of cyber education

The only way to counter this is to create new modes of cyber education and digital literacy for the 21st century. This methodology combines practical learning with deep academic, analytical work and theory.

Against this backdrop we have developed a unique approach to security teaching in which we:

  • consider the ethics of the information age
  • understand digital harms and their effect on everybody
  • obtain buy-in and motivation
  • understand the mechanisms for defence, mitigation and resilience
  • empower operators with a sense of agency and ownership
  • teach and test practical defensive skills
  • reflect and iterate on vigilance, planning and action cycles
  • develop communicative skills and security vocabulary
  • cultivate self-reliance and scepticism
  • cultivate emotional and instinctive "left of bang" sensitivity
  • develop confidence in tackling security issues
  • motivate self-learning and "security thinking as life-stance"
  • foster network-building and help-seeking activities
  • encourage learners to take reflective and critical skills back to the workplace

Where reflection comes in

People don't talk to each other any more. That's a fact you can verify by looking at any queue or gathering, or even couples in a restaurant. We are "atomised" into individuals staring at tiny screens. This erodes our collective immune system and makes our organisations weak.

Isolation and compartmentalisation are encouraged in corporate workplaces run under the creeds of financialisation and "professional management". Your boss doesn't want to talk to you, nor for you to confer with colleagues, at least not outside strictly controlled and monitored "proper channels". When was the last time you sat down for lunch with someone from a different department, HR, sales, IT or spoke to the office cleaner?

One of the worst offenders is IT. Although everyone in the company depends on computing we too often find IT citadels. They become like secretive little internal "shadow governments", opaque, aloof, unaccountable and dictatorial. They author policy without consultation and decree it without explanation. The result is an "us and them" tension between the workforce and infrastructure.

Companies divided make easy conquests for attackers. Phishers and phone scammers rely on poor intelligence-sharing and weak organisational cohesion. Newsletters sent out as weekly "no-reply" emails don't work. Nobody reads them. Besides, top down security is weak precisely because it is inflexible and brittle.

Poor structural security is a consequence of Conway's Law: the "allowed" communications paths mimic the class and specialism divides within the organisation, and tactical communication is weak as a result.

The reality is that human exchange in a "safe space", to obtain common aims and understanding, or to acknowledge difference, is the bedrock of security. It opens new communications paths and reveals hidden weaknesses.

Done as proper reflective practice this need not be unstructured, chaotic or undermining, as many managers fear. Developers who are used to one-minute round-robin stand-ups and requirements disputation and resolution will understand this.

Conclusion

Cybersecurity is much more than a set of firewall rules, technical skills or rote behaviours that can be encapsulated by policy or learned in a few hours of video training. Security is a human value that is relational, emotional and spiritual. It is also founded on habitual, ongoing practices. For organisations it is an internal quality issue that cuts to the heart of values, how the company is run, and who for. Cybersecurity need not be located exclusively within "IT".

Bringing in ideas from educational theory and wider professional practice has changed how we see cybersecurity, and it can change the security culture of your organisation, greatly reducing its attack surface.

Further discussion

If you want to know more about this approach, talk about organisational security or make suggestions then please contact us at The Cybershow or at Boudica Cybersecurity for commercial enquiries. We welcome guest opinions or suggestions for show topics.

Acknowledgements

I am grateful to Dr. Kate for her patient teaching on reflective practice, to Francis (the real Black Phoenix) for reminding me that teaching is a spiritual struggle against ignorance, and to the "professional management" at all those awful universities I've worked at for countless examples of how not to do relational pedagogy or care about students as human beings.


Date: 3 March 2024

Author: Dr. Andy Farnell

Created: 2024-03-06 Wed 11:56