Practise and exercises as a founding element of a hacker-proof digital posture

eLearning Expert Talks/Security Awareness
31 July 2023
Pratica ed esercizi

The third and final (for now…) appointment with Maurizio Zacchi (here are the first and second interviews), Director of the Cyber Guru Cyber Academy.

Everyone has experienced firsthand the difference between theory and practise in a learning path.

Learning the theory is a necessary first step.
Especially in our Western approach, whereby we are accustomed to nurturing the mental aspect of knowledge. After all, this is how they taught us from an early age. To read, listen, study, and perhaps even to repeat what was transmitted to us.

However, there is a type of knowledge that is based on a practical approach, made up of exercises and a concrete comparison with the subject that, especially for some areas, cannot be neglected. Just to give some examples, it is difficult to imagine that a musician can express themselves to the fullest only by studying the history of music or by memorising a score. Or that a chef could succeed only by reading cookbooks.

Unfortunately, often in our training models, these two approaches are separated, and so it happens that training is never complete, and there is always some knowledge missing.

This discourse is all the more valid for adults who already practise a profession and who have little time, little mental availability, and who think they can learn something new just by reading some handouts or listening to a theoretical lesson.

The bad news is that this one-dimensional approach doesn’t work. We can develop a large number of theoretical concepts and maybe even present them well, but if we do not include experience in the field in the training course, the training will never be effective.

The good news is that good trainers know this and are very careful not to overlook either approach.

This is all the more true in relation to cybersecurity training,a particular learning process consisting of an important theoretical component, but also of a decisive practical and exercise-based component, without which there can be no certainty of being ready to face the increasingly insidious cyber threat. This is because the latter is continuously mutating and because it always finds new ways to break through human vulnerabilities and the lack of habit of managing the continuous flow of problems.

To build the necessary competence to make a user fully aware and able to make the most of the opportunities of the digital dimension while minimising the risks to their safety and that of their organisation, we must develop all the necessary skills. This means acting on knowledge, which is related to awareness and expertise, which are related to practise and experience, and on knowing how to respond to different situations, which is related to behaviour.
The integration between different paths in accordance with a logic of continuous training and permanent updating is the basis for curating comprehensive and multifaceted knowledge, with the aim of developing the fourth skill, that of knowing how to ‘become’, promoting a state of self-observation and self-reflexivity.

The importance of “practise” in training

Maurizio Zacchi, head of training at Cyber Guru, explains the importance of practical training and continuous training to stop attacks that come from ever-different and unexpected fronts.

“Especially for phishing emails” – he says – “we realised that a big difference in the level of preparation of individuals is a consequence of systematic exercises that are always different. This, in fact, actively tests the learning of theoretical concepts and leads, in most cases, to that permanent change in behaviour that should be the result of effective training. For this reason, a fundamental part of our training is the sending, obviously by surprise, of emails containing traps of various types and commensurate with the learner’s level of preparation. That is, depending on how the latter will react from time to time to the simulation of the scam, subsequent phishing emails will be sent to him/her that will lead him/her to face increasingly difficult challenges, or in any case, challenges that correspond to his/her level of learning”.

In fact, it is an ad personam training that, precisely because it is based on personal experience, is the most effective in delivering permanent results in behavioural modification. It is an adaptive process that allows you to “customise” the training path.

Gamification

Cyber Guru also adds a playful aspect to this type of exercise, through which company employees can have fun and challenge themselves on the slippery slope of cybercrime. The latter is an element that greatly increases motivation and the desire to put oneself to the test.

One thing is for sure: Cyber Guru is very clear that cybersecurity training must set itself apart from the boring and increasingly narrow cages of classic corporate training courses, which more often than not subject poor employees to a tour de force of concepts and theories that almost always end up in oblivion after a few days. This is an unnecessary effort for employees, an unwise investment for the company and a dangerous exposure to the risk of cyber scams, since the subject is evolving very quickly and is becoming increasingly challenging.

Challenging cybercrime requires groundbreaking training

For this reason, the training provided by Cyber Guru can be considered revolutionary, because it gathers the indications from the most advanced learning theories and organises them into gradual, effective and customised training courses.

For the first three years, there is a real organised school with a training of about half an hour per month that expertly combines theoretical knowledge, personalised practical experiences and recreational activities. In this phase, you learn everything there is to know about the subject and become masters of the subject, leaving everyone the freedom to manage and assimilate their training path in their own time.

After this period, the maintenance phase begins, because memory is maintained through continuous repetition and exercise. And also because we are talking about a subject that is constantly evolving and that can certainly not be relegated to one or two training days during the year.

For this reason, from the fourth year onwards, Cyber Guru no longer provides the didactic approach but rather a personalised path, which is organised from time to time according to the feedback from each individual learner. If the latter demonstrates that he/she knows that subject, he/she proceeds on a path of strengthening his/her knowledge. Otherwise, a reorganisation path is proposed until complete assimilation has been achieved.

All this is done through interactive videos that, however, do not engage employees for more than 30 minutes each month.

To make the educational journey even more captivating,serious games are also organised, in which the learner is subjected to a series of questions and problems to be solved, along the lines of the Escape Room concept. If you guess and overcome the challenges, you can leave the room, successfully completing your path.

“It is a model” – explains Maurizio Zacchi – “based on the adaptive process, built with artificial intelligence algorithms, which allows an automatic adaptation of the training path to the level of knowledge and ability of the learner. It is the definitive overcoming of a traditional training concept, which has demonstrated all its limits in the corporate field“.

Related Articles

Clusit 2024 report: data of concern

Clusit 2024 report: data of concern

Manufacturing targeted in Italy but attacks on health care grow 83% over first half of 2023.The centrality of the human factor. From the cyber front comes no good news. On the contrary, the war (because this is what it is all about) is more heated than ever and the...

read more