Instructional design is, I believe, an underappreciated art. To support my claim … do you know what “instructional design” actually is? Don’t feel bad if you don’t; I’d never heard of it until I was well into my third career and discovered that I’d been dabbling in it for decades without being consciously aware of it. That seems like the definition of an “underappreciated” art to me.
Depending on whose definition you’re using, instructional design (or, if you prefer, instructional systems design) is “… the systematic development of instructional specifications using learning and instructional theory to ensure the quality of instruction.” Or, in layman’s terms, taking a programmatic approach to developing, deploying, and continually optimizing recurring training. That’s the primary focus of the security awareness community: we determine what facts and tasks our people need to know to be effective in their operational environment, create material to teach the skills, ideas, and knowledge areas needed to make people effective, then tweak our creations to ensure optimal understanding, retention, and application. The “tweak” part is the crucial element. Effective training requires constant refinement and reinforcement rather than a one-and-done box-checking exercise.
Or, at least, that’s what we’re supposed to be doing. I’ve worked at a lot of places that didn’t grasp the concept. Oh, they trained us, to be sure … Just not well enough to be effective. Their formal training covered some of what we had to know but frequently lacked critical context and/or process steps; those parts we had to pick up via on-the-job training, trial-and-error, and the explanations for why a former cubemate had just been terminated. You’d think it would be obvious, but I’ve met a bunch of trainers that just didn’t get it. They couldn’t seem to see beyond their discrete Terminal Learning Objectives to picture how those taught skills must be applied start-to-finish under real-world conditions. From a security professional’s perspective, this is not how you want to prepare your people to conduct enterprise defence tasks.
To illustrate my point, I want to take another swing at my all-time favourite punching bag: the United States Army. To be clear, I still feel there’s a lot to love about the army and military life. On the other hand, the U.S. Army is so large and so resistant to common sense that it’s known around the globe for doing bizarre things that defy all sense and logic. Like a kaiju attempting embroidery, the sheer scale of the beast makes it clumsy at activities requiring attention to detail.

As a practical example: I started army life as an enlisted medic. As new corpsmen, we learned a little anatomy, a little physiology, a very small amount of nursing, and a ton of bandaging skills. The running gag was that we were “battlefield gift-wrappers.” We might not be sure what was going on inside a patient, but we knew all the best ways to keep the wounded soldier’s blood inside them long enough for the patient to become Somebody Else’s Problem. That approach was fine when I was the junior ambulance crewman and my duties were limited to “carry the guy on the stretcher” from this place to that place. It didn’t work so well when I was assigned to Sick Call and was expected to diagnose people with mysterious “general body aches.”
A few years later, through a series of misadventures, I got commissioned as a Medical Operations lieutenant. During the Medical Officer’s Basic Course, we were trained on a little military history, a little organizational theory, a smidgen of logistics, a lot of physical fitness [1] and next to nothing about lieutenant-level fieldcraft. It was assumed that all us brand-new lieutenants – including those who had never served before! – would … somehow … pick up the basics through OJT.
The flaw in this model became painfully clear when we left our cosy classrooms for our first Field Training Exercise. Those of us who were prior enlisted expected to have an easy time of it. We knew how to pack our belt kit, how to sleep standing up in formation, how to safely secure our sidearms … all the basic survival skills that the doctors, nurses, veterinarians, and entomologists in our class had never been exposed to. Still … we didn’t know everything about what we were expected to do on the exercise and that nearly bit us in the neck.
At some point towards the end of a freezing week in December, we were tasked with tabbing all over hell and creation to practice siting field aid stations (i.e., identify the best terrain, erect some tents, and practice moving incoming wounded). Every so often, the training cadre would show up with a ground ambulance full of empty litters that we’d practice loading and/or unloading. Sometimes the cadre would send a surprise MEDEVAC chopper our way. Sure enough, in a mid-afternoon drizzle, a UH-1 Iroquois whup-whup-whup’d over our valley and hovered, pretending like it was waiting to be “guided in” to land.

It should come as no surprise that when mere ground pounders offer Army pilots suggestions, those suggestions often get ignored. Our job as lowly non-aviators is to politely get out from under them and to occasionally carry their baggage. I’d been in and around enough MEDEVAC birds to know that my top priority was getting out of the pilots’ field before they deigned to land wherever the heck they felt like. Their flying chariot, their rules.
Our cadre was having none of it. One captain roared at me to “get out there and guide the chopper in” … as in, run out into the middle of the field where the very bored pilots wanted to land and get in their way … then arrogantly use huge hand gestures to tell the pilots how and where to land their magnificent steed. As if.
Nonetheless, the cadre captain’s order was law, so I trotted out to the centre of the field and used what I remembered from chapter 5 of the late 80s edition Field Manual 21-60, Visual Signals. We’d studied it as officer cadets but had only ever used the part on hand and arm signals for dismounted infantry patrols. What university had a bloody helicopter to practice on? Still, I remembered the basic gestures well enough: hover, move left, move right, to-hell-with-it-just-land-already and go-the-heck-away. I pantomimed my way through a couple of minor move-left and move-right signals to make the captain happy while the Iroquois’s pilot ignored me. Once I’d gestured enough to tick the box, I made the “go-ahead-and-land” gesture … at which point the critical gap in our Visual Signals training became glaringly obvious.
As a reminder, helicopters have big spinning sword blades on top of them. A squishy human shouldn’t be anywhere near big spinning sword blades if you’d like to keep your head attached. My immediate need at that moment was to get the heck out of that field … but our Visual Signals instructors had insisted that we had to remain fixed in place with our eyes glued to those of the pilot until the helicopter landed in case of an emergency that required us to give the “oh-no-something-went-horribly-wrong-run-away” signal. Can’t leave, can’t turn your back on the bird, don’t want to get ginsu’d by the aforementioned spinning sword blade … Now what? Our “training” … such as it was … had never covered the last step of the process. I’m sure it would be painfully obvious to someone who worked in an aviation unit all day, but at that moment, all I could think to do was what they’d taught us in patrolling: “while waiting for a helicopter to pick your squad up, get down as close to the ground as you can (so the giant spinning sword blade doesn’t mince you) until the chopper’s crew chief gestures at you to start boarding.” I did that.

I stayed prone as the Iroquois touched down and refused to move until its rotors stopped bouncing. Fun fact: helicopter blades flex up and down. Just because you can stand safely under a helicopter while its engine is running on the pad does not mean it’s safe all the time. Like, during landing … when the momentum makes the blades dip in an umbrella shape … where a standing person might be inconveniently located. Before I felt safe to get back up, I heard the captain chewing me out for “worshiping the helicopter.” “What the HELL are you DOING, lieutenant?! GENUFLECTING to the ALMIGHTY whirlybird? Get up there and start processing those ‘casualties!’” [2]
After getting back to my feet, I politely asked the captain what the correct process was to (a) remain standing within the bouncing rotor disc while the helicopter descended and (b) not get reduced to kebab chunks. The captain glared at me, stammered “You know!” and wandered away quickly. I’m 99% certain that he, too, had never been taught the end-phase of the “guiding a helicopter to a safe landing” process and was desperately hoping that the rest of us had been taught it by a friendly passing magical faun or some-such. He sure as hell wasn’t going to admit that he didn’t know either … and might have been ordering young subalterns to literally risk their neck. [3]
That’s the problem: the original R.O.T.C. curriculum designers and our instructors had dutifully taught us some critical information – a new language of hand-and-arm gestures – without teaching us how to correctly and safely employ that language under real-world conditions. The only time we would ever need to know the “chat with a landing helicopter” gestures was when a real helicopter was landing next to us … at which point the “how do I get the #&$ away from the spinning sword blades” task was really important.
We see this mistake get made all the time in cybersecurity training. I’ve seen a bunch of training modules, posters, cheat sheets, and “informational” articles go to great lengths to define terms like “phishing” or “fraud” without ever putting the terms into proper context or providing practical examples of how to detect and/or react to them. It’s like the course designers were getting paid by the raw learning objective and only got a bonus for adding cutesy cartoon clip art. Answering the students’ frustrated cries of “now that I know that, what do I do?” never seemed to enter the picture.

Good instructional design recognizes this problem and addresses it head on. You don’t just teach people facts in isolation; you teach them the context in which they’ll employ those facts. You teach them how to start and finish a task, what success and failure look like, and what might go wrong. You teach processes. That is, you teach people end-to-end skills that they can actually employ … safely.
Don’t put your people in the awkward (and potentially lethal) position of trying to guess how to get out of a danger zone once they’ve properly identified a threat. It doesn’t matter if it’s handling a ransomware installer, disengaging from a dodgy elevator conversation, or securing a mysterious USB drive in the loo. Teach the attack methodology and intent, then teach the proper reaction drill all the way through so that people can adapt correctly when the specific encounter doesn’t play out exactly as you described it in the classroom.
More importantly, don’t simply stop the process after you’ve designed, developed, and deployed your training. Get out in the field (or whatever passes for it) and observe how your students employ your training under real-world conditions. Identify what crucial steps you left out, then redesign your content to account for the oversight. Good instructional design means constantly improving your material to best meet the needs of the people expected to employ it.
[1] Our curriculum was, to paraphrase comedian Bill Hicks, “Left foot, right foot … faster, faster … um … go home, shower.”
[2] Unfortunately for everyone, the U.S. Army did not at the time allow you to bludgeon stupid officers with a shovel. I assume this counterproductive and ill-advised rule is still in effect.
[3] That must have been quite embarrassing for the captain as I never saw him again after that encounter.
Pop Culture Allusion: None this week. If you can find a media allusion pertaining to this topic, my hat’s off to you.