Security Journey Blog

Applying Learning Science Principles to Secure Code Training

Written by Security Journey/HackEDU Team | Jun 7, 2021 2:58:48 PM

Everyone knows the old adage: You can lead a horse to water but you can’t make it drink, and this is certainly applicable when it comes to self-directed learning through computer-based training programs. But if learning is the goal—and it is a critical one in the field of cybersecurity, where breaches cost enterprise companies an average of $3.92 million—you’ll probably want to do everything you can to increase the likelihood of that horse taking a swig.


That’s where Learning Science comes in. Did you know there’s a whole field of academic study dedicated to using science to understand what makes learning more effective, and that thousands of scholars have been contributing to the body of knowledge for over 100 years? It started back in 1899 when William James wrote an essay called Talks to Teachers which melded psychological principles with the practice of education. Since then, the field has grown in scope to encompass the ever-expanding bodies of knowledge in the fields of cognitive psychology and data science. In 2021, there has been so much research on the topic, tested to the height of scientific possibility using cutting-edge experimental design technology, that we can almost use the word “proven” to describe the learning science principles that have emerged over the years.


Here at HackEDU, learning science principles have been the cornerstone of our approach to secure code training. Below, we highlight the top seven Learning Science Principles based on the largest contemporary body of knowledge from Carnegie Mellon University, and explain how we incorporate each one into our training program.


Prior Knowledge Affects Learning

When it comes to computer programming, developers are coming to the table with wildly varying experiences and beliefs around secure coding practices; as we pointed out in our 2021 Vulnerabilities Benchmark Report, half of all developers are starting off with no formal training at all. Accurately gauging the level of prior knowledge to determine a starting point is critical to shape individualized curricula that aren't boring or too hard. This is why we offer an initial test that acts as a benchmark for trainees to build upon and enter the training program at a level that is right for them. Additionally, management can help structure an effective training program by identifying Security Champions to take on leadership roles in team training and assist those who are beginning with less prior knowledge.


Organizational Style Affects Learning

The field of cybersecurity is a highly complex domain full of ever-moving targets. If the goal is to educate developers in a way that enables them to have a deep, functional understanding of the landscape so they can write secure code that is resistant to attacks, lessons should be structured to enable them to meaningfully organize their knowledge so they can draw from it in a responsive manner depending on the situation at hand. That’s why we’ve crafted our training modules to build upon one another as well as a trainee’s prior knowledge, and have structured them in a way that’s contextually appropriate to their usual coding environments, and in the languages that they’re most comfortable with. This method contrasts with old-school approaches that teach skills in random blocks or in contexts that are outside of the relevant development environments.


Understanding Motivation is Critical

According to the leading research, “when students find positive value in a learning goal or activity, expect to successfully achieve a desired learning outcome, and perceive support from their environment, they are likely to be strongly motivated to learn.” In the security world, that positive value can be an innate desire to beat cybercriminals at their game, or the quest to save companies from having their systems compromised. We also encourage our customers to use positive reinforcement to further motivate their developers. Something as simple as giving away a company-branded backpack upon successful completion of training has proven to be very effective at getting developers to take and complete their training.  


Developing True Proficiency Requires Knowledge of Content and Context

What does true proficiency look like when it comes to secure coding practice? Understanding the theory and acquiring skills is part of it, but being able to routinely integrate and apply those skills in real-world conditions indicates proficiency on a holistic level. How will companies know when their developers have achieved this? By focusing on actual coding in order to prove comprehension and proficiency, our platform provides insights into a developer’s true capability. HackEDU’s reporting tool provides an accurate view of proficiency based on multiple elements, including time spent in each lesson, the number of incorrect code submissions, and the number of hints a team member clicks.

Goal-Directed Practice + Targeted Feedback = Success

In order for secure code training to be truly effective, the practice must routinely focus on tangible goals that match a developer’s level of ability. The goals should be structured in such a way that they can be steadily achieved, and are coupled with concrete feedback about performance. While one-and-done training certainly has its utilities—and necessities—we recommend structuring training across a longer timespan in bite-sized intervals so trainees have the opportunity to truly integrate what they have learned. Our lessons are short (20-30 minutes apiece), and provide hints and feedback that help developers learn the material. If they’re truly stumped, our live chat feature, which gives them access to an engineer who can help answer questions, makes it easy for them to resolve the challenge they’re facing.


When it Comes to Effective Learning, Climate Matters

This should go without saying, but as much as developers use computers, they are people first. Every person enters the learning process with their own distinct placement on the spectrums of emotional, intellectual, and social skills. As such, creating a positive learning environment that’s adaptive to each individual’s preferences and tendencies is critical to ensuring their educational success. That’s why, unlike many of our competitors, we make sure to foster a positive learning environment by using inclusive, accessible, non-violent language in our training content so everyone feels like they have an equal opportunity at acquiring these very important skills.


Becoming a Self-Directed Learner Requires Goal Monitoring and Adjustment

In a perfect world, everyone who wanted to learn something new wouldn’t even need a training program; we could just train ourselves to acquire the relevant information and undergo the necessary cognitive processes to modulate our own learning. Well, this isn’t something most people can naturally do, but it can be enabled using technology. At HackEDU, we do this by integrating our platform with various testing and vulnerability discovery mechanisms such as SAST, DAST, and SCA tools, and bug bounty programs. These integrations provide adaptive lesson plans that are tailored for each developer based on the actual vulnerabilities discovered in their code. This increases relevance, and enables developers to improve on areas that they’re weak in. 

While all the psychology in the world can’t offer a foolproof guarantee of learning, we’re confident that there’s no better approach to increase the odds of getting that horse to drink than this science-backed one.