Learning Security

Design Principles

Drawing on our prior experience, the following principles informed the initial design of the workshops:

  • Abandoning the boot-camp model to better support task demands and the more extensive review needs of adult learners.13
  • Creating participant-driven workshop goals.

Abandoning the Boot Camp Model

One major drawback to the training structure of the three- to five-day boot camp model with which we are most familiar is the sheer density of material it must cover. Squeezing a core information-security curriculum into a single workshop, while maintaining the focus of the hands-on practice described above, has typically required approximately five full days. While this approach remains more effective than the most common alternatives—brief, lecture-style presentations and distance-learning platforms—it clearly comes with its own limitations. Most significantly, adult learners simply are not very good at absorbing and retaining new information so quickly, a challenge compounded by a lack of opportunity for proper review. In a weeklong workshop, it is possible to review material at most four days after covering it initially, and the typical window is significantly shorter than that. Moreover, boot camp-style trainings leave little room for the uninteresting-but-time-intensive activities that actually represent key dependencies for the skills that journalists need. For example, full-disk encryption is a recommended digital-security basic, especially for anyone working on a laptop that he or she transports, even from work to home. While on Macintosh computers, for example, it’s easy to “switch on” this feature, we recommend that participants make both initial and ongoing backups of their laptops before activating it. This latter process, however, which provides for crucial data recovery, is actually a multi-stage, high-latency process that includes several foundational and sometimes time-consuming steps:

  • Understanding strong passwords.

  • Comfort with secure password managers.

  • Obtaining one or more sufficiently large external hard drives (or backing up and re-formatting existing drives).

  • Practice encrypting external hard drives.

  • Familiarity with backup software.

  • One or more overnight file transfer operations.

  • Training on full-disk encryption itself, including (on a MacOS device) how to create a restore code for FileVault encryption software. Creating a backup before turning on full-disk encryption is a safety measure as well as a core task, since rare errors can occur and may require restoration of data from a current backup.

  • Another long (possibly overnight) window during which data is actually encrypted.

  • Demonstration of full-disk encryption in action, such as how FileVault affects the ability to connect computers together via FireWire in “target mode” on MacOS devices.

The bold items above, in particular, represent tasks that are extremely difficult to fit into a several-day training window. A number of the topics we covered have similarly awkward dependencies. At CJS, however, we were able to hold shorter sessions and schedule them farther apart from one another. Both journalism schools and newsrooms looking to implement professional development programs should take full advantage of this luxury, as it made a significant difference in terms of students’ ability to:

  • absorb content.

  • benefit from meaningful repetition and review.

  • utilize gaps between sessions to do things like clearing off old hard drives, backing up content, and encrypting large amounts of data.

Unlike our experience with weeklong trainings in the human rights sector, we were able to help students complete multi-step challenges, such as the process enumerated above, by relying on a combination of in-class support, office-hours, and assigned homework. The result was a significant percentage of students with verifiably encrypted backups and laptops, demonstrably strong password habits, and appreciation for the vulnerability of unencrypted data at rest.

Designing with Participants’ Goal in Mind

Early feedback from the CJS community indicated a strong desire among students for practical, skills-based education. As one student responded to our initial awareness raising presentation, “We already know it’s important, man. That’s why we showed up! It’s the specifics we need more of.”

At the same time, a number of participants at our first workshop had missed our initial presentation, so we spent some time reiterating the basic arguments for the importance of the content. We were afterwards reminded again that these journalists—mostly students, with some CJS media staff, alumni, and one human rights NGO staffer unable to access comparable workshops in his own sector—were already convinced and ready to move on to practical skills-building:

“The general feeling was that we spent too much talking about why it is important to have data security . . . Given how digitally ignorant we are and how much we need to learn, I really hope we could cover more skills . . . at each of these sessions.”

Though it was very much in line with our existing plans for the remainder of the semester, this reiterated feedback helped strengthen our focus on applied skills, which was already the inclination of our NGO-sector training experience. Accounts from students and alumni who had previously “given up” on information-security workshops and trainings either due to the dearth of practical material covered or because such events had left them plagued by half-installed tools highlighted the value of this sustained hands-on approach. One student, for example, came to us unable to send email from her computer at all after attempting to install and configure PGP during a twenty-minute workshop offered elsewhere. While practical, hands-on experience is a must, it takes time, preparation, and some degree of post-workshop follow-up and support to be effective.