
Is Hands-on Learning Actually Better?

February 21, 2022

There's a reason most people hated school. Six hours of sitting in the same old classroom, staring at a chalkboard as the teacher drones on and on about mitochondria and Pythagoras. Did you even really learn anything from those lessons?

Most people view these kinds of one-way lectures as the 'default' way to learn or teach, because that's how they did it in school. But unlike a computer or hard drive, our brains don't just automatically store and save all the data we're fed. Some things stick better than others. Some methods work better than others in getting people to retain more information (and be able to retrieve it on command).

That's what this article is all about. What's the real difference between hands-on learning and one-way lectures? Is one better than the other, and if so, why? And most importantly, what's the best option for you?

How Hands-on Learning Works, According to Science

Hands-on learning is any kind of process where you gain some knowledge or skill by actually performing it. From science experiments in the chemistry lab, to learning to ride a bicycle, anything you need to use your hands and mind to do is classified as 'hands-on'.

In traditional lecture-style learning, there's usually just an audiovisual input that your brain processes. Hands-on learning, however, is much more involved. In a study by the University of Chicago, two groups of students were taught about the concept of angular momentum using spinning bicycle wheels. While one group got to actually hold the wheels and experience the forces firsthand, the other group simply observed.

When the researchers monitored the brain activity of both groups using fMRI scans, they made an interesting discovery. The students who got to learn hands-on had increased activity in the parts of the brain that process sensory and motor-related information. While the other group just watched and inferred the information, the test group performed the activity and experienced their lesson.

Hands-on learning has been found to be as much as 50% more effective than traditional methods.

This increased brain activity showed real-world significance in a quiz the students took several weeks after the experiment, with the hands-on group outperforming their peers by a clear margin.

Dr. Nina Huntemann from edX says that "the core of active learning is The Learning Loop: one learns new knowledge, applies it to a situation, receives feedback, reflects upon what was learned, and repeats the process."

According to her, the modular nature of this loop is key to the effectiveness of active learning. If you spend 2 hours in a lecture, then try to remember all of it while you're applying that knowledge later on, you're more than likely to forget something.

On the other hand, if those 2 hours are broken up into smaller 15-30 minute chunks where you learn something, apply it immediately, and see the results, you'll better understand the thing you just did. Additionally, you will better remember each step because it was broken down into smaller parts and you were actively applying the knowledge you acquired.

The benefits of learning by doing have been confirmed by several studies over the years. When you participate in an activity, more of your brain gets involved in the process. The neural connections that form as a result give deeper context to the information you acquire, and as a result, you retain more knowledge in the long-term.

How Hands-on AppSec Learning Benefits Your Team

The advantages of hands-on training don't just apply to individuals; they create a ripple effect that can be felt across entire groups of people. In the corporate world, this can be seen in the way teams, large or small, respond to getting high-quality training.

Here are 3 ways hands-on learning is better for teams on an enterprise level:

  1. It's far more efficient (and cost-effective)

As we mentioned before, hands-on learning is way more effective than traditional training methods. Once a team member has learned something practically, they retain that information better, which means they waste less time making mistakes or figuring things out.

They learn more efficiently and work more efficiently, saving time on both fronts. This has a direct impact on cost, especially in the long run.

  2. Making mistakes is harmless

In the process of learning anything, it's not only inevitable—but important—that you make mistakes. You fall, you pick yourself up, learn why you fell in the first place, and you're more careful going forward. Training your team is no different.

But making critical mistakes, especially when it comes to application security, can have serious real-world consequences. An improperly trained employee could inadvertently leave a dangerous bug or vulnerability in your software that could leave it open to attackers, damaging your company's business and reputation.

When your employees learn hands-on, they can make these mistakes without fear of disrupting the entire system. They'll even feel more free to experiment and try out techniques that would have been totally off-limits on a real workflow.

In fact, AppSecEngineer's hands-on labs are made to be totally safe and secure, so you can play around with each lab environment without fear of breaking anything. Learn more about that here.

  3. It's not boring AF

No, we're not adding this as a joke (but you can still laugh). This is a real problem in corporate training programs. Everybody's gone through that 2-hour long PowerPoint presentation or a poorly-made training video that you ended up learning almost nothing from. When most people in the corporate world hear 'training', their involuntary response is to groan.

Hands-on changes that completely. Going from passive to active learning can give your team a compelling reason to pursue more lessons, and their interest levels get a noticeable boost. An interested learner is far more likely to stick with the course and see it to completion.

How To Do Hands-on AppSec Training With Your Team

Hopefully by now you're sufficiently convinced about why you should do hands-on training in application security. Now it's time to figure out how to do it.

Here are our top 3 ways to do hands-on AppSec learning at your organisation:

  1. Rotate developers into your security team

In a 2015 conference, Etsy's Director of Security Engineering spoke about how they rotate developers from their usual product engineering team and into the security team to work with them for as much as a month each year.

This helps developers understand how application security engineers operate in real-world situations, and learn from their day-to-day responsibilities. This not only helps devs understand the security posture of the apps they themselves build, but creates a rapport between teams and eases collaboration.

  2. Build skill in AppSec across all your teams

Real skill is difficult to come by, because it requires a combination of factors: high-quality learning material, the freedom to try out what you've learned and get immediate feedback, and a way to reliably measure improvement over time.

AppSecEngineer has all three. In fact, our hands-on security labs simulate real-world attack scenarios, so you get the experience of exploiting apps (Offensive security) and securing them (Defensive security). We have security courses for all major spheres of AppSec including Kubernetes, Cloud, Serverless, and DevSecOps.

Learn more about our hands-on labs and how they work.

  3. Make them compete!

One of the best ways to get jaded employees to sit up and take notice is to hold special events. And the sort of events that get the most attention? Competitions, of course!

Internal bug bounty programs are a great way to motivate your employees to find vulnerabilities in your organisation's apps. Cash bonuses or other rewards are a great incentive to get the ball rolling, and you could even offer a grand prize to the employee with the most bugs found at the end of the year.

In a similar vein, you can organise capture-the-flag contests or hackathons every few months. In fact, Facebook has open-sourced the platform they use to build CTF competitions. You can use that to get started quickly.

With all these ideas in your tool belt, you're now fully equipped to really make a difference in your organisation's approach to security training. If you have any questions about the AppSecEngineer platform, feel free to contact us.

Aneesh Bhargav

When Aneesh is not creating career-focused security content, he’s probably playing video games.