In the late 19th century, the German psychologist Hermann Ebbinghaus became deeply curious about the nature of human memory and how it affects our ability to learn something new. He didn’t just want to understand how well the brain could remember learned skills, but was looking to create an empirical model that could predict how effectively the brain could retain that information. Ebbinghaus conducted his first experiments on himself. He began by memorising a series of meaningless syllables, for example: DIF, LAJ, LEQ, MUV, WYC, DAL, SEN, KEP, NUD… and so on. Then he tried to recall them at various points of time — immediately after memorising them, then 20 minutes later, then an hour, a day, and finally, a whole month later.
When he documented the results of the experiment, an interesting pattern seemed to form. The amount of information he could retain dropped at an exponential rate, which meant that just 20 minutes after he’d memorised the syllables, he’d already forgotten nearly half of them. By the end of two weeks, he could remember less than 10% of all the syllables.
This decaying exponential graph, known as the Ebbinghaus Curve or the ‘Forgetting Curve’, models how the brain forgets information over time. It also explains why learning is so hard.
But learning doesn’t have to suck. The reason most people hate learning new skills is that it’s hard, or boring, or just unintuitive.
Even visual learning, often considered the Holy Grail of education, has its limits. What you need is something more visceral, more tangible, something that doesn’t just ask you to see or hear something, but do. And that, folks, is what this ebook is all about.
In recent decades, new research has given us a look at how a more active approach to learning can make a massive difference to how quickly and effectively you learn. One study showed that students who engaged in hands-on learning were 1.5 times more likely to pass a course than those who didn’t. It has even been found that, when students are asked to recall what they learned, learning by doing activates the sensory and motor-related parts of the brain.
Hands-on or active learning is the process of actively performing the thing or concept you’re learning about. If you want to learn how to secure a container image in Kubernetes, the best way to learn about it is to actually take an insecure image and perform every step of the process yourself.
What makes active learning so much more effective than the passive alternative is the fact that it’s learner-centric. In passive learning, the instructor and learner take on the roles of master and apprentice, where one teaches and the other absorbs. In active learning, the instructor serves more as a facilitator, guiding the learner to knowledge instead of giving it to them straight away.
The longer you spend learning something, the less you’ll be affected by the Ebbinghaus Curve, and the more information you retain over time. And the best part? This information is directly applicable in the real world.
Back in 2019, we’d been brought on to train a major technology solutions company in cloud security, Kubernetes security, and threat modeling. More importantly, though, we needed to help them fix a systemic issue plaguing the company: people were constantly skipping mandatory training programs. Feedback from their teams revealed a host of issues that are prevalent across thousands of companies around the world.
And if your organisation doesn’t recognise them right now, it could potentially sink thousands of man-hours and hundreds of thousands of dollars into training programs that don’t work.
Perhaps the most common issue is programs that exist purely to meet compliance requirements. These perfunctory efforts at training to tick a box might get the job done on paper, but amount to very little in the real world.
Some people learn faster than others. Others have shorter attention spans. Still others aren’t comfortable with the language your company uses to communicate. These are all real problems employees face when they undergo training, and they’re often overlooked because corporate training is all about scale and efficiency. But that simply isn’t how learning works, and it’s important to give people the opportunity to learn at their own pace.
A symptom of the compliance training issue, learning fatigue happens when training is seen as an obstacle to get past rather than an opportunity to acquire new skills. Tight deadlines, obtuse progress tracking mechanisms, and a saturation of content can make employees dread a training program rather than welcome it. Over time, this can lead to them taking training less and less seriously, which is bad for both morale and productivity.
If there’s one thing that can completely sap someone’s interest in a training course, it’s bad content. If your team members have to sit through hours of training that’s not relevant or immediately applicable to them in their day-to-day responsibilities, you can count on them not taking those programs seriously.
While we’re big fans of active learning, it’s not as simple as just picking the first program that uses ‘hands-on’ as a buzzword. To get the most out of your training programs, it helps to break down the entire process into 3 phases:
1. Before training
2. During training
3. After training
This process is recommended by psychologists and training researchers, and has been found to be highly effective in training large teams. At each phase, there are important steps you need to take to ensure that the training isn’t just happening, but helping your team effectively solve their day-to-day problems.
Training Needs Analysis
This is the first phase, and it involves a whole lot of planning. Researchers say the most important step to take at this point is conducting a Training Needs Analysis (TNA). It helps you answer 4 key questions:
– What is the expected outcome of the training?
– How is the training going to be designed and delivered?
– How will the training be evaluated?
– What factors will help or hinder the training?
Let’s go back to the example where your team needs to build a secure AWS application. Answering the first question is straightforward: the training should result in every team member acquiring the skills to securely build and deploy a cloud-native app on AWS.
Job Task Analysis
Identifying what kind of training each team member needs is what’s called a Job Task Analysis. But it’s not enough to simply ask your team, “What training do you want to take?” Research has shown that people are often not able to articulate what training they really need, making a more thorough analysis necessary. It’s crucial for your organisation to find the courses best suited for each team member so they train only in the most relevant, time-sensitive skills to help them do their job.
If you’re in charge of the team undergoing training, it’s your responsibility to foster a positive Learning Climate amongst your colleagues. Studies have found that the conduct of supervisors can have a significant impact on the effects of employee training, both for better and worse.
Practice Makes Perfect
The foundation of any good hands-on learning is repetition. The fastest way to learn a new skill is to perform it by hand, and the best way to retain that skill for an extended period is to practice, practice, practice. Whether it’s in a simulated environment or the real world, the sharpest skills are the ones you use the most.
Learning From Mistakes
Want to know the best part about using simulated models for training? It’s a safe, easy way to learn from your mistakes. If your team made a serious error on a live application accessible to the public, it could have dire consequences. On the other hand, making a mistake in a simulated lab environment is actually a good thing, because it’s a harmless way to learn what not to do.
Think back to the Training Needs Analysis from Phase 1—specifically, the first question: “What is the expected outcome of the training?” The main objective of your evaluation is to see if the training gave the results you were expecting.
Here are some of the most important questions to consider:
– Did the training teach the skills necessary for the learners to do their jobs better?
– How thoroughly did the material cover the subject? Were there any gaps in knowledge?
– Did the hands-on exercises closely represent real-world challenges?
– What was the learners’ experience with the training?
The last step in the training process is all about ensuring your team doesn’t forget the skills they so painstakingly acquired in the last few weeks. According to some studies, trainees who don’t get to apply what they learned forget up to 90% of it within one year of being trained. Sound familiar?
That’s why it’s so important to make sure your team gets to utilise their skills in real-world circumstances soon after they’ve learned them. It’s quite possibly the best way to reinforce their training, owing in no small part to the confidence your team members get when they see all their hard work come to fruition in a tangible form.
You’re also looking at helping teams achieve DevSecOps, where secure engineering practices are integrated seamlessly into a DevOps pipeline. This is the ideal jumping-off point for a lot of developers into security, because they can directly apply their knowledge of building apps in an agile pipeline to figuring out how to implement security measures in the process.
But it’s also a lot harder to create material for active learning, which explains why you don’t see it more often in the corporate space.
That’s where AppSecEngineer totally changes the game. We’ve created a space where your lessons go hand-in-hand with practical models you can play around and experiment with. More importantly, we’ve made it incredibly accessible to people who are dipping their toes into AppSec for the first time.
When it comes to skilling your whole organisation in Application Security, nothing comes close to AppSecEngineer.