"Cybersecurity Computer-Based Training and Technical Communication Design"
by Lysandwr McNary
About the Author

Lysandwr McNary graduated from New Mexico Tech in spring of 2013 with a Bachelor of Science degree in Technical Communication, after years spent in varied pursuits, from book publisher to United States Army Psychological Operations Specialist. Her time with the US Army, including two years in Iraq, provided many opportunities for studying cybersecurity, communication, and human behavior.
Abstract

A review of literature on computer-based training (CBT) suggested a lack of effectiveness testing in the development of cybersecurity CBT. In addition, the review led to the question: do producers of information assurance CBT (a critical element of cybersecurity training) clearly and successfully use accepted Technical Communication (TC) methodologies to design effective training? This is of concern in particular because cybersecurity has been declared by the federal government as one of the most serious economic and national security challenges we face as a nation. In order to verify or dispute this apparent lack, an analysis was done of a training module meant to provide mandated Federal Information Security Management Act (FISMA) compliant training to employees of federal agencies and affiliated civilian entities. This analysis had two objectives: to determine how successfully the training fulfilled the mandated FISMA requirements, and to identify if TC design principles were applied in order to create more effective training. Although this analysis is of necessity a small-scale examination, the results do indicate a lack of success on both counts. Coupled with a review of TC degree programs and cybersecurity-related curricula at thirteen public universities, the results suggest the possibility that a lack of cross-discipline program emphasis has led to a shortage of personnel in the cybersecurity workforce with strong TC skills, knowledge, and abilities.

Keywords: cybersecurity, computer-based training, FISMA, information assurance, technical communication

Introduction

The discipline of Technical Communication strives to communicate information effectively both textually (in context) and visually (such as with graphics, use of space, and alignment). Technical communicators must have an awareness of how humans absorb and process information, from sentence and paragraph structure to font sizes to audio-visual media.
This knowledge is especially pertinent to the development of training products, where technical communicators deal with instructional design and various levels of technology. The technological aspect becomes most important in specifically computer based training (CBT) product development. The Federal Information Security Management Act (FISMA), issued in 2002, includes a set of requirements that are mandatory for all federal agencies and affiliated civilian entities that access federal information systems. A basic tenet of FISMA compliance includes information awareness training for all personnel with any access to federal information systems as an essential element in maintaining national cybersecurity. The National Institute of Standards and Technology (NIST) is the primary agency tasked with providing guidance on meeting those training requirements (NIST Computer Security Division). Besides the Technical Communication Bachelor of Science program here at New Mexico Tech (NMT), I have extensive experience with required "information assurance/awareness" and classified computer security training qualifying me to analyze training modules. In addition, I have participated in security training exercises through the NMT Computer Science department. Based on my observations, computer security (or cybersecurity) training does not appear to be commonly developed with technical communication standards of known best practices, eLearning design principles, and usability/effectiveness testing in mind. It is worth noting that a review of Technical Communication degrees offered by universities across the United States (Appendix A) shows that such programs don't often include computer security or information awareness training; additionally, cybersecurity degree and certification programs generally don't offer courses in training development. 
In the following background section of this thesis, the role of FISMA and NIST in setting national cybersecurity and information assurance/awareness requirements for all federal agencies is discussed. Additionally, technical communication best principles in training development and design are defined. Within the subject literature, there is a sizeable body of research on applying technical communication principles in order to create effective training. However, studies on cybersecurity training typically focus on how to accomplish immediate knowledge transfer rather than how effectively that transfer is accomplished. This deficit is illustrated via a literature review covering e-Learning and principles of design, up-to-date CBT technology available to technical communicators, and information awareness applications. Following the literature review, there is an examination of the primary FISMA-certified information assurance/awareness CBT module from the Department of Defense (DoD) in order to determine how successfully the training both satisfies FISMA/NIST requirements and demonstrates a clear application of TC best principles.