At Motherboard, we don't just like talking about security, we want to show you how to make you and those around you more secure as well. We found this guide from Cryptoharlem founder Matt Mitchell and colleagues Rachel Weidinger, Cooper Quintin, and Martin Shelton very useful for thinking about how to message security to the masses, which these days is more important than ever. Stay vigilant! — Editors.
A digital security training is a gathering of people trying to learn more together. It's that simple.
There are more requests for security trainings than ever today. Many people have stepped up to help fill the demand, which is great. With all the added interest, it is important to make sure that our security trainings are helpful and follow the 'do no harm' principle. As a security trainer you will often be people's first introduction to the world of digital safety; what you say can have a huge impact on how people think about this subject. A bad first security training might be as bad or worse than no security training at all! Remember: it is better to teach people *how* to learn about security than to teach them facts about security.
* Feeling awkward or wondering if you are qualified to be doing this?
The fact that you are even asking yourself these tough questions means you are the right person to be doing this. Matt often talks about the early days of the AIDS/HIV epidemic. There were scientists in university labs, doctors in hospitals, and researchers at the Center for Disease Control all working on this problem. However, where would we be without the trusted members of the community talking about prevention, care, and support? Often, all they had was a brochure of basic information. When you teach safer sex by putting a condom on a banana, it's memorable. If they already know and trust you, all the better. It doesn't take a PhD, it just takes a caring heart. It goes a long way and probably made more of an impact than we can ever measure. If you know one thing more than your audience and are willing to share, then you are in the right place. There is a thing called imposter syndrome and you need to get over it. You got this!
A Practical Checklist For Leading Your First Training:
A basic agenda for training might cover:
- Remember to be as inclusive as possible. A broad welcome and a code of conduct go a long way.
- Risk assessment (aka threat modeling, don't know what this is? Read this, this, or that)
- Operational Security and Information Security basics (i.e. basic digital hygiene)
- How to learn more and keep up to date
Logistics for planning a training
- Choose an accessible space. Consider places like a community center, library, or cafe. Let your audience's comfort guide your venue choice. Avoid alienating locations, such as hackerspaces. Think about who will be attracted to the space, and who is likely to come back again.
- Real world promotion (fliers, postcards, personal invitations) will get real people. Digital outreach will get digital people. Reach out.
- Drafting an agenda will help you plan time in the training, and remind you of what you want to cover and ask. It's just like a regular agenda, plus it includes time, questions to ask, materials you'll need, and content you'll cover.
- Model good privacy practices. If you're going to take photos, check out these guides from Witness.org for tips on preserving privacy.
- Tell trainees in advance what they should bring. We recommend telling people to bring an open mind and the device they use the most. It's more important that people come to the training than bring a particular device.
When your trainees leave the training, they should be able to:
- Do basic risk assessment or threat modeling.
- Understand the limitations of digital security training.
- Share good info with their friends.
- Have a way to keep up to date on digital security.
Check out our other blog post for more information about how to build your digital security skills & for up to date resources.
Now for a little more depth. To help you give the best trainings, we have gathered a few tips from experienced trainers below.
Build effective mastery: Focus on maximum effect and giving people a feeling of hope and mastery. Remember, the people you are training have probably never thought about opsec (operational security, how to operate in more secure way) or infosec (information security, tools and practices to keep information private) before. Security is complex, and it can be easy to scare your audience and drive them away. Don't give your trainees the impression that they will never know enough to take security measures. Try not to scare your audience! Instead, you should leave them feeling empowered.
Teach basic (security) hygiene: You are their best source for this information and are probably their first introduction to this topic. Pretend you are a part of a Doctors Without Borders team, and you need to go in and do the most basic things to save peoples' lives. After thinking about it, you might just explain to people how to find clean water and soap, showing people how to wash their hands. This would be the most impactful use of time. Creating a "base line" that everyone can get to. Talking about things like, zero days, baseband exploits, and the capabilities of the NSA would be like telling people about cancer and lupus and how to diagnose rare diseases before they have learned about hand washing and penicillin.
Talking about things like, zero days, baseband exploits, and the capabilities of the NSA would be like telling people about cancer and lupus and how to diagnose rare diseases before they have learned about hand washing and penicillin.
Listen with love: There's a good chance your trainees are scared. Pay attention to both your trainees questions, and to their emotional state. Listen to their fears. Share how to do realistic risk assessment by directly addressing stated fears. 'Bedside' manner matters. You don't need to be their therapist, but you can illuminate a path forward. Hope is empowering. Feeling defeated is often a symptom of not knowing that there is something you can do and someone out there who cares.
Don't wait to get 'perfect': Being perfectly correct is not necessary, but passing out bad info is dangerous. Follow the 'do no harm' principle to the best of your ability. Your job is to provide immediate triage, and to share the most up to date info. Training with limited, good info is better than not training at all. Be honest about your limitations, and the limitations of this work.
Model real-life challenges: It's best to focus on practical security concerns that people can immediately address. Teach ways to think about security and threat modeling (a better introductory term is risk assessment). Talk to people about realistic scenarios or situations that they will actually face.
Your body matters: Being a trainer is like being a performer. Bobby from Tactical Tech reminds trainers that when they are doing a training they are performing, like in theatre. Before your training stretch out your arms to feel big, breathe in and out deeply, and get ready to be bright, positive, clear, and kind. Take tips from your favorite comedian, rockstar, or MC. Smile, move around, make eye contact, make your audience laugh, ask questions for the audience to answer, and have them ask each other questions. Also doesn't hurt to project your voice, just pretend everyone is twice as far away from you than they actually are.
Keep your audience engaged: Don't talk at your audience. People get bored with lectures and will have a hard time remembering what you taught them. Keep your audience active and listening to you. Let people develop a "muscle memory" by doing things themselves with your guidance. Encourage your audience to use their hands and fingers on their devices. If someone is going off script, ask questions and be encouraging. No one reacts well to being told they are "doing it wrong." If you use a slide deck, ask for feedback/questions after each slide to gauge the audience. You don't want to lose them.
Manage questions to maximize learning: Questions are great. They are a sign that your audience is interested, but they can also be disruptive. Some questions are irrelevant, don't make sense, or are not even questions at all. To deal with these you can ask the person to ask you later or email you the question. Another good strategy for dealing with questions is to pass out some index cards and have your audience write questions on those. This way you can easily ignore problematic or overly specific questions and answer the questions which are of most use for your audience. As an added benefit, this also gives shy audience members a chance to anonymously ask questions without having to speak in front of the group. Remember you are not an expert in this nor should you be. It's a group effort and asking people to look it up, share ideas, and learn together should be encouraged. It takes a lot of the pressure off of you.
Security info rots, build security insight: If you are writing a security guide please consider putting a date on it so that people can tell how current the advice is. Also consider putting an expiration (or "best by") date on it and either retire or update it when it is close to expiring. If you find a guide online that doesn't have an expiration date, you might want to write to the author and ask them nicely to update it. When training, teach about how to keep up to date. Help set up ongoing trainings for that community if you can.
Handouts help: Handouts or packets can be a great way to give your audience more information than you can pack into the training. You can include games and stories about threat modeling, links to tools and online guides, and pointers to other resources and places to learn. This can help supplement the memory of your audience and keep them from getting distracted taking notes. You can also answer the most common questions that you get.
Practice makes perfect: Perfection isn't our goal so practice your talk in front of someone who doesn't know this topic. The first time you are saying these things shouldn't be in during the training. Be sure to avoid acronyms & industry/nerd jargon (we speak a language that is exclusionary to many), instead try easy to understand and translate terms.
We covered a ton of ground here. You don't have to memorize it all before you lead your first training. We are excited you're ready to help your community increase their digital security skills. Let us know how it goes!
This guide was originally published on Medium. You can follow the authors on Twitter and Medium: Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton), Matt Mitchell (@geminiimatt).